Privacy Insider newsletter: June 1

Welcome to Privacy Insider, a round-up of the week's most important stories.

I'm giggling to myself as I read the first sentence of an article I wrote in 2012: "Advances in technology, consumer complaints about privacy violations and regulatory action in 2012 have set the stage for 2013 to be a pivotal year for marketers and the rules that surround their profession."

First, today I'd write a much less generic lede. C'mon, Angelique, good writers don't use "set the stage" unless they're reviewing a play and discussing the stagehands. But while my prose may have progressed with time and experience, what hasn't moved forward much is the topic of conversation. The article I was writing then was about cookies. I was forecasting that the U.S. Federal Trade Commission (FTC) would start to crack down on mobile apps' tracking policies and the related lack of transparency. The FTC was about to release a guidance document, "Dot Com Disclosures: Information About Online Advertising."

Nearly a decade later, we're still having conversations globally about how to reign in companies' cookie practices. It's understandable: The insights companies can glean from dropping tracking cookies is highly valuable. It'd be wild if an entire ecosystem of players just shrugged its collective shoulders and quit the game simply because regulators were "growing concerned" about data privacy. But then, in 2018, the EU passed the General Data Protection Regulation, and things got real. There were new hard-and-fast rules about what data companies could collect from users and under which circumstances. After the GDPR, several countries followed suit, passing similar data privacy laws.

But even with prescribed rules, there's widespread noncompliance. Some of it is unintentional, some of it the result of an adtech ecosystem that leaks data during online "bidding" wars. And some of it is companies' refusal to change, digging their proverbial heels into the sand and insisting through pricey legal counsel their practices should be interpreted as legitimate under the law, for reasons X, Y and Z.

However, what seems clear now is it's time to move past the "denial" stage of the grieving process. No, cookies aren't dead. But employing them has to be done per local, regional and global laws. That point's illustrated in this week's news that Max Schrems and his group None of your business (Nyob) filed complaints with 10,000 sites across the EU alleging their cookie banners are illegal. If the sites don't make the necessary changes within a month, Nyob will file formal complaints with EU privacy authorities.

Schrems is no ordinary guy: His complaints against Facebook sunk Safe Harbor and the Privacy Shield both. Regulators have come to see him as more than a pesky law student seeking to stir up some controversy. His legal arguments thus far have contained merit. Whether this current round of complaints lands on regulators' laps is anyone's guess. But if I relied on a cookie-banner program that skirted the rules, I'd be looking at the Schrems complaint as a warning. While regulators have been slow to issue crushing fines over cookie noncompliance so far, it isn't likely they can look the other way much longer. If there's anything we've learned from Schrems in the last decade, it's that he won't be ignored.

I know I said it in 2012, but, seriously this time: You've got to get your cookie house in order, because the stage is set for 2021 to be a pivotal year. (Darn it. Old habits die hard, I guess.) 

Enjoy reading, and I'll see you next week!

1. Schrems’ group files cookie-banner complaints across 10k EU sites 
   
   Austrian privacy advocate Max Schrems and his privacy group have lodged complaints to 10,000 of the most visited sites in the EU over what it’s calling “cookie banner terror.” Noyb says the sites are intentionally making it difficult for users to opt-out of their online tracking practices and has given them one month to fix default settings so users have a clear “yes or no” option. Otherwise, it will issue formal complaints with EU data protection authorities, BBC News reports. 
   Read Story 

   2. EU privacy watchdog investigating gov’t use of U.S.-based cloud services 

   The European Data Protection Supervisor (EDPS) has opened two investigations into government institutions’ use of U.S.-based cloud services. EDPS Wojciech Wiewiorowski said his office will look at whether European Parliament and the European Commission’s contracts with Amazon and Microsoft Web Services comply with European privacy law, Reuters reports. The investigations come after the Snowden revelations and the subsequent “Schrems rulings,” invalidating two data flow agreements between the EU and the U.S.
   Read Story

   3. EU justice chief says some data-privacy investigations should be expedited 

   The European Commission is strategizing on how to expedite time-sensitive data privacy investigations, Politico reports. EU Justice Commissioner Didier Reynders said the recent Facebook data leak exemplifies cases that are taking “maybe too long,” the report states. Reynders’ statement comes amidst public criticism of EU privacy authorities’ efficacy in enforcing the EU General Data Protection Regulation. Reynders stopped short of calling for reforms to the regulation itself.  
   Read Story 

   4. Colorado aims to pass data privacy bill 

   Colorado lawmakers are pushing a bill that would grant consumers rights over how businesses collect and manage their personal data. SB21-190 unanimously passed the state’s Senate last week, GovTech reports. The bill most closely mirrors the bill Washington tried and failed to pass in its latest legislative session. It includes a requirement for a “global privacy control,” which would allow Colorado consumers to opt-out of data collection at any website they visit, the report states.
   Read Story

   5. EU digital rights groups’ complaints allege Clearview AI violates privacy law

   A group of European digital rights groups has lodged a series of privacy complaints against facial-recognition firm Clearview AI, Fortune reports. The group, which includes privacy activist Max Schrems’ Nyob, say Clearview is violating the EU General Data Protection Regulation’s rules on transparency and purpose limitation. But Clearview AI says it “has never had any contracts with any EU customer and is not currently available to EU customers.”
   Read Story

   6. Court documents indicate Google collected location data after opt-outs

   Business Insider reports that “newly unredacted documents in a lawsuit against Google reveal that the company’s own executives and engineers knew just how difficult the company had made it for smartphone users to keep their location data private.” The documents indicate that even when users turned off location-sharing settings, Google continued to collect the data. The documents are part of the Arizona attorney general’s lawsuit against Google, filed last year.
   Read Story