Privacy nutrition label

Opt-Out Icons and Apple Privacy Labels: The Visual Privacy Policy

Image Credit: FDA Nutrition Label, modified by Metaverse Law

The growing frequency and severity of privacy incidents within the past decade—the Facebook-Cambridge Analytica data scandal and Equifax data breach, to name just a few—has made consumer privacy a topic of public attention and concern.

In response to consumers’ increased wariness regarding their private data, some companies are trying to use privacy labels and icons to signal a commitment to privacy protection. The ultimate goal is to make privacy more accessible, transparent, and understandable.

This article reviews the history and current trends around privacy icons and labels.

Privacy Visuals Part I: Icons

In 2010, the Digital Advertising Alliance (DAA) rolled out its “YourAdChoices” icon – a clickable blue triangular icon found on ads. This was one of the first privacy icons available. The DAA developed this icon in response to speculated federal regulation in the advertising industry.

Digital Advertising Alliance (DAA) YourAdChoices icon, appears as blue outlined triangle with inset letter 'i'
YourAdChoices icon. Image taken from https://digitaladvertisingalliance.org/.

To address Congressional inquiries into consumer privacy (and any possible resulting legislative efforts), the DAA formed a self-regulatory program with a set of privacy principles for participating companies and developed the YourAdChoices icon. Participating companies can voluntarily elect to place this symbol on their advertisements. By its nature, the DAA self-regulatory program and use of the YourAdChoices icon is not enforced by law. However, the DAA enforces the program by offering a consumer complaint process, public investigation procedure, and if necessary, escalation to a government agency, which happened in the case of SunTrust Bank in 2014.

Typically, the YourAdChoices icon is placed on cross-context behavioral ads—that is, ads targeted to consumers based on a profile of that consumer’s characteristics, preferences, and internet activity. If a browsing consumer views an ad that was targeted to them, they can click the YourAdChoices icon next to the ad to control whether ads should be personalized to them while browsing and to learn why that certain ad was displayed to them.

When the California Consumer Privacy Act (CCPA) came into effect in 2020, it created new privacy requirements for over 500,000 business nationwide . One of the requirements is to prominently display a “Do Not Sell My Personal Information” link on a business’ homepage, if a business is subject to CCPA, and “sells” or discloses a consumer’s personal information for valuable consideration. If a consumer submits a request through the link, the business must allow consumers to opt-out of the sale of that consumer’s personal information.

In response to this new requirement, the DAA designed a green version of the YourAdChoices icon for CCPA use. This is called the Privacy Rights Icon.

Digital Advertising Alliance (DAA) Privacy Rights icon, appears as green outlined triangle with inset letter 'i'
Privacy Rights icon. Image taken from https://digitaladvertisingalliance.org/.

When implemented correctly by participating companies, the green Privacy Rights icon brings consumers to www.privacyrights.info, a website set up by the DAA to help centralize and facilitate “Do Not Sell” requests across all participating companies.

While the two DAA icons above are forms of industry self-regulation, the California Office of the Attorney General (OAG) has also designed a “Do Not Sell” button to accompany the Do Not Sell link.

Continue Reading Opt-Out Icons and Apple Privacy Labels: The Visual Privacy Policy
Cell phone with image of lock on the screen.

Reasonable Security: Implementing Appropriate Safeguards in the Remote Workplace

Photo by Franck on Unsplash

In 2020, with large portions of the global workforce abruptly sent home indefinitely, IT departments nationwide scurried to equip workers of unprepared companies to work remotely.

This presented an issue. Many businesses, particularly small businesses, barely have the minimum network defenses set up to prevent hacks and attacks in the centralized office. When suddenly everyone must become their own IT manager at home, there are even greater variances between secure practices, enforcement, and accountability.

“Reasonable Security” Requirements under CCPA/CPRA and Other Laws

Under the California Consumer Privacy Act (CCPA), the implementation of “reasonable security” is a defense against a consumer’s private right of action to sue for data breach. A consumer who suffers an unauthorized exfiltration, theft, or disclosure of personal information can only seek redress if (1) the personal information was not encrypted or redacted, or (2) the business otherwise failed its duty to implement reasonable security. See Cal. Civ. Code § 1798.150.

Theoretically, this means that a business that has implemented security measures—but nevertheless suffers a breach—may be insulated from liability if the security measures could be considered reasonable measures to protect data. Therefore, while reasonable security is not technically an affirmative obligation under the CCPA, the reduced risk of consumer liability made reasonable security a de facto requirement.

However, under the recently passed California Privacy Rights Act (CPRA), the implementation of reasonable security is now an affirmative obligation. Under revised Cal. Civ. Code § 1798.100, any business that collects a consumer’s personal information shall implement reasonable security procedures and practices to protect personal information. See our CPRA unofficial redlines.

Continue Reading Reasonable Security: Implementing Appropriate Safeguards in the Remote Workplace
person entering emoticons in smartphone.

Facebook, Patents, and Privacy: Social Media Innovations to Mine Personal Data

[©2016. Published in GPSOLO, Vol. 37, No. 5, September/October 2020, by the American Bar Association. Reproduced with permission. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or stored in an electronic database or retrieval system without the express written consent of the American Bar Association or the copyright holder]

* Updated November 25 to include references to CPRA/ Prop24.

The episode “Nosedive” of the television series Black Mirror envisions a society built on social credit scores. In this dystopia, all social media networks have converged into one platform—think Facebook, TikTok, Yelp, and Equifax combined.

This umbrella social platform allows users to rate each other on a five-point scale after each social interaction. Those with a high score gain access to job opportunities, favorable zip codes, and even high-status relationships. Those with a low score have the social ladder kicked out from under them, leading to a downward cycle of estrangement—and in the case of Black Mirror’s protagonist, jail time.

While the society in “Nosedive” seems far-fetched, is the technology behind it plausible?

Facebook Patents That Impact Privacy

According to Facebook’s patents, the answer is a resounding “yes.”

In a series of filings spanning almost a decade, Facebook has obtained several patents that allow social media platforms to track, identify, and classify individuals in new and innovative ways. Below are just few.

Tracking individuals via dust. U.S. Patent No. 9485423B2, “associating cameras with users and objects in a social networking system” (filed September 16, 2010, patented June 25, 2013), allows social media networks to identify an individual’s friends and relationships by correlating users across the same camera. To do so, an algorithm analyzes the metadata of a photo to find a camera’s “signature.”

Continue Reading Facebook, Patents, and Privacy: Social Media Innovations to Mine Personal Data
PCI Expert Summer Virtual Event on November 5, 2020. Hosted by RSI.

Metaverse Law to Speak at PCI Expert Summit

Metaverse Law will be speaking at the PCI Expert Summit hosted by RSI Security.

This year, the annual PCI Expert Summit event is an online/virtual all-day conference on Thursday, November 5, 2020, from 9:00am to 5:00pm PST. The agenda includes panels with PCI experts in addition to breakout sessions on specialized topics, such as incident and data breach response. Continuing Professional Education (CPE) credits are available.

Register at https://www.rsisecurity.com/pciexpertsummit/.

WSJPro Cybersecurity Symposium

Metaverse Law to Speak at WSJ Cybersecurity Symposium

Metaverse Law will be one of the speakers at the Wall Street Journal’s Cybersecurity Symposium and will focus on the applicable laws and regulations per business type.

It is a two day event in San Diego, CA from Thursday, January 9 to Friday January 10, 2020. The agenda for both days includes breakfast and registration, several speakers, networking breaks, lunch, a cocktail reception on the ninth, and a cybersecurity strategy development bootcamp on the tenth.

A detailed itinerary as well as registration details can be found at https://cybersecurity.wsj.com/symposium/san-diego/#schedule

1 2