BBB National Programs Insights

Our recent Chocolate decision may seem complicated; it actually serves as an illustration of some very basic responsibilities from the DAA Principles. Collectively, companies’ responsibilities under the Principles all flow from two simple ideas. First, consumers need to know when interest-based advertising (IBA) happens on websites and mobile apps. Second, they should be able to opt out of it if they want to.

Re-certification is the process by which you annually re-affirm to DOC your Privacy Shield self-certification. Your annual Privacy Shield re-certification is essentially a process of re-approval, much the same as the initial process of becoming approved under Privacy Shield. The required steps are almost identical to those you went through to secure initial approval of your Privacy Shield self-certification, including verifying that DOC has copies of your most up-to-date disclosures and policies. After submission, your account receives a thorough review by a Privacy Shield team member.

Most Americans are unsure about how their personal data is collected, used, and shared (collectively, processed) by companies, and desire government-mandated protections to ensure they are not harmed by this activity. In the absence of federal consumer privacy legislation, the California State Legislature has stepped in to protect its residents’ privacy. The California Consumer Privacy Act (CCPA) empowers state residents to learn more about how companies process their personal data, demand that companies delete their data, and prohibit companies from selling their data.

On October 10, 2019 the California Attorney General released the long-awaited draft regulations under the California Consumer Protection Act (CCPA). CCPA goes into effect on January 1, 2020. The draft regulations interpret and clarify the CCPA. Among these clarifications are detailed descriptions of the requirements of the privacy notices that should be provided to California consumers.

Processing of personal data takes many forms. At times, the entire point of the service that a business provides requires the business to process its customers’ personal data. If someone orders a pair of shoes online, the business must receive and process the person’s physical address in order to complete the delivery. Thus, for the purpose of order fulfillment, the collection and processing (and perhaps even sharing with shipping providers) of the person’s physical address is necessary. Perhaps in a soft sense of “consent,” such a transaction involves the consent of the consumer.

You may have heard that the United Kingdom is expected to exit the European Union soon in a process that many are calling “Brexit.” (For background, this article offers a no-frills Brexit explainer.) The Brexit process continues to be politically contentious, and, though the U.K. is scheduled to leave the EU on March 29, 2019, it is not yet certain whether or not this will happen by that date, either partially or fully.

As of May 25, 2018, the EU’s General Data Protection Regulation (GDPR) is in full force. Over the past few months, we have seen companies around the world ramping up their data privacy efforts to meet the requirements of this important regulation. In the United States these efforts are often coupled with curiosity about how GDPR relates to the EU-US Privacy Shield agreement. From companies that already participate in Privacy Shield to those that are looking to add participation as part of their compliance efforts, many have questions about how Privacy Shield relates to their GDPR compliance obligations.

Many of today’s tech-savvy children know that you must be at least 13 years old to use certain websites or mobile apps. This begs the question, is there a point to online age screening at all? The Federal Trade Commission (FTC) is asking the same thing in its recent review of the regulations for the Children’s Online Privacy Protection Act (COPPA). In its last review in 2013, the FTC added a new category to the definition of “an online service directed to children” that allows operators that do not target children as their primary audience to age-screen and only comply with notice and consent requirements for users under 13. COPPA does not tell operators how to age-screen but does provide guidance in its publication, “Complying with COPPA: Frequently Asked Questions.” In the current review, the FTC asks whether the Rule should be more specific about the appropriate methods for determining the age of users.

The report is a result of the Annual Review that was conducted by the United States government, the European Commission, and the EU data protection authorities in Brussels on October 18 and 19, 2018. The primary objectives of the joint review were to monitor the current U.S. administration’s work on, and industry’s compliance with, the Privacy Shield, and to influence the privacy discussion in the United States. The report’s findings were also influenced by surveys that the Commission sent to U.S. trade associations and advocacy groups.

The first full year of the new Privacy Shield Frameworks was a success for the BBB EU Privacy Shield (BBB EUPS) program, its participants, and EU consumers alike. Reflecting on the progress we have made, and looking forward to the future, we have collected some of the significant developments and accomplishments in this year-in-review blog post.