Today’s Discussion
1. Importance of the EU-US relationship
2. Mobile players and data obligations
3. Proposed EU regulation (GDPR)
4. US-EU/Swiss Safe Harbor Status
5. US developments (including COPPA)
6. Best Practices for both sides of the Atlantic
1. Importance of the EU-US relationship
● The EU & the US are each other’s largest trading partner, forming the world’s largest integrated commercial artery - worth over $5.5 trillion
● The EU & the US are each other’s primary source and destination for foreign direct investment - since 2000, the EU has received over 55% of US investment dollars
● Since 2000, the EU has accounted for over 58% of the income from foreign subsidiaries of US companies.
Source - The Transatlantic Economy 2015
2. Mobile Players & Data Obligations
Publishers
● Typically an advertiser who is interested in monetizing its traffic
● As a data controller or first party, still holds primary responsibility for data protection & privacy compliance
Networks
● Usually classified as a data processor (EU) or third party (US)
● Can be viewed as a data controller if it determines “purpose and means” of data processing (Art. 29 WP opinion 1/2010)
Advertisers
● Classified as a data controller (EU) or a first party (US)
● As a data controller or first party, holds primary responsibility for data protection & privacy compliance
3. Proposed EU Data Protection Regulation
● Trilogue - EU Council, EU Commission & EU Parliament must agree on the final version of the Regulation or “GDPR”
● Trilogue currently in process; hope to have agreement by end 2015.
● Per EU Council, implementation will be 2 years after the final version is set
3. GDPR - Big Issues for the Ad Ecosystem
● Technical identifiers likely categorized as “personal data”
● Affirmative consent and opt out requirements for personal data collection
● Advertisers, publishers and networks would be viewed as data controllers
● “Right to be forgotten”
● Watered down version of “one-stop shop”
● Fines - between 2-5% of global “turnover”
4. Safe Harbor Negotiations…
Is the Safe Harbor still credible after the Snowden revelations suggesting a “back door” between US companies and the NSA?
4. Why do we care about the Safe Harbor?
● The Safe Harbor is the primary means by which companies collect and share data from EU citizens
● Alternatives to Safe Harbor are costly and lengthy
● The Safe Harbor is under review in Europe vs. Facebook - the EU’s largest privacy class action. The EU’s Court of Justice may declare Safe Harbor “inadequate.”
5. US Developments
● FCC* has recovered over $500 million for telco privacy violations
● FTC**, advocacy community unhappy with “Consumer Privacy Bill of Rights.”
● FTC’s right to regulate data security affirmed by Third Circuit (Wyndham)
● FTC continues its investigation into ad practices – cross-device tracking is next (November 2015).
* FCC - Federal Communications Commission
** FTC - Federal Trade Commission
5. Children’s Online Privacy Protection Act (COPPA)
● COPPA requires that you get “verified parental consent” when collecting personal data from kids under 13 for targeting purposes
● COPPA requires an age gate for “mixed audience” sites
● Ad IDs and other persistent identifiers are “personal data” under COPPA
● Attribution and contextual advertising are COPPA exceptions
Advertisers and Publishers are responsible for COPPA compliance on their apps.
Networks are responsible for COPPA compliance only if they have actual knowledge that they are targeting ads to kids under 13.
6. Best Practices for both sides of the Atlantic
● The basics are a must - notice, consent, opt-out, security
● In the EU
○ Consider certification evidencing your compliance (EU)
● In the US
○ Consider participation in an industry framework (US)
○ Make sure you are COPPA compliant. FTC fines are significant because COPPA is a law, not a best practice.
● Doing business in the EU and US?
○ Make sure your data transfers are “adequate” (Safe Harbor, BCR)
6. Additional Resources
Regulatory
Art. 29 Working Party on Smart Mobile Devices: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2013/wp202_en.pdf
Privacy on the Go (CA privacy rules): http://oag.ca.gov/sites/all/files/agweb/pdfs/privacy/privacy_on_the_go.pdf
FTC Marketing Guidelines (US - advertising and privacy): https://www.ftc.gov/tips-advice/business-center/guidance/marketing-your-mobile-app-get-it-right-start
FTC “Start with Security” (US - data security guidelines for mobile apps): https://www.ftc.gov/tips-advice/business-center/guidance/mobile-app-developers-start-security
Industry
FPF-CDT Best Practices (for Mobile App developers): http://www.futureofprivacy.org/best-practices-for-mobile-app-developers/
DAA Mobile Guidelines (behavioral / targeted advertising, OBA): http://www.aboutads.info/DAA_Mobile_Guidance.pdf
NAI Code (1st & 3rd parties engaged in ad delivery): http://www.networkadvertising.org/code-enforcement/code
MMA Advertising Guidelines: http://www.mmaglobal.com/files/mobileadvertising.pdf