Page 10 - Sheppard Mullin Eye on Privacy 2018 Year in Review
How to Prepare Interest-Based Video Ads for the April 1 Deadline
Posted on January 25, 2018
The Better Business Bureau’s Online Interest-Based Advertising Accountability Program announced that, as of April 1, 2018, it will require interest-based video ads to provide notice and choice to viewers, in compliance with the Digital Advertising Alliance’s self-regulatory principles for interest-based advertising, as we reported in our Advertising blog. As providers of interest-based video ad networks and services gear up for the deadline, there are three core areas to think about. First, the basics: are you engaging in interest-based advertising in the serving of your video ads? Now is the time, in advance of the April 1 date, to have these conversations with your business teams. Second, if the answer is yes, how are users being provided with notice? Is the notice compliant with the DAA Principles? For example, is it up-front? Does it direct users to a location where they can get more detailed information about your activities? Third, how are users being provided with choice? For those who engage in other types of interest-based advertising, these steps will sound familiar. But expanding the conversation with marketing to video advertising may be new.
PUTTING IT INTO PRACTICE: Companies involved with video advertising should start now to evaluate their data collection practices to determine whether they are engaged in interest-based advertising and, if they are, whether they are providing consumers with transparency and choice, as required by the DAA Principles.
CHILDREN’S PRIVACY
Unixiz Settles COPPA Allegations with NJ AG
Posted on August 27, 2018
Unixiz, operator of the i-Dressup site, reached an agreement with the New Jersey Attorney General to settle charges that the company had violated the Children’s Online Privacy Protection Act and New Jersey’s Consumer Fraud Act. The New Jersey AG claimed that Unixiz violated these statutes by collecting information about children without first getting parental consent. The AG’s investigation into Unixiz’s privacy practices began after Unixiz disclosed a data breach in 2016. Users of the i-Dressup site created accounts with the site (and thus established usernames and passwords). In 2016, hackers accessed approximately 2.2 million users’ names and passwords. In response to the breach, the New Jersey AG launched an investigation into the company. The investigation revealed that, in addition to failing to safeguard its users’ information, Unixiz did not get parental consent before collecting children’s personal information, as required under COPPA. Included among its users were 2,519 New Jersey children.
Unusually for a COPPA consent decree, Unixiz is required to shut down the i-Dressup website. If it operates a site again, it has agreed to get verifiable parental consent before collecting personal information from children. It must otherwise follow COPPA, including allowing parents to review the information the website has about their child and revoke their consent for the use and maintenance of that information. Additionally, Unixiz agreed to put in place policies and procedures to protect all users’ information. Finally, Unixiz must pay almost $100,000 in penalties, with two-thirds of that amount being suspended and vacated if the company complies with the other provisions of the order.
PUTTING IT INTO PRACTICE: This case is a reminder that after a data breach, regulators may look not only at a company’s security practices, but also at its privacy compliance practices more generally. Post-breach, companies may thus want to look back at their data collection activities and ensure that they are compliant with data privacy laws.