Privacy Update: COPPA, Shield and Carriers

GDPR and Cambridge Analytica aren't the only privacy stories in town. Elsewhere, US phone companies are in hot water for careless distribution of location data; comScore has been dragged into a Disney privacy suit; and the whole framework of EU-US data transfer is under fire again.


Disney may at present be focused on its $70bn+ upgraded bid for most of Fox, but it's also facing a class action lawsuit from a group of parents in California who say it allowed third parties to embed code that tracked young children who used apps including 'Princess Palace Pets' and 'Where's My Water?', in alleged violation of the COPPA children's privacy act. The case has just been expanded to include two firms known to DRNO readers, comScore and Twitter-owned mobile ad network MoPub.

The suit alleges: 'Unbeknownst to parents and their children, Disney - in partnership with (other) defendants - collects and exfiltrates personal data as users play the Disney gaming apps'. While 'unbeknownst exfiltration' may sound like dastardly behaviour worthy of Disney's baddest villains, the company says it has a 'robust COPPA compliance program... strict data collection and use policies for Disney apps created for children and families', and that 'The complaint is based on a fundamental misunderstanding of COPPA principles'.


Meanwhile, www.natlawreview.com reports that the Privacy Shield arrangements which replaced the EU-US Safe Harbour data agreement in 2016 are in some jeopardy. The Civil Liberties, Justice and Home Affairs Committee of the European Parliament last week passed a Resolution calling on the European Commission to suspend Privacy Shield unless the US 'demonstrates compliance by 1st September 2018'. The Committee says the States 'fails to provide enough data protection for EU citizens'.

The Shield is a mechanism to allow the sharing of EU citizens' personal data with certified US companies, and is reviewed on an annual basis - the last check, in October 2017, said provisions were adequate, but the Committee disagrees, citing in particular the US authorities' failure to ensure that certified companies are monitored for compliance with the principles. The new Resolution calls on the EC to ensure that the framework is compliant with the GDPR.


This week, giant US carriers AT&T and Verizon made assurances about their provision of cellphone location data to third parties, following recent revelations. An investigation by Senator Ron Wyden (D-Oregon) found the data is commonly used by law enforcement agencies wishing to track individuals, without requiring a search warrant; but that third party vendors to whom the data is being sold have not been verifying the legality of uses made before selling it on.

Verizon said that 'When these issues were brought to its attention' it took immediate steps to stop the practice of selling customer data to vendors. Security reporter Brian Krebs revealed in a May blog post that tracking firm LocationSmart leaked customer location data from all the major US mobile carriers - also including Sprint and T-Mobile - without consent. AT&T has also said it has stopped the practice.


Thanks to www.mediapost.com for content in two items above.

All articles 2006-23 written and edited by Mel Crowther and/or Nick Thomas, 2024- by Nick Thomas, unless otherwise stated.