HackerTrans
TopNewTrendsCommentsPastAskShowJobs

privacylawthrow

no profile record

comments

privacylawthrow
·3 years ago·discuss
This is factually incorrect. The "Cookie Directive" wasn't from 2003, it was an amendment to the ePrivacy Directive. The ePrivacy Directive came into effect in 2002, and it was amendend in 2009. That amendment is what people generally call the "Cookie Directive" because it required consent for storage of information on end user devices.

It did not specify cookies, and did not actually specify any technical means. The ePrivacy Directive requires that companies get consent from users before storing information or gaining access to information stored on end user devices. This includes every kind of cookie you can think of, including LocalStorage. There is an exception for cookies necessary for the service requested, which typically includes things like auth cookies or shopping cart cookies, so long as that data is not used for anything else.
privacylawthrow
·3 years ago·discuss
This is not true. The national implementation of the ePrivacy Directive are still law. You are correct that GDPR does not require cookie banners, but the law that does was not replaced by GDPR and remains in effect.
privacylawthrow
·3 years ago·discuss
The FTC has been begging the complain-for-profit sector to give it a formal path to regulate AI. The FTC's only enforcement hook in this area is that it can take action against companies that have unfair or deceptive trade practices. This is how the FTC began regulating privacy and security in the US, and it's been waiting to use it for AI.

It comes as no surprise that this complaint is from Mark Rotenberg, former head of EPIC. He's very well aware of the boundaries of the FTC's power, and this complaint effectively serves as a letter to the FTC from an expert about how the FTC can position itself to begin regulating AI.
privacylawthrow
·4 years ago·discuss
It's very much how most privacy laws work.

According to Revue's platform privacy policy[0], Revue processes subscriber emails as a data processor. Each newsletter publisher owns the email addresses of their respective audiences. Revue would have a legal obligation to make those email addresses available to the newsletter publishers until the shutdown date.

[0]: https://www.getrevue.co/privacy/platform?locale=en
privacylawthrow
·4 years ago·discuss
You asked the wrong lawyers, at least for the US. The FTC's case against Sears in 2009 made it clear that consent to a privacy notice isn't valid if the privacy notice is buried deep in a licensing agreement, even if the notice is correct.
privacylawthrow
·4 years ago·discuss
No. You need consent to store data on an end user's machine, regardless of whether you later track that data or not, unless such storage is strictly necessary for the operation of service explicitly requested by the user.
privacylawthrow
·4 years ago·discuss
You're wrong. The ePrivacy Directive does require that a website get consent before storing information on the end-user's device. Prior to GDPR, the local country implementations of the ePD allowed for implicit consent in some EU countries, and opt-out consent in other EU countries. GDPR redefined what constitutes legitimate consent to process personal data. Consent that was previously valid under the ePD was no longer valid under GDPR, which is why GDPR is about cookies, and every other processing of personal data.
privacylawthrow
·4 years ago·discuss
I'm a privacy lawyer that has worked on cookie consents for a number of commercial websites. Everything you said here is all too true. The real legal answer in a lot of cases is "Do what everyone else is doing. Don't be an outlier. Use industry tools because if there's a problem with an industry tool, they'll go after the tool and not its users."

The comments about cookies not being part of GDPR are grossly wrong. One of the early discussions in the privacy law community was how to handle the collision of the new consent requirements under GDPR with the fact that the ePrivacy Directive requires consent for cookies. Prior to GDPR, a large number of EU jurisdictions allowed for implicit consent through a variety of actions, like scrolling a page, or non-actions, like seeing a banner and not clicking "no". GDPR redefined consent and that's why cookie banners pop up.