Targeted advertising providers obliged to monitor consents and audit Publishers
In June 2023, the French data protection supervisory authority (“CNIL”) imposed a Euro 40 million fine on personalised advertising company Criteo for various GDPR breaches, including failing to take measures to monitor its network of data partners.
Criteo uses tracking technology to collect data from its publisher websites in order to display targeted advertising. Collecting consent is the responsibility of Criteo’s publisher partners, who have the direct relationship with the individuals, and in some cases they placed the Criteo tracker on user devices without consent. The CNIL found that Criteo was obliged to verify, and to be able to demonstrate, that consent had been given, but had taken no measures to do so or to audit its publisher partners.
Criteo has now been forced to change contracts with data partners to include an obligation to provide proof that consent was obtained.
Contact us to see how proactively using Sentrio’s audit tool can support you in fulfilling your obligation to monitor data partners under the GDPR.
EU-US Data Privacy Framework agreed
The revised EU-U.S. Data Privacy Framework has been approved and adopted by the EU Commission. This means that US organizations that self-certify under the Framework will be considered “adequate” for data protection purposes, so no standard contractual clauses or other formalities will be required for data transfers to them from the EU. Key parts of the Framework include changes made to US laws to provide additional guardrails around data access for national security purposes and to give individuals additional rights where their rights may have been breached.
The Framework will be administered and monitored by the US Department of Commerce and enforced by the US Federal Trade Commission.
Although the decision is intended to address the concerns raised by the EU Court in its Schrems II decision of July 2020, international data transfers remain a controversial area of data protection law, and legal challenges can always be expected. However, this is a welcome step which should help to simplify EU-US data flows once organizations start to use it.
The changes to US laws should also mean that, even for transfers to non-participating organizations, where EU standard contractual clauses for data transfers are used, transfer impact assessments should become more straightforward and fewer supplementary measures should be required.
Sentrio currently covers the GDPR, the CCPA in California, and Brazil’s LGPD, to help manage and monitor the compliance of your third-party data providers.
CCPA / CPRA enforcement to start
As of 1 July 2023, the California Privacy Protection Agency and the California Department of Justice can bring enforcement actions under the CPRA amendments to the CCPA.
Although the latest regulations detailing various matters under the CPRA have now been delayed by the courts and will not be enforceable until March 2024, the remainder of the CCPA and previous regulations are not affected.
Among other things, the changes under the CPRA include an obligation to update Privacy Notices to include:
- data collected/sold/shared in the last 12 months, including various new categories; each category should be called out by the name used in the CPRA, plus sources, purposes and recipients;
- new consumer rights, e.g. “do not share my personal data” (with “sharing” referring to disclosure for cross-context behavioral advertising purposes); the right to have personal information corrected; extended access rights; and the right to request limitation of the use of sensitive personal data;
- the length of time personal information is intended to be kept, or how that period is calculated.
Sentrio’s Audit Tool now also covers the CCPA (including the CPRA amendments). Contact us for a demonstration of how Sentrio can be used to audit data providers in support of your compliance activities.