A Digital Advertising Primer on Preparing for the Post-Cookie World: Part Two

Part I: What Are Third-Party Cookies and Why They Are Important


Privacy Laws And Third-Party Cookies

Welcome to our second installment in our five-part series preparing you for the post-cookie world. In our first post, we provided a deep dive into cookies for a baseline understanding of the technology and why the phase-out of third-party cookies in particular is so relevant to every player in the adtech ecosystem. In this post, we survey the current privacy legal landscape regulating the use of third-party cookies to collect, track, and share personal information.

The proliferation of European and U.S. state privacy laws and regulations over the last several years has directly impacted companies’ ability to leverage third-party cookies for digital advertising and is one of the main drivers behind the phase-out of the third-party cookie.


AdTech: Regulation, Compliance and Where We are Heading

Partners Fernando Bohorquez, Gerald Ferguson, Linda Goldstein and Jeewon Serrato, and Associate Justin Yedor served as panelists in a recent article published in the January 2022 issue of Financier Worldwide. In the article, they offer insights regarding key advertising technology regulation and compliance trends, including recent digital advertising efforts, benefits and insights, and current regulatory scrutiny.


The Impact of Data Security Incident Trends on Commercial Transactions: Part III – Vendor Agreement Resolutions for 2022

As the BakerHostetler Digital Risk Advisory and Cybersecurity team wraps up the 2022 edition of its annual Data Security Incident Response (DSIR) Report, we take one last look at the findings in the 2021 edition of the report to prepare a data privacy and security attorney’s New Year’s resolutions for vendor contracts.

In our first post, we reviewed the impact of these data security trends on M&A. In our second post, we reviewed the impact of these data security trends on commercial transactions. Now we will wrap up this series with an in-depth look at the impact on vendor agreements.


Why Everyone Is Talking About a Rarely Invoked Rule – the FTC’s Health Breach Notification Rule

Back in September, the Federal Trade Commission (FTC) issued (by a 3-2 vote) a policy statement (the Statement) regarding the oft-forgotten Health Breach Notification Rule (the Rule). I was at the FTC when the Statement was released and have since joined BakerHostetler. Around the time I joined BakerHostetler, my new colleague Melissa Hewitt published an informative blog about the Statement and what it could mean for non-HIPAA covered health apps. Now that the dust has settled, we thought it would be a good time to do a deeper dive into the Rule and provide some food for thought regarding compliance with it.

Reporting Cyberattacks: Challenges for US Government Defense Contractors

A report published by the U.S. Government Accountability Office (GAO) on Dec. 8, 2021, highlights the complexity surrounding cybersecurity compliance for the Department of Defense (DOD) and its contractors. The GAO’s report recommended that the DOD improve its communication to industry, develop a plan to evaluate a pilot program, and develop outcome-oriented performance measures. This may also be an opportunity for DOD to simplify other defense industry cybersecurity compliance challenges, such as incident reporting.

CMMC Update

The GAO report focused on the DOD’s Cybersecurity Maturity Model Certification (CMMC), which is designed to address concerns about contractor protection of sensitive information. After unveiling the CMMC in January 2020 and considering a number of comments from the public — including one official comment from the U.S. Small Business Administration that small businesses may find it difficult to navigate the complex requirements of the CMMC — the DOD streamlined the framework on Nov. 4, 2021. Most significantly, the DOD reduced the number of certification levels in the CMMC from five to three.


US Facial Recognition Firm Ordered to Stop Processing UK and Australian Data and Pay Fine Over Privacy Law Violations

ICO and OAIC Find ‘Serious Breaches’ of Privacy Law

On Nov. 29, 2021, the U.K. Information Commissioner’s Office (ICO) announced a provisional intent to fine Clearview AI over £17 million, alleging several privacy violations related to the company’s use of “scraped” data and biometrics of individuals. More significantly, the provisional order would require the company to stop processing personal data of people from the U.K. and to delete the data collected from U.K. individuals. The ICO’s notice follows a similar announcement that was made by Australia’s Information Commissioner earlier in the month ordering Clearview to cease collecting facial images and biometric templates from individuals in Australia and to destroy existing images and templates collected from Australians. We provide some key takeaways for companies that are building and testing facial recognition and artificial intelligence tools.

In announcing the resolution of a joint investigation with the Office of the Australian Information Commissioner (OAIC), the ICO alleged several privacy violations, including:

  • Failing to process personal data fairly and in a way that people in the U.K. would expect.
  • Failing to implement a process to ensure data is not retained indefinitely.
  • Failing to rely on an appropriate legal basis.
  • Failing to treat biometric data with the sensitivity required of “special categories” data under the EU’s General Data Protection Regulation (GDPR)/U.K. GDPR.
  • Failing to provide appropriate notice.
  • Asking for additional information—in particular photos—from individuals wishing to exercise their rights, which the ICO argues could deter individuals from exercising their rights.


Federal Banking Regulators Issue 36-Hour Computer-Security Incident Notification Requirement

As the federal government continues its whole-of-government response to cyber incidents, federal banking regulators took action to impose a new notice requirement on federally regulated banks. In November, the Federal Deposit Insurance Corporation (FDIC), the Office of the Comptroller of the Currency (OCC) and the Federal Reserve Board of Governors (“Board”) jointly issued a final rule that requires a federally regulated bank to notify its primary federal regulator within 36 hours after determining that a computer-security “notification incident” has occurred. We provide below a summary of the new notice requirement, which will apply to banking organizations and service providers starting in April 2022.

When does this final rule take effect?

The final rule takes effect on April 1, 2022, with full compliance extended to May 1, 2022. Regulators should provide supervised institutions logistics for notification in early 2022.[1]


A Digital Advertising Primer on Preparing for the Post-Cookie World: Part One

Editor’s Note: This blog post was originally published in September 2021, courtesy of the Association of National Advertisers. It is repurposed with permission.

— PART I —

Overview of the Five-Part Series

In a time of constant change in digital advertising, there is one consistent question that persists in advertisers’ minds: What do we do after third-party cookies are gone? The digital marketing ecosystem was built on the ability to track and target consumers as they surf across websites, apps, and online platforms. This is facilitated by third-party cookies – the small digital files that websites download to a user’s device to help identify the user as they interact with a website and traverse the Internet. In two years, the third-party cookie will likely be obsolete, and with it, the third-party consumer behavior-based digital advertising model that relies on it.

Due to a confluence of new data privacy laws and advertising technology standards, the cookie, specifically the third-party cookie, is scheduled to be phased out by the end of 2023. The questions advertisers are correctly asking themselves now are: What will replace the third-party cookie, and how should they best position themselves to market brands in the post-third-party cookie world? The good news is that alternative data solutions are already being developed, and the picture of what the digital advertising post-“cookie-pocalypse” landscape may look like is starting to come into focus.


Welcome Brian Craig to the Digital Assets and Data Management Group

Please join me in welcoming Counsel Brian Craig to the Digital Assets and Data Management Group. Brian is located in our Washington, D.C. office and is a member of the Digital Risk Advisory and Cybersecurity (DRAC) Team.

Brian has deep experience in guiding clients with federal government contracts considerations through cybersecurity matters. Cyber incidents for federal contractors involve short-fuse government notifications. He brings years of experience at big primes like Lockheed Martin to the table, and he can also proactively address cybersecurity compliance concerns, which are more complex as the Cybersecurity Maturity Model Certification continues its evolution.


Is China’s Personal Information Protection Law Contributing to the Global Supply Chain Snafu?

Less than a month after China’s Personal Information Protection Law (PIPL) took effect, ships in Chinese waters began disappearing from industry tracking systems.

While the PIPL governs the collection and cross-border transfer of personal information, which is broadly defined as information related to an identified or identifiable natural person that is recorded electronically or by other means, there is no reference to shipping data within the provisions of the PIPL, nor is shipping data included in the definition of personal information. Nevertheless, some domestic providers in China have reportedly ceased providing information to foreign companies, ostensibly because of the PIPL.
