When GDPR came into force in 2018 it was inevitable that cookies would become the target of privacy campaigners. Sure enough, on August 14 the first shots in what is likely to be a long battle were fired.
What is surprising, though, is where and at what they were shot. Salesforce was the first company cited in a class action suit filed in the Netherlands. With its focus on sales and marketing, that's not unexpected. The other company is Oracle.
The case was filed by an organization called the Privacy Collective, based in the Netherlands and the UK, and aims to stop large corporations from selling personal data and information about online behavior to other companies through real-time auctions without users' knowledge.
Rebecca Rumbul, in a paper on the Privacy Collective website, writes that the class actions concern the use of third-party ad-tech tracking cookies (Oracle's BlueKai and Salesforce's Krux), the "real-time bidding" processes used to target advertisements to individual users, and the implications for personal data.
The figures that are being mentioned are staggering. According to Rumbul, the combined claims could exceed $11 billion, as millions of people have these tracking cookies on their systems and most have no idea where their data is going and who is tracking their online behavior.
“Those annoying ‘Accept All’ cookie pop ups you get on every website these days are supposed to enable you to consent to the use of your personal data and the placing of cookies on your system, but do you really know what they are doing?” she wrote.
Other companies could be targeted later. Christiaan Alberdingk Thijm, the Privacy Collective's lawyer, explained that they consciously chose two lesser-known parties in the technology market. Facebook and Google, he said, are already under fire from various authorities and private individuals. "But these large, listed tech groups [Salesforce and Oracle] are also very active in the data trade," he said.
The funding for the action comes from Innsworth, a British litigation funder specializing in advancing these types of proceedings. Innsworth is owned by the well-known American hedge fund Elliott.
Dorian Daley, Oracle executive vice president and general counsel, cited in TechCrunch, said: “The Privacy Collective knowingly filed a meritless action based on deliberate misrepresentations of the facts. As Oracle previously informed the Privacy Collective, Oracle has no direct role in the real-time bidding process (RTB), has a minimal data footprint in the EU, and has a comprehensive GDPR compliance program.”
Salesforce, in a statement also reported by TechCrunch, said it, too, believes the claims are without merit: "Salesforce disagrees with the allegations and intends to demonstrate they are without merit. Our comprehensive privacy program provides tools to help our customers preserve the privacy rights of their own customers."
It is unclear when a ruling will be handed down; there is a long way to go, and the Privacy Collective believes it could be the middle of next year before any decisions are made.
Apple to Restrict Ad Tracking
There is likely to be a lot more talk about tracking in the coming weeks after Cupertino, Calif.-based Apple announced that its forthcoming operating system for iPhones and iPads (iOS 14) will require apps to show a pop-up prompt before they can access the device's advertising identifier (IDFA), the form of tracking used to show personalized ads. Needless to say, neither Facebook nor Google is happy, as they are the two largest of the thousands of companies that track online consumers to pick up on their habits and interests and serve them relevant ads.
According to Facebook, the new rules could reduce what apps can earn by advertising through Facebook’s audience network. Facebook said it expects less impact on its own advertising revenue than on the ad-supported businesses that rely on its audience network to promote their apps.
Apple, for its part, has said the new feature is aimed at giving users greater transparency over how their information is being used. The company also indicated that it will bolster a free Apple-made tool (SKAdNetwork) that uses anonymous aggregated data to measure whether advertising campaigns are working or not.
Facebook is also urging a wider discussion around the issue, saying that unilateral moves help no one. “We believe that industry consultation is critical for changes to platform policies, as these updates have a far-reaching impact on the developer ecosystem,” the company said in a statement. “We’re encouraged by conversations and efforts already taking place in the industry — including within the World Wide Web Consortium (W3C) and the recently announced Partnership for Responsible Addressable Media (PRAM)."
Cybersecurity Driven by Digital Transformation
Another area of data use and security that has been in the spotlight in recent months is the security of remote work, and it is likely to become more important as the year progresses and more workers are sent home. Given the level of digital transformation over the course of the COVID-19 pandemic, cybersecurity has been mentioned often, but the impact has been difficult to quantify.
To address that, Microsoft interviewed 800 business leaders of companies of more than 500 employees in India, Germany, the United Kingdom and the United States to understand their views on the pandemic threat landscape, implications for budgets and staffing and how they feel the pandemic could reshape cybersecurity long term.
The research showed a spike in COVID-19-themed attacks in early March as cybercriminals applied pandemic-themed lures to known scams and malware. Phishing was found to be the biggest risk to security, with 90% of respondents indicating that phishing attacks had hit their organization.
More than half of those surveyed said clicking on phishing emails was the highest-risk behavior they observed, while 28% admitted that attackers had successfully phished their users. More importantly, successful phishing attacks were reported in significantly higher numbers by organizations that described their resources as mostly on-premises (36%) than by those that were more cloud-based. It is no surprise, then, that providing secure remote access to resources, apps and data is the biggest challenge reported by security leaders. The research also identified five long-term impacts of COVID-19:
- Security has proven to be the foundation for digital empathy in a remote workforce during the pandemic.
- "Zero Trust" security shifted from an option to a business priority in the early days of the pandemic.
- The pandemic illustrated the power and scale of the cloud as Microsoft tracked more than 8 trillion daily threat signals.
- Cyber resilience is fundamental to business operations.
- The cloud is a security imperative.
The bottom line is that digital transformation has reached every part of the workplace, including security. The survey gives some idea of how far the pandemic-driven changes reach into enterprise IT and which areas are most affected; how lasting those changes will be is less clear.
Can You Buy Medical Files Despite HIPAA?
Given that the health care industry suffers more insider breaches than any other industry, researchers from Florida Atlantic University, Baylor University and the State University of New York at Buffalo took a look at the role that monetary incentives play in violations of regulations and privacy laws.
The study, which was based on 523 students in an undergraduate information technology course, set out to identify the role that money plays in violating the Health Insurance Portability and Accountability Act's (HIPAA) regulations and privacy laws.
As part of the study, researchers developed five scenarios to determine if monetary incentives could be used to influence subjects to illegally obtain health care information. They also looked at the likelihood of participants releasing that information to individuals and media outlets. The subjects were also asked about the probability of getting caught for violating HIPAA laws.
The results should act as a warning to enterprise leaders about the problems created by insider threats. The results, which were published in the Journal of Medical Internet Research, indicated that a large percentage of participants could be incentivized to violate HIPAA laws. They showed that:
- In the nursing scenario, 45.9% (240/523) of the participants indicated that there is a price, ranging from $1,000 to over $10 million to violate HIPAA laws.
- In the doctors’ scenario, 35.4% (185/523) said the price to violate the laws ranges from $1,000 to over $10 million.
- In the insurance agent scenario, 45.1% (236/523) of the participants indicated that there is a price, ranging from $1,000 to $10 million.
Overall, the main finding is that individuals who believed there was a high probability of being caught were less likely to release private information. The study also showed that the larger the financial reward, the more participants agreed to violate HIPAA, in all five scenarios. According to the researchers, the key to reducing noncompliance is training programs that encourage HIPAA compliance.
EU Companies Face GDPR Fines, Too
Finally, for American executives who are under the impression that GDPR is designed to hinder U.S. companies operating in Europe, a quick look at some recent research from Finbold shows that European companies are also being brought to task over their use of customers' personal data.
UK-based Finbold, or Finance in Bold, analyzes financial news and its impact on businesses and individuals. Using data from the GDPR Enforcement Tracker fines database, it studied the fines and penalties that data protection authorities have imposed in the EU and found that:
- Italy received the highest number of fines (13), accumulating €45,609,000 since GDPR was introduced.
- Sweden was in second place, with €7,031,800 from four official fines.
- Followed by the Netherlands, with three fines totaling €2,080,000.
- Belgium accumulated only €717,000 in fines, even though it had a relatively high number of them (7).
- The bottom of the table was Ireland, with €115,000 and four fines.
The fines totaled €60,181,250 in 2020, and the most common violation was an insufficient legal basis for data processing.