Cookie consent pop-ups among the ICO’s intended topics of discussion at the recent G7 meeting

Cookie consent pop-ups need to be tackled in order to provide more meaningful consent and a better browsing experience, according to the ICO.

At a recent meeting of the data protection authorities of the G7 countries, the ICO chose to raise the topic of cookie consent pop-ups. The ICO notes that members of the public have complained about having to interact with cookie consent pop-ups every time they arrive on a website. More importantly, the ICO believes that these pop-ups, especially when configured awkwardly, tend to lead people to consent to giving away more personal information than they would like. The ICO released a statement earlier this month announcing its intention to bring this topic up at the G7 meeting.

The ICO is of the opinion that currently, cookie consent pop-ups may cause individuals to consent to more use of their personal data than they would have liked.

Cookie consent pop-ups and their requirements have been a topic of conversation for quite some time, not only among the general public online but also among the relevant data protection authorities. We recently published an article discussing best practices for cookie consent pop-ups and banners, as outlined by the Malta DPA. In preparation for the virtual meeting on September 7-8, the ICO expressed interest in discussing this with its fellow G7 data protection and privacy authorities. The Information Commissioner expressed the belief that, in their current form, some cookie consent pop-ups and banners may cause individuals to consent to more access to and use of their personal data than they would have liked.

While the current model is already compliant with data protection law, the ICO believes that the G7 authorities have the power to influence further development.

The ICO has recently announced several intended changes to its data protection model, and cookie consent pop-ups were one of the key points the authority expressed interest in. While the current model is already compliant with data protection law, the ICO believes that the G7 authorities have the power to influence further development. The ICO's vision for the future is one where web browsers, software applications and device settings allow people to set lasting privacy preferences of their choosing, instead of having to do so through pop-ups each time they visit a website. This would allow individuals to be more deliberate in their choices, rather than selecting whatever they feel they need to in order to get past a banner. This approach is already technologically feasible and compliant with data protection law; however, the ICO believes that more can be done to effect change and promote more privacy-oriented solutions.

The current regulations governing cookies are split between the GDPR and the ePrivacy Directive, which together ensure the protection of natural persons with regard to cookie consent pop-ups and banners.

The current regulations governing cookies are split between the GDPR and the ePrivacy Directive. There are several types of cookies, and in most cases users can choose which to allow. For example, a user can choose to allow only the storage of necessary cookies and reject any additional cookies for marketing or preferences. Recital 30 of the GDPR mentions cookies insofar as they can be used to identify individuals, especially given the amount of information about a user that can be stored through them. The ePrivacy Directive is sometimes known as the "cookie law", as it has been instrumental in shaping the current use of cookie consent pop-ups and in ensuring that valid consent is obtained for the use and storage of cookies. The rules regulating cookies are continuously being refined, and cookies themselves continue to evolve, which means that maintaining an up-to-date cookie policy will naturally be an ongoing job.

Does your company want to collect cookies through a website or app? Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR, Law Enforcement Directive and Data Protection Act 2018? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today

Post-Brexit UK to overhaul privacy rules

Post-Brexit UK to overhaul privacy rules in an attempt to increase effectiveness while maintaining adequacy with the EU and other nations. 

The British government is looking to create new privacy rules based on "common sense, not box-ticking". The new privacy rules may move the UK away from the EU data protection regulations, including the GDPR, which has shaped the framework of the post-Brexit UK GDPR. According to the culture secretary, this may put an end to irritating cookie pop-ups and consent requests online. However, the new regime has to satisfy the EU's adequacy requirement, otherwise continued data transfers between the UK and the EU may be affected.

After October, a new Information Commissioner will be appointed to replace Elizabeth Denham.

The culture secretary aims to develop a globally leading data policy that will help businesses and individuals across the UK. The government plans to entrust the daunting task of overseeing this transformation to John Edwards, who will be appointed as the new Information Commissioner. He is currently the Privacy Commissioner of New Zealand and is the UK's preferred choice to replace the current Information Commissioner, Elizabeth Denham, when her tenure ends on October 31st.

Will the new rules help small businesses or result in more trade and investment barriers?   

While cookie consent rules have been widely criticised by industry and users alike, they represent a tiny portion of the current (UK) GDPR framework and are unlikely to be decisive when it comes to mutual adequacy between nations. The bigger picture is the current freedom to transfer data between the UK and the EU/EEA on the basis of the European Commission's adequacy decision, which still gives UK-based tech companies an edge. "Putting that in jeopardy would likely offset any benefits for tech startups in terms of compliance regime simplification," comments Dr Bostjan Makarovic, Aphaia's Managing Partner. "We must also be aware that the UK consumers have gotten accustomed to a high degree of privacy protection, and they hardly see the current UK GDPR as an unnecessary bureaucratic burden."

Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR, Law Enforcement Directive and Data Protection Act 2018? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today

Exposed records caused by misconfigured Power Apps

Millions of exposed records caused by misconfigured Power Apps from Microsoft include health-related data.

Over a thousand misconfigured web apps have resulted in millions of exposed records. An estimated 38 million records were reportedly exposed online. While there is no evidence that the exposed records were accessed by anyone, investigative research uncovered that these records, which included a large amount of sensitive personal data, were readily accessible online.

Researchers discovered that the default settings for Power Apps were making data publicly accessible.

Researchers at an organization known as UpGuard found one misconfigured app while enabling APIs and noticed that the settings defaulted to making the data publicly accessible. Upon further inspection, they discovered that thousands more apps were similarly misconfigured, leaving the personal records of millions of data subjects available online. These records included phone numbers, home addresses, social security numbers and even COVID-19 vaccination status. The misconfiguration affected several large companies and organizations, a testament to the far-reaching consequences of this kind of incident. Although there is no evidence that these records were accessed by unauthorized persons, the incident underlines the importance of verifying that privacy settings are configured as intended, particularly for cloud-hosted apps.

Misconfiguration is a common issue with cloud-based platforms, and many major companies have taken steps to secure privacy.

The exposed data was all stored in Microsoft's PowerApps portal service, a cloud-based development platform that makes it easy to create web or mobile apps for external use. When it comes to cloud-based platforms, misconfiguration is a common issue. Major cloud providers such as Amazon Web Services, Google Cloud Platform and Microsoft Azure have all taken steps to ensure that customers' data is stored privately by default and to flag potential misconfigurations, but until fairly recently the industry as a whole did not necessarily prioritize this issue.

Once Microsoft was informed of the issue of misconfiguration on their platform, they took immediate steps to correct it, and to alter their default settings.

Researchers at UpGuard, the organization that discovered the misconfigured settings, took action immediately. UpGuard assessed the extent of the exposures and notified as many affected organizations as possible. Given the sheer reach of the problem, the researchers could not get to every entity, so they also disclosed the findings to Microsoft. After being informed of the issue, Microsoft promptly took steps to correct it. Earlier this month, Microsoft announced that Power Apps portals will now default to storing API data and other information privately. The company has also released a tool that customers can use to check their own portal settings.

Does your company utilize or offer cloud based storage? Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR, Law Enforcement Directive and Data Protection Act 2018? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today

Halifax-based company fined by the ICO

A Halifax-based company fined by the ICO was found to have been making unlawful pension calls. 

A Halifax-based company, Parker Beach LTD (PBL), has been fined a total of £50,000 by the ICO for unlawful cold calls regarding pensions, according to this report from the ICO. The ICO's investigation revealed that the company, which operates under the trading name "Your Pension Options", made calls to people regarding their pensions, looking to arrange an introduction to an advisor. These calls were unauthorized and resulted in 16 complaints to the ICO. The company has admitted to making over 96 thousand calls. Pension cold calling was banned in 2019, specifically to protect vulnerable pensioners and their retirement funds, as cold calls are one of the more common ways of defrauding people out of pension and retirement funds.

Pension calls have been outlawed since 2019, and are only allowed under very few, specific conditions. 

Pension calls are outlawed unless certain conditions apply. If the caller is authorized by the Financial Conduct Authority (FCA), or is the trustee or manager of an occupational or personal pension scheme, or if the recipient has an existing relationship with the caller and has consented to calls, the calls are considered lawful. This stance was taken in 2019, making it illegal for companies to make nuisance cold calls to people regarding pension schemes. The ICO's Head of Investigations, Andy Curry, has stated that cold calls have been a common tool in fraud, and that for this reason tough action will be taken against companies that use this kind of marketing. He said in a statement, "Companies are responsible for knowing the law and following it. We have a range of powers and enforcement action which we can and will take on behalf of the public to put a stop to the activities of unscrupulous companies."

The ICO fined the company and issued an enforcement notice ordering them to make no further calls. 

In its investigation, the ICO uncovered that PBL sourced the data for its calls from a third-party supplier that had itself obtained the data from various websites. Signing up on those sites required users to agree to possible marketing from an extensive list of organizations across various sectors. It did not appear possible for users to select which, if any, of these organizations they would like their details forwarded to, or from which they would like to receive marketing material. This means that PBL did not obtain clear, informed consent. As a result, the company was hit with a fine of £50,000 and an enforcement notice ordering it to stop making further calls. Under the Privacy and Electronic Communications Regulations (PECR), the ICO can issue fines of up to £500,000.

Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR, Law Enforcement Directive and Data Protection Act 2018? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today