privacylawthrow's comments

privacylawthrow | 2 years ago | on: NZ’s biggest data breach shows retention is the sleeping giant of data security

This is factually incorrect. The "Cookie Directive" wasn't from 2003, it was an amendment to the ePrivacy Directive. The ePrivacy Directive came into effect in 2002, and it was amended in 2009. That amendment is what people generally call the "Cookie Directive" because it required consent for storage of information on end user devices.

It did not specify cookies, and did not actually specify any technical means. The ePrivacy Directive requires that companies get consent from users before storing information or gaining access to information stored on end user devices. This includes every kind of cookie you can think of, including LocalStorage. There is an exception for cookies necessary for the service requested, which typically includes things like auth cookies or shopping cart cookies, so long as that data is not used for anything else.

privacylawthrow | 3 years ago | on: OpenAI faces complaint to FTC that seeks suspension of ChatGPT releases

The FTC has been begging the complain-for-profit sector to give it a formal path to regulate AI. The FTC's only enforcement hook in this area is that it can take action against companies that have unfair or deceptive trade practices. This is how the FTC began regulating privacy and security in the US, and it's been waiting to use it for AI.

It comes as no surprise that this complaint is from Mark Rotenberg, former head of EPIC. He's very well aware of the boundaries of the FTC's power, and this complaint effectively serves as a letter to the FTC from an expert about how the FTC can position itself to begin regulating AI.

privacylawthrow | 4 years ago | on: Automating cookie consent and GDPR violation detection

You're wrong. The ePrivacy Directive does require that a website get consent before storing information on the end-user's device. Prior to GDPR, the local country implementations of the ePD allowed for implicit consent in some EU countries, and opt-out consent in other EU countries. GDPR redefined what constitutes legitimate consent to process personal data. Consent that was previously valid under the ePD was no longer valid under GDPR, which is why GDPR is about cookies, and every other processing of personal data.

privacylawthrow | 4 years ago | on: Automating cookie consent and GDPR violation detection

I'm a privacy lawyer that has worked on cookie consents for a number of commercial websites. Everything you said here is all too true. The real legal answer in a lot of cases is "Do what everyone else is doing. Don't be an outlier. Use industry tools because if there's a problem with an industry tool, they'll go after the tool and not its users."

The comments about cookies not being part of GDPR are grossly wrong. One of the early discussions in the privacy law community was how to handle the collision of the new consent requirements under GDPR with the fact that the ePrivacy Directive requires consent for cookies. Prior to GDPR, a large number of EU jurisdictions allowed for implicit consent through a variety of actions, like scrolling a page, or non-actions, like seeing a banner and not clicking "no". GDPR redefined consent and that's why cookie banners pop up.

privacylawthrow | 4 years ago | on: EU set to unveil plans for bloc-wide digital wallet for various services

EU governments are exempt from the requirements of GDPR. In some countries police can access large amounts of data without the need for a warrant. For example, German police do not need a warrant to get passwords to email accounts, PIN numbers for mobile phones, mobile usernames, birthdates, telco information, or hospital data.

privacylawthrow | 4 years ago | on: Companies excluding Coloradans from remote jobs to avoid sharing salary ranges

6 months is not compliant. Employees have to be made aware of the posting on the same calendar day the job is posted. For jobs that are in constant demand, the company has to either send a daily email or have some kind of banner on its corporate intranet.

There is also no geographic restriction so if a company has any offshore service centers, it would need to post any promotional jobs to its Colorado employees as well.

privacylawthrow | 4 years ago | on: Companies excluding Coloradans from remote jobs to avoid sharing salary ranges

The law also requires that Colorado employees be informed of all promotional opportunities. A promotional opportunity is "a vacancy in an existing or new position that could be considered a promotion for one or more employees in terms of compensation, benefits, status, duties, or access to further advancement."

If a company doesn't already have Colorado employees, they may not be interested in having a remote employee in CO that requires special treatment.

privacylawthrow | 4 years ago | on: Using GDPR to obtain one’s data as JSON

I am a privacy lawyer that has spent far too many hours on cookie issues. It is disappointing that your correct answer was downvoted. It goes to show just how much misinformation is out there about GDPR.

The top comment in this thread demonstrates that as well, as the Data Protection Directive of 1995 had a functionally identical requirement allowing users to opt out of completely automated decisions for credit purposes.

privacylawthrow | 4 years ago | on: Request for comments regarding topics to be discussed at Dark Patterns workshop

If it's the TrustArc Ads Compliance Manager, it makes a call to all the ad networks requesting the network's opt out cookie. The opt out cookie prevents the user from being tracked by that ad network across all sites. Cookie banner opt outs usually only prevent tracking from the site you are on.

Unlike GDPR, which uses a website as the gate for all cookies, the ad industry also has self-regulatory programs. Participation in these programs requires that a website allow a user to opt out of all ad networks present on their site. TrustArc built a module to do that: https://preferences-mgr.truste.com/.

If you run the tool there, it will make a call to the ad networks listed. Of course if you're running an ad blocker, the call will get blocked and it will look like the tool doesn't do anything.

privacylawthrow | 5 years ago | on: Cohort IDs can be collected over time to create cross-site tracking IDs

>It was never going to be the privacy savior Google billed it as, so why push forward with the concept?

Because these users are still anonymous to companies using Google services. Uniquely identifying users, and the liability for doing so, falls to intermediary services. I expect it will be the domain of data brokers like LiveRamp, Epsilon, and others.

"Use Google and be compliant" is a good sales tool and good value for companies that use Google services. Companies that don't want to sell data to brokers will stick with Google.

privacylawthrow | 5 years ago | on: Illegal Prime Numbers

The law cares about intent and outcome. If you intended to publish Bill Gates' credit card number and did so, and if doing so was a crime, you'd be guilty of that crime. This is true regardless of how you published the information. There is no "out" for putting it behind a pretext.

It's why sharing child pornography is illegal, even though all the creators are really doing is sharing a set of instructions for someone else's computer to generate the image/video.

privacylawthrow | 5 years ago | on: Supreme Court sides with Facebook in narrowing the federal robocall ban

These were already violations of the TCPA in the 9th Circuit under the 9th Circuit's previous ruling in Marks where the court found that an autodialer is any equipment that dials a number from a stored list.

Marks was used as precedent for this lawsuit. Facebook argued that this case was different from Marks. The Ninth Circuit found otherwise. SCOTUS appears to have shot down the ruling from Marks.

Marks was widely regarded as a terrible decision because it made no sense at the time. It's nice to see SCOTUS return some common sense to the law.

Note also that the TCPA allows for statutory damages of up to $1500 per violation, so it takes less than 675 calls/texts to rack up $1M in liability. Class action attorneys love it because they don't have to show damages. They only have to show that the call or text was sent using an autodialer.

privacylawthrow | 5 years ago | on: Grindr to be fined almost €10M over GDPR complaint

The opt out cookie was created by ad networks prior to GDPR when many EU countries allowed for opt in by default. The opt out cookie was the tool to allow users to opt out. It still has value today as it allows an ad network to remember a user's choice not to be tracked.

The opt out cookie is set by the advertiser, not the publisher, and the contents of the cookie have generic text like "OPT OUT".
