Commission d’access a la information du Quebec has issued guidance on employee geolocation tracking.

Here are some key takeaways:

  • Unless the law expressly provides for it, a company may not require a person to be tied to a device that makes it possible to know where he is.
  • Without obtaining valid consent from its employees, an employer cannot require them to use a geolocation-based application.
  • Consent must be manifest, free, informed and given for specific purposes and for the time necessary to achieve the purposes for which it was requested. In particular, for it to be free, it must be possible to refuse without incurring consequences.
  • A good way to promote free consent is to offer staff an alternative to using an application that uses geolocation to record the arrival and departure times of employees.
  • Even with valid consent from its employees, the employer should collect only the personal information necessary to achieve its objectives. The fact that information is useful does not necessarily make it necessary to collect it.
  • An employer must demonstrate that the intrusion into the privacy of its employees is proportional to the objective pursued or to the problematic situation that it wishes to counter.
  • Each situation is unique. The employer is responsible for carrying out a serious analysis according to his context in order to be able to demonstrate that it is necessary for him to collect geolocation data.
  • Remember that in case of doubt, the collection of personal information is deemed unnecessary.

If the collection of geolocation data from its employees is necessary, an employer will have to comply with other obligations. It must:

  • Inform its employees of the collection and the use that will be made of the information, the categories of people who will have access to it within the company and their rights of access and rectification.
  • Ensure the personal information is up to date and accurate.
  • Put in place appropriate security measures to ensure the protection of personal information.
  • Destroy personal information in a secure manner as soon as the purpose for which it was collected is fulfilled, subject to the time limit provided by law (e.g. for tax obligations).


Maybe someone is reading them after all? European Commission opens for consultation its report of the sector inquiry into consumer internet of things (IoT) devices.

The report shows that in addition to quality, brand reputation and privacy, the number of users plays a crucial role in competition. The privacy notice of the relevant device is flagged as one of the top deciding factors in:

  • competing with other smart home device manufacturers for integration on or
    interoperability with other smart home devices (#4)
  • competing with other smart home device manufacturers for users (#5)
  • competing with other wearable devices for users (#7)
  • competing with other consumer IoT services for presence on third party smart devices (#5)
  • competing with other consumer IoT services for users (#7)
  • competing with other voice assistants for presence on third-party smart devices (#3)
  • competition with other voice assistants for users (#5)

Read the full preliminary European Commission report.

Several German Data Protection Authorities commence independent investigation of cross border transfers of personal data in violation of Schrems II.

The investigation has commenced by sending companies questionnaire regarding among other things, the use of service providers for:

  • sending e-mails
  • hosting of websites
  • web tracking
  • the administration of applicant data
  • the internal exchange of customer data
  • the intercompany transfer of employee data.

The authorities are mindful of the Court of Justice of the European Union’s (CJEU) instruction that the supervisory authorities “suspend or forbid” transfers that do not meet with the Schrems II requirements for mode of transfer or supplemental measures. Suspending a transmission, says the Berlin DPA in a press release, is likely to succeed in starting a cooperative dialogue with the companies. Where this is not possible regulatory action will follow.

Per Christopher Schmidt, FIP CIPP⁄E CIPM CIPT CDPO’s unofficial translation, questions include:

  • Does your company transfer personal data to other companies of the group located outside the EEA (this includes accessing data stored in Germany from other locations)?
  • Which data is transferred, to which companies and at what intervals?
  • What is the purpose and legal basis of the transfer?
  • Have you checked whether there are no provisions in the third country’s legislation that make it impossible for data importers to comply with their contractual obligations under the SCC?
  • Are any of the other companies subject to FISA 702?
  • Do you use encryption? What kind?
  • What are preparatory steps for alternatives to this transfer/mode of transfer?

U.S. Senator Edward J. Markey of Massachusetts has introduced the “Algorithmic Justice and Online Platform Transparency Act.”

If signed into law, the bill will impose several new requirements on online platforms:

  • Transparency – including explaining the information collected, how it is used (for advertising and/or content moderation), method by which the type of algorithmic process prioritizes, assigns weight to, or ranks different categories of personal information to withhold, amplify, recommend or promote content
  • Records – retaining a (deidentified) record of the algorithmic process
  • Retaining an advertising library – including copies of all ads, targeting criteria, information provided to the advertisers and identity of the advertisers
  • Data portability – providing the information to the individuals
  • Prohibition of discrimination

The bill would also establish an interagency task force on the algorithmic processes of online platforms that would examine the discriminatory use of personal information by those processes.

Read the bill.

C is for ‘cookie,’ and that’s not good enough for me.

NOYB, the privacy organization based in Vienna, Austria, is moving on hundreds of companies who use unlawful cookie banners. They have sent over 500 draft complaints so far, hoping to end “cookie banner terror.”

Per NOYB, “users must be given a clear yes/no option. As most banners do not comply with the requirements of the GDPR, NOYB developed a software that recognizes various types of unlawful cookie banners and automatically generates complaints. Nevertheless, NOYB will give companies a step-by-step guide (PDF) on how to change software settings to comply with the law as well as a one-month grace period to comply with EU laws before filing the formal complaint.”

“Over the course of a year, NOYB will use this system to ensure compliance of up to 10,000 of the most visited websites in Europe.”

Per Max Schrems, “companies openly admit that only 3% of all users actually want to accept cookies, but more than 90% can be nudged into clicking the ‘agree’ button.”

Read the full NOYB article.

The UK Information Commissioner’s Office is calling for collaboration with UX and design firms for the implementation of the Age-Appropriate Design Code.

Per the ICO:

“We know that the aims of the design community align with this vision set out in the Children’s Code and can see design practices evolving. Designers are more conscious of societal harms and how the decisions they make impact children’s information rights and digital experiences. And we want to help designers understand, implement and embed the Children’s Code into their practices, helping them to create a better digital world for children.”

“We are currently developing practical guidance to help designers in their day-to-day work. The guidance will help a range of practitioners to apply the Children’s Code; from UX and product designers to service managers and content designers.”

“This is a new approach for the ICO. By working in collaboration with the design community, we can create practical guidance driven by industry needs. For the first iteration of the UX design guidance we’ll focus on Transparency as a key UX design challenge in the code.”

Read the full statement from the UK ICO.

The “Cookie-pocalypse” or the “Identity Revolution.” Whatever you call it, digital advertising is undergoing a massive transition as the deprecation of third-party cookies gets closer. To help marketers successfully navigate this changing ecosystem, it’s clear the role of agencies must evolve, says Larson Banilower, Head of Agency at Criteo.

Three audience targeting approaches agencies can leverage to reach and convert their clients’ customers in this new environment are:

  • Addressable: While third-party cookies still exist, agencies must use all the signals they provide to create meaningful experiences that people want to opt-in to. The more consumers that opt-in today, the larger the addressable audience an agency’s clients will have tomorrow.
  • Cohort: If agencies truly understand the mindset of these cohorts, they can create one-to-many ads that still feel personalized.
  • Contextual: By marrying contextual signals from a webpage and commerce signals from their clients’ first-party data, agencies can deliver impactful (and seemingly personalized) ads to consumers at the right place and time.

Details in Ad Exchanger.

The National Institute of Standards and Technology (NIST) has issued a draft report on Trust and Artificial Intelligence.

“If the AI system has a high level of technical trustworthiness, and the values of the trustworthiness characteristics are perceived to be good enough for the context of use, and especially the risk inherent in that context, then the likelihood of AI user trust increases. It is this trust, based on user perceptions, that will be necessary of any human-AI collaboration.”

“Like any other human cognitive process, trust is complex and highly contextual, but by researching trust factors we stand to enable use and acceptance of this promising technology by large parts of the population.”

“AI system designers and engineers have identified several technical characteristics that are necessary for system trustworthiness. There are, at the time of this writing, nine identified characteristics that define AI system trustworthiness: Accuracy, Reliability, Resiliency, Objectivity, Security, Explainability, Safety, Accountability, and Privacy”

Read the full report.

U.S. Sen. Amy Klobuchar, (D-Minn.) has introduced the Social Media Privacy Protection and Consumer Rights Act.

“Among other things, it requires, social media, search, and other data-centric companies handle user data to give consumers a way to opt out of data collection. This could be as straightforward as someone declining the terms of service. If a person does opt out, the bill says companies are free to deny users access.”

The bill also has requirements regard the UX of terms of use and privacy notices: terms of service must be in a form that is “easily accessible, of reasonable length… and uses language that is clear, concise, and well organized and follows other best practices appropriate to the subject and intended audience.”

Details in Ars Technica.

“When brands use their own data to know customers and prospects better, wonderful things start to happen. This is really about Identity – not cookies.”

“What to do:
  • Assess your current state
  • Embrace the first-party future.
  • Take ownership when it comes to identity and only allow processors (companies like identity providers or adtech partners) to access the data as needed, with strict privacy and security policies governing any sharing or access outside their firewalls.
  • Do not settle for less (than a complete customer view).
  • Prove the value.
  • Be transparent. The brand or “controller” has the greatest responsibility to protect the privacy and the rights of known customers as well as visitors. Processors should act as trusted partners and a direct extension of the brand by providing the people, processes, and technology to build and maintain highly precise and scalable real-time consumer recognition, activation, and measurement that help ensure transparency, privacy and security are held to the highest standard at every step. All this is done within the brand’s private, owned, and dedicated environment.
  • Do it now.”

Details in this MarTech Today article.