EDPB adopts final report of outcome of the cookie banner task force

“[..] the EDPB adopted a report on the work undertaken by the Cookie Banner Task Force, which was established in September 2021 to coordinate the response to complaints concerning cookie banners filed with several EEA DPAs by NGO NOYB. The Task Force aimed to promote cooperation, information sharing and best practices between the DPAs, which was instrumental in ensuring a consistent approach to cookie banners across the EEA. In the report, the DPAs agreed upon a common denominator in their interpretation of the applicable provisions of the ePrivacy Directive and of the GDPR, on issues such as reject buttons, pre-ticked boxes, banner design, or withdraw icons.”

Topics covered

  • No Reject button on the first layer
  • Pre-ticked boxes
  • Deceptive “Link Design”
  • Deceptive button colors and Deceptive button contrast
  • Legitimate interest claimed, list of purposes
  • Inaccurately classified “essential” cookies
  • No withdraw icon

from EDPB announcement at https://edpb.europa.eu/news/news/2023/edpb-determines-privacy-recommendations-use-cloud-services-public-sector-adopts_en

CNIL statement (in English): https://www.cnil.fr/en/edpb-adopts-final-report-outcome-cookie-banner-task-force

Cookie Banner Task force Report: https://edpb.europa.eu/system/files/2023-01/edpb_20230118_report_cookie_banner_taskforce_en.pdf

NIST Transitioning Away from SHA-1 for All Applications

NIST is introducing a plan to transition away from the current limited use of the Secure Hash Algorithm 1 (SHA-1) hash function. Other approved hash functions are already available. The transition will be completed by December 31, 2030.

NIST responded in 2006 with an announcement encouraging a rapid transition to the use of the SHA-2 family of hash functions for digital signature applications, which were initially specified in FIPS 180-2. NIST began a competitive process to develop an additional hash function, which resulted in the SHA-3 family of hash functions published in 2015 as FIPS 202. In 2011, NIST released SP 800-131A, which announced the deprecation of SHA-1 when generating new digital signatures and restricted further use of SHA-1 to only where allowed in NIST protocol-specific guidance.

Cryptanalytic attacks on the SHA-1 hash function as used in other applications have become increasingly severe in recent years (“SHA-1 is a Shambles” by Leurent and Peyrin, 2020 https://www.usenix.org/conference/usenixsecurity20/presentation/leurent). As a result, NIST will transition away from the use of SHA-1 for applying cryptographic protection to all applications by December 31, 2030.


Updated FTC-HHS online tool helps developers understand which federal laws apply

The Federal Trade Commission (FTC) in conjunction with the HHS Office for Civil Rights (OCR), the HHS Office of the National Coordinator for Health Information Technology (ONC), and the Food and Drug Administration (FDA) have updated the Mobile Health App Interactive Tool. This tool is designed to help developers of health-related mobile apps understand what federal laws and regulations might apply to them.


HHS Bulletin: Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates

– mentions Google Analytics and Meta Pixel by name..

“Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules.”

This Bulletin provides a general overview of how the HIPAA Rules apply to regulated entities’ use of tracking technologies. This Bulletin addresses:

  • What is a tracking technology?
  • How do the HIPAA Rules apply to regulated entities’ use of tracking technologies?
    • Tracking on user-authenticated webpages
    • Tracking on unauthenticated webpages
    • Tracking within mobile apps
    • HIPAA compliance obligations for regulated entities when using tracking technologies


LfDI BW: Embedding external videos on web sites


asking for consent, and a two-click solution

With the help of a so-called two-click solution, it is basically possible for the website operator, as joint controller with the video platform operator, to obtain the consent of the visitors.

  • A preview of the external content is first displayed – without transmitting the IP address, browser information or other personal information to third parties.
  • Only when visitors actively click on the preview, for example to watch a video, will their data be transmitted.

If website operators embed third-party videos from commercial video platforms or third-party websites without joint responsibility according to Art. 26 GDPR, the two-click solution should be used in the following variant:

  • First, there should be a preview with a reference to the following external content is displayed.
  • This notice should make the visitor understand that when the embedded video is played, the platform operator, for example, receives information about who has just accessed which website and that a link to existing data is possible.
  • Only when visitors actively click on the preview, for example to watch a video, may the video platform operator or third parties receive the IP address, browser information or other personal information.