Steve Roosa (US)

Subscribe to all posts by Steve Roosa (US)

Apple introduces “Privacy Manifests” for new and updated apps

By Steve Roosa (US), Wenda Tang (US) and Elyssa Diamond (US) on April 16, 2024 Posted in General, Privacy

Apple recently announced that beginning in spring 2024, developers of certain SDKs and apps that use those SDKs will be required to include a “Privacy Manifest,” which lists all tracking domains used in the relevant SDK or app. To determine whether this is relevant to your company, a list of SDKs that require a Privacy … Continue reading

Testing the tricky apps for privacy and data protection

By Steve Roosa (US) and Wenda Tang (US) on March 25, 2024 Posted in Data Protection, NT Analyzer Blog Series, Privacy

Dealing with cert pinning and root detection The privacy area has been white-hot lately, including litigation and investigations involving VPPA; Wiretap/Pen Register/Trap and Trace; and Opt Out Compliance. Furthermore, with the HHS updates on tracking in the HIPAA context, and the new state privacy laws (such as the My Health My Data Act), we can … Continue reading

HHS updates online tracker guidance

By Steve Roosa (US) and Susan Ross (US) on March 21, 2024 Posted in HIPPA, NT Analyzer Blog Series, Privacy

On March 18, 2024, the US Department of Health and Human Services (HHS) issued an updated, 17-page Bulletin titled “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates (the Bulletin). Our readers may recall that HHS had originally issued the Bulletin in December of 2002, which we summarized here. HHS’ changes are generally clarifications … Continue reading

Everyone is using ChatGPT what does my organisation need to watch out for

By Marcus Evans, Lara White (UK) and Steve Roosa (US) on April 27, 2023 Posted in Cybersecurity, Fintech

In December 2022, OpenAI released ChatGPT, a powerful AI-powered chatbot that could handle users’ questions and requests for information or content in a convincing and confident manner. The number of users signing up to use the tool increased very rapidly, with users using the tool to write letters, edit text, generate lists, prepare presentations and … Continue reading

Biden restricts U.S. government use of commercial spyware

By Steve Roosa (US), Susan Ross (US), Daniel Rosenzweig (US) and Gerar Mazarakis (US) on April 20, 2023 Posted in General

Governments state that they use commercial spyware exclusively for criminal investigations, but critics claim such spyware has purportedly been used for human rights abuses targeting journalists, human rights defenders, lawyers, and political dissidents. Moreover, the U.S. Government and its employees have been allegedly targeted by such spyware. To set an example for governments globally—both authoritarian … Continue reading

Validating State Privacy Law Opt-Out Signals

By Steve Roosa (US) and Daniel Rosenzweig (US) on March 29, 2023 Posted in CCPA, Data Protection, Privacy law

State privacy laws, such as the California Consumer Privacy Act (CCPA), require companies to implement opt-out solutions and honor applicable privacy requests. But if you have implemented an opt-out, how do you know it actually works? Read the full NT Analyzer blog, “Validating State Privacy Law Opt-Out Signals.”… Continue reading

Privacy law is becoming more technically sophisticated. So should you.

By Steve Roosa (US), Daniel Rosenzweig (US) and Susan Ross (US) on March 22, 2023 Posted in Compliance and risk management, Privacy law

As privacy laws and requirements become more technically sophisticated, businesses may want to consider how they can follow suit.… Continue reading

HHS: Online trackers without prior authorization and BAAs can violate HIPAA

By Steve Roosa (US), Anna Rudawski (US), Susan Ross (US) and Daniel Rosenzweig (US) on December 5, 2022 Posted in Compliance and risk management

HHS: Online trackers without prior authorization and BAAs can violate HIPAA By Steve Roosa, Sue Ross, Dan Rosenzweig On the evening of December 1, 2022, the U.S. Department of Health and Human Services (HHS) issued a 12-page Bulletin titled “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates (the “Bulletin”). In the … Continue reading

Google Data Safety Forms must be submitted by July 20, 2022

By Steve Roosa (US) and Daniel Rosenzweig (US) on July 15, 2022 Posted in NT Analyzer Blog Series

Google’s Data Safety Forms must be submitted by July 20, 2022. According to Google, failing to post by July 20, 2022 can result in the rejection of new Google Play app submissions. After July 20,200, non-compliant apps could face removal from the Google Play. It’s the business’s job to take ownership over the accuracy of … Continue reading

Google’s Data Safety Form: Timeline Extended and Key Considerations

By Steve Roosa (US) and Daniel Rosenzweig (US) on February 28, 2022 Posted in NT Analyzer Blog Series

Google recently announced several key changes to the upcoming “Data safety form” for Google Play. Learn more about these updates on our NT Analyzer blog. … Continue reading

European rulings on the use of Google Analytics and how it may affect your business

By Steve Roosa (US), Christoph Ritzer (DE), Nadège Martin (FR), Jurriaan Jansen, Daniel Rosenzweig (US), Naomi Schuitema, Natalia Filkina (DE) and Barbara Ghebali (FR) on February 14, 2022 Posted in Cybersecurity, NT Analyzer Blog Series, Privacy law

Recent decisions out of the EU will impact the use of Google Analytics and similar non-European analytics services when targeting EU individuals, with the potential to put many organizations at risk of receiving GDPR fines. At issue was the transfer of personal data from the EU to the US through the use of Google Analytics. … Continue reading

Data Privacy Concerns: 2022 and beyond

By Steve Roosa (US) and Daniel Rosenzweig (US) on January 31, 2022 Posted in NT Analyzer Blog Series

We may be a tad late to Data Privacy Day but we are looking ahead: 2022 will be a big year for privacy. See our timeline on our NT Analyzer blog for some of the privacy events on the horizon that are on our radar. Read the NT Analyzer blog… Continue reading

iOS 15 Privacy Report Update and what it means for app owners

By Steve Roosa (US) and Daniel Rosenzweig (US) on January 19, 2022 Posted in NT Analyzer Blog Series

As we previously noted, iOS 15 rolled out several privacy-focused measures to users. For example, users may record their app activity and download a report on app metrics from the previous seven days, called the App Privacy Report. These metrics include, for example: 1) when apps access certain permissions on the device (e.g. microphone, location, camera, … Continue reading

Google Play Store Releases Data Safety Form

By Steve Roosa (US) and Daniel Rosenzweig (US) on November 19, 2021 Posted in NT Analyzer Blog Series

Android will adopt iOS-like privacy nutrition labels, called the “Data safety form,” starting April 2022. And according to Google, apps that fail to comply with this upcoming requirement may be “subject to policy enforcement, like blocked updates or removal from Google Play.” While it may be tempting to just repurpose the iOS nutrition labels, Google notes … Continue reading

NT Analyzer: Does your app track users that opted-out of tracking?

By NRF Digital Team, Steve Roosa (US) and Daniel Rosenzweig (US) on October 26, 2021 Posted in NT Analyzer Blog Series

A transparency-focused privacy software company confirms that some apps are continuing to transmit data despite some users having opted-out of “tracking.” The study tested 10 popular apps and discovered that some continue to track even though those users have “ask[ed] app not to track” when presented with the ATT pop-up. Read Steve Roosa and Daniel … Continue reading

Global Privacy Control Opt-Out of “Sale” – A Technical and Legal Viewpoint

By Daniel Rosenzweig (US), Steve Roosa (US) and Wenda Tang (US) on July 21, 2021 Posted in NT Analyzer Blog Series

According to the California Attorney General, consumers may now utilize a new technology called the Global Privacy Control (“GPC”) in order to opt out of a “sale” of personal information under the California Consumer Privacy Act (“CCPA”). The GPC, according to its website, was developed by “various stakeholders including technologists, web publishers, technology companies, browser vendors, … Continue reading

Google to nix “GAID” for opted-out users on Android

By NRF Digital Team, Steve Roosa (US) and Daniel Rosenzweig (US) on June 8, 2021 Posted in NT Analyzer Blog Series

Steve Roosa and Daniel Rosenzweig report on Google’s recent announcement regarding Android GAID settings. Beginning later in 2021, for Android 12, Android devices will “zero-out” the Google Advertising ID (“GAID”) for users who have opted out of tracking and personalized advertising. (In other words, using the “Opt out of Ads Personalization” settings). Read the full … Continue reading

How data privacy can affect consumer goods

By Steve Roosa (US) and Daniel Rosenzweig (US) on June 2, 2021 Posted in NT Analyzer Blog Series

Almost every website, mobile app, and IoT rely on third party code. But more often than not, this necessary reliance results in undetected data leakage, which can result in regulatory action, litigation, and/or bad PR. Learn more on our NT Analyzer site.… Continue reading

iOS 14.5 and ATT Framework is coming

By Steve Roosa (US) and Daniel Rosenzweig (US) on April 22, 2021 Posted in NT Analyzer Blog Series

On April 26, 2020, iOS/iPadOS/tvOS 14.5 and the enforcement of the AppTrackingTransparency (‘ATT’) go into effect. Read more about this on Steve Roosa and Daniel Rosenzweig’s blog post on NT Analyzer.… Continue reading

Don’t let Apple determine your app’s fate

By Steve Roosa (US) and Daniel Rosenzweig (US) on April 13, 2021 Posted in NT Analyzer Blog Series

Apple, in centralizing control over data collected on iOS, is rejecting apps from the App Store, essentially 50,000 apps at a time. For example, the App Store recently rejected updates to an app that used a third party software development kit (“SDK”) from Adjust. As a result of the SDK and according to Apple (as … Continue reading

Navigating Virginia’s new privacy law

By Steve Roosa (US) and Daniel Rosenzweig (US) on April 8, 2021 Posted in NT Analyzer Blog Series

Virginia recently enacted its own data protection/privacy law and like its European and Californian predecessors, the technical piece is key. Like the GDPR and CCPA, the Consumer Data Protection Act (“CDPA”), which goes into effect on January 1, 2023, broadly defines “personal data” as “any information that is linked or reasonably linkable to an identified … Continue reading

Apple’s New Privacy Requirement: The Impact and the Solution

By Steve Roosa (US) and Daniel Rosenzweig (US) on October 16, 2020 Posted in NT Analyzer Blog Series

NT Analyzer is equipped to provide organizations with a digestible report to meet Apple's new privacy requirements on app’s privacy practices on in their App Store Connect.… Continue reading

101 Problems and Schrems Ain’t One

By Steve Roosa (US) and Daniel Rosenzweig (US) on September 29, 2020 Posted in General

Eureka! After burning the midnight oil, we’ve built an automated scanner to identify and sort the Schrems II risk of data flows for further legal handling. The scanner uses more than 20 different data points derived from network metadata to scan and classify data flows based on mass surveillance risk under the NSA’s so-called “Upstream” … Continue reading

CCPA: “Wait and see” is not the right approach

By Chris Cwalina (US), David Kessler (US), Steve Roosa (US), Jeewon Kim Serrato (US) and Susan Ross (US) on August 29, 2019 Posted in CCPA, Compliance and risk management

We are seeing companies use many different approaches to the California Consumer Privacy Act (“CCPA”) compliance, but the “wait and see” approach in particular is not advisable. Companies who want to “wait and see” point to the pending amendments to CCPA that are currently working through the California Senate (as we have previously described—see links … Continue reading