Tag: surveillance

  • Final storage and access technologies guidance published

    ico.org.uk

    Concatena says

    Our Take: I’ve not had a chance to fully read into this yet, but my initial big takeaway is the uphill battle that the ICO has in trying to convince people that terms like SATs mean the same thing as they understand when they hear cookies. I know how they feel, it’s driven me mad for years, but sometimes you need to meet people where they are. I’m slightly concerned about the references to consulting with the online advertising industry to help shape future initiatives – I’d really like to see consultation with third sector or indeed businesses who are reliant on the advertising revenue but also value their customers to pitch in here too. Final thought is about how it’s intended that “demonstrably low privacy risks” are quantified. In 2004 I remember the then commissioner, Richard Thomas, warning that we were sleepwalking into a surveillance society. Whilst the current commissioner has stepped away for a while, I hope the ICO still remembers that report.

    Your Takeaway: Nothing really to see here, yet – but if online tracking or advertising is important to your business, or to your ethics, it’s worth a closer read – and maybe getting involved in the ongoing discussions.

    The ICO has today published its finalised guidance on Storage and Access Technologies (SATs), alongside an update on its online tracking strategy.

    Highlights

    The guidance, which covers how the Privacy and Electronic Communications Regulations (PECR) (and where relevant, the UK GDPR) apply to cookies, tracking pixels, device fingerprinting and similar technologies (‘storage and access technologies’), incorporates updates following two consultations and changes introduced by the Data (Use and Access) Act. It includes new examples and points of clarification to help organisations comply with the law. It reflects the law as it currently stands, and sits separately from our ongoing work to review regulation 6 of PECR for online advertising purposes, on which further updates will follow in the coming weeks.

    We have today published our finalised guidance on Storage and Access Technologies (SATs), alongside an update on our online tracking strategy.

  • Online tracking strategy update – April 2026

    ico.org.uk

    Concatena says

    Our Take: We’ve commented on the SATs guidance in a separate post, but this wider summary from the ICO is worth a read too. I still don’t love the focus on consent for “cookies/SATs” (and don’t even get me started on consent-or-pay) – I don’t see how the average user can possibly understand the network that lies behind that little button – but that’s the legal landscape we’re in.

    Your Takeaway: As with the SAT guidance, there’s nothing requiring action here yet (unless you didn’t check your cookie banner compliance last year… in which case, I’d recommend a look now). Still, some ongoing discussions here it’s worth keeping on top of – and contributing to as well.

    At the start of 2025, we published our online tracking strategy setting out our plans to give people meaningful choice and control over how they are tracked online, and provide businesses with certainty to innovate responsibly.

    Highlights

    After careful consideration and review of our concerns, we concluded that further action would not be appropriate after observing positive improvements from the platforms as compared to their historical processing practices. This was communicated to the platforms in January of this year.

    We assessed key areas of concern, including: the validity of consent for the data processing carried out by these platforms and their lawful basis relied upon for processing.

    We have driven improvements in the standard products offered to website owners by working directly with key cookie banner vendors responsible for the largest market shares across the UK’s most popular websites. For example, OneTrust and Usercentrics have developed UK-specific templates aligned with our guidance. This is in addition to a range of other improvements made by these platforms and changes implemented by Sourcepoint and Inmobi to enhance their existing templates and guidance. This engagement has raised the bar across a significant portion of the market and made it easier for online businesses to offer fair, compliant choices to users.

    We committed to reviewing cookie banners on the top 1,000 websites in the UK. As we updated in December, our action has seen significant changes. It has lowered the prevalence of cookies being placed before a user has expressed their choice and has driven an increase of clear reject options on consent banners, making it easier for users to control how they are tracked.

    Next month, we will be publishing our advice to government on where PECR requirements to obtain consent for the use of storage and access technologies for online advertising purposes could be removed. We understand that the government is exploring whether to create an exception or exceptions for some online advertising purposes, using secondary regulation-making powers under regulation 6A of PECR. This work will help inform government policy-making.

    Last year, we opened a call for views on our review of regulation 6 PECR where the use of storage and access technologies for advertising may pose demonstrably low privacy risks.

  • Meta cuts contractors who reported seeing Ray-Ban Meta users have sex

    Scharon Harding

    Concatena says

    Our Take: Without going into the many many layers of this story, our takeaway for anyone procuring products or services is to consider the full supply chain when looking at the ethics of a product. What feels like automated magic is often a person behind the curtain, probably in a jurisdiction with fewer safeguards, more often than you might expect.

    Your Takeaway: Beauty isn’t skin deep – make sure you do your due diligence and that you’re happy that your providers have appropriate worker protection and safeguards all the way down the chain. And if you’re running human‑review workflows – think through all the consequences. Finally, if you’re using wearable tech which captures images of everyone around you, give real consideration to how you’d feel if someone with less moral integrity than you were to do the same.

    Meta ended its contract with Kenyan firm Sama after workers reported seeing private and explicit videos recorded by Ray-Ban Meta glasses. Sama denies failing to meet standards and says it was not warned about any issues. The situation has raised privacy concerns and led to investigations and a class-action lawsuit against Meta.

    Highlights

    BBC reported that Sama workers believe Meta ended the contract because workers spoke out about seeing Ray-Ban Meta-shot footage of people performing personal acts, like changing their clothes, having sex, and using the toilet.

    A Meta spokesperson told BBC that Meta “decided to end our work with Sama because they don’t meet our standards.” Ars Technica reached out to Meta asking how, specifically, Sama failed to meet Meta’s expectations and will update this article if we hear back. Ars has also reached out to Sama.

    In February, numerous workers from a company that Meta contracted to perform data annotation for Ray-Ban Meta reported viewing sensitive, embarrassing, and seemingly private footage recorded by the smart glasses. About two months later, Meta ended its contract with the firm.

  • Congress keeps kicking surveillance reform down the road

    Gaby Del Valle

    Concatena says

    Our Take: Congress has kicked the FISA 702 can down the road. Whilst this legal back and forth might feel far away, the way the US sets its surveillance rules has real knock-on effects for UK/EU businesses relying on US cloud and SaaS tools, and for anyone worrying about international data transfers. This is one to watch closely in case future “reforms” either harden surveillance or, more optimistically, edge towards better privacy safeguards that could ease some cross-border risk.

    Your Takeaway: If your business leans on US tech stacks, keep in mind that ongoing FISA 702 wrangling could shift the risk profile of your international data flows overnight. Treat this as a reminder to map which services touch US infrastructure, keep your transfer impact assessments fresh, and be ready to explain to customers and boards why a very American-sounding fight in Congress still matters for their data.

    Congress extended Section 702 of the Foreign Intelligence Surveillance Act for 45 days to allow more time for reform talks. The House passed a version with minor changes but no warrant requirements, causing frustration among some lawmakers. Privacy advocates say the bill does not do enough to protect Americans’ rights.

    Highlights

    “Three weeks is more than enough time to negotiate a reform bill,” Thune said on the Senate floor on Thursday. “That is, if members are serious about negotiating.”

    The House renewed Section 702 with minor reforms on Wednesday evening. The bill didn’t include the hotly debated warrant requirement, but it did feature a provision prohibiting the Federal Reserve from issuing Central Bank Digital Currencies, which Senate Majority Leader John Thune (R-SD) described as a nonstarter.

    Congress has reauthorized Section 702 of the Foreign Intelligence Surveillance Act — but only for another 45 days. The extension is meant to give legislators more time to negotiate reforms to the controversial wiretapping bill. If the past few weeks are any indication of how future debates will go, however, we’re in for a bumpy ride.

  • Utah’s New Law Targeting VPNs Goes Into Effect Next Week

    Rindala Alajaji

    Concatena says

    Our Take: Internet regulation is hard, and if you don’t take a multi-step view, then you can end up playing whack-a-mole.

    Your Takeaway: If the tech you rely on could be outlawed, how can you plan?

    For the last couple of years, we’ve watched the same predictable cycle play out across the globe: a state (or country) passes a clunky age-verification mandate, and, without fail, Virtual Private Network (VPN) usage surges as residents scramble to maintain their privacy and anonymity. We’ve seen this everywhere—from states like Florida, Missouri, Texas, and Utah, to countries like the United Kingdom, Australia, and Indonesia.

    Instead of realizing that mass surveillance and age gates aren’t exactly crowd favorites, Utah lawmakers have decided that VPNs themselves are the real issue.

    Next week, on May 6, 2026, Utah will become, to EFF’s knowledge, the first state in the nation to target the use of VPNs to avoid legally mandated age-verification gates. While advocates in states like Wisconsin successfully forced the removal of similar provisions due to constitutional and technical concerns, Utah is proceeding with a mandate that threatens to significantly undermine digital privacy rights.

    What the Bill Does

    Formally known as the “Online Age Verification Amendments,” Senate Bill 73 (SB 73) was signed by Governor Spencer Cox on March 19, 2026. While the majority of the bill consists of provisions related to a 2% tax on revenues from online adult content that is set to take effect in October, one of the more immediate concerns for EFF is the section regulating VPN access, which goes into effect this coming Wednesday.

    The VPN Provisions

    The new law explicitly addresses VPN use in Section 14, which amends Section 78B-3-1002 of existing Utah statutes in two primary ways:

    Regulation based on physical location: Under the law, an individual is considered to be accessing a website from Utah if they are physically located there, regardless of whether they use a VPN, proxy server, or other means to disguise their geographic location.

    Ban on sharing VPN instructions: Commercial entities that host "a substantial portion of material harmful to minors" are now prohibited from fa…
