We have previously addressed new requirements to website and application owners and encapsulated how businesses should prepare for the changes. Breaches of the requirements for the use of recommendation technology can now entail fairly substantial fines.
What are recommendation technology and where is it used?
Recommendation technology consists of algorithms that collect, organise and analyse user preferences to provide them with personalised information.It is important to understand that recommendation technology is not just “smart feeds” on social media or streaming services. The law covers:
- personalised selection of products, content or services in online stores;
- AI-powered chatbots that identify the smart solutions based on conversation;
- any other services where the provided information depends on the user's behaviour and preferences.
In addition, as we have previously noted, if, for example, an online store’s algorithm suggests purchasing a phone case along with a smartphone and does so for all users of the online store (for example, through a “Frequently Bought Together” section), in this case the regulations governing recommendation technology would not apply. On the contrary, if an online store owner collects information using cookies, profiles user, and offers specific products to a user based on their region, information about their past purchases, the device they used to visit the website, etc., such an algorithm will be subject to regulation, and that website owner will be required to comply with the requirements and may potentially face liability in the event of a breach.
What fines are introduced for breaches of recommendation technology?
New Article 13.56 of the AOC of the Russian Federation provides for liability for the services' owners and fines imposable on legal entities range:- from RUB500,000 to RUB700,000 for first-time breaches. This includes the use of recommendation technology in a manner that infringes third parties' rights, the failure to notify users of the use of algorithms, and the unavailability on the website of rules governing the use of recommendation technology or a contact email address for legal communications;
- from RUB1 mln to RUB1,4 mln for a repeated breach.
It is also worth noting that Roskomnadzor has the authority to block websites that breach recommendation technology requirements.
What fines may improper authentication trigger?
Article 13.55 of the Administrative Offences Code of the Russian Federation also establishes liability for failing to comply with the obligation to authenticate users located in Russia using the prescribed methods. As a reminder, according to the Law “On Information, Information Technology and Information Protection,” the following are permissible methods of authentication on websites, applications and other resources:- Russian telephone number;
- USIA (Gosuslugi);
- UBS (Unified Biometric System);
- another system owned by a Russian national (with no foreign participation or dual citizenship).
What businesses should do right now?
- Check authentication methods. If the website or application uses Google ID, Apple ID, or other foreign services, you should disable them. Only legally allowed methods should remain (a Russian telephone number, Gosuslugi, UBS, or another Russian system).
- Check if recommendation technology documents are available. Ensure that websites using recommendation algorithms display a notice regarding their use, publish guidelines for the use of recommendation technology, and provide an actual contact email address. It is also necessary to ensure that the recommendation technology in itself does not breach legal requirements.
