By Elizabeth Crooks and Chehalis Dorman
Here’s a snapshot of a few of the privacy developments we followed between February 10, 2022 and March 21, 2022. If you missed our last post, you can find it here.
U.S. Federal
FCC: Proposed ‘Ringless Voicemail’ Robocall Protections
· FCC Chairwoman Rosenworcel proposed an action in February that would treat ringless voicemails as “calls” protected by the TCPA. If adopted, callers would be required to obtain consumer consent before delivering a ringless voicemail.
FTC: New Enforcement Approach
· For the third time in a privacy case, and the first time in a COPPA case, the FTC has ordered companies to destroy models or algorithms developed in whole or in part from ill-gotten data. This may become a new standard for penalizing tech companies that violate privacy laws and use deceptive data practices.
FTC: Case Against WW International and Kurbo Inc. Settled
· Following a DOJ complaint filed on behalf of the FTC, a settlement order imposed compliance obligations on WW International (formerly Weight Watchers) and its subsidiary Kurbo for marketing a weight-loss app to children as young as eight and collecting their personal information without parental permission.
Google: Introduction of Google Analytics 4
· Google plans to retire the current version of Google Analytics in favor of Google Analytics 4 by July 2023, a change intended to address user privacy and regulatory compliance demands, including EU-related privacy concerns.
Google: New Tool ‘Checks’ Launched
· Google has launched Checks, an app privacy compliance tool that helps developers identify and address privacy compliance issues in mobile apps distributed on Google Play.
IAB: New Measurement Standards for In-Game Ads
· The IAB will release the first public draft of its new measurement standards for in-game advertising for comment at the end of May, and anticipates publishing the final version in June.
IRS: Abandons ID.me After Backlash
· In February, the IRS announced it would move away from using ID.me’s facial recognition to verify online accounts, reversing a partnership announced only in January. The change followed a flood of privacy and security concerns.
SEC: Proposed Cybersecurity Disclosure Rule
· The SEC has proposed a rule on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure. The proposed amendments would require current reporting of material cybersecurity incidents and periodic disclosure of a registrant’s policies and procedures for identifying and managing cybersecurity risks.
Standards: NIST Publishes Guidance on Bias in AI
· NIST released Towards a Standard for Identifying and Managing Bias in Artificial Intelligence, which incorporates comments received on the initial draft and focuses on how bias manifests not only in AI algorithms and the data used to train them, but also in the societal context in which AI systems are used.
The Children’s Advertising Review Unit (CARU): TickTalk Tech in Violation of COPPA and CARU’s Privacy Guidelines
· CARU found that TickTalk failed to provide clear, complete, and non-confusing notice of its children’s information collection practices in its privacy policy, and failed to provide any notice that would constitute the direct notice to parents required by COPPA. TickTalk agreed to take corrective action, including revising its website and correcting its privacy policy.
U.S. State
Illinois: Class Action Against Tesla
· The plaintiff alleges that Tesla violated Illinois’ Biometric Information Privacy Act (BIPA) through its use of facial recognition technology that tracks head and eye movements to gauge driver attentiveness. Tesla has yet to respond.
Illinois: BIPA Settlements
· McDonald’s will pay $50 million to settle an Illinois BIPA lawsuit involving employee data.
· Employee time-management software provider Kronos agreed to a $15 million settlement over alleged BIPA violations.
Texas: Suing Meta over Alleged Biometric Privacy Law Violations
· State AG Paxton sued Meta in February, alleging that Meta exploited the biometric data of millions of Texas residents in violation of the Capture or Use of Biometric Identifier Act (CUBI). The suit centers on Facebook’s ‘tag suggestions’ feature, which used facial recognition.
Utah: Utah Consumer Privacy Act
· The Utah Consumer Privacy Act has passed both the House and the Senate. The bill contains provisions similar to the comprehensive privacy laws of California, Colorado, and Virginia. If enacted, it will take effect on December 31, 2023.
Virginia: VCDPA Amendments
· Lawmakers passed HB 381 and SB 393 on February 25, 2022 and March 4, 2022. The bills add new exemptions to the VCDPA’s right to delete.
Wyoming: Genetic Data Privacy Act
· Governor Mark Gordon signed the Wyoming Genetic Data Privacy Act into law on March 8, 2022. The law requires any business that collects genetic data from individuals to (1) provide notice of its policies and procedures regarding genetic data before collection and (2) obtain express consent before collecting genetic data. It takes effect on July 1, 2022.
Latin America
Brazil: LGPD Regulation Approved
· Brazil’s ANPD approved a regulation clarifying how the LGPD applies to small businesses and startups.
Asia Pacific
Australia: Facebook vs Australian Information Commissioner Ruling
· The Full Federal Court of Australia determined that Facebook Inc.’s (now Meta) installation and/or management of cookies on the physical devices of Australian users was enough for Facebook Inc. to be ‘carrying on business’ in Australia. The underlying allegations concern Facebook’s disclosure of personal data to Cambridge Analytica.
Australia: Changes to Privacy Credit Reporting Code
· The OAIC approved changes to the Privacy Credit Reporting Code, including protections around the collection, use, disclosure, and retention of consumer financial hardship information.
Sri Lanka: Parliament Enacts Data Protection Act
· The Act aims to promote a digital economy amid concerns raised over the privacy of individuals and the adverse impact on media reporting.
Europe & UK
EDPB: Draft Guidance
· The European Data Protection Board (EDPB) announced draft guidelines on cooperation between supervisory authorities, on data subject access requests (DSARs), and on dark patterns in social media platform interfaces.
EDPB: First Opinion on Certification Criteria
· The EDPB issued its first opinion on a GDPR certification scheme, submitted by the Luxembourg supervisory authority. The EDPB recommended a number of changes to the draft certification criteria to ensure consistency and correct application of certification criteria across the EEA.
France: CNIL Google Analytics Ruling
· The CNIL concluded that transfers to the U.S. of data collected via Google Analytics “are illegal” under Article 44 of the GDPR. The decision comes weeks after the Austrian DPA reached the same conclusion.
France: CNIL publishes 2022-2024 Strategic Plan
· The CNIL published a Strategic Plan covering three themes: (1) promote the control and respect of individuals’ rights in the field, (2) promote the GDPR as a trusted asset for organisations, and (3) prioritise targeted regulatory actions for high-stakes privacy issues.
Greece: Enforcement Action against Cosmote and OTE
· Greece’s data protection authority, the HDPA, issued its highest fine to date against Cosmote and OTE for multiple GDPR violations: falling short of the data minimization and storage limitation principles; failing to follow the principle of transparency; an inadequate data protection impact assessment; inadequate implementation of anonymization procedures; inadequate security measures, including in relation to the infrastructure; and failure to properly allocate responsibility as joint controllers.
Liechtenstein: Liechtenstein Joins the Austrian and French Stance Against Google Analytics
· Liechtenstein’s data protection authority has joined those of Austria and France in concluding that Google Analytics violates the GDPR because of its transfers of personal data overseas.
Iceland: Icelandic Bank Found to be in Violation of GDPR
· The Icelandic data protection authority (Persónuvernd) found Landsbankinn in violation of the GDPR for allowing unauthorized access to financial data, but imposed no fine.
Italy: Enforcement Action Against Clearview AI
· Italy's data protection authority fined Clearview AI €20 million for GDPR violations related to its facial recognition software and database.
Netherlands: Enforcement Action against DPG Media - €525,000 Fine
· The Dutch Data Protection Authority found DPG in violation of the GDPR’s data minimization requirement for unnecessarily requiring data subjects to submit a copy of their ID in order to exercise their rights of access and erasure.
Norway: Legal Basis Review for Russian-Ukrainian Transfers Encouraged
· Because the war between Russia and Ukraine has changed the security situation, Norwegian businesses are encouraged to reconsider the legal basis for any transfers of personal data to recipients in Ukraine and Russia.
Poland: The Polish Cookie Case
· In October 2021, Poland’s DPA issued its first decision on cookies. Under the decision, data controllers must explain every technological matter precisely and clearly. The decision also established that building a behavioral profile of an internet user by collecting information about them necessarily involves the processing of personal data.
Poland: Enforcement Action against Fortum Marketing and Sales Polska S.A.
· The Polish DPA issued a record fine of PLN 4.9 million (approximately €1.08 million) for failure to implement appropriate technical and organisational measures to ensure the security of personal data and for failing to verify its processor.
Slovakia: Enforcement Action Against Employers
· The Slovakian data protection authority issued fines of €500 to employers who kept former employees’ email accounts active and continued to monitor and access them after employment ended. The employers failed to demonstrate a legal basis for this processing.
Spain: AEPD Fines Amazon Road Transport €2 Million
· The AEPD found that Amazon Road Transport had been negligent and had failed to implement adequate procedures for collecting and processing personal data relating to criminal convictions.
United Kingdom: Enforcement Action Against Tuckers Solicitors LLP
· On March 10, 2022, the UK Information Commissioner’s Office (ICO) handed down its first Monetary Penalty Notice arising from a ransomware attack and data exfiltration incident. The notice imposes a fine of £98,000 for failing to process personal data in a manner that ensures appropriate security.
United Kingdom: New Model Clauses for International Data Transfers
· On February 2, the ICO issued new model clauses for international data transfers and laid them before Parliament. If no objections are raised, they take effect on March 21.
United Kingdom: Supreme Court Decision on Privacy
· In a case against Bloomberg LP, the UK Supreme Court ruled unanimously that individuals under criminal investigation have a reasonable expectation of privacy and the right not to be identified by the media until criminal charges are brought.
Middle East
Oman: Approval of Data Privacy Law
· Oman’s Ministry of Information published the Law on the Protection of Personal Data, which is set to take effect on February 9, 2023.
Saudi Arabia: PDPL Going into Effect
· Saudi Arabia’s Personal Data Protection Law comes into effect on March 23, 2022.