Data Privacy

Experts: New AI laws pose risk of overlap with data protection mandates


Companies are at serious risk of facing multiple fines for the same offense under different sets of legislation if the artificial intelligence technologies they employ misuse personal data or cause harm to consumers, according to legal experts.


GoodRx facing $1.5M fine over improper sharing of health data


GoodRx agreed to pay $1.5 million as part of a settlement reached with the Federal Trade Commission addressing allegations the telemedicine and prescription drug discount provider shared personal health data with third parties for advertising purposes.

California AG launches CCPA violation sweep against mobile apps


The California attorney general announced his office notified an unspecified number of businesses with mobile apps they are failing to comply with the California Consumer Privacy Act.

WhatsApp fined $5.9M for lawful processing GDPR violations


The Irish Data Protection Commission announced a fine of €5.5 million (U.S. $5.9 million) against WhatsApp under the General Data Protection Regulation for forcing users to consent to updated terms and conditions or lose access to the service.


Drizly data security to be monitored for 20 years under FTC order


Online alcohol retailer Drizly and its chief executive officer agreed to data security requirements and to be assessed by an independent monitor for up to 20 years as part of a final settlement with the Federal Trade Commission over a data breach that impacted 2.5 million consumers.


Survey: Data retention in 2023

2023-01-11T01:04:00+00:00

The level of urgency around data privacy grows each year, with new laws being implemented across the globe and technologies offering enhanced means of data storage.

Meta fined $414M for targeted advertising GDPR breaches


The Irish Data Protection Commission fined Meta Ireland a total of €390 million (U.S. $414 million) for breaching the General Data Protection Regulation by forcing users to agree their personal data can be used for targeted advertising to access Facebook and Instagram.


Ten things I’d like to see happen in 2023 (2022 in review)


Expect big developments for the compliance profession in 2022 to continue to take center stage in the year ahead, including CCO certifications, climate-related disclosures, and more.


Meta to pay $725M to settle privacy class-action lawsuit


Meta, the parent company of Facebook, agreed to pay $725 million to settle a class-action lawsuit accusing the social media giant of selling data to third parties without users’ consent.


Irish DPC probing Twitter over breach affecting 5.4M users


The Irish Data Protection Commission is investigating whether Twitter violated the European Union’s General Data Protection Regulation regarding a data breach alleged to have affected 5.4 million users.

Epic Games to pay $520M over COPPA, trick purchase charges


Epic Games, developer of the popular video game Fortnite, agreed to pay a record-breaking $520 million in penalties and restitution to settle allegations it violated online child privacy laws and employed illegal purchase patterns.


Portugal statistics office fined record $4.6M for GDPR violations


The government office for national statistics in Portugal was assessed a fine of €4.3 million (U.S. $4.6 million) by the country’s data protection authority for multiple violations of the General Data Protection Regulation that occurred during its 2021 census work.


Clubhouse app operator fined $2M for GDPR violations


Alpha Exploration, operator of the social media app Clubhouse, received a penalty from the Italian data protection authority for the unlawful processing of EU citizens’ data in violation of the General Data Protection Regulation.

Top ethics and compliance failures of 2022


Businesses not taking AML requirements seriously, years of noncompliant off-channel communications catching up to financial services titans, and a manufacturing firm that shared revenue with terrorists comprise CW’s list of the biggest ethics and compliance fails of 2022.


Experts: AML efforts dealt blow by CJEU beneficial ownership ruling


Determining the true owner of a company might become more difficult after Europe’s top court ruled automatic access to registers of beneficial ownership conflicted with the right to privacy.

Meta fined $274M under GDPR for data scraping breach


Meta Platforms Ireland was fined €265 million (U.S. $274 million) for failing to put in place adequate measures to protect users’ data after a leak compromised the personal details of more than half a billion individuals.

Privacy advocate sues Meta over targeted ad GDPR violation claims


A privacy and human rights advocate sued Meta Platforms in the United Kingdom, claiming the social media giant is refusing her request to stop being targeted with advertising based on her use of Facebook.


Discord fined $830K for GDPR lapses


Discord, a popular communication service primarily utilized by the video game community, was assessed a fine of €800,000 (U.S. $829,000) by the French data protection authority for multiple violations of the General Data Protection Regulation related to safeguarding user data.

Google to pay record $391.5M in settlement with states over location tracking


Google agreed to pay $391.5 million to settle charges it misled millions of users regarding a setting that tracked location data without their knowledge, according to an agreement the company reached with a coalition of 40 state attorneys general.

Australia privacy law proposal sets steep penalty mark for breaches


The Australian government is weighing stringent new privacy reforms that would establish among the steepest penalty regimes in the world—up to AUD$50 million (U.S. $33.5 million)—for serious or repeated breaches.

CFPB outlines rule mandating FIs provide customers their data


The Consumer Financial Protection Bureau initiated rulemaking that would require banks and other financial institutions to make a consumer’s personal financial data available to them upon request.

Google agrees to legal compliance monitor under novel DOJ settlement


Google reached a first-of-its-kind settlement with the Department of Justice requiring the tech giant to hire an outside compliance expert and overhaul its legal compliance process.


CPE Webcast: Why your CPRA compliance strategy is broken and how to fix it

2022-10-25T14:00:00+01:00

It is critical for organizations to carefully assess their CPRA compliance programs to identify gaps, avoid pitfalls, and minimize risks. Even organizations that have implemented a CCPA compliance program will need to consider enhancements to meet CPRA requirements.

FTC places restrictions on CEO in Drizly enforcement proposal


The Federal Trade Commission announced a tentative settlement with online alcohol delivery platform Drizly and its chief executive officer regarding a data breach affecting 2.5 million consumers and the alleged lax security that allowed it to happen.


ICO warns of ‘complacency’ in fining Interserve $5M under GDPR


The U.K. Information Commissioner warned companies not to ignore “crucial measures” to prevent cyber incidents following his office’s decision to fine construction firm Interserve £4.4 million (U.S. $5 million) for failing to secure employee personal information.

French DPA latest to fine Clearview AI over GDPR violations


France’s CNIL became the fourth European data protection authority this year to fine Clearview AI over its controversial facial image aggregation practices, matching a pair of its counterparts with a €20 million (U.S. $19.6 million) penalty.

e-Book: How the EU might move forward with GDPR

2022-10-20T03:05:00+01:00

Data privacy experts believe the mechanisms in place under the General Data Protection Regulation (GDPR) to ensure compliance, enforcement, and redress need revisiting—and quickly.

ICO guidance stresses importance of reasoning in employee monitoring


The U.K. Information Commissioner’s Office issued draft guidance to help ensure employers’ monitoring of staff performance does not turn into surveillance or harassment.


AI monitoring benefits must be weighed against employee skepticism


The EU’s agency for occupational safety and health released a report examining the risks and opportunities of AI-based worker management systems for employees’ physical and mental wellbeing.

U.S. includes surveillance concessions in new transatlantic data flow framework


President Joe Biden’s executive order on a data privacy framework aims to provide a workable, legally resilient solution for companies to continue moving and storing the personal data of EU-based citizens to American-based servers without running afoul of the GDPR.

Easylife fined $1.5M under GDPR for profiling customers


The Information Commissioner’s Office fined catalog retailer Easylife £1.35 million (U.S. $1.5 million) for marketing health-related products to individuals without their consent in violation of the U.K. General Data Protection Regulation.


Samsung facing class action alleging CCPA violations over data breaches


Samsung collected too much personal data from customers and failed to adequately secure it, leading to two data breaches this year and potentially millions of harmed individuals, a class-action lawsuit alleges.

TikTok facing $29M fine over U.K. children’s privacy violations


The Information Commissioner’s Office warned social media platform TikTok it could be fined £27 million (U.S. $29 million) for failing to protect children’s data in line with the U.K.’s version of the General Data Protection Regulation.

Ireland interpretations of GDPR criticized again in Instagram case


In fining Instagram a record €405 million (U.S. $405 million) for General Data Protection Regulation violations regarding the safeguarding of teenage users’ data, the Irish Data Protection Commission took some heat of its own.

CPE Webcast: Data discovery and compliance with data protection legislation

2022-09-20T11:00:00+01:00

There is an increasing need for effective data discovery in the worldwide push toward data protection and privacy legislation. Data privacy laws have been passed in 71 percent of countries, and a further 9 percent have draft legislation in progress.


South Korea data regulator fines Google, Meta combined $72M


South Korea’s data regulator fined Google and Meta a total of ₩100 billion (U.S. $72 million) for violating the country’s personal data collection law, which forbids the collection and use of personal information without user consent.

Dems seek stronger HIPAA privacy for abortion patients


Democratic senators are urging the Department of Health and Human Services to strengthen federal health privacy protections for abortion patients by updating the HIPAA Privacy Rule.

Experts: Europe’s AI Act to push companies to confront technology’s use


The Artificial Intelligence Act, along with upcoming EU rules addressing digital markets and services, should have companies considering their use of AI and other emerging technologies to determine how the laws might impact their business.


Instagram facing record $401M fine over children’s privacy violations


Instagram is set to be fined €405 million (U.S. $401 million) by Ireland’s data protection regulator for failing to adequately secure teenage users’ data in line with the General Data Protection Regulation.

FTC sues Kochava for collecting, selling mobile phone user data


Data broker Kochava has been sued by the Federal Trade Commission for selling geolocation data on hundreds of millions of mobile phone customers that could unveil sensitive personal information without their knowledge or consent.


Accor fined $600K under GDPR after EDPB intervention


French hotel chain Accor had its initial fine for cross-border data privacy violations increased sixfold after one data regulator involved in the decision-making process complained an original penalty of €100,000 (U.S. $99,900) was too low.


Sephora fined $1.2M in first public CCPA enforcement


Cosmetics retailer Sephora agreed to pay $1.2 million in the first public enforcement action under California’s landmark consumer privacy law.


Snap agrees to $35M settlement in Illinois biometric data lawsuit


Social media company Snap reached a $35 million settlement in principle to resolve an Illinois class-action lawsuit alleging violations of the state’s Biometric Information Privacy Act through the collection of “facial biometric identifiers” without users’ consent.

Google fined $42M for misleading Australian customers on data collection


Google was ordered to pay 60 million Australian dollars (U.S. $42 million) to resolve charges levied by Australia’s competition regulator that it misled its Australian customers about how to opt out of the collection of their personal location data.

FTC seeks to expand authority on data breaches, commercial surveillance


The Federal Trade Commission is seeking comment on potential rules that would penalize companies that suffer data breaches due to lax cybersecurity protocols and punish firms that engage in abusive commercial surveillance practices.


Adtech firm Criteo facing $61M GDPR fine in France


Adtech firm Criteo faces a proposed fine of €60 million (U.S. $61.4 million) from France’s data protection authority for noncompliance with the European Union’s General Data Protection Regulation.


CPE Webcast: Is your retention program ready for a penetration test?

2022-08-09T14:00:00+01:00

As organizations continue to collect and manage data, it is critical that they understand the data retention requirements within their jurisdictions and the periods for which the data needs to be retained, and that they respond to data subject access requests efficiently and defensibly.

Proposed NIST cybersecurity guide incorporates HIPAA Security Rule


The National Institute of Standards and Technology is seeking comment on proposed guidance intended to help healthcare organizations that fall under the regulatory umbrella of the Health Insurance Portability and Accountability Act’s Security Rule.


One year later, Amazon GDPR fine details remain clouded


It’s been one year since online retailer Amazon announced it was on the receiving end of a record €746 million (U.S. $758 million) fine under the General Data Protection Regulation, but details about the decision—as well as the actual complaint—remain sketchy.


Volkswagen fined $1.1M under GDPR for unauthorized data collection


Volkswagen has agreed to pay €1.1 million (U.S. $1.1 million) to resolve allegations of violating the General Data Protection Regulation when a camera on one of its test vehicles recorded nearby drivers without their knowledge.