Experts: New AI laws pose risk of overlap with data protection mandates
Companies are at serious risk of facing multiple fines for the same offense under different sets of legislation if the artificial intelligence technologies they employ misuse personal data or cause harm to consumers, according to legal experts.
GoodRx facing $1.5M fine over improper sharing of health data
GoodRx agreed to pay $1.5 million as part of a settlement reached with the Federal Trade Commission addressing allegations the telemedicine and prescription drug discount provider shared personal health data with third parties for advertising purposes.
California AG launches CCPA violation sweep against mobile apps
The California attorney general announced his office notified an unspecified number of businesses with mobile apps they are failing to comply with the California Consumer Privacy Act.
WhatsApp fined $5.9M for lawful processing GDPR violations
The Irish Data Protection Commission announced a fine of €5.5 million (U.S. $5.9 million) against WhatsApp under the General Data Protection Regulation for forcing users to consent to updated terms and conditions or lose access to the service.
Drizly data security to be monitored for 20 years under FTC order
Online alcohol retailer Drizly and its chief executive officer agreed to data security requirements and to be assessed by an independent monitor for up to 20 years as part of a final settlement with the Federal Trade Commission over a data breach that impacted 2.5 million consumers.
Survey: Data retention in 2023
The level of urgency around data privacy grows each year, with new laws being implemented across the globe and technologies offering enhanced means of data storage.
Meta fined $414M for targeted advertising GDPR breaches
The Irish Data Protection Commission fined Meta Ireland a total of €390 million (U.S. $414 million) for breaching the General Data Protection Regulation by forcing users to agree their personal data can be used for targeted advertising to access Facebook and Instagram.
Ten things I’d like to see happen in 2023 (2022 in review)
Expect big developments for the compliance profession in 2022 to continue to take center stage in the year ahead, including CCO certifications, climate-related disclosures, and more.
Meta to pay $725M to settle privacy class-action lawsuit
Meta, the parent company of Facebook, agreed to pay $725 million to settle a class-action lawsuit accusing the social media giant of selling data to third parties without users’ consent.
Irish DPC probing Twitter over breach affecting 5.4M users
The Irish Data Protection Commission is investigating whether Twitter violated the European Union’s General Data Protection Regulation regarding a data breach alleged to have affected 5.4 million users.
Epic Games to pay $520M over COPPA, trick purchase charges
Epic Games, developer of the popular video game Fortnite, agreed to pay a record-breaking $520 million in penalties and restitution to settle allegations it violated online child privacy laws and employed illegal purchase patterns.
Portugal statistics office fined record $4.6M for GDPR violations
The government office for national statistics in Portugal was assessed a fine of €4.3 million (U.S. $4.6 million) by the country’s data protection authority for multiple violations of the General Data Protection Regulation that occurred during its 2021 census work.
Clubhouse app operator fined $2M for GDPR violations
Alpha Exploration, operator of the social media app Clubhouse, received a penalty from the Italian data protection authority for the unlawful processing of EU citizens’ data in violation of the General Data Protection Regulation.
Top ethics and compliance failures of 2022
Businesses not taking AML requirements seriously, years of noncompliant off-channel communications catching up to financial services titans, and a manufacturing firm that shared revenue with terrorists comprise CW’s list of the biggest ethics and compliance fails of 2022.
Experts: AML efforts dealt blow by CJEU beneficial ownership ruling
Determining the true owner of a company might become more difficult after Europe’s top court ruled automatic access to registers of beneficial ownership conflicted with the right to privacy.
Meta fined $274M under GDPR for data scraping breach
Meta Platforms Ireland was fined €265 million (U.S. $274 million) for failing to put in place adequate measures to protect users’ data after a leak compromised the personal details of more than half a billion individuals.
Privacy advocate sues Meta over targeted ad GDPR violation claims
A privacy and human rights advocate sued Meta Platforms in the United Kingdom, claiming the social media giant is refusing her request to stop being targeted with advertising based on her use of Facebook.
Discord fined $830K for GDPR lapses
Discord, a popular communication service primarily utilized by the video game community, was assessed a fine of €800,000 (U.S. $829,000) by the French data protection authority for multiple violations of the General Data Protection Regulation related to safeguarding user data.
Google to pay record $391.5M in settlement with states over location tracking
Google agreed to pay $391.5 million to settle charges it misled millions of users regarding a setting that tracked location data without their knowledge, according to an agreement the company reached with a coalition of 40 state attorneys general.
Australia privacy law proposal sets steep penalty mark for breaches
The Australian government is weighing stringent new privacy reforms that would establish among the steepest penalty regimes in the world—up to AUD$50 million (U.S. $33.5 million)—for serious or repeated breaches.
CFPB outlines rule mandating FIs provide customers their data
The Consumer Financial Protection Bureau initiated rulemaking that would require banks and other financial institutions to make a consumer’s personal financial data available to them upon request.
Google agrees to legal compliance monitor under novel DOJ settlement
Google reached a first-of-its-kind settlement with the Department of Justice requiring the tech giant to hire an outside compliance expert and overhaul its legal compliance process.
CPE Webcast: Why your CPRA compliance strategy is broken and how to fix it
It is critical for organizations to carefully assess their CPRA compliance programs to identify gaps, avoid pitfalls, and minimize risks. Even organizations that have implemented a CCPA compliance program will need to consider enhancements to meet CPRA requirements.
FTC places restrictions on CEO in Drizly enforcement proposal
The Federal Trade Commission announced a tentative settlement with online alcohol delivery platform Drizly and its chief executive officer regarding a data breach affecting 2.5 million consumers and the alleged lax security that allowed it to happen.
ICO warns of ‘complacency’ in fining Interserve $5M under GDPR
The U.K. Information Commissioner warned companies not to ignore “crucial measures” to prevent cyber incidents following his office’s decision to fine construction firm Interserve £4.4 million (U.S. $5 million) for failing to secure employee personal information.
French DPA latest to fine Clearview AI over GDPR violations
France’s CNIL became the fourth European data protection authority this year to fine Clearview AI over its controversial facial image aggregation practices, matching a pair of its counterparts with a €20 million (U.S. $19.6 million) penalty.
e-Book: How the EU might move forward with GDPR
Data privacy experts believe the mechanisms in place under the General Data Protection Regulation (GDPR) to ensure compliance, enforcement, and redress need revisiting—and quickly.
ICO guidance stresses importance of reasoning in employee monitoring
The U.K. Information Commissioner’s Office issued draft guidance to help ensure employers’ monitoring of staff performance does not turn into surveillance or harassment.
AI monitoring benefits must be weighed against employee skepticism
The EU’s agency for occupational safety and health released a report examining the risks and opportunities of AI-based worker management systems for employee’s physical and mental wellbeing.
U.S. includes surveillance concessions in new transatlantic data flow framework
President Joe Biden’s executive order on a data privacy framework aims to provide a workable, legally resilient solution for companies to continue moving and storing the personal data of EU-based citizens to American-based servers without running afoul of the GDPR.
Easylife fined $1.5M under GDPR for profiling customers
The Information Commissioner’s Office fined catalog retailer Easylife £1.35 million (U.S. $1.5 million) for marketing health-related products to individuals without their consent in violation of the U.K. General Data Protection Regulation.
Samsung facing class action alleging CCPA violations over data breaches
Samsung collected too much personal data from customers and failed to adequately secure it, leading to two data breaches this year and potentially millions of harmed individuals, a class-action lawsuit alleges.
TikTok facing $29M fine over U.K. children’s privacy violations
The Information Commissioner’s Office warned social media platform TikTok it could be fined £27 million (U.S. $29 million) for failing to protect children’s data in line with the U.K.’s version of the General Data Protection Regulation.
Ireland interpretations of GDPR criticized again in Instagram case
In fining Instagram a record €405 million (U.S. $405 million) for General Data Protection Regulation violations regarding the safeguarding of teenage users’ data, the Irish Data Protection Commission took some heat of its own.
CPE Webcast: Data discovery and compliance with data protection legislation
There is an increasing need for effective data discovery in the worldwide push toward data protection and privacy legislation. Data privacy laws have been passed in 71 percent of countries, and a further 9 percent have draft legislation in progress.
South Korea data regulator fines Google, Meta combined $72M
South Korea’s data regulator fined Google and Meta a total of ₩100 billion (U.S. $72 million) for violating the country’s personal data collection law, which forbids the collection and use of personal information without user consent.
Dems seek stronger HIPAA privacy for abortion patients
Democratic senators are urging the Department of Health and Human Services to strengthen federal health privacy protections for abortion patients by updating the HIPAA Privacy Rule.
Experts: Europe’s AI Act to push companies to confront technology’s use
The Artificial Intelligence Act, along with upcoming EU rules addressing digital markets and services, should have companies considering their use of AI and other emerging technologies to determine how the laws might impact their business.
Instagram facing record $401M fine over children’s privacy violations
Instagram is set to be fined €405 million (U.S. $401 million) by Ireland’s data protection regulator for failing to adequately secure teenage users’ data in line with the General Data Protection Regulation.
FTC sues Kochava for collecting, selling mobile phone user data
Data broker Kochava has been sued by the Federal Trade Commission for selling geolocation data on hundreds of millions of mobile phone customers that could unveil sensitive personal information without their knowledge or consent.
Accor fined $600K under GDPR after EDPB intervention
French hotel chain Accor had its initial fine for cross-border data privacy violations increased sixfold after one data regulator involved in the decision-making process complained an original penalty of €100,000 (U.S. $99,900) was too low.
Sephora fined $1.2M in first public CCPA enforcement
Cosmetics retailer Sephora agreed to pay $1.2 million in the first public enforcement action under California’s landmark consumer privacy law.
Snap agrees to $35M settlement in Illinois biometric data lawsuit
Social media company Snap reached a $35 million settlement in principle to resolve an Illinois class-action lawsuit alleging violations of the state’s Biometric Information Privacy Act through the collection of “facial biometric identifiers” without users’ consent.
Google fined $42M for misleading Australian customers on data collection
Google was ordered to pay 60 million Australian dollars (U.S. $42 million) to resolve charges levied by Australia’s competition regulator it misled its Australian customers about how to opt out from the collection of their personal location data.
FTC seeks to expand authority on data breaches, commercial surveillance
The Federal Trade Commission is seeking comment on potential rules that would penalize companies that suffer data breaches due to lax cybersecurity protocols and punish firms that engage in abusive commercial surveillance practices.
Adtech firm Criteo facing $61M GDPR fine in France
Adtech firm Criteo faces a proposed fine of €60 million (U.S. $61.4 million) from France’s data protection authority for noncompliance with the European Union’s General Data Protection Regulation.
CPE Webcast: Is your retention program ready for a penetration test?
As organizations continue to collect and manage data, it is critical they understand the data retention requirements within their jurisdictions and the periods in which the data needs to be retained and respond to data subject access requests efficiently and defensibly.
Proposed NIST cybersecurity guide incorporates HIPAA Security Rule
The National Institute of Standards and Technology is seeking comment on proposed guidance intended to help healthcare organizations that fall under the regulatory umbrella of the Health Insurance Portability and Accountability Act’s Security Rule.
One year later, Amazon GDPR fine details remain clouded
It’s been one year since online retailer Amazon announced it was on the receiving end of a record €746 million (U.S. $758 million) fine under the General Data Protection Regulation, but details about the decision—as well as the actual complaint—remain sketchy.
Volkswagen fined $1.1M under GDPR for unauthorized data collection
Volkswagen has agreed to pay €1.1 million (U.S. $1.1 million) to resolve allegations of violating the General Data Protection Regulation when a camera on one of its test vehicles recorded nearby drivers without their knowledge.