Companies are at serious risk of facing multiple fines for the same offense under different sets of legislation if the artificial intelligence technologies they employ misuse personal data or cause harm to consumers, according to legal experts.
GoodRx agreed to pay $1.5 million as part of a settlement reached with the Federal Trade Commission addressing allegations the telemedicine and prescription drug discount provider shared personal health data with third parties for advertising purposes.
The California attorney general announced his office notified an unspecified number of businesses with mobile apps they are failing to comply with the California Consumer Privacy Act.
The Irish Data Protection Commission announced a fine of €5.5 million (U.S. $5.9 million) against WhatsApp under the General Data Protection Regulation for forcing users to consent to updated terms and conditions or lose access to the service.
Online alcohol retailer Drizly and its chief executive officer agreed to data security requirements and to be assessed by an independent monitor for up to 20 years as part of a final settlement with the Federal Trade Commission over a data breach that impacted 2.5 million consumers.
The level of urgency around data privacy grows each year, with new laws being implemented across the globe and technologies offering enhanced means of data storage.
The Irish Data Protection Commission fined Meta Ireland a total of €390 million (U.S. $414 million) for breaching the General Data Protection Regulation by forcing users to agree their personal data can be used for targeted advertising to access Facebook and Instagram.
Expect the big developments for the compliance profession in 2022 to continue to take center stage in the year ahead, including CCO certifications, climate-related disclosures, and more.
Meta, the parent company of Facebook, agreed to pay $725 million to settle a class-action lawsuit accusing the social media giant of selling data to third parties without users’ consent.
The Irish Data Protection Commission is investigating whether Twitter violated the European Union’s General Data Protection Regulation regarding a data breach alleged to have affected 5.4 million users.
Epic Games, developer of the popular video game Fortnite, agreed to pay a record-breaking $520 million in penalties and restitution to settle allegations it violated online child privacy laws and employed illegal purchase patterns.
The government office for national statistics in Portugal was assessed a fine of €4.3 million (U.S. $4.6 million) by the country’s data protection authority for multiple violations of the General Data Protection Regulation that occurred during its 2021 census work.
Alpha Exploration, operator of the social media app Clubhouse, received a penalty from the Italian data protection authority for the unlawful processing of EU citizens’ data in violation of the General Data Protection Regulation.
Businesses not taking AML requirements seriously, years of noncompliant off-channel communications catching up to financial services titans, and a manufacturing firm that shared revenue with terrorists comprise CW’s list of the biggest ethics and compliance fails of 2022.
Determining the true owner of a company might become more difficult after Europe’s top court ruled automatic access to registers of beneficial ownership conflicted with the right to privacy.
Meta Platforms Ireland was fined €265 million (U.S. $274 million) for failing to put in place adequate measures to protect users’ data after a leak compromised the personal details of more than half a billion individuals.
A privacy and human rights advocate sued Meta Platforms in the United Kingdom, claiming the social media giant is refusing her request to stop being targeted with advertising based on her use of Facebook.
Discord, a popular communication service primarily utilized by the video game community, was assessed a fine of €800,000 (U.S. $829,000) by the French data protection authority for multiple violations of the General Data Protection Regulation related to safeguarding user data.
Google agreed to pay $391.5 million to settle charges it misled millions of users regarding a setting that tracked location data without their knowledge, according to an agreement the company reached with a coalition of 40 state attorneys general.
The Australian government is weighing stringent new privacy reforms that would establish among the steepest penalty regimes in the world—up to AUD$50 million (U.S. $33.5 million)—for serious or repeated breaches.
The Consumer Financial Protection Bureau initiated rulemaking that would require banks and other financial institutions to make a consumer’s personal financial data available to them upon request.
Google reached a first-of-its-kind settlement with the Department of Justice requiring the tech giant to hire an outside compliance expert and overhaul its legal compliance process.
It is critical for organizations to carefully assess their CPRA compliance programs to identify gaps, avoid pitfalls, and minimize risks. Even organizations that have implemented a CCPA compliance program will need to consider enhancements to meet CPRA requirements.
The Federal Trade Commission announced a tentative settlement with online alcohol delivery platform Drizly and its chief executive officer regarding a data breach affecting 2.5 million consumers and the alleged lax security that allowed it to happen.
The U.K. Information Commissioner warned companies not to ignore “crucial measures” to prevent cyber incidents following his office’s decision to fine construction firm Interserve £4.4 million (U.S. $5 million) for failing to secure employee personal information.
France’s CNIL became the fourth European data protection authority this year to fine Clearview AI over its controversial facial image aggregation practices, matching a pair of its counterparts with a €20 million (U.S. $19.6 million) penalty.
Data privacy experts believe the mechanisms in place under the General Data Protection Regulation (GDPR) to ensure compliance, enforcement, and redress need revisiting—and quickly.
The U.K. Information Commissioner’s Office issued draft guidance to help ensure employers’ monitoring of staff performance does not turn into surveillance or harassment.
The EU’s agency for occupational safety and health released a report examining the risks and opportunities of AI-based worker management systems for employees’ physical and mental wellbeing.
President Joe Biden’s executive order on a data privacy framework aims to provide a workable, legally resilient solution for companies to continue moving and storing the personal data of EU-based citizens to American-based servers without running afoul of the GDPR.
The Information Commissioner’s Office fined catalog retailer Easylife £1.35 million (U.S. $1.5 million) for marketing health-related products to individuals without their consent in violation of the U.K. General Data Protection Regulation.
Samsung collected too much personal data from customers and failed to adequately secure it, leading to two data breaches this year and potentially millions of harmed individuals, a class-action lawsuit alleges.
The Information Commissioner’s Office warned social media platform TikTok it could be fined £27 million (U.S. $29 million) for failing to protect children’s data in line with the U.K.’s version of the General Data Protection Regulation.
In fining Instagram a record €405 million (U.S. $405 million) for General Data Protection Regulation violations regarding the safeguarding of teenage users’ data, the Irish Data Protection Commission took some heat of its own.
There is an increasing need for effective data discovery in the worldwide push toward data protection and privacy legislation. Data privacy laws have been passed in 71 percent of countries, and a further 9 percent have draft legislation in progress.
South Korea’s data regulator fined Google and Meta a total of ₩100 billion (U.S. $72 million) for violating the country’s personal data collection law, which forbids the collection and use of personal information without user consent.
Democratic senators are urging the Department of Health and Human Services to strengthen federal health privacy protections for abortion patients by updating the HIPAA Privacy Rule.
The Artificial Intelligence Act, along with upcoming EU rules addressing digital markets and services, should have companies considering their use of AI and other emerging technologies to determine how the laws might impact their business.
Instagram is set to be fined €405 million (U.S. $401 million) by Ireland’s data protection regulator for failing to adequately secure teenage users’ data in line with the General Data Protection Regulation.
Data broker Kochava has been sued by the Federal Trade Commission for selling geolocation data, covering hundreds of millions of mobile phone customers, that could unveil sensitive personal information without those customers’ knowledge or consent.
French hotel chain Accor had its initial fine for cross-border data privacy violations increased sixfold after one data regulator involved in the decision-making process complained an original penalty of €100,000 (U.S. $99,900) was too low.
Cosmetics retailer Sephora agreed to pay $1.2 million in the first public enforcement action under California’s landmark consumer privacy law.
Social media company Snap reached a $35 million settlement in principle to resolve an Illinois class-action lawsuit alleging violations of the state’s Biometric Information Privacy Act through the collection of “facial biometric identifiers” without users’ consent.
Google was ordered to pay 60 million Australian dollars (U.S. $42 million) to resolve charges levied by Australia’s competition regulator that it misled its Australian customers about how to opt out from the collection of their personal location data.
The Federal Trade Commission is seeking comment on potential rules that would penalize companies that suffer data breaches due to lax cybersecurity protocols and punish firms that engage in abusive commercial surveillance practices.
Adtech firm Criteo faces a proposed fine of €60 million (U.S. $61.4 million) from France’s data protection authority for noncompliance with the European Union’s General Data Protection Regulation.
As organizations continue to collect and manage data, it is critical they understand the data retention requirements within their jurisdictions and the periods for which the data needs to be retained, and that they respond to data subject access requests efficiently and defensibly.
The National Institute of Standards and Technology is seeking comment on proposed guidance intended to help healthcare organizations that fall under the regulatory umbrella of the Health Insurance Portability and Accountability Act’s Security Rule.
It’s been one year since online retailer Amazon announced it was on the receiving end of a record €746 million (U.S. $758 million) fine under the General Data Protection Regulation, but details about the decision—as well as the actual complaint—remain sketchy.
Volkswagen has agreed to pay €1.1 million (U.S. $1.1 million) to resolve allegations of violating the General Data Protection Regulation when a camera on one of its test vehicles recorded nearby drivers without their knowledge.