Mobile health apps must follow FTC breach notice rule after update
Mobile health applications and similar technology must notify customers following a data breach or risk violating the Federal Trade Commission’s Health Breach Notification Rule, under a broad update approved by the agency.
TikTok bans mount across globe amid EU, U.S. crackdown
TikTok is suspending new features amid an inquiry by the European Commission into its compliance with the Digital Services Act, all while responding to a U.S. ban just signed into law.
CFTC commissioner calls for AI framework in commodities markets
A commissioner at the Commodity Futures Trading Commission is calling for the agency to launch initiatives addressing the use—and misuse—of artificial intelligence tools in commodities markets.
Czech DPA fines Avast $15M over GDPR violations
The Czech Republic’s data protection authority issued a fine of 351 million Czech koruna (U.S. $15 million) against antivirus software vendor Avast for alleged violations of the General Data Protection Regulation.
EDPB decision sparks ‘consent or pay’ debate for Big Tech firms
Big Tech firms might need to rethink their plans to charge users for not selling their personal data for behavioral advertising following a decision by Europe’s primary data regulator.
U.S. senator calls for Temu ban over forced labor, privacy concerns
Sen. Tom Cotton (R-Ark.) is calling on the Biden administration to investigate and ban Chinese e-commerce company Temu over forced labor and data privacy violation concerns.
Focused on consumer privacy? Don’t forget employees’ rights
The implications of a privacy rights case involving a U.K.-based Uber Eats driver underscore a popular belief that companies prioritize protecting the personal information of their customers over the data rights of their employees.
Key lawmakers put forward bipartisan American Privacy Rights Act
A bipartisan consumer privacy bill released by Sen. Maria Cantwell (D-Wash.) and Rep. Cathy McMorris Rodgers (R-Wash.) would provide the broad, comprehensive protections businesses and Americans have called for, according to the lawmakers.
CPPA warns of collecting too much data in first enforcement advisory
The California Privacy Protection Agency warned businesses to stop asking for excessive information from consumers who have requested to opt out of having their data collected or who are otherwise exercising their privacy rights under the California Consumer Privacy Act.
New leadership no easy fix for Irish DPC’s GDPR woes
The Irish Data Protection Commission has a new leadership structure, but it is uncertain whether the changes can get the key privacy regulator caught up on enforcement of the General Data Protection Regulation.
ICO primed for enforcement increase behind new fining guidance?
The Information Commissioner’s Office updated its data protection fining guidance to provide companies with greater transparency and clarity about how and why it would issue penalties for a breach of the U.K. General Data Protection Regulation or Data Protection Act 2018.
DOT launches first data privacy review of 10 biggest airlines
The U.S. Department of Transportation is looking to thwart the nation’s 10 largest airlines from monetizing passenger data or selling it to third parties.
Privacy by design a silver bullet for stemming AI risks?
The proliferation of artificial intelligence technologies—and their reliance on publicly available data—has reinforced the need for tech developers and the companies using their solutions to ensure privacy by design and by default is at the crux of any offering.
Italian DPA fines UniCredit $3M over data breach GDPR lapses
The Italian data protection authority announced a fine of €2.8 million (U.S. $3 million) against UniCredit for alleged violations of the General Data Protection Regulation regarding insufficient security measures the bank had in place during a cyberattack.
FTC ‘will not stand for’ misuse of browsing, location data
The Federal Trade Commission is amid a crackdown on businesses misusing browsing and location data that provide enough information to be used to identify nonconsenting consumers.
CPE Webcast: Applying traditional TPRM security and data privacy practices in the digital space
This webinar explores the compliance challenges posed by evolving privacy regulations and the recent explosion of class-action litigation arising from third-party advertising technology on websites.
Biden executive order to target commercial data broker activities
A new executive order seeks to put clamps on the sale of Americans’ personal data by data brokers and other companies to certain countries found to be of national security concern.
Avast to pay $16.5M in FTC case over deceptive data selling
The Federal Trade Commission proposed Avast pay $16.5 million and be prohibited from selling any browser data to settle charges the software provider sold consumer information to third parties after promising it would not.
DoorDash fined $375K in second public CCPA enforcement
Food delivery company DoorDash agreed to pay a $375,000 fine as part of a settlement announced by California Attorney General Rob Bonta addressing alleged violations of the California Consumer Privacy Act.
Public consultation on GDPR opens door for changes
Feedback from a European Commission consultation on the six years of enforcement of the General Data Protection Regulation could result in tweaks to the rules and potential changes to the way data protection authorities enforce them.
LRN survey: Compliance programs shifting focus from bribery, corruption
Many ethics and compliance programs have refocused their efforts away from bribery and corruption and onto data security and privacy, complex government regulations, artificial intelligence security, and other contemporary challenges, a survey from LRN found.
Toeing the ‘fine line’ of cloud security compliance
When organizations move their data or operations to the cloud, the compliance team has their work cut out and then some, experts discussed at CW’s Cyber Risk & Data Privacy Summit.
The blurred lines of employee monitoring under GDPR
The French data regulator’s fine against an Amazon warehouse manager for violating employees’ rights to privacy in the workplace once again raises questions about what constitutes an overzealous approach to employee monitoring and why companies fail to recognize the signs.
Examining precedent set by French DPA’s Amazon employee monitoring fine
The decision by France’s data regulator to fine an Amazon warehouse manager for breaches of the General Data Protection Regulation over the way it monitored employee productivity raises questions about the reach data protection authorities have over corporate conduct.
Alphabet to pay shareholders $350M over Google+ privacy lapses
Alphabet, the parent company of technology giant Google, agreed to pay $350 million in a preliminary settlement with shareholders over alleged data privacy violations and materially false and misleading statements linked to now-defunct social media site Google+.
Compliance with growing number of U.S. privacy laws ‘a matter of culture change’
Different deadlines associated with the 13 U.S. state privacy laws currently on the books, including grace periods and enforcement dates, have proven challenging for compliance, experts discussed at CW’s Cyber Risk & Data Privacy Summit.
Uber facing $11M fine over driver privacy rights violations
Ride-hailing company Uber Technologies was assessed a penalty of €10 million (U.S. $11 million) by the Dutch Data Protection Authority for alleged privacy rights violations regarding the handling of European drivers’ personal data.
Meta’s ‘pay or consent’ model to force GDPR to adapt?
Experts weigh in on Meta’s plans to charge EU users monthly if they do not want to be tracked for online advertising and what the ramifications of the model would mean for the future of the General Data Protection Regulation.
Calif. AG launches sweep into streaming apps’ compliance with CCPA
California Attorney General Rob Bonta announced the launch of an investigative sweep targeting popular streaming apps and devices, alleging noncompliance with the California Consumer Privacy Act.
ICO seeking input on generative AI to inform guidance
The U.K. Information Commissioner’s Office is seeking input from developers, users, and those interested in generative artificial intelligence to help inform policy and guidance regarding the technology.
Amazon unit fined $35M under GDPR for employee productivity tracking
Amazon’s warehouse management arm in France was assessed a penalty of €32 million (U.S. $35 million) for violating the General Data Protection Regulation by excessively tracking the productivity of employees.
GDPR-minded Microsoft offers cloud customers EU-based personal data storage
Microsoft announced an expansion to its European Union data storage efforts that would allow cloud customers to keep all personal data stored within the EU boundary.
FTC bans Outlogic from selling sensitive location data in landmark action
Data broker Outlogic will be subject to the Federal Trade Commission’s first ban on the use, sale, or disclosure of sensitive location data as part of a proposed order announced by the agency.
CPPA preview: Cybersecurity audit regs nearing formal proposal
Companies with business in California could face tough new cybersecurity mandates under draft regulations that could be headed for formal rulemaking as soon as Friday.
Compliance lessons from Rite Aid facial recognition case
The Federal Trade Commission was clear in its recent enforcement action against Rite Aid regarding its expectations for companies using facial recognition technology or any biometric security or surveillance systems.
Ethical compliance for facial recognition technology
The lack of clear regulations and guidelines for the ethical use of facial recognition technology further exacerbates concerns of discriminatory practices and potential infringements on human rights.
FTC seeking comment on proposed COPPA enhancements
The Federal Trade Commission issued a notice of proposed rulemaking to strengthen data security requirements and modernize certain aspects of the Children’s Online Privacy Protection Act Rule.
Shades of GDPR? Experts assess AI Act as global standard
As the European Union’s AI Act sets its sights on 2026 to take full effect, experts are concerned other key jurisdictions might introduce divergent legislation that treats artificial intelligence use differently, thus making it difficult for companies to ensure compliance.
Rite Aid gets 5-year facial recognition use ban from FTC
Retail pharmacy chain Rite Aid agreed to a five-year ban on its use of facial recognition technology for surveillance purposes as part of a settlement with the Federal Trade Commission.
Assessing impact of court ruling on GDPR strict liability
The idea companies can be held “strictly liable” for violations of the European Union’s privacy rules was shot down, following a judgment from Europe’s top court relating to a case involving German property company Deutsche Wohnen.
Top ethics and compliance failures of 2023
A virtual currency exchange that sought to mislead regulators, banks failing after ignoring obvious risks, and a manufacturer that sold millions of its products in violation of U.S. export controls are among those that make up CW’s list of the biggest ethics and compliance fails of 2023.
Experts: More privacy rules, enforcement expected in 2024
Businesses can prepare for a bumpy ride as the 2024 global landscape of data privacy and other related laws and regulations begins to take shape.
Deutsche Wohnen earns CJEU win in high-profile GDPR appeal
German property company Deutsche Wohnen’s court win regarding a penalty levied against it for alleged violations of the General Data Protection Regulation carries notable ramifications for enforcement of the EU privacy law.
Automated decision-making tech rules added to crowded CPPA agenda
The California Privacy Protection Agency drafted its rules to apply the rights allowed to residents under the California Consumer Privacy Act to automated decision-making technology used by businesses.
Compliance officers share lack of faith in off-channel comms monitoring policies
Addressing employee use of off-channel communications for conducting business was clearly on the minds of compliance officers who responded to our “Inside the Mind of the CCO” survey, but their confidence in their related policies and procedures was surprisingly weak.
Medical center to pay $80K for Covid-19 patient info shared with media
Saint Joseph’s Medical Center agreed to pay $80,000 as part of a settlement with the Department of Health and Human Services’ Office for Civil Rights for potential violations of the Health Insurance Portability and Accountability Act.
Experts: ICO apology to ex-CEO does not absolve NatWest of GDPR liability
Just because Alison Rose received a public apology from the U.K. Information Commissioner’s Office regarding the suggestion she might have violated the General Data Protection Regulation doesn’t mean NatWest could avoid sanction.
Axpo Italia fined $10.5M in GDPR case over data processing
Axpo Italia, a producer and trader of renewable energy products, was penalized under the General Data Protection Regulation by the Italian data protection authority for processing inaccurate and outdated personal data of customers.
CPE Webcast: Privacy 201: Moving from concepts to implementation
In a world where privacy regulations are in constant flux, it’s essential to transition from mere concepts and sporadic projects to build a robust, adaptable, and sustainable privacy program.
The value of sales and compliance allyship
“Every compliance activity is a sales activity,” writes Al Raymond, privacy compliance officer at ZoomInfo, regarding his team’s approach to demonstrate to sales how a strong control environment can be a competitive advantage.