
Data Privacy Enforcement – 4 weeks in

At the turn of the year, I wrote that 2023 was going to be the year of data privacy law enforcement and highlighted some of the challenges we would see in America with the arrival of the amended California Consumer Privacy Act (CCPA) and the introduction of a new State privacy law in Virginia.

I was also aware of some cases in Europe which would likely see resolution in early 2023, but even I didn’t expect the wave of enforcement actions seen during January, some of which, once resolved, may dramatically transform the advertising and analytics industries.

Below you’ll find a brief list of some of the most notable events in the world of data privacy which have taken place so far this year.

Federal Enforcement Actions

Popular telehealth and prescription drug app GoodRx has entered a settlement in a first-of-its-kind enforcement action by the Federal Trade Commission (FTC) for violation of the Health Breach Notification Rule.

The FTC complaint spans 27 pages and charges GoodRx with effectively lying to consumers: misrepresenting its HIPAA compliance, telling consumers it would not share health information for advertising (despite sharing that information with Facebook, Google, Criteo and others), retargeting advertisements based on health information, and failing to protect health-related information. Indeed, the complaint alleges that GoodRx, as late as February 2020, had no formal written standard for privacy or data sharing policies and lacked a compliance program.

GoodRx elected to enter a settlement (which still has to be approved by a judge). Under this settlement GoodRx will have to pay a fine of $1.5 million, and is required to refrain from sharing health data for advertising, to obtain consent for any other data sharing, to direct third parties to delete data which may already have been shared with them, to develop and publicly post a data retention policy, and to implement and maintain a privacy program.

This should act as a warning that companies cannot lie to consumers, and must act in accordance with their stated policies. It also highlights that those who deal with health-related data still have obligations under the FTC rules, despite not qualifying as a covered entity under HIPAA (Health Insurance Portability and Accountability Act).

Health and Human Services has guidance on when HIPAA or the FTC Act may apply. Of particular use may be the mobile health apps interactive tool, which helps to identify which law(s) may affect your mobile app. Apps that deal with health-related information would be well advised to review the complaint and see if they need to make changes to avoid similar enforcement action in the future.

State Enforcement Actions

At the State level, the California Attorney General sent a wave of CCPA non-compliance letters to businesses with mobile apps in the retail, food service and travel industries. Being the second proactive enforcement sweep we are aware of, this should act as a warning that California is serious about enforcement action.

Also worth mentioning: the California Privacy Protection Agency voted in its Feb 3rd board meeting to adopt the rulemaking package and send it onward to the Office of Administrative Law (OAL) for review. The new regulations are not yet in effect, as the OAL has 30 business days to review the proposed rules. Enforcement under the current (2020) regulations will continue in the meantime. This may mean that the regulations become enforceable some time in March of 2023, so if you have not yet prepared to ensure compliance with the draft regulations, you are quickly running out of time.

Private Enforcement Actions

Lawsuits continue to roll in on alleged violations of the Video Privacy Protection Act (VPPA). More than 47 companies to date have been named in the lawsuits and include companies such as the NBA, GameStop, CNN, and BuzzFeed.

These companies stand accused of sharing video-watching information with companies such as Facebook without consent, in violation of the VPPA. Should the suits prevail, we could see dramatic fallout across the analytics industry when it comes to video measurement.

International Events

Canada

Home Depot Canada was found to have shared personal data with Meta, through participation in Meta’s offline conversions program, when consumers had their purchase receipt emailed to them, without the knowledge or consent of the affected users.

“In this case, it is unlikely that Home Depot customers would have expected that their personal information would be shared with a third party social media platform simply because they opted for an electronic receipt. As Canada marks Data Privacy Week, it is the perfect time to remind companies that they must obtain valid consent at the point of sale to engage in this type of business activity.”

https://www.priv.gc.ca/en/opc-news/news-and-announcements/2023/nr-c_230126/

Home Depot Canada relied on implied consent buried in its privacy policy and printed on receipts, an approach which was rejected by Canada’s Privacy Commissioner.

“When customers were prompted to provide their email address, they were never informed that their information would be shared with Meta by Home Depot, or how it could be used by either company. This information would have been material to a customer’s decision about whether or not to obtain an e-receipt.”

https://www.priv.gc.ca/en/opc-news/news-and-announcements/2023/nr-c_230126/

Home Depot Canada did not prompt for consent, citing the risk of ‘consent fatigue’.

The OPC recommended that Home Depot:

  • cease disclosing personal information to Meta until it has valid consent;
  • implement measures to obtain express, opt-in consent prior to sharing information;
  • ensure meaningful consent by providing key information when consumers request an e-receipt.

Home Depot Canada agreed to implement the recommendations, and stopped sharing information with Meta in October 2022.

Europe

Several major events happened in Europe over the last several weeks.

First, the European Data Protection Board (EDPB) resolved disagreements over the Irish DPA’s handling of enforcement against Facebook, Instagram and WhatsApp. The decisions against Facebook and Instagram run nearly 175 pages, and dismantled Meta’s claim of ‘performance of a contract’ as the legal basis allowing it to use personal data for advertising without consent.

Meta now has to decide whether to shift to ‘Consent’ as a legal basis, or to attempt a ‘Legitimate Interest’ claim. The latter is difficult and subject to a balancing test.

In a shareholder meeting on February 1st, Meta stated its intention to contest the ruling in the courts, which is unsurprising, as the ruling as it stands threatens its business model in the European Union.

Secondly, the EDPB adopted a report on use of public cloud architecture. Notably, the report says that any use of foreign cloud providers may increase the risk of GDPR violations, and recommends the use of ‘sovereign’ or European based providers as a risk mitigation measure.

Third, the EDPB adopted a report from the Cookie Banner Taskforce, which, working with NOYB, sought to standardize the ‘floor’ for consent banner enforcement. The report speaks to topics such as having a reject button on the first consent layer, use of pre-checked boxes, issues with color and contrast, and claims of legitimate interest.

The report is thus a good baseline to consider when deciding on your consent strategy and how you may want to proceed to reduce the chance of enforcement action.

Finally, some notable fines out of Europe:
