Below is some of the most notable privacy news for the month of February 2023.
CNIL vs. Microsoft, Apple and TikTok.
France’s data protection authority, the CNIL, was also handing out Big Tech fines this month. Microsoft received a € 60 million fine for unlawful cookie consent mechanisms on the Bing search engine, as it had placed trackers without fully informing the user and made refusal more difficult. Implementing a recommendation by its rapporteur last month, CNIL also fined Apple € 8 million, as older versions of its iPhone operating system, iOS version 14.6, had placed trackers on users’ terminals as soon as they visited the App Store, without consent. Finally, third in its list of cookie consent penalties, CNIL handed TikTok a € 5 million fine for failures in informing users and difficulties in refusing consent. The announcement for the Microsoft fine can be read here, the Apple one here and the TikTok one here.
Department of Justice vs. Google.
The US Department of Justice filed an antitrust suit against Alphabet, Google’s parent company, seeking a breakup of its ad-tech business. Along with eight state attorneys general, the DOJ is accusing Google of monopolistic and anti-competitive behavior in the online advertising industry. The announcement can be read here.
NIST AI Risk Management Framework.
The National Institute of Standards and Technology published its first Artificial Intelligence Risk Management Framework, widely hailed as a key step in developing a national AI development strategy. Among the “responsible AI” principles are cybersecurity, transparency, accountability, unfair bias and privacy. On the latter, the NIST Framework not only promotes data minimization and de-identification, but also the implementation of “privacy-enhancing technologies”. The document can be read here.
Federal TikTok Ban Bill, State TikTok Ban Executive Order.
Following the ban of TikTok on government devices last year, Congressman Ken Buck and Senator Josh Hawley introduced a bill to ban TikTok on all US devices, as well as any commercial transactions with its parent company, ByteDance. The bill can be read here, with commentary available here. This follows the prohibition of TikTok, WeChat and potentially other apps on state devices in North Carolina, signed through an executive order earlier this month. The executive order is available here.
Facial recognition at Madison Square Garden.
Using facial recognition technology, Madison Square Garden identified and ejected multiple lawyers representing clients with pending cases against them. After rallies by numerous elected officials and privacy advocates, the New York state attorney general announced an investigation into the matter, sending a public letter to the corporation in charge of the venue, mentioning potential human rights violations. The announcement can be read here.
Google Class Action, Facebook Cambridge Analytica Class Action settlements.
Both Google and Meta reached multi-million dollar settlements over pending privacy class action suits. Meta’s Facebook reached a $ 725 million settlement over a class-action suit prompted by the 2018 Cambridge Analytica scandals, hailed by the plaintiffs’ attorneys as the “largest recovery ever achieved in a data privacy class action”. In the meantime, Google agreed to a $ 23 million settlement of a class action alleging it leaked users’ search queries to publishers, with an estimated 200 million US web users eligible to claim. Shortly thereafter, Google settled for $ 9.5 million with DC’s attorney general for the use of deceptive “dark patterns” and ignoring explicit consent withdrawals in location tracking. More on the Facebook settlement is available here, and more on the Google class action is available here, with the location tracking settlement covered here.
Irish Data Protection Commission fines Meta 390 million euros for GDPR violation.
Ireland’s Data Protection Commission fined Meta for unlawfully processing personal data for behavioral advertising purposes based upon the contract legal basis. Meta required Facebook and Instagram users to agree to a Terms of Service that stated that the platforms can use personal data for the purpose of behavioral advertising, which was in violation of GDPR. Learn more here.
Colorado Attorney General’s office releases revisions to Colorado Privacy Act draft regulations.
Changes from the previous revisions released in January include updates to business requirements for Privacy Policies, universal opt-out mechanisms, and honoring consumer rights and opt-out requests. While the regulations are not yet finalized, the Colorado Privacy Act goes into effect on July 1, 2023. Learn more here.
Class action lawsuit filed against Chick-fil-A for allegedly violating the U.S. Video Privacy Protection Act.
The lawsuit claimed that the company violated the law by sharing viewership data of its “Stories of Evergreen Hills” videos with Facebook’s parent company, Meta. Plaintiffs argue that an embedded Meta pixel on the website collected personal information without viewers’ consent. Read more here.
CPPA announces board meeting.
The California Privacy Protection Agency Board will hold a meeting on February 3 regarding potential action on draft CPRA regulations. Any action by the board would mean a potential April release date for final regulations. Read more here.
What privacy bills are we tracking?
As part of our service, we keep track of privacy bills that would affect the way Privacy Policies are written. Below is our most recent list of privacy bill proposals in the United States. You can access the privacy bill tracker any time on our blog.
- Hawaii – HI SB1110/HB1497;
- Hawaii – HI SB 974;
- Indiana – IL SB5;
- Indiana – IL HB 1554;
- Iowa House File 2506;
- Iowa House Study Bill 12;
- Kentucky – KY S 15;
- Massachusetts – MA HD2281/SB745;
- Massachusetts – MA HD3263/SD1971;
- Mississippi – MS SB 2080;
- Minnesota – MN SF950;
- New Hampshire – NH SB255;
- New York – NY S2277;
- New York – NY SB365;
- New York – NY SB3162;
- New Jersey – NJ S 332;
- New Jersey – NJ A505;
- New Jersey – NJ A 1971;
- Oklahoma – OK HB1030;
- Tennessee – TN SB73;
- Washington – WA HB1616;
- Vermont – VT HB121.
Here are some great virtual events that you can attend to learn more about the hottest issues in privacy and meet other privacy professionals:
- Growth of FTC enforcement in 2022 and what to expect in 2023 – January 31, 2023;
- 2023 Antitrust Law Section Consumer Protection & Data Privacy Conference – February 8, 2023;
- Careers in privacy 2023: bull or bear market? – February 9, 2023.
Donata is the Co-founder and President of Termageddon, an auto-updating generator of website and application policies. She is a licensed attorney and Certified Information Privacy Professional. She also serves as the Vice-Chair of the American Bar Association’s ePrivacy Committee and the Chair of the Chicago Chapter of the International Association of Privacy Professionals. In her free time, Donata enjoys beekeeping, hunting for morel mushrooms, and walks with her husband and two dogs.