A Little Privacy: week of July 20

–

USA

new Privacy Tool allows consumers to flag CCPA violations

California Attorney General Bonta announced a new Consumer Privacy Interactive Tool that consumers can use to notify companies of CCPA violations. The tool walks consumers through a guided questionnaire and then triggers an email to the company. AG Bonta noted that such an email may trigger the 30-day cure period for companies to comply under CCPA. AG Bonta also reported that 75% of businesses that received a notice to cure from the AG’s office over the past year for CCPA violations addressed the violationswithin the 30-day cure period. Examples of violations that the AG enforced over the last year were being slow to respond to CCPA requests, forcing users to accept data sharing when signing up for a service without a “Do Not Sell My Personal Information” option, failing to notify about the collection of information at the time of collection and in the privacy policy, and requiring personal information in exchange for participation in a loyalty program without disclosing a financial incentive.

UNIFORM PERSONAL DATA PROTECTION ACT PUBLISHED

The Uniform Law Commission released a Uniform Personal Data Protection Act that is approved and recommended for enactment in all U.S. states. Among other requirements, the Act requires that controllers obtain consent to process personal data, unless the processing is for “compatible data practices“, which is processing consistent with the ordinary expectations of data subjects or that is likely to benefit data subjects substantially.” The Act lays out factors for controllers to consider when determining whether processing is a “compatible data practice”. The Act specifically allows for for use of personal data and disclosure of pseudonymized data to deliver targeted advertising and other purely expressive content to a data subject, but it prohibits such use or disclosure to offer terms (including terms related to price or quality) to a data subject that are different from terms offered to data subjects generally, or for other differential treatment. The Uniform Law Commission is a non-profit conference of qualified representatives appointed by each state government to draft and promote enactment of uniform state laws where uniformity across states is desirable and practical. Uniform laws created by the commission are not binding law until adopted by a U.S. state legislature. Legislatures are urged to adopt Uniform laws as written to promote uniformity, but they are ultimately guidelines for legislatures to borrow from or adapt as they see fit. 

Europe

Facebook and Tiktok Face Alleged GDPR VIOLATIONS

The French data protection authority (CNIL) issued formal notices to 40 additional organizations for violations based on a failure to allow users to refuse cookies as simply as accepting them, giving them until September 6 to address the non-compliant practices. This is the CNIL’s second round of notices. The first round, sent to 40 organizations in May, resulted in a 100% compliance rate among those organizations within the required cure period. 

SCHREMS AWARDED SYMBOLIC DAMAGES IN FACEBOOK CASE

In a civil case between Max Schrems and Facebook alleging GDPR violations, the Austrian Supreme Court awarded €500 in symbolic damages to Schrems and referred questions to the Court of Justice of the European Union (CJEU) for clarification, including (a) whether Facebook can rely on consent to its platform terms of use as a lawful basis for processing under Articles 6(1)(a) (consent) and 6(1)(b) of the GDPR (processing necessary for the performance of a contract) to process data for personalized advertising; (b) whether Facebook’s aggregation, analysis and processing of all personal data held by it for targeted advertising is consistent with article 5(1)(c) (data minimization); (c) whether Article 9(1) (restricting processing of certain sensitive data categories, such as data revealing political opinions or sexual orientation) permits the targeted filtering of such data categories (e.g., for advertising) without differentiation; and (d) whether, under Articles 5(1)(b) and 9(2)(e), a statement regarding one’s sexual orientation for purposes of a panel discussion permits the processing of other data on sexual orientation for purposes of aggregating and analyzing data for personalized advertising. 

DUTCH DPA LEVIES GDPR FINE AGAINST TIKTOK

The Dutch data protection authority (AP) imposed a €750,000 fine on TikTok for providing its privacy policy to Dutch users (including children) only in English in violation of Article 12(1) of the GDPR (requiring that required disclosures be made in a concise, transparent, intelligible, and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child).  

RUSSIAN DPA CREATES NEW COMMITTEES

The Russian data protection authority (Roskomnadzor) created two new standing committees as part of its Public Council: a commission for the protection of children from destructive and dangerous content and a commission for the protection of personal data.