CJEU Ruling Broadens Scope of Sensitive Data Under GDPR

Want to receive these weekly privacy recaps in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.

USA

CARU Finds COPPA Violations By “Mixed Audience” App

Firefly games, operator of the LOL Surprise! Room Makeover app, agreed to take corrective actions after the Children’s Advertising Review Unit (CARU) of BBB National Programs found the app to constitute a “mixed audience” app under the Children’s Online Privacy Protection Act (COPPA), triggering certain requirements that CARU found the app was failing to fulfill.

Notably, the app was found to be collecting, and allowing third parties to collect, personal information through its app without verifying age or obtaining parental consent of users under 13.

Additionally, the app’s privacy disclosures were found to be inconsistent with the app’s actual practices.

WHY IT MATTERS

The FTC has made clear in its COPPA Frequently Asked Questions that “mixed audience” sites or services that are directed to children under 13 but not as the primary audience (e.g., the site also targets adults or older teens), should either treat all users as children or implement an age screen to collect personal information only from children 13 and older without parental consent.

These requirements may get even more protective of children and teens. Although COPPA currently only governs children under 13, a bill recently introduced by the U.S.

Senate would expand COPPA, requiring consent from minors ages 13-16 for targeted marketing and prohibiting targeted marketing to children under 13.

In the meantime, the Better Business Bureau’s Center for Industry Self-Regulation’s TeenAge Privacy Program Roadmap encourages businesses providing products or services appealing to teen audiences to establish the age of users and obtain opt-in consent before engaging in behavioral advertising to known teens, along with conspicuous disclosures that targeted ads may be shown and an explanation of tracking technologies.  

New Law Extends Funding / Privacy Directives to NIST

President Biden signed into law the Research and Development, Competition and Innovation Act, which, among other provisions, extends $1.5 billion in funding to the National Institute of Standards and Technology (NIST).

Among other directives, the act directs NIST to facilitate and support the development of best practices to improve privacy protections in systems, technologies and processes used by the public and private sector, as well as for the design, adoption and deployment of privacy enhancing technologies.

WHY IT MATTERS

The NIST Privacy Framework is designed to serve as a common set of standards and terminology, compatible with domestic and international legal and regulatory regimes.

Although the framework is voluntary, Ohio introduced a state privacy law this year that would have created a safe harbor from its requirements for companies that comply with the NIST privacy framework. 

EUROPE

Bank Fined 900,000 Euros for Profiling / Targeting Without Consent

 Lower Saxony’s State Commissioner for Data Protection (LfD) imposed a 900,000 euro fine on a bank that used a service provider to profile users for advertising purposes based on digital usage behavior indicating an inclination for digital media (e.g., making purchases in app stores, using account statement printers, and making transfers in online banking).

Information about the practice was sent to customers in advance, but actual consent was not obtained. 

WHY IT MATTERS

The press release notes the LfD’s increasing awareness of cases in which companies are processing information for profiling purposes that was initially lawfully processed for a different purpose.

State data protection officer Barbar Thiel pointed out that legitimate interest “does not allow profiles to be created for advertising purposes by evaluating large databases” and that, instead, consent must be obtained. 

CJEU Ruling Broadens Scope of Sensitive Data Under GDPR

 In a case referred by a regional court of Lithuania involving the online publication of certain personal information, including names of individuals and their spouses, the Court of Justice of the European Union found that, although the names are not inherently sensitive information under the GDPR, it is possible to deduce from the information the sexual orientation of the listed individuals.

The court found that in this case the publication of such information constitutes processing of special categories of personal data.

In its reasoning, the court noted that the data are “capable of revealing the sexual orientation of a natural person by means of an intellectual operation involving comparison or deduction.” 

WHY IT MATTERS

The decision may indicate a need for companies to take a closer look at whether the data they gather may, in combination, be capable of revealing certain sensitive information, even if the data elements on their own would not fall into GDPR’s special categories of personal data.

Those special categories include: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life, or sexual orientation.

Want more of the privacy highlights that matter to adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.