Privacy News: August 29

Getting the week off to a good start!

Sephora to pay $1.2m to settle California privacy law claims

Jessica Lyons Hardcastle, The Register (theregister.com)

Sephora failed to disclose to consumers that it was selling their personal information, and failed to process user requests to opt out of sale via user-enabled global privacy controls in violation of the CCPA.  The settlement is relatively small – only $1.2 million – but important, because it establishes that regulations global privacy controls will be enforced and that California is taking a broad view of what is considered "sale" of data.

FIND OUT MORE:

• Attorney General Bonta Announces Settlement with Sephora as Part of Ongoing Enforcement of California Consumer Privacy Act, the  Office of the Attorney General's press release  (oag.ca.gov)
• Sephora pays $1.2 million to settle a California suit accusing it of selling customer data without telling them, Don Thompson, Associated Press (latimes.com)

Privacy after Roe

FTC sues data broker Kochava for sale of people’s sensitive location data, including visits to reproductive health clinics

Sarah Perez on TechCrunch (techcrunch.com)

The U.S. Federal Trade Commission (FTC) on Monday announced it has filed a lawsuit against data broker Kochava Inc. for selling geolocation data from “hundreds of millions of mobile devices,” it says, which could be used to trace the movements of individuals including those to and from sensitive locations. Specifically, the FTC said the data could reveal people’s visits to places like reproductive health clinics, domestic violence or homeless shelters, addiction recovery centers and places of worship.

FIND OUT MORE: FTC Sues Kochava for Selling Data that Tracks People at Reproductive Health Clinics, Places of Worship, and Other Sensitive Locations, the FTC's press release (ftc.gov)

Also ...

McMaster throws cold water on controversial Senate bill to ban abortion information in South Carolina, Joseph Bustos, The State (thestate.com): South Carolina's a controversial bill that aimed to ban the sharing of information about abortion resources will not go forward.  However, as EFF points out, this bill is based on a model from the National Right to Life Coalition, so is likely to show up in other states.

Federal privacy legislation

Privacy bill triggers lobbying surge by data brokers

Alfred Ng on POLITICO (politico.com)

Data brokers, who make money selling people's data (usually without consent), say that the proposed American Data Privacy and Protection Act could put restrictions on their industry and its work with law enforcement.  Well  yeah, that's the idea! As researcher Wolfie Christl says, “Law enforcement and fraud prevention shouldn’t be a free pass to collect and sell disproportionately excessive data on the whole population.”

But the brokers, including U.K.-based data giant RELX and credit reporting agency TransUnion, aren't up for that.  They want changes to the bill, arguing that otherwise it will cause problems for investigations of crimes. Some data brokers also want clearer permission to use third-party data for advertising purposes, and working to “ensure that fraud prevention products can continue providing meaningful consumer protections.”  In fact, at least four new exceptions got  added to the latest version (Secs. 102(1), 203(E)(1)(e), 203(E)(3)(A)(vi), 209(b)(2)), so it seems like the lobbying's having an effect.

SEE ALSO: Wolfie Christl's Twitter thread.

And ...

Trans Youths Need Data Sanctuary, Adam Schwartz on Electronic Frontier Foundation (eff.org):  A growing number of states have prohibited transgender youths from obtaining gender-affirming health care. So these youths and their families must travel out-of-state for necessary health care. The states they visit are health care sanctuaries.These states must also be data sanctuaries for transgender youth.

Meta settles Cambridge Analytica lawsuit in time to avoid Mark Zuckerberg and Sheryl Sandberg’s depositions, Richard Lawler on The Verge (theverge.com): Mark Zuckerberg would have faced hours of questioning.  No details yet on the settlement.

Democrat urges Labor Dept. to regulate tech that monitors employees in the workplace, Ines Kagubare on The Hill (thehill.com): Sen. Bob Casey (D-Pa.), a member of the Committee on Health, Education, Labor and Pensions, is urging the Department of Labor to monitor and regulate how companies are using invasive technology to monitor their employees during work hours.

Should Companies Track Workers With Monitoring Technology?, Bart Ziegler on WSJ (wsj.com): Employers can know when you’re logged in, what you’re typing and analyze your facial expressions. That raises all sorts of difficult questions.

Federal Judge: Invasive Online Proctoring “Room Scans” Are Also Unconstitutional, Jason Kelley on Electronic Frontier Foundation (eff.org)

DuckDuckGo opens its privacy-focused email service to everyone, Bill Toulas on BleepingComputer (bleepingcomputer.com): DuckDuckGo has opened its ‘Email Protection’ service to anyone wishing to get their own ‘@duck.com’ email address.

Facebook Restricted a Planned Parenthood Post Telling People About Abortion Pills, Joseph Cox on vice.com: Facebook took action on the post, despite medication abortion pills being legal in Michigan.

University can’t scan students’ rooms during remote tests, judge rules, Monica Chin on The Verge (theverge.com): The practice lies at the core of the Fourth Amendment’s protections.

The real problem with AI isn’t sentience, it’s privacy, Yacov Salomon on The Drum (thedrum.com): Ketch’s chief innovation officer Yacov Salomon writes that responsible AI will require us to rethink data privacy.

Snap agrees to $35 million settlement over privacy lawsuit, Mia Sato on The Verge (theverge.com): Illinois Snapchat users may be eligible for a cut

Gmail creates “Spam Emails”, despite CJEU judgment, NOYB on noyb.eu (noyb.eu):Today, noyb.eu filed a complaint against Google with the French Data Protection Authority (CNIL). The tech giant has repeatedly ignored the European Court of Justice (CJEU) ruling on direct marketing and used its email platform Gmail to send unsolicited advertising emails without valid consent of the users.

The Privacy Flaw Threatening US Democracy, Thor Benson on WIRED (wired.com): Without robust federal protections, the country’s widespread mass surveillance systems could be used against citizens like never before.

New Report on Limits of “Consent” in Macau’s Data Protection Law, Dominic Paulger on Future of Privacy Forum (fpf.org): a detailed overview of relevant laws and regulations in the Special Administrative Region of Macau, China.

‘Privacy Is Normal’: Rep. Tom Emmer Wants Answers About Tornado Cash Ban, Andrew Hayward on Decrypt (decrypt.co): The Treasury’s recent ban on Ethereum mixing service Tornado Cash has a U.S. Representative asking tough questions.

My Comments to the CPPA Regarding its Initial CPRA Proposed Regulations, Eric Goldman on Technology & Marketing Law Blog (blog.ericgoldman.org): Preparing those comments was a truly joyless task. Analyzing CPRA regulations is literally “read them and weep.”

Dear California Law Makers: How The Hell Can I Comply With Your New Age-Appropriate Design Code?, Mike Masnick on Techdirt (techdirt.com): I really don’t have time for this kind of thing, but I wanted to pass along that it appears that the California legislature is very, very close to passing AB 2273

Google faces ‘spam ads’ ePrivacy complaint in France, Natasha Lomas on TechCrunch (techcrunch.com): Google is facing a fresh privacy complaint in Europe over ads it inserts into its Gmail email service in the guise of emails. Privacy advocacy group, noyb, has filed the complaint with France’s data protection watchdog, the CNIL, claiming the adtech giant has breached the EU’s ePrivacy Directive rules on direct marketing by failing to gain consent from Gmail users for the ads it displays inside their inboxes, alongside promotional emails they have actually signed up for.

Quebec Privacy Law: Is Your Organization Ready for New Rules in Force this September?, Ellie Marshall on JD Supra (jdsupra.com): On September 22, 2022, the first set of amendments from Bill 64, An Act to modernize legislative provisions as regards the protection of personal information, to Quebec’s Act respecting the protection of personal information in the private sector (Quebec Privacy Act) and the Act to establish a legal framework for information technology (Quebec IT Act) will come into force.

Looking Back to Forge Ahead: Challenges of Developing an “African Conception” of Privacy, Mercy King’ori on Future of Privacy Forum (fpf.org): An exploration ofthe cultural and societal underpinnings of “privacy” in Africa, looking throughout history, from pre-colonial times, and beyond the modern external influences on the legislative processes resulting in general data protection laws across the continent. Africa is not a monolith, it is multi-cultural and context differs across communities.

UK Privacy Group Says Police Are Abusing Stop And Search Powers To Hassle Protesters, Tim Cushing on Techdirt (techdirt.com): Most protest activity targets government entities. So, it’s really no surprise that government entities prefer to target protesters.

A pragmatic compromise? The role of Article 88 GDPR in upholding privacy in the workplace, Halefom H Abraha on OUP Academic (academic.oup.com): While the compromise has delivered on some of its promises in promoting diverse and innovative regulatory approaches, it also runs counter to the fundamental objectives of the GDPR itself by creating further fragmentation, legal uncertainty, and inconsistent implementation, interpretation, and enforcement of data protection rules.