CDP Institute

A sweep of online retailers found Sephora Cosmetics was selling customer data without consent to third party online tracking companies without consent, which is illegal under the California Consumer Privacy Act (CCPA). The company’s $1.2 million fine marks the first major settlement since CCPA went into effect. Violations included not notifying customers and failures to process customer opt-out requests.

The US Federal Communications Commission (FCC) has investigated the data use and retention practices of the top 15 US mobile carriers and found them well out of compliance. In fact, Verizon has been retaining cell tower location data; T-Mobile has been tracking “timing advance data” (which indicates how far a signal is from a cell tower); and AT&T has been helping itself to call record data.  And, while none of the carriers surveyed currently allow people to universally opt out, the FCC is tasking its Enforcement Bureau to launch a new investigation – and they’re inviting users to weigh in with their concerns and privacy complaints.

Vietnam notified onshore tech companies they must now store financial, biometric and other personal data locally and also set up local offices. Data must be held there for a minimum of two years, and Vietnamese authorities have broad rights to issue data collection requests for investigation. Companies that do not comply will be required to remove content.

A new survey of chief data officers and other senior data managers from TripleBlind calls out Privacy Enhancing Technologies (PET) and data collaboration as crucial to ensuring privacy protection and as key revenue drivers. Ninety-four percent believed enforcing existing regulations would increase revenue, and nearly half indicated that expanded data collaboration would give their organizations a competitive advantage. There was also great concern, with 64% of respondents suspecting third-parties would use data in ways not permitted legally.

The Children’s Advertising Review Unit (CARU) has gotten Firefly Games to agree to address a string of bad decisions the company made about how to handle “mixed audience” data – and the company’s violation should serve as a warning to other businesses with adult and youth consumers. CARU found major inconsistencies in the company’s app, LOL Surprise! Room Makover, which featured children’s characters and also appealed to adults. Issues included problems with the company’s and app’s privacy policy descriptions, inconsistent cookie and geo-location information, and a lack of age verification... Read More >

1) avoid blurring lines between ads and other content, 2) avoid manipulation, and 3) watch out if you don’t – because CARU plans to strictly enforce its guidelines.

Had this not been settled for what one would assume to be a very large though currently undisclosed sum, Zuckerberg and other top executives would have had to testify in court late September.

The company was accused of using “enhanced tracking methodologies” to pinpoint geolocations.

Concerns include that, 1) the ADPPA as a federal law would preempt state laws and provide weaker protections; 2) new data controls would hamper government access to deter major crimes; 3) there are too many loopholes in the law benefiting data brokers; and 4) placing limitations on the estimated $240 billion data market will severely hamper the use of third-party data for safety regulation – and also most importantly for advertising.

A request was made by India’s Parliamentary Standing Committee on Information for company executives to respond to public concerns.

A federal lawsuit filed in Illinois renews claims major retailers have been matching in-store surveillance camera images with biometric facial data scraped off the Internet by Clearview AI, presumably for the purpose of detecting shoplifters. The allegations claim victims’ images captured and able to be identified were in violation of Illinois’ BIPA privacy law. This new case has been filed because an attempt to tie it to a prior Macy’s case was disallowed for timing.

Data broker LexisNexis is accused in a Chicago-area lawsuit of selling personal information on immigrants to federal law enforcement and other third-party buyers without consent. Data included correctional bookings and vehicle collision and license plate data. Immigration advocacy groups involved pointed to a $22 million contract that US Immigration and Customs Enforcement (ICE) has for a LexisNexis product that enables instant access to personal data without warrants or subpoenas.