CDP Institute

A UK class action alleges Facebook coerced 45 million users into providing personal data that resulted in billions gained in ad revenue for Meta, but no benefit for users. This follows a similar EU case that found Facebook in violation of GDPR but did not focus on monetary harms as this does. The case still must be certified by the UK Competition Appeal Tribunal before proceeding.

While the US still doesn’t have a federal data privacy law, it does have the Video Privacy Protection Act (VPPN) – a video rental-era holdover of a law that disallows sharing video viewership data without consent. Chick-Fil-A, which has been using a Meta pixel tracker for an ongoing series of Christmas videos, is facing a class action similar to VPPA lawsuits brought against nearly 50 other organizations, including the NBA, GameStop, CNN and BuzzFeed.

Slovenia, the last EU country to formally adopt GDPR, has put its Personal Data Privacy Protection Act (ZVOP-2) into effect. The law includes rules for transmission of personal data, video surveillance, regulation of biometrics and personal data collection, and legal basis for imposing sanctions under GDPR.

In the latest Whack-a-Mole privacy exposure reveal at Twitter, a former-employee whistleblower has told the US Justice Department, the Federal Trade Commission and members of Congress that as many as 4,000 Twitter engineers could have accessed user data, including after Musk’s takeover via a function nicknamed “GodMode.” Twitter, again having recently gutted its compliance and communications teams, had no comment.

Heads up! California’s Attorney General just issued warning of an investigative sweep targeting mobile apps, particularly in retail, travel and food service industries that fail to comply with the California Consumer Privacy Act (CCPA). Letters were sent to businesses that may fail to provide consumers opt-out mechanisms or fail to honor consumer opt-out and deletion requests.

The Optimove 2023 Consumer Trust of Retailers Survey of US consumers found more than half don’t trust brand handling of personal information, and 77% unsubscribe from brands when they feel information is misused. Interestingly, 64% of the 406 surveyed said they are loyal to and shop at brands they don’t trust – and indicated the most important action a brand can take to change that is, according to 56%, to have a policy that it won’t share personal information.

Digital Infrastructure for Knowledge (Diksha), a key public education tool operated by India’s Ministry of Education and used by millions of Indian students particularly during the pandemic, had its data left unprotected on a Microsoft Azure cloud server for more than a year. Wired, which has verified the story, reported this left the data searchable via a simple Google search.

Expectations are more vendors may follow.

The company has claimed data was “limited,” since it didn’t include payment card data.