CDP Institute

A UK class action alleges Facebook coerced 45 million users into providing personal data that resulted in billions gained in ad revenue for Meta, but no benefit for users. This follows a similar EU case that found Facebook in violation of GDPR but did not focus on monetary harms as this does. The case still must be certified by the UK Competition Appeal Tribunal before proceeding.

While the US still doesn’t have a federal data privacy law, it does have the Video Privacy Protection Act (VPPN) – a video rental-era holdover of a law that disallows sharing video viewership data without consent. Chick-Fil-A, which has been using a Meta pixel tracker for an ongoing series of Christmas videos, is facing a class action similar to VPPA lawsuits brought against nearly 50 other organizations, including the NBA, GameStop, CNN and BuzzFeed.

Slovenia, the last EU country to formally adopt GDPR, has put its Personal Data Privacy Protection Act (ZVOP-2) into effect. The law includes rules for transmission of personal data, video surveillance, regulation of biometrics and personal data collection, and legal basis for imposing sanctions under GDPR.

In the latest Whack-a-Mole privacy exposure reveal at Twitter, a former-employee whistleblower has told the US Justice Department, the Federal Trade Commission and members of Congress that as many as 4,000 Twitter engineers could have accessed user data, including after Musk’s takeover via a function nicknamed “GodMode.” Twitter, again having recently gutted its compliance and communications teams, had no comment.

Heads up! California’s Attorney General just issued warning of an investigative sweep targeting mobile apps, particularly in retail, travel and food service industries that fail to comply with the California Consumer Privacy Act (CCPA). Letters were sent to businesses that may fail to provide consumers opt-out mechanisms or fail to honor consumer opt-out and deletion requests.

The Optimove 2023 Consumer Trust of Retailers Survey of US consumers found more than half don’t trust brand handling of personal information, and 77% unsubscribe from brands when they feel information is misused. Interestingly, 64% of the 406 surveyed said they are loyal to and shop at brands they don’t trust – and indicated the most important action a brand can take to change that is, according to 56%, to have a policy that it won’t share personal information.

Digital Infrastructure for Knowledge (Diksha), a key public education tool operated by India’s Ministry of Education and used by millions of Indian students particularly during the pandemic, had its data left unprotected on a Microsoft Azure cloud server for more than a year. Wired, which has verified the story, reported this left the data searchable via a simple Google search.

Expectations are more vendors may follow.

The company has claimed data was “limited,” since it didn’t include payment card data.

T-Mobile informed US regulators that a bad actor gained access to data on roughly a third of the company’s 110 million customers. The breach, which was active for approximately six weeks before being discovered and then shut down within 24 hours, reportedly did not access the most sensitive data, such as financial data. Customers were informed that hackers did not gain access to full data sets, though information compromised can still be useful for hackers for phishing and identity theft.

ProPublica found that nine of eleven online pharmacies selling abortion pills used web trackers that share sensitive data with Google. This can put customers at risk since data could be shared with law enforcement. The 9: Abortion Ease, BestAbortionPill.com, PrivacyPillRX, PillsOnlineRX, Secure Abortion Pills, AbortionRx, Generic Abortion Pills, Abortion Privacy and Online Abortion Pill Rx; collect web addresses visited; click, location and search data; and information on devices being used.

Meet DORA, the EU’s newly enacted Digital Operational Resilience Act, which is designed to strengthen IT security in the financial sector. It will be de rigueur for financial institutions; including banks, credit providers, securities and trading companies, and information and communication technology (ICT) organizations. DORA comes into full force in 2025, by which time companies and organizations should be compliant.