CDP Institute

While €8 million would be a big fine for most companies, it’s small potatoes for Apple. However, France’s data protection authority CNIL just levied that fine against Apple as a reminder that keeping one’s promises is important. In this case, Apple, which claims to pay close attention to keeping user data private, in fact was found to handle user data carelessly by collecting iPhone user data for targeted ads without obtaining consent.

Virtually all those helpful apps that make kids’ and parents’ lives easier after school – for homework, study skills, virtual classrooms, connecting with teachers, and the school community – are helping themselves to your family’s data, thank you very much! A recent survey of edtech apps in US schools from Internet Safety Labs, which conducts software product safety testing, found 96% of school apps were sharing data with 3rd parties and especially with Google (68%), which dominates the edtech space as a supplier of both hardware and software.

Alarmingly, the data link could expose the IDs of anonymous Twitter users and allow criminals to hijack accounts. Twitter, having gutted its communication team along with a large portion of the rest of its workforce, had no immediate comment.

In one of the highest privacy suit settlements anywhere, Meta has agreed to settle the famed Cambridge Analytica suit which in 2018 revealed Facebook was allowing third parties to access user data – and the Cambridge Analytica consulting firm had helped itself to up to 87 million user records. Now, Meta, in agreeing to $725 million to settle the class action, will have the dubious honor of being #1 for a US privacy payout – and one of the top (see below) globally for GDPR.

France’s Commission Nationale de l’Informatique et des Libertes (CNIL) found Microsoft Ireland in violation of its privacy laws because the Bing search engine deployed ad cookies on user browsers without consent. The €60 million fine was based on ad profits Microsoft was determined to have generated from the data collection.

On January 1, California added niche privacy protections for groups identified as needing special protections. These include: 1) The Student Test Taker Privacy Act which prohibits collecting and using student information unless it can be proven strictly necessary; 2) Assembly Bill 2089 which specifies information collected by mental health apps must be used only if necessary for health care; and 3) Senate Bill 1228 to protect sexual assault victims from having their DNA information available, except when there is an active police investigation.

The Biden administration passed a ban on TikTok in its spending bill this week. This is due to ongoing concern about TikTok, which is owned by ByteDance, over security practices. At the same time, ByteDance management has conceded several of their employees had gained inappropriate access to user data as reported this fall by Forbes, which claimed the company’s Internal Audit team planned to use data to surveil some individual American citizens.

The 9th US Circuit Court of Appeals revived a children’s privacy lawsuit which alleged Google, Hasbro, Mattel, Dreamworks and others had violated state laws that are similar to the federal Children’s Online Privacy Protection Act (COPPA) by tracking the YouTube activity of children under age 13 without parental consent for the purpose of ad tracking.

Malawi, which has no privacy law, currently has a children’s ID collection program underway with the intent to register 8.4 million of its children under age 16. The program is part of the national Digital Malawi program which has the goal of linking all Malawi citizens to a government database.  Privacy advocates are concerned about the scope of the data being collected, potential for use in government surveillance, and that biometric data is being collected on children as young as newborns.

This coincides with the Irish Data Protection Commission (DPC)’s announcement it is launching an investigation into Twitter, which admitted that a vulnerability affecting its servers and related to 5.4 million users had been exploited.

Information is processed locally on a smart device which adds protection, since it minimizes transmission to the Cloud.