CDP Institute

Poland’s Office for Personal Data Protection (UODO) is accusing ChatGPT creator, OpenAI of numerous violations of GDPR, including processing data in an unlawful, unreliable manner and not being transparent. This is in response to accusations brought by a privacy and security researcher.  While the regulator anticipates it will be a difficult investigation, the regulator is moving it along very rapidly.

Medtronic, a trusted medical device manufacturer, is alleged to have shared a trove of diabetes patient data with Google. If proven true, fears are that it will result in heightened scrutiny of medical device companies and others. The medical field has worked closely with tech giants since the pandemic and while there have been significant advances in healthtech, there are also major concerns about patient privacy resulting from vastly increased data collection.

The UK’s broad, newly passed Online Safety Bill places the onus on business to proactively screen for and regulate a range of online activity to proactively decide whether it is legal. This goes beyond what other Western countries have done and encompasses responsibility for reducing hate speech, online fraud and child safety.

The US Federal Trade Commission (FTC) wants businesses and influencers who post online ads for children to adhere to new formatting as outlined in its Protecting Kids from Stealth Advertising in Digital Media report, to clearly delineate advertising from content. In addition to providing icons to use, the FTC also recommends providing just-in-time disclosures to distinguish the ads.

Ontario’s government-funded birth registry and the US educational non-profit, the National Student Clearinghouse (NSC) are believed to be among thousands of organizations impacted by a mass-hack that targeted MOVEit, a file transfer tool organizations use to share large data sets over the internet. The National Student Clearinghouse breach impacted close to 900 schools and Ontario confirmed their data breach affected 3.4 million people who sought pregnancy care.

Deception’s not okay with California, so to ensure Google gets (and remembers) the message, CA’s Attorney General slapped a $93 million fine on the company for having led users to believe they were turning off location history, when in fact they either were not – or were inadvertently turning it back on. And Google also allowed personal ads to be shown after users toggled that option off. So, CA’s AG has helpfully sent Google (along with the fine) a list of a half dozen things it must do to comply.

X (formerly Twitter) used to own MoPub, the mobile ad platform accused of “illegal trafficking” of personal data of millions of Dutch users while Twitter owned it. The class action suit alleges MoPub collected people’s data and then shared and traded sensitive information with scores of companies without user knowledge or consent in clear violation of GDPR.

The Delaware Personal Data Privacy Act is now the 12th US state privacy law.  The Act allows residents to opt out of ads based on pseudonymous data collected over time – including data stored on cookies or other identifiers. Ads based on first-party data or contextual ads are still fine.

A UserTesting survey of consumers in the US, Australia and UK found consumers will consider trusting AI for a good retail deal. Of those surveyed – 2,000 US, and 1,000 each in Australia and the UK – 87% of US consumers were willing to exchange personal information for savings and exclusive deals, compared with 24% AU and 27% UK. Around a third (36% US, 28% AU, 39% UK) were willing to use AI for auto-ordering and shopping online.

Ireland’s Data Protection Commission (DPC) issued its ruling against TikTok, charging €345 million (~ $367 million) for its non-privacy-by-default settings that set children’s accounts to public by default on sign-up, which allowed their videos to be publicly viewable, their comments to be publicly read, and their “Family Pairing” links to adults to be linked to adults not verified to be a parent or guardian.

This is a concern because companies need to implement more inclusive data-privacy practices to ensure consumer protections are protected at levels to ensure compliance regardless of the state they live in.