CDP Institute

The European Data Protection Board (EDPB), in response to a request by the Dutch, Norwegian & Hamburg Data Protection Authorities (DPA), issued an opinion against the so called “Pay or Ads” model that Meta and other big online platforms have used. The regulator concern is that by offering consumers only a binary choice, consumers are forced to opt in to services at a level of consent they don’t want and should be offered a free option of providing companies less or no personal data.

Gay dating app Grindr is facing a mass lawsuit from more than 650 UK users who say their highly sensitive data was shared, including HIV status and test results. The allegation is that the company made the information available to third parties for commercial use, a claim that Grindr is denying.

Nebraska is the sixteenth US state to pass a privacy law. It will take effect July 1, 2025 and provides consumers opt-out rights to protect against online ad targeting and grants universal rights for consumers to use opt-out tools on browsers, where companies they are dealing with honor similar signals from other states. The law is already being criticized for not requiring small businesses to comply and for having limited enforcement mechanisms.

The UK Information Commissioner’s Office (ICO) fined TikTok £12.7 million (~US $15.9 million), a penalty the company says it was pleased to accept (in lieu of the £27 million originally planned fine). While the company did express some regret for having been found to allow children under 13 use its site without their parents’ consent, we are still left with the questions: 1) Why didn’t they feel badly for doing this?, and 2) Why make these fines so affordable to them, when the message and penalty have no impact?

The data of 7.5 million customers of BoAt, which bills itself India’s top audio and wearables brand, has been exposed and has surfaced on the dark web, according to Forbes. Leaked data includes personal information including names, addresses, customer IDs and email IDs and may expose customers to phishing, fraud, and identity theft.

The US may have moved closer to a federal privacy bill with the newly fashioned American Privacy Rights Act (APRA). The bipartisan bill introduced by Washington State lawmakers, one a Democrat and the other a Republican, draws on US state privacy laws and on tenets of GDPR. It posits a private right of action for recourse against companies for non-deletion of data or not obtaining proper consent, a right for individuals to opt out of ads, and the right to prevent transfer or sale of their data.

Ethiopia is another country moving ahead with federal privacy legislation. Its House of Representatives passed the Personal Data Protection Proclamation (PDPP) to safeguard the data of individuals and legislate data collection and processing. This is being done in tandem with plans to issue digital IDs to all categories of citizens, including refugees.

Beyond buying and selling data, the data broker infrastructure also accrues data via feeds from third-party trackers, tags and pixels. A new report from privacy and security company, Lokker, looked at web privacy across more than 3,400 sites and shows broad use of these identifiers with 47% of websites using Meta Pixel, including 55% of S&P 500, 58% of retail, 42% of financial, and 33% of healthcare.

Upping the game to protect minors, Meta is developing an AI “nudity protection” tool to use on Instagram. This after the company faced legal charges of exploiting young users to encourage use of their platforms despite knowledge that it harms mental health. The “sexploitation” protection mechanism will find and blur images containing nudity that were sent to minors, and then let recipients choose whether to see the images.  Not sure this is reassuring….

The company will be prohibited from sharing or selling sensitive data, have to delete or destroy location data it had collected, and is required to create a program to maintain a list of sensitive locations to ensure not to share, sell or transfer such information in the future.

It includes an anonymous VPN and personal information removal to protect against fraud, along with the company’s privacy browser and identity theft restoration.