CDP Institute

The first salvo testing Washington State’s My Health My Data Act, which took effect last March, has been launched with a suit claiming Amazon tracked user location data without consent – to use for targeted advertising via Amazon Ads SDKs (software development kits) that developers use. The law allows individuals to sue for as much as $25,000 for violations of sharing their health data.

Well beyond operational efficiency, Musk’s Department of Government Efficiency (DOGE) has just asked the Internal Revenue System (IRS) for access to accounts in the Integrated Data Retrieval System (IDRS) which holds individual personal ID numbers and bank account information for taxpayers and businesses. Scarily, those with access can also enter and adjust transaction data. Even if this were to promote efficiency, why do it in the midst of tax season – and why at all?

India’s government is proposing a bill to change tax law to allow broad access to taxpayer data when searches are conducted. This would include authorities having access to taxpayer emails, investment and bank accounts, and social media, which puts people at risk for harassment and unwarranted scrutiny.

Stop, stay, and strike seem to be watchwords the Trump administration and states are using for privacy regulations that had been underway when Republicans took over. Among changes: 1) a freeze on the Children’s Online Privacy Protection Act (COPPA) rule the Federal Trade Commission (FTC) had finalized; 2) recommended postponement of the Department of Justice (DOJ) Rule, which as of April was intended to prohibit sales or licensing of sensitive data to countries of concern (including Russia and China); and 3) rescinding the “Safe, Secure, and Trustworthy Development and Use... Read More >

TikTok is being sued by the parents of four British children ages 12-14 who they believe died after doing a blackout challenge. The intent is to force the firm to release their children’s data to better understand what happened, but TikTok says they aren’t entitled to that data without a court order and implied it may have been deleted.

This is something the company had previously said “subverted user choice” and was “wrong,” but apparently Google’s desire to give online advertisers a gift of unconsented data changed that.

The UK Home Office has cited the Investigatory Powers Act (IPA) to justify its claim it has a right to back-door access to the encrypted data of Apple users worldwide. This, which Privacy International has called an “unprecedented attack” that would set a “damaging precedent,” is similar to previous requests for back door access other governments have made and that Apple has refused.

Elon Musk’s Department of Government Efficiency (DOGE), which has run roughshod over protections intended to protect the privacy of US citizens, has prompted a class action by union groups representing 7.2 million people. The lawsuit brought against the US Treasury Department for providing social security numbers, tax and bank information, alleges Musk’s team data access violated the US Privacy Act.

Virginia’s Senate voted to pass the Consumer Data Protection Act by a large majority. The bill, which proposes to ban the sale of precise location data, now goes to the state legislature.

Teenspace, the telehealth company contracted (for $26 million in NY) to provide free online therapy to teens had responded to parents’ and privacy groups by agreeing to remove trackers from its website but either overlooked (or didn’t bother to change) the landing pages for Seattle and Baltimore. This discovered by Gizmodo has now prompted changes to those as well.

This was discovered after 150 sites, including virtual casinos, sports betting and online bingo sites, were tested by the newspaper and 52 were found automatically sharing data via Meta’s Pixel tracking tool.

The company did however note that, “as of now, European data residency can only be configured for new projects using the company’s API. Existing projects can’t be updated to have European residency.”