Privacy Roundup: Top 10 Stories of June

Privacy is taking a stronger grip as countries like the US and Canada introduce federal bills and reforms to strengthen their data privacy regime. Companies are also moving towards privacy by design as they roll out privacy-friendly features. Meanwhile, in the EU, tech giants continue to face regulatory heat for non-compliant practices. Here are the top stories from June that we don’t want you to miss.

The Canadian government introduced Bill C-27, also known as the Digital Charter Implementation Act 2022. The Bill builds on its predecessor, Bill C-11, which failed in the Canadian Senate. If passed, the bill would introduce the Consumer Privacy Protection Act (CPPA), which would replace the Personal Information Protection and Electronic Document Act (PIPEDA) and provide Canadians more control over their personal information and how digital platforms manage it. The other provisions introduced by the bill include a new administrative tribunal to enforce the CPPA and the Artificial Intelligence and Data Act, which would require companies to o disclose their rationale for creating AI and report on their compliance with the precautions outlined in the Act. Read story.

The United States Congress is debating the American Data Privacy and Protection Act (ADPPA), a bill that will regulate how organisations collect,  process, manage, and store personal information. The ADPPA would preempt most existing state laws, like the California Consumer Privacy Act and Colorado Privacy Act. The federal privacy bill provides data subject rights like access, delete or port data, allows consumers to opt-out of targeted advertisements, and includes provisions for protection for children and minors. ADPPA ​​is the first comprehensive national data privacy framework that has bipartisan support, more than any other federal privacy legislation introduced in the US in the past. Read story.

Consumer groups from several European countries filed formal complaints to regulators against Google alleging that the company violates GDPR. The group argued that Google uses deceptive design during account creation noting that “The language Google uses at every step of the registration process is unclear, incomplete, and misleading”. The complaints highlighted that Google has a one-click option that activates all tracking. However opting out requires several additional clicks, the complaints. By making it difficult for consumers to refuse to process their personal data, Google violates the privacy by design requirements under GDPR. Read story.

The California Privacy Protection Agency (CPPA) held a public meeting to discuss the proposed regulations in the California Privacy Rights Act (CPRA). ​​The board moved to approve the draft regulatory text to begin the formal rule-making process and public comment period. The draft regulations update existing CCPA regulations to harmonize them with the new rights and concepts introduced in the CPRA. The other takeaways include that the CPPA requires global opt-out preference signals, even though the CCPA/CPRA suggests that signal is voluntary. Read story.

The Italian Data Protection Authority (DPA), Garante, found that websites using Google Analytics violated GDPR by collecting users’ personal data and transferring it to the US without providing additional measures to ensure it met EU standards. It noted that the US is a “country without an adequate level of data protection.” In a press release, the DPA called out a web publisher for using Google Analytics that illegally transferred personal data to the US without necessary safeguards. The DPA has given the publisher 90 days to establish compliance. The Garante joins other EU data protection authorities, including the French and Austrian regulators, that also have found Google Analytics unlawful. Read story.

ISPs in Germany are considering the introduction of TrustPid, a new type of “supercookie” that works by creating a unique ID for every customer at the Internet Service Provider (ISP) level, and then associating all user activity with that ID. The profile will then be used for the distribution of targeted, personalized advertising. Cellular companies in Germany, including Vodafone and Deutsche Telekom are testing TrustPid which they describe as a “cross-operator infrastructure for digital advertising and digital marketing”. Privacy advocates meanwhile have raised concerns, and have dubbed Trustpid a supercookie and believe the trial should be halted and commercial plans of its use shelved. Read story.

German anti-trust watchdog Bundeskartellamt has launched a probe into Apple over concerns that the company is stifling competition and creating unfair barriers for other companies. The investigation pertains to Apple’s App Tracking Transparency (ATT) framework, where third-party apps can track using an IDFA identifier across apps and devices. The agency noted that Apple doesn’t apply the rules fairly to its own apps and services while third-party apps and services have to comply with Apple’s tracking rules. Read story.

Mozilla announced the rolling out of “Total Cookie Protection” which aims to block third-party cookie trackers and limit advertisers from tracking users across sites. A cookie created by one website or service will not be readable by other websites that a user visits. This feature is now available on Firefox for Desktop and is rolling out as a default feature. Firefox 102 has also been released with a new privacy feature that strips URL parameters used to track users around the web. The ‘Query Parameter Stripping’ feature will automatically strip URLs of various query parameters used for tracking users. To enable Query Parameter Stripping, go into the Firefox Settings > Privacy & Security and then change Enhanced Tracking Protection to ‘Strict‘. Read story.

The UK government has published a response to the consultation on the future of the UK data protection regime published in 2021. It has outlined the provisions that will be included in the forthcoming Data Reform Bill. With this, the UK aims to “reshape its approach to regulation outside of the EU, and seize opportunities with its new regulatory freedoms”. As per the government, the current EU data protection rules place disproportionate burdens on small businesses and the new reform bill seeks to make it easier for businesses and researchers to utilise data for economic growth. Read story.

Leading banking service in the US, Flagstar Bank disclosed a data breach that leaked the personal information of 1.5 million customers. The company indicated that hackers accessed names and other personally identifiable information (PII) and Social Security numbers of 1,547,169 customers in December 2021. The data breach occurred less than a year after a similar incident impacted the same number of customers. While Flagstar began notifying affected individuals only six months after the breach occurred. The Bank is facing three class-action suits from customers alleging negligence and violation of state data protection laws. Read story.