It was raining fines in August. Tech giant Google faces a $60 million penalty in Australia over Android settings, while in a first-ever CCPA enforcement, California hit beauty retailer Sephora with a $1.2 million fine for violating the law. On the other side of the globe, India withdraws the long-awaited Personal Data Protection Bill over scrutiny from privacy advocates and tech giants. Here are all the top stories that we don’t want you to miss.


Sephora faces $1.2m fine in first-ever CCPA enforcement

The California Attorney General announced a $1.2 million penalty against beauty giant Sephora. The enforcement action comes after Sephora failed to disclose information about the sale of personal information, in violation of the California Consumer Privacy Act (CCPA). The company failed to process user requests to opt out of any sale, including those received via the Global Privacy Control (GPC). Sephora was given a 30-day right-to-cure notice under the CCPA but failed to update its privacy policy and post the “Do Not Sell My Personal Information” link on its website. In addition to the fine, Sephora is required to implement a compliance program for two years and submit annual reports to the California AG.


Facebook to start end-to-end encryption on Messenger

Meta’s Facebook will begin testing end-to-end encryption (E2EE) as the default option for some users of its Messenger app on Android and iOS. Meta launched a new online E2EE storage service named Secure Storage for backing up encrypted chat histories. It’s also going to trial an ‘unsend’ feature like the “delete for all” option in WhatsApp group chats. Users currently have to opt in to make their messages end-to-end encrypted. The development comes as the company is facing backlash in the wake of the reversal of Roe v. Wade in the United States.


India withdraws personal data protection bill

The Indian government has withdrawn the much-awaited Personal Data Protection Bill, 2019 amidst rising criticism from big tech companies and privacy advocates. Tech giants like Facebook and Google had questioned the data localisation provision in the bill, which required companies to store certain sensitive personal data within India and prohibited the export of undefined “critical” personal data from the country. The government noted that it would be replaced by “a comprehensive legal framework” that will be “designed to address all of the contemporary and future challenges of the digital ecosystem.”


Google hit with $60m penalty in Australia

Google has agreed to pay $60 million in fines for misleading users about the collection of personal location data. In a long-running court fight with the Australian competition watchdog, the Australian Competition and Consumer Commission (ACCC), the federal court found Google breached consumer laws by misleading Android device users into thinking the company was not collecting personal data about their location. The tech giant failed to communicate that it was continuing to collect location data even if the user’s “Location History” setting was turned off.


Facebook avoids a shutdown in the EU for now

An Irish draft decision to block Facebook’s parent company Meta’s data transfers from Europe to the US is stalled for now, as it faces objections from other data protection regulators in the EU. In July, Ireland’s privacy regulator decided to block Meta from using standard contractual clauses (SCCs) to transfer large data like family pictures and direct messages to the US. The decision followed the 2020 Schrems ruling by the European Court of Justice, which deemed major flows of data between Europe and the US illegal because they exposed EU residents to the US government’s surveillance. Meta has noted that the decision to block its transfers would force it to shut down Facebook and Instagram services in Europe.


Adtech giant Criteo faces a $65m GDPR fine in France

Criteo, a French ad tech company, has been fined €60 million (~$65 million) by the French data protection authority CNIL. The fine is the result of an investigation opened after complaints from Privacy International and NOYB, Max Schrems’s privacy advocacy group. The complaint raised concerns about whether Criteo was processing users’ data, including sensitive data, with the appropriate consent frameworks. Under the CNIL sanction procedures, Criteo has the right to respond to the findings and the sanction, following which there will be a formal hearing before the CNIL Sanction Committee.


Google rolls out Privacy Guide on Chrome

Google Chrome has rolled out a new privacy tool, the “Privacy Guide”, that aims to give users a better understanding of Chrome’s privacy settings. It is a simple, step-by-step guided tour of existing privacy and security controls in the browser that will help users to “learn about the benefits, trade-offs and privacy implications of each setting so you can easily understand what happens when a particular one is on or off,” Google said. The company announced this feature in April and began rolling it out to users across the globe in recent weeks. Head to Chrome Settings > Privacy and security > Privacy Guide to try it.


Google faces the heat over unsolicited ad emails

The privacy advocacy group NOYB has filed a complaint with France’s data protection authority CNIL against Google for sending unsolicited advertising emails directly to the inbox of Gmail users. NOYB claims Google is sending messages to Gmail users that look like normal emails but are adverts that the users never consented to receive. The CNIL had imposed a record fine of 150 million euros ($149 million) on Google earlier this year for failing to make it easy for internet users to refuse online trackers.


Twilio, Cloudflare and DoorDash face similar phishing attacks

In August, Twilio, a provider of two-factor authentication and communication services, confirmed that hackers accessed its database after phishing the credentials of employees. Content delivery network Cloudflare also revealed that it had been targeted in a similar manner. In the last week of August, food delivery giant DoorDash reported a data breach that exposed customers’ personal data and confirmed that the phishing is linked to the Twilio hackers. According to a report by TechCrunch, the hackers compromised more than 130 prominent companies during the month-long hacking spree.


FTC starts rulemaking on data privacy

The US Federal Trade Commission issued an Advance Notice of Proposed Rulemaking aimed at a wide variety of data privacy and security issues. This is the first step by the agency to explore its rulemaking authority under the FTC Act to issue a broad consumer privacy-focused trade regulation rule. Specifically, the Commission is seeking public opinions on a wide range of concerns about commercial surveillance practices, including how businesses collect, use, analyze, and retain consumer data, and transfer, share, sell or monetize data through unfair or deceptive means.