Privacy Roundup: Top 10 Stories of February 2024

From the UK’s intervention in Google’s third-party cookie phase-out to Italy’s concerns over ChatGPT, and California’s investigative sweep under the CCPA, regulatory bodies are tightening their grip. Catch all the top stories and updates from February.

Last November, the UK’s Information Commissioner’s Office (ICO) took action by sending warnings to 53 of the country’s top 100 websites regarding non-compliance with data protection laws concerning advertising cookies. The ICO reported that 38 organizations responded positively by adjusting their cookie banners to comply with regulations. The ICO plans to extend its initiative by contacting more websites, emphasizing the importance of providing users with a fair choice regarding advertising cookies. Read more

Italian data protection regulators have accused OpenAI’s ChatGPT of violating GDPR provisions. This follows a temporary ban imposed last year due to concerns about data processing practices. Despite OpenAI’s implementation of privacy controls, the Italian DPA found evidence of further breaches. OpenAI has 30 days to respond to the new allegations. The Italian Garante will consider input from the European Data Protection Framework task force in its final decision. Read more

California Attorney General Rob Bonta announced an investigative sweep ahead of Data Privacy Day, targeting businesses with popular streaming apps and devices for alleged non-compliance with the California Consumer Privacy Act (CCPA). The sweep focuses on CCPA’s opt-out requirements, ensuring consumers have an easy mechanism to stop the sale of their personal information. CCPA grants consumers increased privacy rights, including the right to know how businesses handle their data. Read more

Privacy rights campaigner Max Schrems has been granted permission by the High Court to participate in Meta’s challenge regarding the suspension of data transfer and storage from Europe to the US. Mr Schrems, an Austrian lawyer and activist with the privacy rights organisation NOYB, will join the proceedings as a notice party. He will be allowed to argue in two related cases brought by Meta against the Data Protection Commission’s decision to suspend US data transfers. The cases stem from an inquiry initiated by the DPC, resulting in a record €1.2 billion fine on Meta. Read more

The Competition and Markets Authority (CMA) has instructed Google to halt the phase-out of third-party cookies until concerns are resolved, potentially delaying the process beyond the scheduled completion by the end of the year. While Google is complying with some demands, significant issues remain regarding fair market competition and long-term governance of its Privacy Sandbox. The CMA will issue an update in April, including progress on cookie deactivation for a portion of Chrome users. Read more

Des Hogan and Dale Sunderland have been named to Ireland’s Data Protection Commission (DPC) for a five-year term starting on February 20, 2024. Helen Dixon’s nearly decade-long tenure as commissioner concludes on February 19th. Ireland’s DPC plays a pivotal role in GDPR enforcement throughout the EU. Minister for Justice Helen McEntee noted the significance of the appointment as “85% of the fines issued across Europe last year, including the EU, EEA, and UK, were issued by the DPC”. Read more

Two substantial data breaches have occurred in France, impacting around half of the nation’s residents. France has experienced its largest-ever cyberattack, affecting over 33 million people, nearly half of the country’s population. The attack targeted two French service providers for medical insurance companies – Viamedis and Almerys. The data leak included details like “the marital status, date of birth and social security number, the name of the health insurer and the cover provided by the policy” of the individuals impacted, according to the French Data Protection Authority (CNIL). Read more

Meta’s controversial decision in the European Union to charge users for an ad-free subscription to Facebook and Instagram, unless they consent to being tracked and profiled, has sparked complaints from consumer rights groups. Meta currently offers EU users the option to pay to avoid seeing ads per linked account. Alternatively, users can agree to track to access the platforms for free, effectively choosing between paying for privacy or sacrificing it for free access. Read more

A recent study conducted by the European data privacy group NOYB suggests that the majority of companies could violate privacy regulations if investigated by authorities. According to 70% of respondents, who were data protection professionals working in the EU, authorities need to issue clear decisions and enforce the GDPR to ensure compliance, while 74% say that authorities would find ‘relevant violations’ if they walked through the door of an average company. Read more

The Federal Trade Commission announced has ordered software provider Avast to pay $16.5 million in a settlement agreement. Additionally, Avast is prohibited from selling or licensing any web browsing data for advertising purposes. This settlement resolves allegations that Avast and its subsidiaries sold such information to third parties despite promising consumer protection from online tracking through their products. Read more