Regulators worldwide tighten privacy rules, with fines, investigations, and new policies impacting major tech firms. Catch all the stories in our privacy roundup.
Italy's Data Protection authority investigates DeepSeek
Italy’s Garante is seeking information from the Chinese AI model DeepSeek regarding its use of personal data. The regulator has requested details on data collection practices, sources, purposes, legal bases, and storage locations, particularly concerning storage in China. DeepSeek has 20 days to respond. This inquiry marks one of the first regulatory actions targeting DeepSeek. Read more
Dutch DPA fines website for unsolicited use of cookies
The Dutch Data Protection Authority (DPA) fined online retailer, Coolblue €40,000 for unlawfully processing personal data in 2020. The company used cookies to collect visitor data without explicit consent, assuming automatic agreement. Coolblue’s cookie statement implied consent, and pre-checked boxes were used, violating the GDPR requirement for active user choice. Read more
Noyb Files GDPR complaint against Chinese firms
The Austrian advocacy group Noyb has filed privacy complaints against six Chinese companies, including TikTok, Shein, and Xiaomi, alleging they unlawfully sent EU user data to China, violating GDPR provisions. Complaints have been filed in multiple EU countries, with potential fines up to 4% of global revenue. Noyb claims that these companies either admit to sending user data to China or to unspecified “third countries”. Read more
LinkedIn accused of using private messages for AI training
LinkedIn faces a class action lawsuit in California for allegedly using private messages from its premium users to train AI models without proper consent. The lawsuit claims LinkedIn updated its privacy settings in August 2024, opting premium subscribers into this data usage without their knowledge. Following public backlash, LinkedIn reportedly changed its privacy policy in September. The suit seeks damages for violations of the Stored Communication Act and other claims. Read more
Italy fines OpenAI for ChatGPT's data violations
Italy’s data protection watchdog, Garante, has fined OpenAI 15 million euros ($15.6 million) for violations related to ChatGPT’s collection of personal data. The investigation revealed that OpenAI processed users’ personal data without an adequate legal basis, violating transparency principles. Additionally, OpenAI was found lacking an adequate age verification system for users under 13, exposing them to inappropriate content. Read more
EU's proposal to scan digital communications raises privacy concerns
The European Union’s proposal to implement a system for scanning users’ digital communications on platforms like Facebook, Signal, and WhatsApp aims to combat child sexual abuse material. However, this initiative has significant implications for privacy and digital security, as it could undermine encryption and introduce vulnerabilities. Critics argue that mass scanning could be misused for broader surveillance beyond its intended purpose. Read more
Meta's revised ad-free service may breach EU privacy laws
The European Consumer Organisation (BEUC) has raised concerns that Meta Platforms’ new ad-free subscription service may still violate EU consumer and privacy laws, as well as antitrust regulations, despite revisions made last year. BEUC argues that Meta uses misleading practices, unclear terms, does not minimize data collection, and degrades the experience for those who do not consent to data use. Read more
FTC strengthens children's online privacy protections
The FTC has finalized updates to the Children’s Online Privacy Protection Rule (COPPA), requiring parental opt-in for third-party advertising and tightening rules on data collection and monetization. FTC Chair Lina M. Khan emphasized that the changes enhance protections by ensuring platforms cannot share or monetize children’s data without active parental consent. Read more
US judge rejects class action in Facebook data privacy case
A federal judge in California has denied a request for class action status in a lawsuit accusing Facebook’s parent company, Meta Platforms, of deceiving users about its data privacy measures to maintain market dominance. The judge ruled against the plaintiffs’ attempt to use an expert’s analysis suggesting that Meta would have compensated users $5 per month for their personal data, resulting in estimated damages of over $52 billion. Read more
FCC’s 1:1 consent rule postponed and struck down
The FCC’s 1:1 Consent Rule, which required individual vendor consent for telemarketing calls under the Telephone Consumer Protection Act (TCPA), was set to take effect on January 27, 2025. However, the FCC postponed the rule on January 24, citing ongoing judicial review. Shortly after, the Eleventh Circuit Court vacated the rule, and as a result, existing TCPA consent rules remain in effect. Read more