Google stalls its third-party cookie phaseout, the EU AI Act enters into force, and the European Commission flags Meta’s ‘Pay or Consent’ model as a DMA violation, dive into the top stories from July.
Google drops third-party cookie phaseout
Google is holding off third-party cookie depreciation in Chrome, opting instead to focus on new privacy-preserving alternatives. “Instead of deprecating third-party cookies, we would introduce a new experience in Chrome that lets people make an informed choice…”, noted Google. This decision aims to balance user privacy, the needs of advertisers and publishers, and regulatory concerns around Privacy Sandbox. Read more
EU AI Act enters into force
The long-awaited EU AI Act enters into force on August 1, 2024, and will become generally applicable two years after this date, on 1 August 2026. Starting 1 February 2025, the ban on prohibited AI systems takes effect. These include biometric categorisation, social scoring, predictive policing, untargeted facial recognition, and real-time remote biometric identification in public spaces for law enforcement, with some exceptions. Read more
EC flags Meta's 'Pay or Consent' model as DMA violation
The European Commission has released preliminary findings that Meta’s Pay or Consent’ model, which forces users to choose between a paid ads-free version or a free version with personalized ads, is not compliant with Article 5(2) of DMA. Under the DMA, gatekeepers must obtain user consent for data and provide a viable alternative if consent is denied. Read more
Noyb releases consent banner report
After the EDPB’s cookie banner taskforce report, noyb released a Consent Banner Report comparing the task force’s findings with those of 15 national DPAs. The report addresses cookie banner guidelines and dark patterns such as pre-ticked boxes, deceptive button colours and inaccurately classified cookies. Read report
Brazil halts Meta’s AI tools over privacy concerns
Brazil’s data protection authority, ANPD, has temporarily prohibited Meta from using users’ personal data to train its AI algorithms. The decision comes after Meta updated its terms to permit the use of public content from Facebook, Messenger, and Instagram for training its AI algorithms. Non-compliance would daily fine of 50,000 Brazilian Reais (around $9,100). Read more
New York enacts law to protect minors on social media
New York Governor Kathy Hochul signed two legislations, to protect children from the harmful effects of social media. The Stop Addictive Feeds Exploitation (SAFE) for Kids Act, allows parents to block social media posts suggested by algorithms, on apps like TikTok and Instagram. The other law, New York Child Data Protection Act limits data collection from minors without consent and restricts its sale. Read more
FTC bans Avast from selling browsing data, orders $16.5 million payout
The FTC has banned Avast Limited from selling, disclosing, or licensing web browsing data for ads. This follows a $16.5 million settlement over allegations that Avast deceived consumers by selling their browsing data despite promising to protect it from online tracking. In February, the FTC alleged that Avast and its Czech subsidiary collected consumer browsing data through browser extensions and antivirus software without proper notice or consent. Read more
EC requests information from Amazon under the Digital Services Act
The European Commission issued Amazon a formal request for information (RFI) on its compliance with the Digital Services Act (DSA). The EC asked Amazon for information about the transparency of recommender systems, ad repository maintenance, and risk assessment reports. Read more
Oracle settles privacy class action for $115 million
Oracle has agreed to pay $115 million to settle a class action lawsuit accusing the software and cloud computing giant of illegal data collection and third-party sales of personal information. In the class-action lawsuit filed in California, the complaint alleged that Oracle benefitted financially from data aggregation and sale without user consent. The settlement covers people whose personal information Oracle collected or sold since August 19, 2018. Read more
Microsoft's Xandr accused of EU privacy breaches
A complaint filed by European privacy advocacy group, noyb in Italy alleges Microsoft’s ad tech subsidiary Xandr violated GDPR by failing to fulfil users’ access requests and using inaccurate data for targeted ads. In 2022, Xandr denied all 1,294 access requests and 600 data deletion requests. Xandr justified its decision by claiming the data it holds is pseudonymous. Read more