Privacy Roundup: Top 10 Stories of November

As new privacy regulations continue to be passed around the globe, the older laws are seeing amendments and updates to match the current times. Meanwhile, tech companies continue to face the heat of stricter enforcement and huge fines. Here are all the top stories that we don’t want you to miss.

The California Privacy Protection Agency (CPPA) recently published modified draft regulations for the California Privacy Rights Act (CPRA). Under the modified draft, businesses are no longer required to identify the names of the third parties that it allows to control the collection of personal information in their notice at collection. The CPRA comes fully into force on January 1, 2023, and the CPPA will start enforcing the CPRA on July 1, 2023. Read more

The Australian government has passed the Privacy Legislation Amendment Bill 2022 which will increase the penalty for companies that face serious or repeated data breaches. The maximum fines have increased from the current AU$2.22 million to AU$50 million or 30% of an entity’s adjusted turnover in the relevant period. The new bill reforms Australia’s Privacy Act (1988) and gives the Office of the Australian Information Commissioner (OAIC) significantly higher powers to enforce the regulation. Read more

The UK government has decided to remove the harmful clause from the controversial Online Safety Bill that’s been in the works for years. The clause required platforms like Facebook, Instagram, Twitter and YouTube to take down content that was “legal but harmful” and drew strong criticism from lawmakers and civil liberties groups as they feared it could lead platforms to curtail freedom of expression. Prime Minister Rishi Sunak, has now dropped the controversial part saying it could “over-criminalize” online content. Read more

The Publisher Advertiser Identity Reconciliation (PAIR) is a first-party data solution launched by Google that can help advertisers target and monetize audiences. Available through Display & Video 360 (DV360), PAIR is an add-on designed to help advertisers retarget in a privacy-safe way. It will allow publishers to use first-party data and share information about users without revealing their identities. Read more

The Irish Data Protection Commissioner has fined Facebook’s parent company Meta, €265 million ($277 million) for violation of GDPR. Meta has been fined for violating Article 25 of the GDPR, which deals with data protection by design and default. The fine follows a 2021 investigation in response to media allegations that revealed over 530 million Facebook users’ information, including email addresses and mobile phone numbers had been leaked on a public forum. The fine is the fourth time that Ireland has penalized Meta and its subsidiaries in the last 15 months. Read more

The Information Commissioner’s Office (ICO) has warned companies of the potential risks of using “emotion analysis technologies”. In a blog post, ICO noted that AI tools relying on emotion analysis process a range of personal data, including subconscious behavioural or emotional responses, that is riskier than biometric technologies that are used to verify or identify a person. Read ICO’s blog

Google has agreed to pay, nearly  $392 million in a  settlement with 40 US states over allegations that the company tracked individuals through their devices even after location tracking had been turned off. After a report by the Associated Press in 2018, the state prosecutors launched an investigation and found that Google misled users about its location tracking since at least 2014, violating state-level consumer protection laws. Read more

Months after withdrawing the data protection bill in response to criticism, India has re-introduced a draft version of the bill. The new bill eases cross-border data flow and increases penalties for breaches. “The Bill provides for the processing of digital personal data in a manner that recognizes the right of individuals to protect their personal data, societal rights and the need to process personal data for lawful purposes”, the Government noted. The draft is open for public consultation until December 17, 2022. Read more

Apple is facing a class action lawsuit for allegedly collecting user data after misleading them through data-sharing settings. The lawsuit follows a recent report by Gizmodo on how multiple iPhone apps send Apple analytics data, even when the iPhone Analytics privacy setting is turned on or off. The lawsuit was filed in the California federal court on the grounds that Apple is violating the California Invasion of Privacy Act. Read more

A report by Bleeping Computer has found that a database of more than 5 million Twitter records, has been shared for free on the Breach Forums site, including private information such as telephone numbers and email addresses. The information appears to have been gathered using an API vulnerability, as first disclosed on HackerOne and later confirmed by Twitter. A security researcher, Chad Loder, has also claimed the existence of a more extensive database of stolen data collected using the same API vulnerability. Read more