The first state privacy agency in the US, California Privacy Protection Agency begins to take shape while companies are looking to adopt the new Global Privacy Standards. Meanwhile, from video conferencing companies to sport analytics firms, data privacy regulations continue to open up new challenges for businesses. 

Here are the interesting stories in this Privacy Roundup for October. We will be back with the top stories next month! 


California Privacy Protection Agency has a new head

California has selected Ashkan Soltani as the Executive Director of the California Privacy Protection Agency. Soltani is an independent researcher and privacy expert and has previously been the Chief Technologist of the Federal Trade Commission. He is one of the architects of the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). As CPRA’s ​​lookback period begins on January 1, 2022, California is set to tackle enforcement hurdles and staff constraints with this appointment. Read more.


Australia has a new draft Online Privacy Bill

The Australian government released a draft of the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021, which aims to expand the country’s current Privacy Act. It is intended to enable the creation of a binding Online Privacy code for social media, data brokers and other online platforms. “The goal of the Bill is to enhance privacy protections, particularly in the online sphere, without unduly impeding innovation within the digital economy,” as noted in Bill’s explanatory paper.


FTC confirms ISPs collect a “staggering” amount of data

A new Federal Trade Commission (FTC) report noted that a “staggering breadth” of personal data is collected by six large internet service providers (ISPs) that make up approximately 98.8 percent of the mobile internet market in the US. The report details how AT&T, Verizon, Comcast, Charter, Google Fiber, and T-Mobile collect users personal data that is often shared with advertisers. FTC report found that ISPs “amass large pools of sensitive consumer data,” that they “gather and use data in unexpected ways that could cause harm to consumers”. Read report


Europe calls for a ban on facial recognition

European Parliament has called for EU lawmakers to institute a ban on the use of facial recognition in public spaces and to enforce strict safeguards for police use of artificial intelligence through surveillance tools. Member of European Parliament, MEPs voted in favour of the non-binding resolution and cited concerns over algorithmic bias in AI.  With this, the EU parliament first time an official position advocating for a ban on biometric mass surveillance. The measure also suggests the banning of facial recognition databases operated by private companies in the EU. Read the resolution.


Regulators issue guidance for teleconferencing tools

Six national data protection and privacy authorities including the UK, Australia, Canada, Gibraltar, Hong Kong SAR, China and Switzerland have issued guidance to video teleconferencing or VTC companies for improving their privacy measures. With the increasing use of VTC during the Covid-19 pandemic, regulators developed guidance in consultation with the largest video conferencing companies – Microsoft, Google, Cisco, Zoom and Houseparty. The joint signatories call for industry-standard encryption and the implementation of end-to-end encryption. Read report.


Minors can now remove their images from Google

Google will allow minors under the age of 18 or their guardians to remove their photos from the search engine results. This move is a follow up on Google’s announcements in August which pledged to block ads that target minors under age 18, based on their age, gender or interests. Google has committed itself to a safer experience online experience for minors after the 2019 allegations on Google’s subsidiary YouTube that it collected personal data from children without consent that lead to the company paying a $170 million settlement to state and federal regulators. Read the announcement


Footballers threaten data firms with GDPR legal action

Hundreds of professional football players have threatened to take legal action against gaming, betting and sports data companies that use their performance data, for alleged violation of GDPR.  850 players including current and former Premier League, English Football League, National League and Scottish Premiership demand compensation for trading their performance data over the past six years. The campaign called“Project Red Card” is led by the former Cardiff manager Russell Slade and if successful, could lead to a radical shakeup of the multi-billion pound industry that trades on players’ information. Read story.


Firefox joins Global Privacy Control

Mozilla Firefox has become the latest browser to test the Global Privacy Control  (GPC), calling itself “the first major web browser” to do so. The GPC is a browser setting that notifies the user’s privacy settings to websites and services and is spearheaded by a group of publishers and technology companies to create a global web standard for privacy. GPC is tailored for California’s Consumer Privacy Act (CCPA), which gives Californians the right to opt-out of the sale of their data. Currently, web browsers like Abine, DuckDuckGo, Brave, Disconnect and publications like the New York Times and The Washington Post have enabled the GPC. Read more


2021 sees a 17% increase in data breaches

To date,  there have been 1,291 breaches in 2021, compared to 1,108 in 2020.  Identity Theft Research Center (ITRC) reports that this year’s number has surpassed the total number in 2020 by 17%. According to IRTC, Phishing and ransomware are the two most popular tools of cyberattacks and nearly 281.5 million people have been affected by some sort of data breach. Another study by the Thales Group, also reported that 40% of organizations globally have experienced a cloud-based data breach in the past 12 months. Read more.


Amazon appeals $865 million GDPR fine

Amazon has officially appealed the record €746m fine issued by the Luxembourg data protection authority (DPA). The appeal was submitted to Luxembourg’s Administrative Tribunal to challenge the DPA’s fine issued in July over violation of GDPR’s data processing rules. It is the largest fine issued since the Regulation came into effect in 2018. The proposed fine adds to the existing antitrust investigations that Amazon is facing in Europe. Read more