Criteria for cookie wall evaluation issued by CNIL
The Commission Nationale de l’informatique et des libertés (CNIL), France’s data protection authority, published its criteria that will be the basis for third-party cookie walls evaluation. Part of the criteria is four considerations based on informed consent, such as alternative access to content, the price of that access, paid access without cookie placement, and potential embedded consent overrides. The criteria will carry out as part of case-by-case analysis.
New children’s privacy policy statement from the FTC
With a 5-0 vote, the US Federal Trade Commission approved a policy statement that will boost investigations of Children’s Online Privacy Protection Act (COPPA) violations that involves education technology companies. The statement maintains the COPPA provisions that limit education technology companies’ collection, use, retention, and security requirements for children’s data.
Source: IAPP, Federal Trade Commission
Google faces EUR 10 million from Spain’s DPA
For violating the EU General Data Protection Regulation (GDPR), Google faces a EUR 10 million from the Agencia Española de Protección de Datos, Spain’s data protection authority (DPA). The tech giant was investigated due to third-party data sharing with Lumen Project, which had no opt-out mechanism for data subjects. Personal identifiable data, email addresses, and individuals’ legal claims are some of the shared data. The penalty also asked Google to delete all the personal data shared with Lumen and cease using that data. Google to delete all the personal data shared with Lumen and halt further use of that data.
Uber receives EUR 4.2 million fine from Italy’s DPA
The Garante, Italy’s data protection authority, issued a EUR 4.2 million fine to Uber for supposedly data processing violations. Fifty-seven million users were affected after the Garante found that a subsidiary of Uber was processing users’ data without consent and without notifying supervisory agencies. According to the Garante, Uber’s management companies in the US and Netherlands violated Italian users’ personal data protection code.
Source: IAPP, The Garante