Weekly Privacy News Update – Episode 31

Criteria for cookie wall evaluation issued by CNIL

The Commission Nationale de l’informatique et des libertés (CNIL), France’s data protection authority, published its criteria that will be the basis for third-party cookie walls evaluation. Part of the criteria is four considerations based on informed consent, such as alternative access to content, the price of that access, paid access without cookie placement, and potential embedded consent overrides. The criteria will carry out as part of case-by-case analysis.

Source: IAPP, CNIL

New children’s privacy policy statement from the FTC

With a 5-0 vote, the US Federal Trade Commission approved a policy statement that will boost investigations of Children’s Online Privacy Protection Act (COPPA) violations that involves education technology companies. The statement maintains the COPPA provisions that limit education technology companies’ collection, use, retention, and security requirements for children’s data.

Source: IAPP, Federal Trade Commission

Google faces EUR 10 million from Spain’s DPA

For violating the  EU General Data Protection Regulation (GDPR), Google faces a EUR 10 million from the Agencia Española de Protección de Datos, Spain’s data protection authority (DPA). The tech giant was investigated due to third-party data sharing with Lumen Project, which had no opt-out mechanism for data subjects. Personal identifiable data, email addresses, and individuals’ legal claims are some of the shared data. The penalty also asked Google to delete all the personal data shared with Lumen and cease using that data. Google to delete all the personal data shared with Lumen and halt further use of that data.

Source: IAPP, AEPD

Uber receives EUR 4.2 million fine from Italy’s DPA

The Garante, Italy’s data protection authority, issued a EUR 4.2 million fine to Uber for supposedly data processing violations. Fifty-seven million users were affected after the Garante found that a subsidiary of Uber was processing users’ data without consent and without notifying supervisory agencies. According to the Garante, Uber’s management companies in the US and Netherlands violated Italian users’ personal data protection code.

Source: IAPP, The Garante

More about the author

Written by Masha Komnenic CIPP/E, CIPM, CIPT, FIP

Masha is an Information Security and Data Privacy Specialist and a Certified Data Protection Officer. She has been a Data Protection Officer for the past six years, helping small and medium-sized enterprises achieve legal compliance. She has also been a privacy compliance mentor to many international business accelerators. She specializes in implementing, monitoring, and auditing business compliance with privacy regulations (HIPAA, PIPEDA, ePrivacy Directive, GDPR, CCPA, POPIA, LGPD). Masha studied Law at Belgrade University, and she passed the Bar examination in 2016. More about the author