France’s DPA provides an update on cookie compliance enforcement.
CNIL, France’s DPA, provided an update this week on the results of its second round of cookie compliance notices. Notably, 30 out of the 40 notices issued were resolved. Some of the remaining notices requested extension due to technical or operational issues, others have not acknowledged the notice.
Finland publishes updated cookie guidance.
Following the Helsinki Administrative Court’s new policy on cookie consent and storage issued in Spring 2021, Finland’s Transport and Communications Agency has updated its cookie guidelines to comply with that policy. The Agency provided information for end users about cookie consent choices (available here) including an FAQ on how to report sites that violate the guidelines, and guidelines for service providers (available here). The guides themselves did not appear to be readily available in English, but the IAPP reports the key takeaway is that legitimate interest is not always grounds for cookie use or storage.
Italy’s regulator is not cool with the shades.
Italy’s Data Protection Authority is urging Ireland’s DPA to investigate Facebook’s recently announced partnership with Rayban to create Rayban stories. Because Ireland’s EU HQ is in Ireland (i.e., Facebook’s main establishment), pursuant to GDPR’s standards for determining which EU member state supervisory authority is the lead authority, Facebook’s lead supervisory authority is Ireland’s Data Protection.
The GDPR also establishes protocol for things like requesting information and initiating investigations for the purposes of implementing and applying the regulation, which is why Italy’s DPA must ask the lead authority to take action – in this case to require Facebook to answer questions about the legal basis for the processing of personal data (particularly data from minors) from the glasses and to better understand how anonymization will work.
WhatsApp says the fine is not very appeal-ing.
This week, WhatsApp filed an appeal challenging the EUR 225 million fine imposed on the company by Ireland Data Protection Commission. The Irish DPC issued the fine for “severe” breaches of privacy laws. Whatsapp is claiming the DPC’s decision is unconstitutional and incompatible with the European Convention on Human Rights (ECHR) and that its rights to “fair procedures” have been breached.
US businesses can expect an increase in enforcement for privacy violations like deceptive statements and more following:
- Resolutions for higher case loads. An FTC announcement of eight new compulsory process resolutions to enable higher case loads. The categories include algorithmic bias, children under 18, and deceptive or manipulative conduct on the internet.
- A possible increase in funding and a new division for privacy and security. This week a federal proposal to increase funding to the FTC for a new privacy and security division saw movement in the House — passed by the U.S. House Energy and Commerce Committee. Next step is a House floor vote. The proposal would give the FTC $1 billion over 10 years to create a new unit for privacy and security.
ICO shows it’s not soft on the soft opt-in requirements for email marketing.
The UK Information Commissioner’s Office fined three companies a combined 450,000 GBP after sending over 354 million nuisance messages without consumer consent.
- We Buy Any Car was fined 200,000 GBP for sending more than 191 million marketing emails and 3.6 million nuisance texts without fully satisfying the requirements of the soft opt-in. 42 complaints were filed with the ICO. (Source: ICO)
- Saga Services and Saga Personal finance were fined 150,000 GBP and 75,000 GBP for 157 million marketing emails between the two of them without valid consent. (Sources: ICO, ICO)
- Sports Direct has been fined 70,000 GBP for sending 2.5 million marketing emails without consent. (Source: ICO)
Brazil wants to help you comply with LGPD
Brazil’s data protection authority published a guide to help consumers understand how to comply with LGPD, including clarification of when and what and who can process personal data in various situations. It also explains how consumers should respond in cases where data is shared improperly.
Saudi Arabia has a new privacy law!
The Council of Ministers of Saudi Arabia approved the Personal Data Protection Law. The law will take effect March 13, 2022. The law protects rights around processing of personal data, regulates sharing between entities, and explicitly prohibits sending marketing to individuals unless consent is obtained.
The law defines personal data as (among other things) “names, identification numbers, addresses, phone numbers, personal records, financial records, images, videos, or any other identifying data.”
Further reading from this week:
- Data privacy request metrics: Lessons for your privacy program (IAPP)
- Denham discusses potential for global privacy standard (IAPP)
- Key takeaways from the UK’s proposed data reform (IAPP)
- Top-10 takeaways from the CA AG’s CCPA enforcement case examples (IAPP)
- Irish DPC offers DPO qualifications recommendations (IAPP, DPC)
- Singapore’s PDPC revises guides on DPIAs and privacy programs (IAPP)
- France’s cybersecurity director calls to stop US access to EU data (Politico, IAPP)
- Judge rules in favor of Costco in Florida (Government Technology, IAPP)