Privacy News Roundup | January 2023

The California Consumer Privacy Act (CCPA) exemptions for employee and business-to-business (B2B) personal information have not been extended- and this is likely to complicate further the privacy regulatory landscape for businesses in California.

California employers should prepare to provide an array of new privacy rights to employees as of January 1, 2023, which is the effective date of the California Privacy Rights Act (CPRA) amending the CCPA.

Generally, personal information that a business collects about business contacts will be subject to the same CPRA privacy rights and obligations.

Enforcement of the new CPRA provisions is set to begin in July 2023.

California Attorney General Rob Bonta announced an investigative sweep, sending letters to businesses with mobile apps that fail to comply with the California Consumer Privacy Act (CCPA).

The sweep focuses on popular apps in the retail, travel, and food service industries that allegedly fail to comply with consumer opt-out requests or do not offer any mechanism for consumers who want to stop the sale of their data.

The sweep also focuses on businesses that failed to process consumer requests submitted via an authorized agent, as required by the CCPA.

The FTC announced two record-breaking settlements totaling $520 million against Epic Games, maker of video game Fortnite, related to children’s privacy violations under COPPA, dark patterns, and deceptive billing practices.

Epic will be required to change default settings, return millions of dollars, and pay a record fine.

FTC alleged that Epic collected PI of children less than 13 years old without notifying parents or getting parents’ consent, exposed minors to potential harm through on-by-default real time text and voice communications with strangers, and ignored parent requests for removal of child PI, or made it hard to secure.

For dark patterns, the FTC noted, among other things, that Epic Games had:

• deployed a variety of dark patterns aimed at getting consumers of all ages to make unintended in-game purchases;
• charged account holders without authorization;
• locked the accounts of customers who disputed unauthorized charges with their credit card companies.

Epic also charged account holders without authorization through intentionally confusing in-game buttons, fooling players to make unintended purchases.

NIST announced its intent to make new revisions to its Cybersecurity Framework (CSF) document, with an emphasis on cyberdefense and inclusivity across all economic sectors. The framework includes changes to the recommended cybersecurity best practices, sector-specific needs and new uses based on modifications to the framework.

While the CSF was initially established as a non-mandatory resource for critical infrastructure, the planned update aims to be more broadly tailored for organizations within government, academia and industry.

NIST also published the AI Risk Management Framework (AI RMF) 1.0 on January 26th, 2023. It is intended to improve the ability to incorporate trustworthiness considerations into the design, development, use, and evaluation of AI products, services, and systems.

NIST developed the AI RFM to better manage risks to individuals, organizations, and society associated with artificial intelligence (AI). The AI RMF includes four functions and corresponding categories for organizations to use to mitigate risk throughout the development of AI.

The UK Information Commissioner's Office published a notice calling for more incorporation of privacy principles as companies build new technologies.

The ICO's stance is reflected in its Tech Horizons Report, which warns benefits of emerging tech over the next two to five years "could be lost if people feel companies are misusing their data." The report covers Internet of Things devices as well as tech in the health and financial space.

The Irish Data Protection Commission completed its inquiry into Meta platform’s WhatsApp, and fined the company 5.5 million euros related to forced user consent for the processing of their data.

In response to intervention by the European Data Protection Board, the Irish watchdog also stated, “It’s not up to the board to ‘instruct and direct an authority to engage in open-ended and speculative investigation’, adding it would ask the EU’s top court to annul the order because it’s “problematic in jurisdictional terms.” This opens a rift between the local privacy protection authorities and the EU privacy protection authorities.

For more information, read the Data Guidance News and the Washington Post report.

The Irish Data Protection Commission issued final decisions invalidating Meta's contract performance as a lawful basis for seeking user permission to collect data for personalized advertising on Facebook and Instagram.

In contrast, the European Data Protection Board (EDPB) joins the view of the Austrian, German, French, Italian, Dutch, Norwegian, Polish, Portuguese and Swedish authorities, that behavioral advertisement is "objectively not necessary for the performance of Meta's alleged contract".

NOYB said the decisions — which followed complaints the group made in May 2018 on the day the EU General Data Protection Regulation took effect — "clearly shows massive disagreement" between the Data Protection Commission and the EDPB.