Privacy News Roundup | January 2023

US News

California employers should prepare to provide new privacy rights to employees

The California Consumer Privacy Act (CCPA) exemptions for employee and business-to-business (B2B) personal information have not been extended, which is likely to further complicate the privacy regulatory landscape for businesses in California.

California employers should prepare to provide an array of new privacy rights to employees as of January 1, 2023, which is the effective date of the California Privacy Rights Act (CPRA) amending the CCPA.

Generally, personal information that a business collects about its business contacts will now be subject to the same CPRA privacy rights and obligations as consumer data.

Enforcement of the new CPRA provisions is set to begin in July 2023.

Investigative sweep of California businesses with mobile apps

California Attorney General Rob Bonta announced an investigative sweep, sending letters to businesses whose mobile apps allegedly fail to comply with the California Consumer Privacy Act (CCPA).

The sweep focuses on popular apps in the retail, travel, and food service industries that allegedly fail to comply with consumer opt-out requests or do not offer any mechanism for consumers who want to stop the sale of their data.

The sweep also focuses on businesses that failed to process consumer requests submitted via an authorized agent, as required by the CCPA.

Record-breaking $520 million settlement for children’s privacy violations

The FTC announced two record-breaking settlements totaling $520 million against Epic Games, maker of the video game Fortnite, related to children’s privacy violations under COPPA, dark patterns, and deceptive billing practices.

Epic will be required to change default settings, return millions of dollars, and pay a record fine.

The FTC alleged that Epic collected personal information (PI) of children under 13 without notifying parents or obtaining parental consent, exposed minors to potential harm through on-by-default real-time text and voice communications with strangers, and ignored parents’ requests to delete their children’s PI, or made such deletion difficult to obtain.

For dark patterns, the FTC noted, among other things, that Epic Games had:

  • deployed a variety of dark patterns aimed at getting consumers of all ages to make unintended in-game purchases;
  • charged account holders without authorization;
  • locked the accounts of customers who disputed unauthorized charges with their credit card companies.

The unauthorized charges were made through intentionally confusing in-game buttons that fooled players into making unintended purchases.

US National Institute of Standards and Technology (NIST) Publishes AI Risk Management Framework and Revises Cybersecurity Framework

NIST announced its intent to revise its Cybersecurity Framework (CSF), with an emphasis on cyberdefense and applicability across all economic sectors. The planned revision covers changes to the recommended cybersecurity best practices, sector-specific needs, and new uses of the framework.

While the CSF was initially established as a voluntary resource for critical infrastructure, the planned update aims to be more broadly applicable to organizations within government, academia, and industry.

NIST also published the AI Risk Management Framework (AI RMF) 1.0 on January 26th, 2023. It is intended to improve the ability to incorporate trustworthiness considerations into the design, development, use, and evaluation of AI products, services, and systems.

NIST developed the AI RMF to better manage the risks to individuals, organizations, and society associated with artificial intelligence (AI). The AI RMF includes four functions (Govern, Map, Measure, and Manage) with corresponding categories that organizations can use to mitigate risk throughout the AI lifecycle.

International News

UK ICO calls for privacy principles to be built into new technologies

The UK Information Commissioner's Office (ICO) published a notice calling on companies to incorporate privacy principles into new technologies as they build them.

The ICO's stance is reflected in its Tech Horizons Report, which warns that the benefits of emerging tech over the next two to five years "could be lost if people feel companies are misusing their data." The report covers Internet of Things devices as well as technology in the health and financial sectors.

WhatsApp fined 5.5 million euros in Ireland for forced user consent

The Irish Data Protection Commission (DPC) completed its inquiry into Meta Platforms’ WhatsApp and fined the company 5.5 million euros for forcing users to consent to the processing of their data.

Responding to the intervention by the European Data Protection Board, the Irish watchdog also stated, “It’s not up to the board to ‘instruct and direct an authority to engage in open-ended and speculative investigation’,” adding that it would ask the EU’s top court to annul the order because it is “problematic in jurisdictional terms.” This opens a rift between the national privacy protection authority and the EU-level body.

For more information, read the Data Guidance News and the Washington Post report.

France fines smartphone video game publisher VOODOO 3 million euros

The French data protection authority (CNIL) imposed a fine of 3 million euros on VOODOO, a publisher of smartphone video games, for using an identifier intended for technical purposes (Apple's IDFV) for advertising without the user's consent.

Major disagreement between the Irish Data Protection Commission and the European Data Protection Board

The Irish Data Protection Commission issued final decisions finding that Meta cannot rely on "performance of a contract" as the lawful basis for processing user data for personalized advertising on Facebook and Instagram.

Those decisions followed a binding decision of the European Data Protection Board (EDPB), which joined the view of the Austrian, German, French, Italian, Dutch, Norwegian, Polish, Portuguese and Swedish authorities that behavioral advertising is "objectively not necessary for the performance of Meta's alleged contract".

NOYB, whose complaints of May 2018 (filed on the day the EU General Data Protection Regulation took effect) led to the decisions, said they "clearly show massive disagreement" between the Data Protection Commission and the EDPB.

Quebec calls for stronger data protections of minors’ data

The Quebec Commission on Access to Information (CAI) recommends prohibiting the collection, use, or disclosure of a minor's personal information; prohibiting the sale of personal information concerning a minor in all circumstances; and increasing the resources allocated to education and awareness of the risks of digital technology.


Use of, access to, and information exchanged on this web page or any of the e-mail links contained within it cannot and does not create an attorney-client relationship between Han Santos, PLLC, and the user or browser. Please do not post any personal or confidential information. You should contact your attorney to obtain advice with respect to any particular issue or problem. Contact us for additional information. One of our lawyers will be happy to discuss the possibility of representation with you. The opinions expressed at or through this site are the opinions of the individual author and may not reflect the opinions of the firm or any individual attorney.