January 13, 2023

Issue 13: January is the worst — especially if you're Meta

Oh hey! Welcome to The Privacy Beat Newsletter!

Here’s the gist: Come here for insights on the hottest topics in privacy according to our peers’ tweets so you can walk into any happy hour or team meeting and sound like the absolute baller you are. No current topic gets by you. Did you post a hot take you want included? Tag it #PrivacyBeatNews and see if it makes it into the next edition!

Two weeks ago, I was on a cruise ship breathing in the salty Bahamian air with a beheaded pineapple in my hand, sipping rum from its fleshy insides. Now, I find myself clanking my keypad in windy, gray DC. And while I’m certainly firmly on land, my body hasn’t quite caught up: I’m still walking around my apartment in a slightly squatted duck walk, my hands raised at my sides like a drunken townie, anticipating the ship’s rock side to side.

At least when you’re floor surfing on a ship, you’re also on your way to round two at the buffet. This is laptop-based sea sickness. The payoffs are less immediate.

So, yes, I’m in a mood. But you know who’s also probably in a mood? Meta.

Meta got some mega news on behavioral advertising

Ireland’s Data Protection Commission finally fined Meta a total of $414 million for violating the GDPR. But the shot heard ‘round the world? The DPC banned Meta from requiring EU users to agree to personalized ads. The company said it’ll appeal, but: Wow.

For an intense play-by-play (I literally gasped), you gotta check out this thread by Gabriela Zanfir-Fortuna. But I’ll summarize her summary because it’s very OMG.

In 2018, Facebook started processing personal data as part of the “contract” users agreed to when they signed up for the service, instead of relying on consent. If you wanted to sign up, you accepted personalized ads as part of the contract’s bundle of terms. While DPC chief Helen Dixon said Meta didn't sufficiently notify users of the change from "consent" to "contract" for processing their data, she did find Meta could process the data under the basis of contract. But Dixon's counterparts at the EDPB said personalized ads aren't necessary for the contract's fulfillment, and also required Dixon to increase the fine she'd proposed.

DRAMA! Four years of drama between noyb, which filed the initial complaint spurring the investigation, and the DPC. And now drama at the EDPB.

If the EDPB and Dixon were talking this out, it would have sounded something like this (in my head):

Dixon: Okay, Meta wasn’t transparent when it changed its practices, so I’ll slap it with a fine. But it’s cool if it processes data based on the contract. So, done. (Sips tea.)

EDPB: Um, no. Because two reasons. One, the fine you’re suggesting isn’t high enough, do more. Also, you’re wrong. Meta can’t bundle the data processing for behavioral advertising in its contract. Tell Meta to cut it out. Within three months. Oh, and launch an investigation on how Meta’s handling sensitive data and stuff.

Dixon: Mmmm, I’ll make the fine higher but not doing the investigation. You can’t make me. Thanks bye.

For real though, Dixon said the EDPB is overstepping its reach in asking the DPC to investigate further. The one-stop-shop went for the mic drop, but, Helen ain't having it.

Will Meta change its practices within the three-month window? Welp, it plans to appeal. So prolly not.

As Robert Bateman tweeted, the EDPB decision has plenty of sexy details, but one fun line of note: "The GDPR... treats personal data as a fundamental right... and not as a commodity data subjects can trade away through a contract."

Max Schrems, heading noyb, is displeased. He says the fine for such "forced consent" is too low. As an aside, while many of you in corporate compliance generally dislike Schrems for the carnage he’s created by obliterating two global data-transfer frameworks (so far), you gotta respect the artwork here. It feels vintage video game-y.

The big takeaways so far? Check your privacy notices. Check the legal basis you’re relying on for processing data and using it to advertise. Check the language you’re using to inform users to be sure it’s all in line with the EDPB’s binding decision on Meta.

The children! For the love of God, the children

I personally have opted out of breeding for two reasons: I’m scared I’ll mess them up, and I’m very selfish. But I still care about your kids. And so do European regulators. They called TikTok to Brussels recently to ask about its compliance with the GDPR. Namely, they wanted to know about "the recent press reporting on aggressive data harvesting and surveillance in the U.S.," Reuters reports.

Like Meta, TikTok is finding January a bit of a rough month. Days after its meeting with EU officials, the CNIL slapped it with a €5 million fine because "TikTok.com users could not refuse cookies as easily as accept them and they were not informed in a sufficiently precise way about the purposes of the different cookies."

In the U.S., we're starting to see states introduce bills similar to California’s Age-Appropriate Design Code, which passed last year. West Virginia and Oregon have issued proposals. This of course follows the FTC’s settlement with Epic Games last year for $275 million for children’s privacy violations.

It's only month one of 12. Children’s privacy laws are about to come in hot this year. Brace yourselves.

And they’re off! States ain’t waiting around

Speaking of introducing laws, 2023 has birthed eight new state privacy bills already. Tennessee, New York, Kentucky, Oklahoma, Mississippi, Indiana, Iowa, and Washington State. Full disclosure: I haven’t absorbed them yet, but I’ll have a webinar on the important points next week. For now, here’s what’s on the table.

Tennessee Information Protection Act (SB 73)

Oklahoma Computer Data Privacy Act (HB 1030)

New York Privacy Act (S00365)

Kentucky Senate Bill 15

Mississippi Consumer Data Privacy Act (SB 2080)

Indiana Senate Bill 5

Iowa HSB 12

Washington State (HB 1155)

Did you miss the latest Privacy Beat Podcast drops?

WELP, that was 2022, I guess
In this free-ranging episode, host Angelique Carson chats with longtime pals Gabe Maldoff, privacy attorney at Goodwin Procter, and Cobun Zweifel-Keegan, IAPP’s managing DC director, about the big privacy news in 2022. There’s lots of talk about CPRA, the Sephora case, California’s need to constantly pass laws, and why Gabe hates cruises.

Listen here

CA Deputy AG Stacey Schesser on enforcing America’s flagship privacy law (Part 1)
In this interview (part 1 of 2), host Angelique Carson chats with California Deputy Attorney General Stacey Schesser on how everything changed with the CCPA. Schesser talks about the agency’s recent Sephora enforcement action, Global Privacy Controls, and how she’ll work with the newly-established CPPA. It’s a Privacy Geek’s buffet, if you will.

Listen here

CA Deputy AG Stacey Schesser on enforcing America’s flagship privacy law (Part 2)
In this episode, part 2 of 2, California Deputy Attorney General Stacey Schesser talks about what she thinks the attorney general could have done differently, the Sephora case, and what’s going on with operationalizing Global Privacy Controls.

Listen here