1 Gregg Turek, Author at Sourcepoint

USA

FTC Files Second AMENDED Complaint Against Kochava and Collective Data Solutions

After a February 2024 district court decision denying data broker Kochava’s motion to dismiss the FTC’s case against it, the FTC filed a second amended complaint adding a second defendant, Collective Data Solutions (CDS), to the case. CDS is a wholly-owned subsidiary of Kochava, to whom, according to the complaint, Kochava transferred at least part of its data broker business. FTC claims that CDS has continued the practices that the FTC alleges to invade consumers’ privacy, specifically the “practices of collecting, using and disclosing enormous amounts of private and sensitive information about consumers”, which the FTC claims causes or is likely to cause substantial injury in the form of stigma, discrimination, physical violence, emotional distress, and other harms that consumers are unable to take reasonable steps to avoid.

TAKEAWAY

Although the FTC’s second amended complaint is substantially similar to its first amended complaint (only taking the procedural step to add CDS to the complaint), the concurring statement of Commissioner Melissa Holyoak issued in conjunction with the filing is insightful, which she wrote separately to “highlight the significance of the Commission’s action to protect the privacy of consumers’ precise geolocation information.” Specifically, Commissioner Holyoak points out the importance of the district court’s opinion as “an important marker in how to consider ‘substantial injury’ in the context of privacy actions brought under Section 5” and that “any future court decision in this litigation will be another important marker for the Commission to consider.”

She also explains that, although the Kochava complaint “focuses on sales of precise geolocation data and related sensitive information to commercial purchasers, not law enforcement,” the description of the sensitivity of precise geolocation data in Fourth Amendment case law is instructive, “given how government officials can purchase precise geolocation data from commercial data brokers in ways that may circumvent Fourth Amendment protections.” She stresses that “for consumers to realize the benefits of technology, they must be able to trust that technology–including tools that hold their sensitive personal data–will remain secure from wrongful government surveillance” and cautions that “when private parties like the Defendants disclose precise geolocation information revealing political, medical, or religious activities, without consumers’ consent to willing purchasers, their conduct breaches that trust and jeopardizes Americans’ freedoms.”

Sourcepoint has sensitive data opt-in functionality as part of its Dialog consent management platform (CMP). Find out more details here.

EUROPE

The Dutch Data Protection Authority (AP) announced its imposition of a 600,000 euro fine against drugstore brand AS Watson, based on allegations its drugstore subsidiary, Kruidvat, collected and used personal data of millions of visitors to its website Kruidvat.nl through tracking cookies without user knowledge or consent in violation of the GDPR.

TAKEAWAY

The alleged violation was discovered as part of a broader investigative sweep to test whether various websites met the requirements for processing personal data obtained via tracking cookies, including whether, and the manner in which, consent was requested and given. In the case of kruidvat.nl, although the website had a cookie banner and a privacy statement revealing that tracking cookies are placed and the types of personal data, the purpose and basis of the processing, the types of cookies, the retention period, and information about sharing collected information with third parties, a technical investigation found that third-party tracking cookies and beacons were placed both before and after completing the consent procedure and that the data subject had to take several steps to find out whether and how advertising cookies were set and to refuse the setting of such cookies, which the DPA found to be in violation of GDPR. In its announcement of the fine, the AP warned that “the AP will check more often whether websites correctly request permission for tracking cookies or other tracking software” and cautioned that organizations must ensure a cookie banner that meets the legal requirements.

A solution for GDPR and consent management is vital to your enterprise, especially to avoid unexpected regulatory penalties. Learn more about Sourcepoint’s Consent Management Platform (CMP) Dialog.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.

Keep in touch

Sign up for our newsletter to keep up with privacy news for adtech and martech,
plus occasional company news.

© Sourcepoint 2024. All Rights Reserved

Let's explore what we can do together.

We'll be in touch within 48 hours

[contact-form-7 id="593" title="Schedule a Demo"]