California AG announces new enforcement sweep

Want to receive these weekly privacy recaps in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.

UNITED STATES

California AG Announces New Enforcement Sweep

California Attorney General Bonta announced a Data Privacy Day enforcement sweep focused on mobile applications’ compliance with the California Consumer Protection Act (CCPA).

The AG’s office sent letters to popular apps in the retail, travel and food services industries who either don’t offer consumers an opt-out mechanism or fail to comply with consumer opt-out requests. 

TAKEAWAY

It is unclear from the announcement what action has or will be taken against the recipients of letters in this latest enforcement sweep.

In past enforcement sweeps, targeted companies were given a 30-day period to cure the noncompliance, as required by CCPA.

The obligation to extend a cure period expired as of January 1, 2023, so this round of enforcement may take a different form than we’ve seen in the past. 

Indiana / Iowa Bills Progress as States Continue to Join the Party

Indiana’s SB5 unanimously passed the Senate Commerce and Technology Committee, and Iowa’s HSB 12 passed a House Economic Growth and Technology Subcommittee.

Meanwhile, New Hampshire, Vermont and Washington joined the states with active privacy legislation, bringing the total number to 14.

New Hampshire SB 255 largely borrows elements from existing comprehensive privacy laws, but Washington HB1616 would introduce a general opt-in consent requirement, and Vermont H 121 would introduce a number of requirements specific to data brokers, including a requirement to honor a Data Broker Opt Out List maintained by the Vermont Secretary of State. 

TAKEAWAY

Privacy legislation seems to be trickling in at a slower pace this year compared to 2022.

By this time last year, 22 states had introduced comprehensive privacy legislation, although only one bill (in Indiana) had advanced past committee. 

Chick-Fil-A and Times Publishing Join Growing List of VPPA Defendants

Class action lawsuits were filed against Chick-Fil-A and Times Publishing Company (tampabay.com), both alleging that the companies shared video viewing details and personal data with Facebook without user consent in violation of the Video Privacy Protection Act.

TAKEAWAY

Plaintiffs lawyers are rapidly filing class action suits against major websites that use Facebook pixels to collect video data, and at least four cases (against Boston Globe, NFL, Epoch Times, and WebMD) have overcome a motion to dismiss.

The law requires that companies disclosing identifiable video viewing information obtain consent in a form distinct and separate from other legal or financial terms and provide a clear and conspicuous opportunity for users to withdraw their consent. 

CANADA

Home Depot Found to Violate PIPEDA for Sharing Personal Data without Consent.

The Office of the Privacy Commissioner of Canada (OPC) highlighted in a press release its investigation finding that Home Depot shared details from e-receipts with Meta without consumer knowledge or consent in violation of Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA).

The investigation revealed that Home Depot collected customer email addresses at store checkouts for the stated purpose of providing customers with an electronic copy of their receipt but were also sending the email addresses, along with in-store purchase details, to Meta for measurement of ad effectiveness and conversion, as well as for Meta’s own purposes, such as targeted advertising unrelated to Home Depot.

Although certain disclosures were made in Home Depot’s privacy statement (accessible on its website and upon request at retail locations), such as that Home Depot may share information for business purposes with third parties, the OPC found that these disclosures did not clearly explain the practice and were not ready available to customers at the check out counter, which the OPC found to be “insufficient to support meaningful consent”.

TAKEAWAY

PIPEDA in its current form allows for the form of consent for the processing of personal information to vary, depending on the circumstances and the type of information, taking into account the sensitivity of the information as well as the reasonable expectations of the individual.

Express consent is required for the collection of sensitive information or use or disclosure outside the reasonable expectations of the individual or that creates a meaningful risk of significant harm to the individual.

In other cases, implied consent may be sufficient. In this case, although the OPC found that the data in question may not be sensitive in the circumstances of this case, Home Depot should have obtained express consent because customers would not reasonable expect, or have reason to suspect, that their e-mail address and offline purchase details would be shared with Meta for measuring the impact of ad campaigns. 

Want more of the privacy highlights that matter to adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.