California AG announces new enforcement sweep
January 30, 2023
Want to receive these weekly privacy recaps in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.
California AG Announces New Enforcement Sweep
California Attorney General Bonta announced a Data Privacy Day enforcement sweep focused on mobile applications’ compliance with the California Consumer Protection Act (CCPA).
The AG’s office sent letters to popular apps in the retail, travel and food services industries who either don’t offer consumers an opt-out mechanism or fail to comply with consumer opt-out requests.
It is unclear from the announcement what action has or will be taken against the recipients of letters in this latest enforcement sweep.
In past enforcement sweeps, targeted companies were given a 30-day period to cure the noncompliance, as required by CCPA.
The obligation to extend a cure period expired as of January 1, 2023, so this round of enforcement may take a different form than we’ve seen in the past.
Indiana / Iowa Bills Progress as States Continue to Join the Party
Meanwhile, New Hampshire, Vermont and Washington joined the states with active privacy legislation, bringing the total number to 14.
New Hampshire SB 255 largely borrows elements from existing comprehensive privacy laws, but Washington HB1616 would introduce a general opt-in consent requirement, and Vermont H 121 would introduce a number of requirements specific to data brokers, including a requirement to honor a Data Broker Opt Out List maintained by the Vermont Secretary of State.
Privacy legislation seems to be trickling in at a slower pace this year compared to 2022.
By this time last year, 22 states had introduced comprehensive privacy legislation, although only one bill (in Indiana) had advanced past committee.
Chick-Fil-A and Times Publishing Join Growing List of VPPA Defendants
Class action lawsuits were filed against Chick-Fil-A and Times Publishing Company (tampabay.com), both alleging that the companies shared video viewing details and personal data with Facebook without user consent in violation of the Video Privacy Protection Act.
Plaintiffs lawyers are rapidly filing class action suits against major websites that use Facebook pixels to collect video data, and at least four cases (against Boston Globe, NFL, Epoch Times, and WebMD) have overcome a motion to dismiss.
The law requires that companies disclosing identifiable video viewing information obtain consent in a form distinct and separate from other legal or financial terms and provide a clear and conspicuous opportunity for users to withdraw their consent.
Home Depot Found to Violate PIPEDA for Sharing Personal Data without Consent.
The Office of the Privacy Commissioner of Canada (OPC) highlighted in a press release its investigation finding that Home Depot shared details from e-receipts with Meta without consumer knowledge or consent in violation of Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA).
The investigation revealed that Home Depot collected customer email addresses at store checkouts for the stated purpose of providing customers with an electronic copy of their receipt but were also sending the email addresses, along with in-store purchase details, to Meta for measurement of ad effectiveness and conversion, as well as for Meta’s own purposes, such as targeted advertising unrelated to Home Depot.
Although certain disclosures were made in Home Depot’s privacy statement (accessible on its website and upon request at retail locations), such as that Home Depot may share information for business purposes with third parties, the OPC found that these disclosures did not clearly explain the practice and were not ready available to customers at the check out counter, which the OPC found to be “insufficient to support meaningful consent”.
PIPEDA in its current form allows for the form of consent for the processing of personal information to vary, depending on the circumstances and the type of information, taking into account the sensitivity of the information as well as the reasonable expectations of the individual.
Express consent is required for the collection of sensitive information or use or disclosure outside the reasonable expectations of the individual or that creates a meaningful risk of significant harm to the individual.
In other cases, implied consent may be sufficient. In this case, although the OPC found that the data in question may not be sensitive in the circumstances of this case, Home Depot should have obtained express consent because customers would not reasonable expect, or have reason to suspect, that their e-mail address and offline purchase details would be shared with Meta for measuring the impact of ad campaigns.
Want more of the privacy highlights that matter to adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.
A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.
Latest Blog Posts
The Federal Trade Commission sent warning letters to five...
Delaware HB 154, implementing the Delaware Personal Data Privacy Act,...
How do different U.S. state laws define and protect...
Latest White Papers
The current state of publisher compliance with CCPA, and...
How to review your vendor list to mitigate compliance...
Keep in touch
Sign up for our newsletter to keep up with privacy news for adtech and martech,
plus occasional company news.