CJEU Ruling Broadens Scope of Sensitive Data Under GDPR

Julie Rubash, Chief Privacy Counsel
August 8, 2022



CARU Finds COPPA Violations By “Mixed Audience” App

Firefly Games, operator of the LOL Surprise! Room Makeover app, agreed to take corrective actions after the Children’s Advertising Review Unit (CARU) of BBB National Programs found the app to constitute a “mixed audience” app under the Children’s Online Privacy Protection Act (COPPA), triggering certain requirements that CARU found the app was failing to fulfill.

Notably, the app was found to be collecting, and allowing third parties to collect, personal information through its app without verifying age or obtaining parental consent of users under 13.

Additionally, the app’s privacy disclosures were found to be inconsistent with the app’s actual practices.


The FTC has made clear in its COPPA Frequently Asked Questions that “mixed audience” sites or services that are directed to children under 13 but not as the primary audience (e.g., the site also targets adults or older teens) should either treat all users as children or implement an age screen to collect personal information only from children 13 and older without parental consent.

These requirements may get even more protective of children and teens. Although COPPA currently only governs children under 13, a bill recently introduced by the U.S. Senate would expand COPPA, requiring consent from minors ages 13-16 for targeted marketing and prohibiting targeted marketing to children under 13.

In the meantime, the Better Business Bureau’s Center for Industry Self-Regulation’s TeenAge Privacy Program Roadmap encourages businesses providing products or services appealing to teen audiences to establish the age of users and obtain opt-in consent before engaging in behavioral advertising to known teens, along with conspicuous disclosures that targeted ads may be shown and an explanation of tracking technologies.  

New Law Extends Funding / Privacy Directives to NIST

President Biden signed into law the Research and Development, Competition and Innovation Act, which, among other provisions, extends $1.5 billion in funding to the National Institute of Standards and Technology (NIST).

Among other directives, the act directs NIST to facilitate and support the development of best practices to improve privacy protections in systems, technologies and processes used by the public and private sector, as well as for the design, adoption and deployment of privacy enhancing technologies.


The NIST Privacy Framework is designed to serve as a common set of standards and terminology, compatible with domestic and international legal and regulatory regimes.

Although the framework is voluntary, Ohio introduced a state privacy law this year that would have created a safe harbor from its requirements for companies that comply with the NIST Privacy Framework.


Lower Saxony’s State Commissioner for Data Protection (LfD) imposed a 900,000 euro fine on a bank that used a service provider to profile users for advertising purposes based on digital usage behavior indicating an inclination for digital media (e.g., making purchases in app stores, using account statement printers, and making transfers in online banking).

Information about the practice was sent to customers in advance, but actual consent was not obtained. 


The press release notes the LfD’s increasing awareness of cases in which companies are processing information for profiling purposes that was initially lawfully processed for a different purpose.

State data protection officer Barbara Thiel pointed out that legitimate interest “does not allow profiles to be created for advertising purposes by evaluating large databases” and that, instead, consent must be obtained.

CJEU Ruling Broadens Scope of Sensitive Data Under GDPR

In a case referred by a regional court of Lithuania involving the online publication of certain personal information, including names of individuals and their spouses, the Court of Justice of the European Union found that, although the names are not inherently sensitive information under the GDPR, it is possible to deduce from the information the sexual orientation of the listed individuals.

The court found that in this case the publication of such information constitutes processing of special categories of personal data.

In its reasoning, the court noted that the data are “capable of revealing the sexual orientation of a natural person by means of an intellectual operation involving comparison or deduction.” 


The decision may indicate a need for companies to take a closer look at whether the data they gather may, in combination, be capable of revealing certain sensitive information, even if the data elements on their own would not fall into GDPR’s special categories of personal data.

Those special categories include: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life, or sexual orientation.


A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.
