Class action against Twitter seeks profits from targeted ads

Julie Rubash, Chief Privacy Counsel
September 26, 2022

UNITED STATES

Class Action Against Twitter Seeks Profits from Targeted Ads

A Twitter user is reportedly seeking to recover, as part of a class action lawsuit, any profits Twitter earned from targeted ads served using personal information that was allegedly deceptively collected. Papers filed in the Northern District of California assert that “because California law recognizes a legal interest in unjustly earned profits, plaintiff has adequately pleaded an entitlement to Twitter’s profits from targeted advertising”. 

ADDITIONAL BACKGROUND

The same activity that is the subject of this class action is also the subject of FTC allegations that led to an order for Twitter to pay $150 million.

NBA Sued for Sharing Viewing Information with Facebook

A class action lawsuit alleges that the NBA shared Facebook IDs and video viewing information of subscribers to nba.com with Facebook in violation of the federal Video Privacy Protection Act. The action seeks damages of not less than $2,500 per plaintiff (the class allegedly consisting of hundreds of thousands of subscribers), plus punitive damages, attorneys’ fees and costs.

ADDITIONAL BACKGROUND

The Video Privacy Protection Act requires that “video tape service providers” obtain user consent before disclosing “information which identifies an individual as having requested or obtained specific video materials or services.” The law was initially enacted in 1988, long before online videos or Facebook IDs were at issue. It has evolved over time through both amendment and case law, but questions about its application to digital identifiers in the online context still remain, creating some inconsistency across jurisdictions. Most recently, a federal judge approved a $92 million class-action settlement against TikTok based on allegations, among others, that TikTok violated the VPPA by sharing with Google and Facebook TikTok users’ device IDs and advertising IDs in combination with user video viewing history without user consent.

 

Meta Sued for iPhone User Tracking

A proposed class action filed in San Francisco federal court alleges that Meta violated state and federal laws by circumventing Apple requirements and tracking iPhone user activity without consent. Specifically, the complaint alleges violations of the federal Wiretap Act, the California Invasion of Privacy Act, the California Unfair Competition Law, and common law claims of invasion of privacy and unjust enrichment.

TAKEAWAY

In 2021, as part of its iOS 14 update, Apple implemented requirements for iPhone apps to obtain user consent before tracking certain user activity. Although the requirements are not law, circumvention of Apple’s requirements without notice to users may trigger lawsuits such as this one against Meta if users are misled or deceived into thinking their privacy settings are honored when they are not.

EUROPE

Danish DPA Issues Guidance On Use of Google Analytics

In a September 21, 2022 press release, the Danish Data Protection Agency advised Danish companies using Google Analytics to implement supplementary measures to bring their use of the application into compliance with the GDPR. The DPA suggested pseudonymization as one possible technical measure and cited guidance from the French CNIL regarding the so-called “reverse proxy” as a means to establish effective pseudonymization.

TAKEAWAY

The Danish DPA’s guidance is issued on the basis of previous decisions in Austria, France and Italy, in which use of Google Analytics, in the given circumstances, was found to be unlawful. The press release expresses the Danish DPA’s support of such cases and notes that the Danish DPA may reach the same result in a specific case with similar circumstances. However, the press release also notes that the DPA “cannot rule out that there may be circumstances or technical settings which the Danish DPA has not taken into account” and invites organisations and persons with special insight into the tool to provide additional information. 

GLOBAL

Indonesia Officially Passes Data Protection Bill

Indonesia’s parliament passed a personal data protection bill into law. The law includes a two-year adjustment period, after which companies could be fined up to 2% of their annual revenue or face up to six years in prison for certain violations of the law. Among other requirements, the law will require entities processing personal data of Indonesian residents to ensure the protection of such data and extend certain rights to users, including rights of access and deletion and the right to withdraw consent for use of their data. 

TAKEAWAY

The bill is the first comprehensive data protection law in Indonesia, which has historically addressed privacy only through sectoral laws, like much of the United States.

 

Quebec Bill 64 Goes Into Effect, in Part

Certain provisions of Quebec’s Bill 64 went into effect on September 22, 2022. Specifically, companies subject to the law are now obligated to disclose on their website the title and contact information of the designated person responsible for data protection in the company, comply with certain recordkeeping and disclosure obligations in the event of confidentiality incidents, make certain disclosures to the Commission regarding collection of biometric information, and comply with a new framework for disclosure of personal information without consent for research purposes. A checklist was made available to help companies comply.

TAKEAWAY

Quebec’s Bill 64 was passed in September 2021 and goes into effect in phases, with most of the law going into effect in September 2023. The Act as a whole requires the development of data governance processes, data management policies, technical solutions for transfer and de-indexing of data, and internal guidelines. It also requires specific, express consent in certain circumstances, such as for processing sensitive personal information like medical or biometric information.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.
