FTC warns against illegal use of algorithm training data

Want to receive these weekly privacy recaps in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.

United States

Message from FTC: Get algorithm training data lawfully

The FTC posted a statement warning businesses about lessons learned from recent cases against Amazon and Ring.

Specifically, the FTC made clear that it “will hold companies accountable for how they obtain, retain, and use consumer data that powers algorithms”, that “any company that undermines consumer control of their data can face FTC enforcement action”, and that if companies “illegally obtain or misuse consumer data” they may be required to delete data products, like algorithms, models and other tools, derived from ill-gotten data. 

TAKEAWAY

The FTC doesn’t make clear in its statement what, specifically, companies should do to ensure data is legally obtained and to give consumers appropriate control of their data, but the statement does mention that Ring had obtained only “check-the-box consent”, which the FTC found to be “not enough to ensure that users are really in control of what happens to their information”. 

EUROPE

Swedish DPA Fines Spotify for Lack of Personal Data Transparency

The Swedish Authority for Privacy Protection (IMY) announced a fine of SEK 58 million against Spotify for “not having provided sufficiently clear information to individuals”. Specifically, in connection with an audit of how Spotify handles the right for individuals to access their personal data, the IMY found that, although Spotify appropriately releases the personal data the company processes when individuals request it, it does not inform clearly enough about how and for what purposes the data is used by the company.

The IMY also mentioned that personal data that is difficult to understand, such as those of a technical nature, may need to be explained not only in English but in the individual’s own, native language. The decision was made in cooperation with other data protection authorities in the EU. 

TAKEAWAY

This fine, although not necessarily specific to digital advertising, is consistent with a report published by the European Commission in January 2023 titled “Towards a more transparent, balanced and sustainable digital advertising ecosystem”.

Among other findings, the report posits that “the focus on identifiers in digital advertising makes it very hard for users to exercise their rights of access, because they are often not able, either due to lack of transparency or technical and legal barriers, to access and prove the provenance of the identifiers connected to them.”

Ultimately, the report concludes that there is a need to improve transparency and accountability in the digital advertising ecosystem, including regarding the collection, use and dissemination of personal data, and that there is a need to increase individuals’ control over how personal data is used for digital advertising. 

GLOBAL

Nigeria President Signs Data Protection Bill into Law

The Nigerian Data Protection Bill, 2023 has reportedly become law after President Bola Tinubu signed the bill.

The new law establishes the Nigeria Data Protection Commission and imposes certain obligations on controllers, including that they have a lawful basis to process personal data, that they disclose certain information to data subjects, that they minimize the processing and retention of personal data, and that they inform the Commission of data breaches.

The law also extends certain rights to users, including the right to withdraw consent to the processing of personal data. 

TAKEAWAY

Failure to comply with the Nigerian Data Protection Bill could potentially have severe consequences.

The Act provides for enforcement through two avenues: enforcement actions from the Nigeria Data Protection Commission and civil proceedings brought by adata subject. The law also criminalizes failure to comply with the orders of the Commission, punishable by a fine or imprisonment term. 

Want more of the privacy highlights that matter to adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.