Oregon enacts privacy law; Fandom VPPA suit allowed to proceed
July 24, 2023
Want to receive these weekly privacy recaps in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.
Oregon Governor Signs Privacy Law
Oregon SB 619 was signed into law, making Oregon the eleventh state to sign a comprehensive privacy law (twelve, if you count Florida), adding to California, Colorado, Connecticut, Indiana, Iowa, Montana, Tennessee, Texas, Utah and Virginia.
The Oregon law is a Connecticut-style privacy law with some exceptions.
For example, the definition of sensitive data (the processing of which would require opt-in consent), is broader than other states, including “status as transgender or nonbinary” and “status as a victim of crime” as categories of sensitive data.
The law also requires that controllers provide to consumers a list of third parties to which personal data has been disclosed, which is an extension of the obligation seen in other state laws to disclose “categories of third parties”.
HHS and FTC Send Warning Letters to hospitals and telehealth providers
The Federal Trade Commission announced that it sent joint letters, with the U.S. Department of Health and Human Services, to 130 hospitals and telehealth providers, warning of the privacy and security risks from use of online tracking technologies, such as the Meta pixel and Google analytics, on their websites and apps.
Specifically, the letters warned that use of the technologies could impermissibly reveal sensitive information and cautioned that companies, including those not covered by HIPAA, must monitor and exercise extreme caution with respect to such flow of information, which could violate HIPAA, the FTC Act and/or the FTC’s Health Breach Notification Rule.
The FTC Office of Technology also recently issued guidance on the “hidden impacts of pixel tracking” identifying concerns with pixel tracking, including that there is a lack of clarity around data collection and use and that many consumers may not realize that pixels exist.
Fandom VPPA Suit Gets Greenlight to Proceed
A Northern District of California judge denied Fandom’s motion to dismiss a class action lawsuit (case Case 4:22-cv-04423-JST) alleging that the gaming and entertainment website’s transmission of user video viewing information using the Meta pixel violated the Video Protection Protection Act (VPPA).
Specifically, the court found that the defendant’s creation of a Fandom account, provision of her name and email address, and use of Fandom to watch videos was sufficient to plead that the defendant was a “consumer” within the meaning of the VPPA.
Additionally, the court found that sharing of a Facebook Profile ID plausibly alleges the disclosure of PII under the VPPA, because the court could reasonably infer that an ordinary person could readily identify a specific Facebook user on the basis of a Facebook Profile ID.
The court also found that the defendant plausibly alleged that Fandom disclosed her video viewing information, which included disclosure of the full name of each video a user watched.
Finally, the court found that the alleged disclosure, to collect analytical data about how users use the website and, in turn, target more specific ads to its users, was not incident to the ordinary course of business.
Class actions under the Video Privacy Protection Act have been filed at an increasing rate over the last few years, primarily alleging violations based on the sharing of video information with Meta through use of the Meta pixel.
The success of these cases have had mixed results, with some getting thrown out based on arguments that the plaintiffs were not “consumers” under the law or that the video at issue was not prerecorded.
Several such cases have overcome motions to dismiss, however, giving companies reason to keep a closer eye on the use of the Meta pixel in connection with video content.
Norway Temporarily Bans Facebook / Instagram from Targeted Advertising
The Norwegian Data Protection Authority (Datatilsynet) announced that it has issued a temporary ban, through October, prohibiting Meta from advertising based on monitoring and profiling on Facebook and Instagram.
If Meta does not comply with the decision, the company could receive a fine of NOK 1 million per day. The European Data Protection Board will determine whether to extend the decision beyond October.
The decision comes in response to a recent judgment from the European Court of Justice finding that Meta’s behavior-based marketing is not compliant, even after some adjustments.
The Norwegian DPA’s announcement states several reasons for its concern over behavior-based marketing, including impacts on freedom of expression and information in society, reinforcement of sterotypes, unfair discrimination, and the difficulty for most people to understand it.
Ultimately, according to the head of the international section of the Norwegian DPA, “all business models must respect privacy as a human right. Users must have sufficient control over their own data, and tracking must be limited.”
Want more of the privacy highlights that matter to adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.
A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.
Latest Blog Posts
California Attorney General Bonta announced a settlement with Doordash based on...
Explore the intricate landscape of Consent or Pay models...
A blog post from the FTC reminded companies that simply changing...
Latest White Papers
The current state of publisher compliance with CCPA, and...
How to review your vendor list to mitigate compliance...
Keep in touch
Sign up for our newsletter to keep up with privacy news for adtech and martech,
plus occasional company news.