Oregon enacts privacy law; Fandom VPPA suit allowed to proceed

Want to receive these weekly privacy recaps in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.

United States

Oregon Governor Signs Privacy Law

Oregon SB 619 was signed into law, making Oregon the eleventh state to sign a comprehensive privacy law (twelve, if you count Florida), adding to California, Colorado, Connecticut, Indiana, Iowa, Montana, Tennessee, Texas, Utah and Virginia.

Most of the Oregon law will go into effect July 1, 2024, with certain provisions (including those requiring companies to honor universal opt-out mechanisms) going into effect January 1, 2026. 

TAKEAWAY

The Oregon law is a Connecticut-style privacy law with some exceptions.

For example, the definition of sensitive data (the processing of which would require opt-in consent), is broader than other states, including “status as transgender or nonbinary” and “status as a victim of crime” as categories of sensitive data.

The law also requires that controllers provide to consumers a list of third parties to which personal data has been disclosed, which is an extension of the obligation seen in other state laws to disclose “categories of third parties”.

HHS and FTC Send Warning Letters to hospitals and telehealth providers

The Federal Trade Commission announced that it sent joint letters, with the U.S. Department of Health and Human Services, to 130 hospitals and telehealth providers, warning of the privacy and security risks from use of online tracking technologies, such as the Meta pixel and Google analytics, on their websites and apps.

Specifically, the letters warned that use of the technologies could impermissibly reveal sensitive information and cautioned that companies, including those not covered by HIPAA, must monitor and exercise extreme caution with respect to such flow of information, which could violate HIPAA, the FTC Act and/or the FTC’s Health Breach Notification Rule.  

TAKEAWAY

These letters follow FTC enforcement actions against digital healthcare platforms Betterhelp, GoodRx and Premom based on their use tracking technologies.

The FTC Office of Technology also recently issued guidance on the “hidden impacts of pixel tracking” identifying concerns with pixel tracking, including that there is a lack of clarity around data collection and use and that many consumers may not realize that pixels exist.  

Fandom VPPA Suit Gets Greenlight to Proceed

A Northern District of California judge denied Fandom’s motion to dismiss a class action lawsuit (case Case 4:22-cv-04423-JST) alleging that the gaming and entertainment website’s transmission of user video viewing information using the Meta pixel violated the Video Protection Protection Act (VPPA).

Specifically, the court found that the defendant’s creation of a Fandom account, provision of her name and email address, and use of Fandom to watch videos was sufficient to plead that the defendant was a “consumer” within the meaning of the VPPA.

Additionally, the court found that sharing of a Facebook Profile ID plausibly alleges the disclosure of PII under the VPPA, because the court could reasonably infer that an ordinary person could readily identify a specific Facebook user on the basis of a Facebook Profile ID.

The court also found that the defendant plausibly alleged that Fandom disclosed her video viewing information, which included disclosure of the full name of each video a user watched.

Finally, the court found that the alleged disclosure, to collect analytical data about how users use the website and, in turn, target more specific ads to its users, was not incident to the ordinary course of business. 

TAKEAWAY

Class actions under the Video Privacy Protection Act have been filed at an increasing rate over the last few years, primarily alleging violations based on the sharing of video information with Meta through use of the Meta pixel.

The success of these cases have had mixed results, with some getting thrown out based on arguments that the plaintiffs were not “consumers” under the law or that the video at issue was not prerecorded.

Several such cases have overcome motions to dismiss, however, giving companies reason to keep a closer eye on the use of the Meta pixel in connection with video content. 

EUROPE

Norway Temporarily Bans Facebook / Instagram from Targeted Advertising

The Norwegian Data Protection Authority (Datatilsynet) announced that it has issued a temporary ban, through October, prohibiting Meta from advertising based on monitoring and profiling on Facebook and Instagram.

If Meta does not comply with the decision, the company could receive a fine of NOK 1 million per day. The European Data Protection Board will determine whether to extend the decision beyond October. 

TAKEAWAY

The decision comes in response to a recent judgment from the European Court of Justice finding that Meta’s behavior-based marketing is not compliant, even after some adjustments.

The Norwegian DPA’s announcement states several reasons for its concern over behavior-based marketing, including impacts on freedom of expression and information in society, reinforcement of sterotypes, unfair discrimination, and the difficulty for most people to understand it.

Ultimately, according to the head of the international section of the Norwegian DPA, “all business models must respect privacy as a human right. Users must have sufficient control over their own data, and tracking must be limited.” 

Want more of the privacy highlights that matter to adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.