Privacy Enforcement Wave: €1.1M Pharmacy Fine, Spotify Court Loss, and New US Children’s Data Protection Laws Signal Tightening Regulations
June 9, 2025

Europe
Finland DPA Fines Pharmacy Over Use Of Online Tracking Services
University Pharmacy was fined 1,100,000 euros based on allegations that the online pharmacy was using cookies, analytics services, and other tracking technologies, resulting in information about pharmacy transactions (e.g., adding a specific medicine to the shopping cart and pressing the order button), along with IP addresses and other identifying information, being sent to third parties such as Google, Meta and New Relic.
TAKEAWAY
One interesting comment in the decision is that, although the Commissioner found the data at issue “may, at least in some respects, constitute special categories of personal data within the meaning of Article 9 of the GDPR”, the Commissioner did not find its decision to hinge on that determination. Rather, it was enough for the Commissioner that the general nature of the data transmitted to the tracking services was highly personal data concerning a person who visited a pharmacy website or his or her close circle. Based on that determination, the Commissioner held that the pharmacy did not take measures appropriate to the risk involved in protecting the data. As examples, the Commissioner noted that the pharmacy did not mask all information about medicines from GET and POST calls before transmitting them to the service providers, and did not choose a tracking solution that does not collect identifying information, or one with options to anonymize it (despite having such alternative options). As guidance, the Commissioner outlined several measures that should be taken “if it is necessary for an online pharmacy to monitor website users in relation to medicines”, including selecting a solution where the controller has effective control over the processing of personal data and can ensure the regular deletion of personal data collected, and ensuring that URL addresses do not include information belonging to special personal data groups or otherwise at risk when the data is forwarded to third parties.
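One way to apply the masking the Commissioner describes is sketched below. This is an added example, not code from the decision or from this blog. It strips medicine identifiers from the page URL and the event payload before anything is handed to a tracking service. The routes, query parameter names and event fields are assumptions chosen for illustration.

```javascript
// Added illustration; routes, parameter names and event fields are assumptions.
const SENSITIVE_PATH_PREFIXES = ["/products/", "/prescriptions/"]; // hypothetical routes
const SAFE_QUERY_PARAMS = new Set(["utm_source", "utm_medium", "utm_campaign"]);
const SAFE_EVENT_FIELDS = new Set(["event", "currency", "itemCount"]);

// Return a copy of the URL that no longer identifies a medicine or a search term.
function scrubUrl(rawUrl) {
  const url = new URL(rawUrl);
  for (const prefix of SENSITIVE_PATH_PREFIXES) {
    if (url.pathname.startsWith(prefix)) {
      url.pathname = prefix + "redacted"; // drop the product slug
      break;
    }
  }
  // Allowlist, not blocklist: unknown parameters (q, sku, variant...) are dropped.
  for (const key of [...url.searchParams.keys()]) {
    if (!SAFE_QUERY_PARAMS.has(key)) url.searchParams.delete(key);
  }
  url.hash = "";
  return url.toString();
}

// Build the only object that is ever handed to a third-party tracker.
function scrubEvent(event, pageUrl, referrer) {
  const out = {};
  for (const [key, value] of Object.entries(event)) {
    if (SAFE_EVENT_FIELDS.has(key)) out[key] = value;
  }
  out.page = scrubUrl(pageUrl);
  if (referrer) out.referrer = scrubUrl(referrer);
  return out;
}

// Constructed sample input.
const sample = scrubEvent(
  { event: "add_to_cart", productName: "Ibuprofen 400 mg", sku: "A-1", itemCount: 1 },
  "https://pharmacy.example/products/ibuprofen-400mg?variant=30&utm_source=mail#reviews",
  "https://pharmacy.example/search?q=ibuprofen"
);
console.log(sample);
```

Scrubbing covers only the URL and payload fields. A browser that contacts a third party directly still reveals the visitor's IP address to it.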
Spotify Fine Upheld By Swedish Appeals Court
Two years after the Swedish DPA (the IMY) fined Spotify AB SEK 58 million for lack of personal data transparency, the Swedish Court of Appeal upheld the decision and the fine. The Court found that Spotify violated the GDPR by: (a) not providing in a clear and easily accessible manner the information that is necessary for the data subject to be able to exercise their rights under the Regulation; (b) not providing information about, and criteria for determining, storage periods; and (c) not providing sufficient information about appropriate safeguards when transferring personal data to a third country or an international organization.
TAKEAWAY
The underlying decision in this case hinged on whether Spotify provided sufficient information to enable data subjects to understand how their personal data are processed, stating that “it must always be possible to clearly and easily determine which information is applicable in which situations” and the information provided “shall not give rise to any ambiguity as to whether the data subject is concerned by the information in question or not based on his or her individual situation”. The IMY found that Spotify did not provide sufficiently clear information because, for example, disclosures lumped personal data into categories such as “user data” without further description of what personal data was included in each category. Information on purposes, source and recipients of processing was then divided based on those categories, making it impossible for data subjects to easily understand which personal data were processed for what purposes, obtained from what source, or provided to a particular recipient. Similarly, information on retention periods and third country transfers was not clearly linked to the personal data covered by the different retention periods and transfers.
A LITTLE MORE PRIVACY, IF YOU PLEASE
- Oregon Bill Banning Sale of Location and Children’s Data Signed by Governor
- Connecticut and Nevada Send Children’s Privacy Bills to Governor
A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.