Hello all, and happy new year! Privacy Insider is back and running after our holiday hiatus. Although we may have been on a break, the world of data privacy didn’t see fit to pause for the holidays.
Plenty happened over the course of the previous few weeks—namely, plenty of end-of-year fines and penalties. Take a look at our newsletter below to see who got dinged for data privacy violations over the holidays as well as other data privacy developments and news.
And for those of you who came to this newsletter looking for CPRA guidance now that January 1st has come and gone, just scroll down to access our CPRA Survival Kit. In the coming weeks and months, as the CPRA and other 2023 laws come into force, we’ll be sure to continue to serve up actionable resources to help you maintain compliance.
Cyber attacks set to become ‘uninsurable’, says Zurich chief
Mario Greco, chief executive of one of Europe’s biggest insurance companies, warned that cyber attacks may become uninsurable. As ransomware and other cyberattacks continue to rise and the payments to resolve those incidents spiral higher, insurers may struggle to develop adequate policies for both insurers and insureds.
Twitter faces data-protection probe after '400 million' user details up for sale
A hacker operating under the pseudonym "Ryushi" is demanding $200,000 (£166,000) to delete data associated with 400 million user accounts. In response to the leak, Irish data protection authorities have launched a probe into Twitter’s compliance with data protection laws in relation to the incident.
Draft adequacy decision on EU-U.S. Data Privacy Framework published by the European Commission
The European Commission has published its draft adequacy decision on the new EU-U.S. Data Privacy Framework, essentially affirming that the framework provides a level of safeguards for data subjects comparable to that of the GDPR. As a next step, the European Data Protection Board will perform its own assessment and publish its opinion.
Epic Games to pay $520 million over FTC claims of children’s privacy violations
Epic Games, the publisher of the popular video game Fortnite, has settled an FTC lawsuit by paying $520 million. The FTC alleged that Epic Games unlawfully collected personal information and illegally used digital dark patterns to bill Fortnite users for unintentional in-game purchases. This included saving and using credit card information without parental consent, making it difficult for parents to review in-game purchases, alternating the buttons for previewing and purchasing an item to encourage mistaken purchases, and more.
New draft regulations for Colorado’s privacy law
The Colorado Attorney General has released a second set of draft regulations on the Colorado Data Privacy Act, which goes into effect July 1 of 2023. The draft regulations make updates related to the definitions of employee, employment records, and biometric identifiers, among other terms; notice requirements; universal opt-out mechanisms; security measures; consent; and data protection assessment requirements.
Meta agrees to pay $725 million to settle privacy lawsuit
After improperly disclosing the personal information of 87 million users in the Cambridge Analytica scandal, Meta has agreed to settle a class-action lawsuit with a $725 million payment. The settlement follows on the heels of a $5 billion payment made to the FTC over the same scandal as well as a $100 million payment to the SEC.
Irish data protection authorities levy a $400 million fine against Meta
After a European Court found that Meta’s legal justification for personalized ads was not valid, Irish data protection authorities have enforced that decision with a $400 million penalty and an order to identify a different legal basis. Previously, Meta argued that users consented to personalized advertising by reviewing their terms and conditions, an approach which European authorities have invalidated.
Meta paid over 80% of the EU’s 2022 GDPR fines
Of the €832,000 in fines levied by European data protection authorities for GDPR violations in 2022, Meta paid more than 80%. This figure comes from a recent analysis by Atlas VPN of GDPR enforcement in 2022. In total, Meta has paid over a billion euros in GDPR fines over the years.
Osano’s CPRA survival kit
2023 is here and with it, the CPRA. Since you’re subscribed to this newsletter, you’ve surely heard us ring the alarm bells about getting prepared for the CPRA—right?! If CPRA compliance at your organization is still a work in progress, don’t panic. We’ve gathered all of our most actionable CPRA-related resources on one page. Consider bookmarking it to review at your leisure.