Privacy Insider newsletter: April 13, 2021

Welcome to Privacy Insider, a round-up of the week's most important stories.

We've all made decisions as kids we wish we hadn't. It wasn't our fault; we couldn't see the big picture. Our worlds were small, and our experiences were limited. So we did things like ride our bikes without a helmet or stay out past our curfews. All we knew was we were after more fun for longer, and our parents' rules just seemed to get in the way. 

But our parents enforced dreadful rules (over our screams) because our ability as kids to assess risk hadn't fully developed, which could put us in some risky situations. It's for those same reasons, in part, that a U.S. privacy law aims to protect those 13 years and younger. 

The consent framework here in the U.S. operates on notice and choice: A company gives the adult notice they're going to take their data and use it, and the adult can choose to say yes or no. Sometimes, saying no means losing access to the service. The Children's Online Privacy Protection Act requires websites and online services to gain parental consent before collecting children's online data. After all, the parents (ostensibly) understand the risks of sharing personal data in a way kids cannot.

Plenty of sites violate COPPA all day long, 365 days a year. They're just flying under the radar. The 2019 settlement between YouTube and the Federal Trade Commission (FTC) was the latest COPPA enforcement to make a splash. The FTC collected $170 million, the COPPA settlement to date. But many more would exist if the FTC had the resources to sweep the web for potential cases constantly. 

That's why today's news that Disney and several ad-tech firms settled a case alleging they tracked children online without consent is big. The settlement mandates they delete the software used to track underage users. But more importantly, it's a message to industry: Just because kids are easy targets doesn't make them fair game.

Enjoy reading, and I'll see you next week! 

1. Judge approves Disney, ad-tech settlements over alleged tracking of children
   A California district judge has approved three settlements that "could reshape the children's app market," The New York Times reports. The lawsuits accused Disney and several large ad-tech companies of using software to track and profile children using gaming apps. They allegedly did so without obtaining parental consent, required by the U.S. children's privacy law. Under the settlement, the companies have agreed to remove the software in question. 
   Read Story
2. Critics: Google's plan a 'FLoC you to privacy'
   This month, Google Chrome will sort users into behavior-based groups and share those groups with advertisers. The Federated Learning of Cohorts (FLoC), as Google's called the new browser standard, is the company's answer to its phase-out of third-party cookies and claims to be a privacy-protective way to support the online advertising industry. But Forbes reports there are significant privacy issues, including websites' ability to employ a users' FLoC ID to "target and fingerprint you." 
   Read Story
3. Hamburg privacy regulator blocks WhatsApp from sharing Germans' data with Facebook
   In January, WhatsApp announced it would change its privacy policy to share more data with Facebook, its parent company. WhatsApp assured EU privacy regulators that EU users wouldn't be affected. But this week, Hamburg's data protection authority (DPA) said it would block those data transfers within Germany. The DPA initiated the "urgency procedure" under the EU General Data Protection Regulation, which allows it to issue an "immediately enforceable order blocking Facebook's further absorption of WhatsApp user data," Fortune reports. 
   Read Story
4. Antitrust and privacy enforcement could be on a 'collision course' 
   Facebook faces antitrust lawsuits for getting lax on privacy as it got big, and Google is facing antitrust lawsuits for its plan to eliminate third-party cookies on its site. While antitrust enforcers continue to bring cases against giant tech companies and states pass privacy laws, companies make privacy changes of their own. But, writes Gilad Edelmon in WIRED, "If policymakers and enforcers can't figure out the right way to think about how to reconcile privacy law with competition law, they risk badly screwing up both." 
   Read Story
5. Vaccine passports present potential threats to privacy
   As schools, businesses and restaurants start to re-open, it's unclear the best way for individuals to prove they're vaccinated against COVID-19. There's some discussion about creating apps for "vaccination passports," but privacy advocates say that's not a good plan. It's possible that data stored by vaccine passport apps could be shared with the government or private databases, said privacy expert Alexander Howard of the Digital Democracy Project. "We've got a supercomputer in our pocket that gives us godlike powers but that can also be used against us."
   Read Story
6. Will EU lead on AI regulation like it has on privacy?
   The EU is already the leader in privacy enforcement, thanks to the EU General Data Protection Regulation. But now it looks poised to become the "top AI cop too," Bloomberg reports. The European Union plans to propose new rules next week that could require companies using artificial intelligence to undergo an audit first. But that enforcement could conflict with the EU's goal to boost technology startups to compete with the U.S. and China on tech. 
   Read Story