Welcome to Privacy Insider, a round-up of the week's most important stories.
Last week, I wrote to you about the class-action settlement between private citizens and companies, including Disney, Viacom and Comcast. The companies and some of their partners got in trouble for tracking kids online and collecting their data without consent. It's not a story that a ton of my "privacy friends" are tweeting. But it seems like a huge deal. Even the New York Times said the settlements could "reshape the children's app market." So I've been thinking about why it's not making a bigger splash.
Looking at it from my tiny bubble, I realize I've always ignored children's privacy issues. After all, I don't have any kids. And I don't have any big plans to have any soon. (After all, taking a husband is hard enough. When you cast a global pandemic on the dating scene, finding a partner becomes a project for another year.)
But I've always loved the Ghandi quote, "The true measure of any society can be found in how it treats its most vulnerable members." I think I wasn't attracted to children's privacy issues because it seemed they didn't apply to me. It was someone else's battle to fight for the sake of their offspring. But that's not true.
The way children are cared for and protected by a company says a lot about not only its values but also the competitive ecosystem they're operating within. When sites or apps surreptitiously track children, they're often doing so because they can get away with it. And if it's a well-known secret that many of their peers are too, it doesn't seem so naughty. But that illustrates decision-making based not on respect for the customer but this grab-all-the-data-you-can frenzy. We've all heard the expression "data is the new oil," and getting a hold of children's data doesn't take much digging if you're thwarting parental consent and following them around the web because your software happens to allow it.
If we care about profit more than we care about protecting some of the most vulnerable — the little kids with their runny-noses and pigtails and incessant questions — how do you think these companies view their duties to you and me? We're way less cute. And we've got credit card data on our persons.
For more on why the settlements could significantly impact the adtech ecosystem, see my new feature below. It was a super fun story to write.
Enjoy reading, and I'll see you next week!
- Leaked draft indicates EU seeks to ban AI for mass surveillance
In a leaked draft that made the rounds on Twitter last week, the EU indicated plans to ban artificial intelligence (AI) for specific uses, The Verge reports. The draft suggests the EU aims to forbid AI-deployment for the purposes of mass surveillance and social credit scores. The regulations also indicate member states would be required to set up “assessment boards” to test “high-risk AI systems.” Companies that illegally develop or sell prohibited AI technology could face fines up to 4% of their global revenue, the report states.
2. Irish privacy regulator investigating Facebook breach affecting 533 million
The Irish Data Protection Commissioner has launched an investigation into Facebook’s data breach, reported earlier this month. The breach affected some 533 million users globally. The DPC said in a statement that based on information Facebook Ireland provided, the regulator is “of the opinion that one or more provisions of the GDPR and/or the Data Protection Act 2018 may have been, and/or are being, infringed in relation to Facebook Users’ personal data.” Facebook said it’s fully cooperating with the investigation.
3. Settlement indicates SDKs are on the hook for privacy
April 13, a California judge approved settlements in three separate class-action lawsuits involving Disney, Viacom, Comcast and several adtech firms. The settlement doesn’t include monetary relief, but it does require the companies to make changes to their databases and processes to prevent them from collecting children’s data without parental consent or tracking children online. Some say the settlement will impact the entire adtech ecosystem.
4. EU, US officials getting serious on Privacy Shield replacement
As companies eagerly await a new proposal, EU and U.S. officials are “intensifying negotiations” on a cross-border data flow framework, CNBC reports. The European Court of Justice invalidated the Privacy Shield agreement in 2020 in what’s referred to as the Schrems II judgment. Privacy Shield replaced the Safe Harbor agreement, which the court also struck down. Neither mechanism protected Europeans from mass surveillance, the court reasoned.
5. Florida aims to join Virginia, California in passing state privacy law
Despite pushback from industry, privacy bills in the Florida House and Senate will see final votes this week. Businesses are unhappy with the House bill in question (HB 1734) because it would allow private citizens to sue them for data privacy violations, the Herald-Tribune reports. But the bill’s sponsor says the time has come to regulate given that, “We all sort of feel uncomfortable about the role technology has in our lives without us knowing what’s going on.”
6. Perhaps the most misunderstood privacy law: HIPAA
In an explainer, Vox discusses one of the most commonly misunderstood and misspelled information privacy laws: HIPAA. While the Health Insurance Portability and Accountability Act does include privacy provisions, they’re much more narrow than people believe. HIPAA applies only to covered entities, like doctors and pharmacies, as well as their contracted third parties. But the pandemic revealed all kinds of misunderstandings about the law, including that individuals could opt-out of mask mandates because of it.