Category: Surveillance & Privacy
FTC Enforcement Action to Bar GoodRx from Sharing Consumers’ Sensitive Health Info for Advertising
The Federal Trade Commission has taken enforcement action for the first time under its Health Breach Notification Rule against the telehealth and prescription drug discount provider GoodRx Holdings Inc., for failing to notify consumers and others of its unauthorized disclosures of consumers’ personal health information to Facebook, Google, and other companies. In a first-of-its-kind proposed order, filed by the…
Meta Fined €390 Million by Irish DPC for Alleged Breaches of GDPR, Including in Behavioral Advertising Context
On January 4, 2023, the Irish Data Protection Commission (“DPC”) announced the conclusion of two inquiries into the data processing practices of Meta Platforms, Inc. (“Meta”) with respect to the company’s Instagram and Facebook platforms. As a result of the investigations, the DPC fined Meta a combined €390 million for breaches of the EU General Data Protection Regulation (“GDPR”) and,…
Whole Foods Settles BIPA Voiceprint Class Action
On January 3, 2023, an Illinois state court entered a preliminary approval order for a settlement of nearly $300,000 in a class action lawsuit against Whole Foods for claims that the company violated the Illinois Biometric Information Privacy Act (“BIPA”). The plaintiffs alleged that Whole Foods unlawfully collected voiceprints from employees who worked at the company’s distribution centers. In the…
Top U.S. court backs WhatsApp suit over Pegasus spyware
The U.S. Supreme Court has rejected a bid by NSO Group to block a WhatsApp lawsuit accusing the Israeli tech firm of allowing mass cyberespionage of journalists and human rights activists. The Supreme Court denied NSO’s plea for legal immunity and ruled that the case, which targets the company’s Pegasus software, can continue in a California federal court, a court…
EU & Ireland: Meta’s legal basis for targeted ads found to breach GDPR
Ireland’s Data Protection Commission (DPC) announced on January 4, 2023, that it has fined Meta a total of €390 million after finding that the company’s Facebook and Instagram platforms lacked proper legal grounds for processing millions of Europeans’ personal data for targeted advertising. In addition to posing challenges for Meta’s business model, the DPC’s two decisions reflect growing disagreement among…
CNIL Fines Apple 8 Million Euros Over Personalized Ads
On December 29, 2022, the French Data Protection Authority (the “CNIL”) announced that it imposed an €8,000,000 fine on Apple for violations of the French rules on targeted advertising and the use of cookies and similar tracking technologies. Background The CNIL received a complaint concerning Apple’s ad personalization practices on the App Store and carried out several investigations between 2021…
TikTok employees spied on journalists investigating social network
An internal investigation by parent company ByteDance confirms that employees obtained personal data from reporters who were probing Beijing’s influence on the app’s activities. ByteDance, the Chinese technology giant that owns TikTok, admitted Thursday that several employees of the social network spied on journalists from Forbes magazine who were investigating the link between the company’s US branch and China. The…
Germany arrests intelligence service employee, Carsten L, suspected of spying for Russia
German authorities said on Thursday they had arrested an employee of its foreign intelligence service (BND) on suspicion of sharing state secrets with Russia this year and thereby committing treason. Police arrested the suspect, a German citizen identified as Carsten L, on Wednesday in Berlin, the federal prosecutors office said. It said police also raided his flat and workplace as…
Mark Zuckerberg-Backed Byju’s Accused Of Buying Children’s Data and Threatening Parents
Meta Platforms Inc CEO Mark Zuckerberg’s Chan-Zuckerberg Initiative-backed Byju’s —India’s largest online education firm — has been accused of bullying parents to buy courses. What Happened: India’s National Commission for Protection of Child Rights, or NCPCR, said the edtech company is targeting first-generation learners and forcing parents to buy courses after purchasing their phone numbers, ANI reported. Priyank Kanoongo, the…
Epic Games Inc., Developer of Fortnite Video Game, Agrees to $275 Million Penalty and Injunction for Alleged Violations of Children’s Privacy Law
The Department of Justice, together with the Federal Trade Commission (FTC), today announced a settlement that, if approved by a federal court, will require Epic Games Inc. (Epic Games) to pay $275 million in civil penalties as part of a settlement to resolve alleged violations of the Children’s Online Privacy Protection Act (COPPA), the Children’s Online Privacy Protection Rule (COPPA…
Portuguese Data Protection Authority fines the National Institute of Statistics € 4.3 million
On 2 November 2022, the Portuguese Data Protection Authority (“CNPD”) issued a Decision imposing a fine of € 4,300,000 (four million three hundred euros) to the National Institute of Statistics (“INE”) for multiple violations in the processing of data subjects’ sensitive data during the Census 2021 operation. Background On the 27th of April 2021, after launching an investigation into the…
Ocenture LLC and Carelumina LLC Settle Allegations of Kickbacks, Genetic Testing Fraud Scheme
Ocenture LLC, a privately held company headquartered in Jacksonville, Florida, and its subsidiary, Carelumina LLC (collectively, “Ocenture”), have agreed to pay $3 million to resolve allegations that they caused the submission of false claims to Medicare by paying and receiving kickbacks in connection with genetic testing samples. The United States alleged that Ocenture participated in a genetic testing fraud scheme…
Former Twitter Employee Receives 42-Month Prison Sentence for Acting as Foreign Agent, Selling User Data
WASHINGTON – A California man was sentenced yesterday to 42 months in federal prison for his role in accessing, monitoring and conveying confidential and sensitive information that could be used to identify and locate Twitter users of interest to the Saudi Royal Family. Ahmad Abouammo, 45, formerly of Walnut Creek and currently residing in Seattle, was convicted of acting as…
Meta Slapped with €265 Million for Privacy Violations
On November 25, 2022, Ireland’s Data Protection Commission (“DPC”) released a decision fining Meta Platforms, Inc. (“Meta”) €265 million for a 2019 data leak involving the personal information of approximately 533 million Facebook users worldwide. In the decision, the DPC argued that Meta failed to comply with the GDPR’s requirement of providing privacy “by design and default” when it failed…
Class Action Lawsuits Continue Targeting Companies For Tracking Users’ Website Activity
As reported in the Retail Industry Law Resource blog:
Plaintiffs’ firms continue to file variations of state law wiretapping lawsuits over “session replay” software and “live chat” or “chatbot” applications in various jurisdictions. These filings typically allege that companies use such software tools to record users’ interactions with a website without first obtaining users’ consent, thereby violating the wiretapping, eavesdropping, or interception provisions of various state laws. Session replay software allows companies to record and play back users’ interactions on their websites. The “live chat” or “chatbot” feature allows a website user to engage in text conversations with an assistant, to which chat the company has access. These wiretapping claims threaten substantial penalties. Companies that use these web-tracking tools, however, can take steps to protect themselves from these lawsuits by a careful examination of the software being used and by evaluating what disclosures or consent may be warranted.
Plaintiffs’ claims arise from the wiretapping or interception provisions of various state laws that prohibit the recording of confidential communications without the consent of all parties to the communication. California courts, for example, have experienced a surge of class action filings pursuant to the California Invasion of Privacy Act (“CIPA”). Specifically, section 631 of CIPA prohibits (1) intentional wiretapping of any telegraph or telephone wire, line, or cable; (2) willfully and without the consent of all parties attempting to learn the contents of a communication in transit; and (3) attempting to use or communicate information obtained as a result of engaging in either activity. CIPA entitles plaintiffs to $5,000 per violation. A violation arguably occurs each time a user visits a website. Thus, these penalties can grow quickly.
Further, recent case law has encouraged the Plaintiffs’ bar with favorable interpretations of these state statutes. For example, the Third Circuit recently took a narrow view of the direct-party exception defense under Pennsylvania’s Wiretapping and Electronic Surveillance Control Act, resulting in the initiation of several class actions. The direct-party exception works to exempt a party from liability pertaining to communications directly with another party. In Popa v. Harriet Carter Gifts, Inc., however, the Third Circuit held that the legislature “codified only a law-enforcement exception, thus limiting any direct-party exception to that context” and remanded the case for further consideration by the District Court, which had not reached the issue of consent. Thus, companies facing claims under the Pennsylvania statute cannot avoid liability merely by showing that plaintiff and the company were the direct parties to the communication. If plaintiffs are successful, the Pennsylvania statute entitles them to $100 a day for each day of violation, or $1,000, whichever is higher.
Accordingly, it is important for companies to be aware of how their website software is being utilized, what information they and their vendors are collecting from website users, and what disclosures or consents may be warranted in light of the above. User consent is consistently a defense under state wiretapping statutes. Therefore, companies should evaluate their website terms of service and privacy policies to confirm that they include sufficient and clear disclosures and/or obtain user consent depending on the type of activity taking place on company websites by the company and its service providers.