Privacy & Information Security Law Blog

On November 14, 2022, Google LLC (“Google”) agreed to a $391.5 million settlement with the attorneys general of 40 U.S. states over the company’s location tracking controls available in its user account settings.   

The investigation by the state attorneys general found that, between 2014 and 2020, Google misled users by failing to disclose that toggling the “Location History” setting to off did not disable all tracking activities. The settlement noted that Google retained the ability to track users’ location via the “Web & App Activity” setting, and used the information for targeted advertising purposes.

On October 26, 2022, House Energy and Commerce Committee and Consumer Protection and Commerce Subcommittee leaders (“Committee Leaders”) sent letters to several toy manufacturers, including Bandai Namco, Hasbro, Mattel, MGA Entertainment, LEGO Group and the Toy Association, asking how they plan to protect children and their information from BigTech companies like TikTok and YouTube. Given the shift of marketing efforts from traditional television outlets to social media platforms, Committee Leaders are concerned about failure to protect children’s privacy, security and mental health on social media platforms.

On November 1, 2022, the Federal Trade Commission hosted their annual PrivacyCon 2022, which was available to the public via webcast. The FTC held seven different panels highlighting the latest research and trends in consumer privacy and data security.

On November 3, 2022, Pennsylvania Governor Tom Wolf signed Senate Bill 696 into law (the “Act”), amending Pennsylvania’s breach notification law. 

On October 31, 2022, the Consumer Financial Protection Bureau (“CFPB”) announced that it will re-open the public comment period on their October 2021 Orders for six large technology companies operating payments platforms to provide information about their business practices. The October 2021 Orders requested that Amazon, Apple, Facebook, Google, PayPal and Square provide information about their data collection and use, their policies for removing individuals and businesses from their platforms, and their policies and practices for providing consumer protections such as addressing disputes and errors.

On November 1, 2022, the Digital Markets Act (the “DMA”) entered into force. The DMA introduces new rules for certain core platforms services acting as “gatekeepers” in the digital sector (including search engines, social networks, online advertising services, cloud computing, video-sharing services, messaging services, operating systems and online intermediation services). The DMA also aims to prevent such platforms from imposing unfair conditions on businesses and consumers, and to ensure the openness of important digital services.

On October 25, 2022, the U.S. Department of Justice (“DOJ” or the “Department”) announced that Google had entered into an agreement to resolve a dispute over the loss of data responsive to a search warrant issued in 2016.

On November 3, 2022, the Federal Trade Commission announced a proposed order to settle an action against an internet phone service provider, Vonage, that would require Vonage to pay $100 million in refunds to customers harmed by its practices, which the FTC alleged included “dark patterns” that made it difficult for customers to cancel their service. The order also would require Vonage to not use dark patterns and provide a simple and transparent way for customers to cancel their service. 

SHIFT Counsellors at Law reports from Indonesia that The People’s Representative Council of the Republic of Indonesia has ratified Indonesia’s draft law on personal data protection. The draft law came into effect on October 17, 2022. The law, which is partly modeled on the EU General Data Protection Regulation, is Indonesia’s first “umbrella regulation” on personal data protection. The law will provide certain protections to Indonesian citizens’ data, and provide more legal certainty to parties processing such data.

Read SHIFT Counsellors’ article on the ...

On November 3, 2022, the California Privacy Protection Agency (“CPPA”) released new modified proposed California Privacy Rights Act (“CPRA”) regulations, which make updates to the draft CPRA regulations released on October 17, 2022. The CPPA also released an updated list of documents and other information relied upon for this most recent rulemaking.