Hello Friends,
A data fiduciary is required to obtain verifiable consent from the parent or lawful guardian of a child or a person with a disability before processing any of their personal data. The DPDPA prohibits tracking or behavioural monitoring of children and targeted advertising directed at children. A data fiduciary should not process personal data in a way that is likely to cause a detrimental effect on the well-being of a child. However, if the central government is satisfied that a data fiduciary is processing children’s personal data in a verifiably safe manner, it may exempt the data fiduciary from certain obligations.
By proactively addressing DPDPA compliance, we not only mitigate legal risks but also reinforce trust and credibility with our customers.
“Given the urgency of this matter, we propose starting the compliance process by taking up privacy assessments today to know the organisational gaps and expedite your efforts in aligning with DPDPA requirements. Taking immediate action will help you to be on the path towards compliance.”
Enjoy reading!
Privacy Enforcement
FTC announced $5M fine against NGL Labs for anonymous messaging app and AI content moderation.
The Federal Trade Commission (FTC) issued an order against NGL Labs, LLC and its co-founders for the active marketing of their social media app to children and minors to prevent cyberbullying. They did not use any form of age screening at sign-up. Finally, the FTC determined that NGL Labs collected the personal information of children under the age of 13 without notifying parents or obtaining verifiable parental consent. NGL Labs was considered to have actual knowledge that it was collecting and maintaining personal information from children.
Lithuania VDAI fines Vinted €2.38M for violation of data processing principles
The Lithuanian State Data Protection Inspectorate (VDAI) highlighted that it received complaints forwarded by the French data protection authority (CNIL) and the Polish data protection authority (UODO) alleging that Vinted had not properly implemented data subject erasure and access requests. Vinted further failed to provide all the reasons for inaction related to the data subject request and the purposes for which the data subject's data would continue to be processed. Therefore, Vinted was found to have violated the GDPR in relation to the failure to provide transparent information, communication, and conditions for the exercise of data subject rights.
Data Breach
Turkey KVKK announces Adnan Özen İnşaat data breach.
Turkey's personal data protection authority (KVKK) announced that Adnan Özen İnşaat notified it of the breach. The breach occurred through a leak in the application programming interface (API) from which the car rental reservations of the data controller are taken. The number of persons affected by the breach is 185. The database contains the personal data of approximately 12,000 customers, and technical investigations regarding the breach are ongoing.
AT&T says criminals stole phone records of “nearly all” customers in new data breach.
U.S. phone giant AT&T confirmed Friday it will begin notifying millions of consumers about a fresh data breach that allowed cybercriminals to steal the phone records of “nearly all” of its customers. In a statement, AT&T said that the stolen data contains phone numbers of both cellular and landline customers, as well as AT&T records of calls and text messages during a six-month period between May 1, 2022, and October 31, 2022. AT&T published a website with information for customers about the data incident. AT&T also disclosed the data breach in a filing with regulators on Friday.
Privacy in Spotlight
NOYB filed complaint with Italian Garante for GDPR violations by Xandr.
None of Your Business (NOYB) filed a complaint with the Italian data protection authority (Garante) alleging that Xandr Inc. violated the General Data Protection Regulation (GDPR) by failing to adhere to principles related to transparency, the right of access and the use of inaccurate information about users. Xandr, a Real Time Bidding platform, is said to have collected sensitive personal data about individuals' health, sex life or sexual orientation, political or philosophical opinions, religious beliefs and financial status.
RockYou2024 leak: Largest stolen password collection uploaded to crime forum.
Security researchers from Cybernews say they have uncovered what appears to be the biggest collection of stolen and leaked credentials ever seen on the Breach Forums criminal underground forum. Containing what is said to be an astonishing 9,948,575,739 unique passwords, all in plaintext format, the RockYou2024 compilation apparently includes an earlier credentials database known as RockYou2021, which featured 8.4 billion passwords, and adds approximately 1.5 billion new passwords to the mix.
Regulations
Florida Digital Bill of Rights: effective July 1, 2024.
The Florida Digital Bill of Rights (FDBOR) will apply to persons that conduct business in Florida or produce products or services used by Florida individuals or households. It will also apply to processing or engaging in the sale of personal data. Like other state privacy laws, FDBOR includes the rights to access, correct, delete and port personal information, as well as the rights to opt out of the processing of personal information for the purposes of targeted advertising, the sale of data or profiling. However, FDBOR will introduce several unique opt-in and opt-out requirements.
Quebec Act respecting Health and Social Services Information comes into force.
The Quebec Commission on Access to Information (CAI) announced that the Act Respecting Health and Social Services Information (LRSSS) had come into effect on July 1, 2024. The Act introduces obligations for health and social services organizations to protect health and social services information and provides individual rights regarding health and care data.