Hello Friends,
The draft Colorado Privacy Act rules retain the hallmarks of what makes the Colorado Privacy Act rules unique but contain some notable revisions and clarifications.
Enjoy reading!
Privacy Enforcement
Voodoo to pay 3 Million Euros over alleged Nonconsensual User Tracking
France's data protection authority, the Commission Nationale de l'informatique et des libertés, issued a 3 million euro fine to mobile application developer Voodoo over alleged nonconsensual user tracking. The CNIL's investigation found that when a Voodoo app is downloaded from Apple's App Store, the company applies a technical identifier to process information linked to users' browsing habits for advertising purposes. Voodoo allegedly applies the tracker despite user opt-outs via its consent mechanism.
WhatsApp to pay 5.5 Million Euros to Irish DPC, fissure with EDPB continues
Ireland's Data Protection Commission completed its inquiry into Meta Platforms' WhatsApp and fined the company 5.5 million euros related to forced user consent for the processing of their data. The DPC said the fine was significantly less than recent fines issued to Facebook and Instagram because WhatsApp was fined 225 million euros in 2021. However, the DPC decision did not resolve its ongoing jurisdictional fight with the European Data Protection Board related to the EDPB's ability to mandate the scope of a member state's data protection inquiry.
Data Breach
Password Manager Parent Company breached Using Previously Stolen Credentials
Hackers stole customers' encrypted data during a November 2022 security breach of GoTo, the parent company of password manager LastPass. The breach was a direct result of an August 2022 breach, in which an unauthorized party accessed a shared GoTo-LastPass cloud storage service. In November, hackers used the stolen data to access unencrypted customer files.
Cyberattack of UK Sportswear Company exposes Data of 10M Customers
10 million customers of U.K. sportswear chain JD Sports had their data exposed in a cyberattack. The breach reportedly affected online sales data from 2018-2020, including personally identifiable information. JD Sports representatives said they were contacting affected customers, working with leading cyber-security experts and talking with the U.K. Information Commissioner’s Office to respond to the breach.
Privacy in Spotlight
New Claims allege more Twitter Privacy Issues
The U.S. Congress obtained a whistleblower complaint alleging additional privacy and data security issues at Twitter before and shortly after Elon Musk's takeover. The unnamed whistleblower claimed approximately 4,000 Twitter employees had access to administrative settings that allowed a full takeover of any private account without user consent.
Online Pharmacies share Sensitive Data with Third Parties
Some online pharmacies selling abortion pills are using tracking technology that shares sensitive data with third parties, which could potentially lead to prosecution by law enforcement. Web trackers, including a Google Analytics tool, were found on at least nine of 11 sites selling the pills. Data shared through the trackers include web addresses visited, items clicked on, search terms, and location and device information, as well as a unique identifier linked to a user's browser.
Regulations
Attorney General releases Latest Revisions to Colorado Privacy Act Draft Rules
The Colorado attorney general's office released the second set of revisions to the Colorado Privacy Act draft regulations. Changes from the last revisions released in January include tweaks to business requirements for privacy notices, universal opt-out mechanisms, and honoring consumer rights and opt-out requests. With rules for universal opt-out mechanisms, the updates work to create more interoperability between U.S. comprehensive state privacy laws. Colorado's privacy law is effective July 1.
2023 Canada Private-Sector Privacy Law Reform: Keeping Track of Moving Parts
Canada is strengthening provincial and federal privacy laws. Not only are the authorities being given more power, but more stringent compliance requirements are also being placed on corporations, including EU GDPR-level, multimillion-dollar fines, and individual rights are being enhanced.
Privacy By Design to become an ISO Standard Next Month
The International Organization for Standardization will adopt ISO 31700 on privacy by design. The new standard will not be a conformance standard when it first comes online. It features 30 requirements and guidance on privacy-by-design principles for effectuating consumer rights, relevant roles and authorities, privacy control designs, and more.