Data Digest № 032

Data Digest ¦ November 5th, 2020, 11:00 pm

Welcome to Datawallet’s Data Digest, where we review and occasionally analyze the latest news and the most critical developments in the data industry. Here’s a look at the latest developments:

Californians vote in Proposition 24: The CPRA

On November 3, 2020, the California Privacy Rights Act (CPRA was passed. The CPRA builds upon the California Consumer Privacy Act (CCPA) and solidifies California’s position of having the strongest privacy laws in the United States. The data privacy law grants consumers more control over how companies use their information and establishes a new enforcement agency. While many of the revisions won’t be enforceable until 2023, the CPRA does align California’s privacy regulations more closely with Europe’s General Data Protection Regulation (GDPR). In preparation for these updated regulations, companies that handle consumer data, especially in the online ecosystem, should properly map and define what constitutes personal information and also understand which partners or third parties may have access to it. Find the Datawallet Overview here.

The EU parliament backs tighter regulations on microtargeting 

The EU has backed a call for tighter rules on behavioral ads (“microtargeting”) in favor of less intrusive forms of advertising. Commission lawmakers have been urged to assess further regulatory options, potentially including a full ban. Members of the European Parliament also want Internet users to be able to opt out of algorithmic contact curation. This comes at a time when the Commission lawmakers are working on updates to ecommerce rules via the Digital Service Act (DSA), which is slated to be introduced next month. While the DSA package is being drafted, the mass surveillance of Internet users for ad targeting will be a major point of contention. LINK

Amazon alerted customers of potential data breach 

Amazon alerted certain customers of a data breach that potentially affected email addresses. The data leak came at the fault of an Amazon employee, who has since been fired. The alerts came in the form of an email and left many customers confused over whether the data leak was an isolated incident that solely targeted the particular customer who received the email alert, or if other customers have been affected as well. One customer tweeted: “Did anyone else get a weird email from Amazon about this data breach or was I just targeted solo?" While there were many customers who had been potentially affected by the breach, Amazon has not released just exactly how many customers were impacted. LINK

Uber faces lawsuit by UK drivers over potential GDPR violations due to ‘robo-firing’ practices 

The App Drivers & Couriers Union (ADCU) filed a lawsuit with a court in the Netherlands, in efforts to challenge Uber’s practice of ‘robo-firing’ drivers. ‘Robo-firing’ is the use of automated systems to identify fraudulent activity and terminate drivers' employment based on that analysis. The ADCU alleges that Uber drivers in the UK and Portugal have been wrongly accused of fraudulent activity without the opportunity to exercise the right of appeal. LINK

Facebook dating app has finally launched in Europe, after a 9 month delay over privacy concerns

Facebook Dating has now been released throughout Europe, allowing users to create a profile at Among some of the features of the dating app are the ability to utilize a Secret Crush feature which allows you to select up to nine Facebook friends or Instagram followers who you have a “crush” on. If any of the same users also secretly select you as one of their “crushes,” then you will be notified of a match. Facebook Dating also syncs up other Facebook features on your profile, such as Events and Groups. As users who opted in to the service would be providing even more of their personal information to Facebook, the dating app raised privacy concerns and led to a regulatory intervention by the Irish Data Protection Commision (DPC). Facebook ended up providing detailed clarifications on how they would process personal data collected through Dating and have made the appropriate changes to ease the DPC’s concerns. LINK

US "deeply concerned" about EU/US data transfer issue

US Secretary of Commerce Wilbur Ross expressed his worries over the Schrems II decision, which he says will lead the US and the EU to face “severe economic consequences.” Ross expressed that the Trump administration is committed to finding an enduring solution that will allow for transatlantic data flows and strong privacy protections. LINK

NY Senate Bill S9073 (the "It's Your Data Act) is currently in Senate Committee

NY Senate Bill S9073, introduced by Senator Leroy Comrie, would establish the “It’s Your Data Act.” The Act would expand the “right to privacy” and provide protections and transparency in the collection, use, retention and sharing of personal information. This is not the only data protection law proposed by the NY Senate this year, as the New York Privacy Act was stalled in the Senate. Although there has been multiple attempts to push a New York data privacy law, some have warned that rushing to adopt privacy protections may have “vast and unintended consequences.” LINK

ICO fines Marriott £18.4 million for failing to keep customers personal data secure 

In 2014, Marriott estimated that 339 million guest records were affected in a cyber attack.The attack had gone undetected for four years, until September 2018. Marriott’s penalty only relates to the breach from May 25th 2018, when the GDPR regulations came into effect. The ICO took the steps that Marriott had taken to mitigate the effects of the incident and the economic impact of COVID-19 on their business into consideration when determining a final penalty amount. LINK

GDPR lawsuit against Oracle and Salesforce moves forward

Oracle and Salesforce, two of the world’s largest software companies, will face the biggest privacy class action lawsuit ever filed. Rebecca Rumbul, privacy campaigner and specialist, is seeking damages in excess of £10 billion. This amount could lead to £500 in awards to every person in the UK who uses the internet. The lawsuit focuses on the collection and processing of personal information by advertising platforms owned by the two software companies, which use third-party cookies to track online browsing data and sell it to platforms to serve targeted ads. The lawsuit will take place in the High Court of England and Wales after the outcome of the Lloyd vs. Google case. LINK

Get the Data Digest in your inbox