November 14, 2024
Issue 37 — Latest in privacy & security
In today's email…
- Virginia police face lawsuit over vehicle tracking
- The service caught letting civilians track anyone’s geolocation
- Key takeaways from the €310 million LinkedIn GDPR fine
- US federal and state regulatory priorities
- TerraTrue’s new AI-powered document analysis feature
- Upcoming webinars & events
Latest in Privacy and Security
Two Norfolk, Virginia residents have sued city police for tracking the movement of area drivers. The police use automatic license plate readers and AI to record the movement of all cars in the area. The lawsuit alleges that this mass surveillance violates the Fourth Amendment protection from unreasonable search and seizure.

A service called Locate X may be enabling civilians to track anyone’s cellphone geolocation. The service is supposed to be limited to law enforcement, but a private investigator was given a free trial and was told that the company doesn’t actually check.
Regulations / Fines
GDPR Lawful Basis
- Two tech giants are facing enforcement actions for failing the GDPR’s lawful basis standard in their advertising practices:
  - LinkedIn was fined €310 million (over $332 million) by the Irish Data Protection Commission (DPC) for conducting behavioral analysis and targeted advertising that didn’t meet the GDPR’s standards for consent, legitimate interest, or contractual necessity.
  - An advocacy group has filed a complaint that Pinterest tracks user data by default, using a false legitimate interest justification, and failed to provide detailed information in response to a Data Subject Access Request (DSAR).
- Key takeaways:
  - Multiple justifications won’t protect you if you misapply GDPR standards. LinkedIn justified its practices under consent, legitimate interest, and contractual necessity, but the DPC rejected all three rationales.
  - Take user consent very seriously. Users need to know exactly what you’re collecting and why, and have the option to opt out.
  - Answer DSARs precisely. “Your personal data might be with company X, Y, and/or Z” won’t cut it. You need to report exactly who has access to each piece of user data.
US Regulatory Priorities
- Federal enforcement continues to prioritize children’s privacy. Several recent enforcement actions have targeted children’s entertainment companies for unlawful data collection practices, dark patterns, and other issues. The FTC has also proposed new rules to give parents more information and better control over data sharing.
- On the state level, new comprehensive privacy laws are going into effect in 2025 in Delaware, Iowa, Nebraska, New Hampshire, and New Jersey. The New Jersey law starts on January 15, 2025, with the other four beginning on January 1.
Feature Focus
- TerraTrue now offers AI-powered document analysis. The platform scans SOC 2 reports, contracts, and DPAs automatically, extracting key details to spot issues and exceptions in the review process.
Upcoming Events
- IAPP Data Protection Intensive: UK | Mar 10-11, 2024 | London
- IAPP Europe Data Protection Congress | Nov 18, 2024 | Brussels, Belgium
- FutureCon Nashville | November 14, 2024 | Nashville, TN and Online
- FutureCon Boston | Nov 21, 2024 | Boston, MA and Online
- IAPP ANZ Summit 2024 | November 26-29 | Melbourne, Australia
- IAB State Privacy Law Summit | Nov 19, 2024 | New York City, NY
Job Board
- Snap: Privacy Program Manager
- Sony: Director of Privacy & Data
- Bayer: Senior Director Digital Product Security
Upgrading Your Privacy & Security Program for 2025?
Let us help you think through how to plan, budget, and design your program.