The Privacy Corner
Join The Privacy Corner each week as Robert Bateman navigates the ever-changing landscape of data breaches, surveillance, and individual rights, offering expert insights and actionable advice to help you take control of your digital footprint. Join him for lively discussions, in-depth interviews, and practical tips to protect your privacy in today's connected world.
Amazon's €32M GDPR Fine, FTC Action on Data Brokers, CPPA's CCPA Opt-Out Guidance
In this episode of The Privacy Corner, the first highlight is the French DPA's hefty fine on Amazon over its intrusive employee monitoring program. Up next is the Federal Trade Commission's (FTC) stern action against the data broker InMarket for mishandling sensitive location data. The episode concludes with useful guidance from the California Privacy Protection Agency (CPPA) on universal opt-out signals.
Hello, I'm Robert Bateman, and this is The Privacy Corner, where I talk you through my top three picks for privacy developments each week. And a big thank you, as always, to Privado AI for supporting these videos.

So this week, I'll be talking you through the FTC's latest action, another one, this time again against a data broker and involving sensitive location data. The French DPA has fined Amazon over its employee monitoring program. And the CPPA, the California Privacy Protection Agency, has put out some very useful guidance on universal opt-out signals.

Before I go on, I might have mentioned that Privado AI is hosting a Bridge Summit next week on the 31st of January. I'll be appearing on a panel called "Privacy as a Brand Differentiator", getting to grips with how privacy can actually set you apart from other companies. Sounds nice in theory; we'll look at how to actually, you know, leverage that, and it should be great. There's lots of technical privacy information; Privado have put out some great stuff on that. So do come along and have a watch. Hope to see you there.

So first up, France. Last week, we looked at a cookie fine against Yahoo. This week it's Amazon and their employee monitoring program. So this is their warehouse employees and how they scan and track basically everything they do at work. The CNIL is not happy about it and says that it's a violation: a 32 million euro fine here. So pocket change for Amazon, but still quite a significant fine in the scheme of things. And the CNIL says that Amazon have been monitoring every single detail of the employees' quality and productivity. They store this data for a month, well, 31 days. And there are 31 days in some months, yes, that's right; this month, in fact, has 31 days in it. That's not a massive retention period, you know, compared to the one we'll look at in the next item.

But the CNIL didn't seem to think they should be retaining this data at all. There's quite a lot in there about how Amazon can monitor its employees, but they've just gone a bit too far and they haven't complied with the data minimization principle in particular. They shouldn't be, according to the CNIL, retaining this data at all, because supervisors can see it in real time, so that's enough to achieve the purposes they're going for. There are also some issues on lawfulness, so certain types of monitoring were deemed to have no lawful basis by the CNIL and are even illegal, it says. "Stow Machine Gun" is one of these types of indicators. I don't know if that's a weird translation; a machine gun doesn't sound like something you should be taking to work. But it basically shows how quickly these employees are scanning things. If they scan too fast, there might be quality issues. If they scan too slow, perhaps Amazon will think they're being lazy. There's a lot about tracking break times here: different types of tracking for breaks up to 10 minutes and over 10 minutes. And overall, it's just disproportionate according to the French regulator. Temporary workers didn't used to get a privacy notice until April 2020. And there was not enough information about CCTV either, and also about the software associated with the CCTV. The access controls were not properly configured according to the CNIL, so that's an Article 32 violation. So lots in there. And I think employee monitoring will be a theme throughout '24, that's a prediction. The ICO has put out some stuff about it recently in the UK. We know from last year that California is looking at it too under the CCPA. So I think we'll see some more stuff on employee surveillance this year.

Now the FTC. We looked at the X-Mode order last year. This one is quite similar, against a data aggregator called InMarket. And InMarket has its own apps, and it also has an SDK that it puts into its own apps and third-party apps. So it gets lots of location data from different sources and it puts users into audience segments, as they're called, so buckets according to their interests and characteristics and backgrounds. And they keep this data for five years. That's quite a long time, and I think some of it's very sensitive. So the FTC cites that, when the device is moving, this SDK apparently records its location every few seconds, and they've got a hundred million different unique devices tracked each year. So the sorts of locations that the FTC is really concerned about are places of worship, where their children go to school, where they receive medical treatment, and also potentially where they go to rallies or demonstrations or protests. So we've got health data, children's data, religious beliefs, political affiliations, and these are all sensitive data types according to the FTC. There was a bit of an issue with how InMarket requested consent. So the consent pop-up would say something like, you know, if you let us track your location, we can offer you great savings when you go to a store that we have coupons for, or whatever. And in fact, of course, they did use the location data for that purpose, but they also collected it and sold it. So the FTC does not consider that they have consent for this. The real problem is saying that they were getting consent, because that falls under the FTC Act as misleading. We've also got this little guy here. I am quite disturbed by this character, this kind of avatar, Listy or whatever, who asks for your permission for location tracking. I would not trust this little critter. Perhaps they thought that would appeal to people, but it kind of freaks me out. It's a bit like Clippy, but with a slightly more sinister sort of look about him.

So the FTC's order is quite rigorous, as always. They have to delete or destroy the location data that they've collected. They need to tell users of their own apps about this investigation, so that's going to be quite embarrassing, I suppose. And they have to set up these compliance programs to make sure they're scrubbing sensitive information from location data, and also put a general comprehensive privacy program in place. So the FTC is not messing around. We had a lot of action last year, and this January, I mean, three privacy actions, together with all their consumer protection and antitrust stuff as well. So expect it to be another busy year for that agency.

Finally, the California Privacy Protection Agency, the CPPA, has put out some guidance about universal opt-out mechanisms. So because it's California, they have to have their own way of doing things, and they are calling these OOPS. Other states have gone with UOOM, Universal Opt-Out Mechanism. California's gone with Opt-Out Preference Signal, OOPS, O-O-P-S. So this is quite useful guidance actually, because in California there's no list of protocols that you have to recognize. So this is a browser signal: the user configures their browser to tell websites that they don't want to be tracked, they don't want their data to be sold, and so on. And in California, and several other states soon, you have to respond to such a signal and treat it as a request under the right to opt out. So this guidance is only a few pages, but it really tells you everything you need to know, apart from the lawyerly sort of detail. Businesses have to obey signals from any protocol, as long as it's in a commonly used format, so an HTTP header or JavaScript. And also the protocol has to tell the consumer that that is what it would do. So there could be quite a few covered there, including GPC, which has already been cited in CCPA enforcement from 2021, or 2020, against Sephora. So we know California is serious about this stuff.

And the guidance also details what you have to do if you get a signal. So don't sell the data, don't share it for contextual advertising purposes (cross-context behavioural advertising). And you've got 15 business days maximum to respond. And there are different types of... you mustn't associate personal information that you sell or share with a browser, a profile, or the actual consumer. If they have neglected to opt out of the sale of their personal information, or if they somehow consented to that, then the browser signal takes precedence. So you have to treat the OOPS as a valid request to opt out. They also include some of the more complicated aspects around financial incentive schemes, so like loyalty schemes where you have to share data and you give a discount for data sales, and also the frictionless response. So if you respond to opt-out mechanisms in a frictionless manner, you don't have to have the "Do Not Sell" link, but it's quite complicated. This is all in the CPPA's regulations, which are not enforceable yet. So I'm not clear on how to advise on this. There doesn't seem to be a clear answer on the frictionless stuff. You'll know what I mean if you are familiar with those parts of the law, and if not, then definitely take a look at this little PDF they've put out. There's a link in the newsletter.

So that's all from me this week. Thanks so much for your attention, and I hope to see you at Privado's Bridge Summit. Goodbye from me and this creepy guy that wants to track your location, and I'll see you next week.
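The opt-out preference signal discussed in the final segment is, in practice, an HTTP request header or a browser JavaScript property, and the guidance as summarised above says the signal takes precedence over a consumer's earlier consent or failure to opt out. The following is an added example, not code from the video, from Privado, or from the CPPA, showing how a site might detect the signal on both sides and let it override stored choices. The header name `Sec-GPC` with the value `1` and the `navigator.globalPrivacyControl` property come from the Global Privacy Control specification; the request and consumer records are constructed samples, and the decision-record shape is hypothetical.

```javascript
// Added example (not from the video, Privado, or the CPPA): detecting an
// opt-out preference signal and letting it override earlier consumer choices.
// From the GPC spec: browsers send the request header "Sec-GPC: 1" and expose
// navigator.globalPrivacyControl. Record shapes below are hypothetical.

// Case-insensitive header lookup, because HTTP header names are
// case-insensitive and different servers normalise them differently.
function getHeader(headers, name) {
  const want = name.toLowerCase();
  for (const [key, value] of Object.entries(headers)) {
    if (key.toLowerCase() === want) return value;
  }
  return undefined;
}

// The signal is "on" only when the header value is exactly "1"; the spec
// defines no other truthy value, so "0", "true" or an absent header means no signal.
function hasOptOutSignal(headers) {
  return getHeader(headers, "Sec-GPC") === "1";
}

// Decide whether this request's data may be sold or shared for cross-context
// behavioural advertising. `consumer` is a hypothetical CRM record holding the
// consumer's earlier choices. Per the guidance as described in the video, a
// present signal wins over a prior consent to sale and over a missing opt-out.
function decideSaleOrShare(headers, consumer) {
  if (hasOptOutSignal(headers)) {
    return { sell: false, share: false, reason: "opt-out preference signal" };
  }
  if (consumer.optedOut) {
    return { sell: false, share: false, reason: "prior opt-out request" };
  }
  if (consumer.consentedToSale) {
    return { sell: true, share: true, reason: "prior consent to sale" };
  }
  return { sell: true, share: true, reason: "no opt-out on record" };
}

// Client side: the same signal is readable in page script, which is useful for
// gating third-party ad tags before they load. Guarded so it runs outside a browser.
function browserSignalsOptOut(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Constructed sample requests and consumer record (not real traffic or data).
const requestWithGpc = { headers: { "sec-gpc": "1", "user-agent": "Example/1.0" } };
const requestWithoutGpc = { headers: { "User-Agent": "Example/1.0" } };
const consentedConsumer = { id: "c-123", optedOut: false, consentedToSale: true };

console.log(decideSaleOrShare(requestWithGpc.headers, consentedConsumer));
// signal overrides the earlier consent: sell false, share false
console.log(decideSaleOrShare(requestWithoutGpc.headers, consentedConsumer));
// no signal and a prior consent: sell true, share true
```

The point to note is the exact-match check on `"1"`: treating any non-empty `Sec-GPC` value as a signal would over-block, while a case-sensitive header lookup would silently miss signals from servers that lower-case header names. The client-side check is a convenience for gating tags early; the server-side decision is the one a 15-business-day response window and a deletion or suppression workflow would hang off.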