Data Privacy Highlights

This Week in Data Privacy, we are covering a lot of subjects, including GoodRX being fined for sharing consumer data with social media platforms for advertising, a federal bill proposing to ban social media use for anyone 16 and under, a massive 2022 data breach, Red Clover's Jodi Daniels joining CMO Convo to discuss data privacy in the C-suite, and the final draft of CPRA being approved by the CCPA!

GoodRX Fined for Sharing Data; Health Data Provided to Facebook, Google, Other Third-Party Firms for Advertising

GoodRX, a widely used online health app, has agreed to pay a $1.5M fine and permanently stop sharing patient data for advertising purposes as a result of an ongoing FTC case.

As summarized by Dan Desko, the FTC said GoodRX has done the following:

  1. Shared personal health information with several social media giants.
  2. Used personal health information to target its users with ads.
  3. Failed to limit third-party use of personal health information.
  4. Misrepresented its HIPAA compliance.
  5. Failed to implement policies and procedures to protect personal health information.

This is the first fine brought using the newly updated FTC Health Breach Notification Rule, which specifically targets health apps that collect sensitive data but avoid HIPAA records handling requirements because they are not health care providers.

GoodRX admits to no wrongdoing in the case, as they claim the data shared could not identify an individual’s health condition, though some users recall being served ads on Facebook and Instagram that were specific to their particular conditions.

For more on the GoodRX case and settlement: https://www.cpomagazine.com/data-privacy/goodrx-fined-for-sharing-data-health-data-provided-to-facebook-google-other-third-party-firms-for-advertising/


A new bill would ban anyone under 16 from using social media

A movement to keep children and young teenagers entirely off of social media is gaining traction amongst U.S. policymakers and federal officials as concerns for their well-being and mental health grow.

U.S. Surgeon General Vivek Murthy recently stated that “13 is too early for kids to be joining apps like Instagram and TikTok…creating a distorted environment that often does a disservice to kids”.

Following this statement, a House Republican introduced a bill to ban kids and teens under 16 from using social media. This bill would:

  1. Require companies to verify users’ age
  2. Allow parents to sue if the social media platform fails to keep those under 16 off their sites
  3. Empower federal and state agencies to enforce standards

Industry and human rights groups have cautioned against cutting off kids and teens from social media, as it would also effectively remove access to positive digital resources and communities.

“There are very real concerns about the ways that Big Tech companies’ business practices harm kids, but we need better solutions than just cutting kids off from online community and educational resources.” - Evan Greer, Director of Fight for the Future

For more: https://www.washingtonpost.com/politics/2023/02/02/new-bill-would-ban-anyone-under-16-using-social-media/


T-Mobile Data Breach Includes Massive Compromise of Google Fi Service, Unknown Quantity of Customer Records Exposed

An unknown quantity of Google Fi data has been potentially exposed after being caught up in the T-Mobile data breach that occurred late in 2022.

Though the 32 million records that were caught up in the T-Mobile breach were made up of basic customer contact and profile information, the Google Fi service breach is more concerning as there are reports that SIM card serial numbers were included in the breach.

There is no concrete number as to how many users of Google Fi were impacted. Lior Yaari, CEO and co-founder at Grip Security, noted “Given the serious nature and impact of the breach, it’s surprising that Google has not disclosed the number of customers impacted, like what we have seen in other major breaches.”

Erich Kron (security awareness advocate at KnowBe4) warns that “Cellular networks are very concerning when it comes to a breach as many people protect financials using Multi Factor Authentication (MFA) through SMS messages. If bad actors are able to SIM swap or receive these messages in place of the user, it can render the protection otherwise provided by MFA, useless. No matter whom you are contracting services from, it’s important to understand the risks which you then accept as part of that partnership. Security measures should be reviewed on a regular basis and consideration, up to and including termination of contracts, must be made when a subcontractor fails to protect your data.”

For more on the Google Fi/T-Mobile data breach: https://www.cpomagazine.com/cyber-security/t-mobile-data-breach-includes-massive-compromise-of-google-fi-service-unknown-quantity-of-customer-records-exposed/


CMO Convo | Building brand trust with data privacy ft. Jodi Daniels

What if data privacy isn't a burden for CMOs? What if it was actually a benefit for building brand trust?

Jodi Daniels joined CMO Convo to share how she believes CMOs and their brands need to be approaching data privacy in a way that's transparent and displayed proudly.

Rather than trying to make your audience forget about data privacy concerns by hiding your policy away, sharing your policy in the right way can be the ultimate way to build trust in your brand. Check out the episode to find out more!

https://www.cmoalliance.com/cmo-convo-building-brand-trust-with-data-privacy-jodi-daniels/


On Feb 3, 2023 the California Privacy Protection Agency approved the final draft of the regulation under the CPRA. These regulations amend the regulation under the CCPA and are now in the 30-day review period.

The provisions to the Regulation include:

Purpose Limitations

The CPRA requires a business's collection, use, retention and sharing of consumer data to be necessary and proportionate to

  • achieve the purposes for which the business collects or processes personal information, OR
  • the disclosed purpose compatible with the context in which the business collects personal information

If a business fails to meet the above requirements, it must obtain explicit consent from data subjects to collect and process personal information, in line with the reasonable expectations of the consumer, with the use, storage, and sharing of personal information being reasonably necessary and proportionate to the purposes laid out by the business.

Right to Limit the Use of Sensitive Personal Information

If a business is only collecting or processing sensitive personal information for a few explicit purposes, then the business does not need to provide consumers with notice of their right to limit the use and disclosure of such sensitive personal information.

The use or disclosure of the personal information must be reasonably necessary and proportionate to the disclosed purpose.

Opt-Out Preferences

Businesses must recognize universal opt-out preference signals as a valid request from a consumer to opt out from the sale of personal information or sharing of personal information for cross-context behavioral advertising.

As laid out in the regulation, it is optional

  1. for a business to display on its website the status of whether the business has processed an opt-out preference signal as a valid request to opt out of the sale/sharing of personal information.
  2. for a business to inform consumers of any conflict between an opt-out preference signal and participation in an incentive program.

Audits and Enforcement

The California Privacy Protection Agency may audit a business, service provider, contractor or person, with or without prior notice, to ensure compliance with any provision of the CCPA and CPRA.

Enforcement is slated to begin on July 1, 2023, which means businesses should actively be working towards compliance now.

Source: https://www.mondaq.com/unitedstates/privacy-protection/1280086/cpra-regulations-just-around-the-corner-approved-by-the-california-privacy-protection-agency

Hitoshi Kokumai

Advocate of Identity Assurance by Citizens' Volition and Memory. Founder and Chief Architect at Mnemonic Identity Solutions Limited

2 years

Every time there is a breach, MFA is referred to as a valid solution without telling how it should be configured. It would help if it is configured in 'Multi-Layer' formation while it would bring down security if configured in 'Multi-Entrance' formation. I hope that, when referring to MFA, this point should be made very clear.

Debbie Reynolds

The Data Diva | Data Privacy & Emerging Technologies Advisor | Technologist | Keynote Speaker | Helping Companies Make Data Privacy and Business Advantage | Advisor | Futurist | #1 Data Privacy Podcast Host | Polymath

2 years

Jodi Daniels thanks so much. Wonderful information as always!
