Meta NHS Scandal, Texas Data Privacy Act, Amazon's COPPA Settlement, TikTok SDK Lawsuit

By Robert Bateman and Privado.ai

This week’s Privacy Corner Newsletter covers:

  • A Meta Pixel privacy scandal in the UK’s National Health Service (NHS).
  • Texas’s imminent Data Privacy and Security Act.
  • Amazon’s $25 million COPPA settlement.
  • A California class action concerning the TikTok SDK.

---

Live Talk: My Health My Data Act

Join our talk on the MHMD Act to explore key provisions, compliance requirements, and the importance of privacy and consent in healthcare data management.

Save Your Seat

---

UK Health Services Exposing Sensitive Data Via Meta Pixel

A media investigation has revealed how UK National Health Service (NHS) trusts have been “sharing intimate details about patient’s medical conditions, appointments, and treatments with Facebook without consent and despite promising never to do so.”

  • The investigation revealed that 20 NHS trusts had integrated the Meta Pixel tracking tool into websites concerning “HIV, self-harm, gender identity services, sexual health, cancer, (and) children’s treatments…”
  • The organizations served around 22 million people and were found to have shared data, including the user’s IP address and Facebook ID, along with information about prescription drugs, health information that the patient had viewed, and sensitive browsing history.
  • The majority of NHS trusts removed their Meta Pixels once confronted by the journalists conducting the investigation.

Some further thoughts…

Across much of Europe, the ePrivacy Directive and the GDPR (versions of both of which remain in force in the UK) require website operators to obtain opt-in consent before enabling most tracking technologies, including pixels and cookies.

But recently, most high-profile enforcement action in this area has taken place “across the pond.” As explored in previous Privacy Corner Newsletters, the US Federal Trade Commission (FTC) has acted this year against four companies accused of tracking people without consent.

The use of the Meta Pixel across NHS websites bears many similarities to the recent FTC cases against health-related companies GoodRx, BetterHelp, and Premom.

As with those US firms, many NHS trusts allegedly passed health data to Meta without consent and despite promising never to do so.

Judging by the trusts’ responses, it appears that many either did not know why they had installed the Meta Pixel on their websites or did not even know that the tool was present.

Meta and Google’s tracking products are near-ubiquitous across websites and apps. Due to the GDPR’s strict rules on US data transfers, some regulators have found that such tools cannot be used lawfully in the EU.

The UK’s data protection authority, the Information Commissioner’s Office (ICO), takes a less hardline position on this part of the law. It seems unlikely that the ICO would deem the Meta Pixel unlawful by default, provided that the rules on notice and consent were followed.

But even in the UK, the presence of pixels and non-essential cookies on sensitive websites—such as those concerning sexual development, mental health, and prescription drugs—is arguably always inappropriate and unarguably illegal without consent.
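Several trusts apparently did not know the Meta Pixel was on their sites at all. The audit helper below is an added example, not code from the investigation, the NHS or Meta: it scans a page’s HTML for the loader snippets of the Meta and TikTok pixels and raises the severity when the page path concerns a sensitive service. The signatures are the script and image URLs that appear in the vendors’ published base-code snippets; the sample pages, the placeholder pixel ID and the list of sensitive path terms are constructed for this example.

```javascript
// Added audit helper: scan page HTML for known tracking-pixel loaders and flag sensitive pages.
// Signatures come from the vendors' public base-code snippets; "PIXEL_ID_PLACEHOLDER" and the
// sample pages below are constructed for this example.
const TRACKER_SIGNATURES = [
  { vendor: 'Meta Pixel',   what: 'fbevents.js loader',      pattern: /connect\.facebook\.net\/[\w-]+\/fbevents\.js/i },
  { vendor: 'Meta Pixel',   what: 'fbq() init call',         pattern: /\bfbq\s*\(\s*['"]init['"]/i },
  { vendor: 'Meta Pixel',   what: 'noscript image beacon',   pattern: /facebook\.com\/tr\?/i },
  { vendor: 'TikTok Pixel', what: 'events.js loader',        pattern: /analytics\.tiktok\.com\/i18n\/pixel\/events\.js/i },
  { vendor: 'TikTok Pixel', what: 'ttq.load() call',         pattern: /\bttq\.load\s*\(/i },
];

// Path terms that mark a page as concerning a sensitive service (assumed list, mirroring the
// categories named in the investigation). Matched on whole hyphen-separated tokens so that,
// for example, "/archive" does not match "hiv".
const SENSITIVE_PATH_TERMS = ['hiv', 'sexual-health', 'self-harm', 'mental-health',
  'gender-identity', 'cancer', 'children'];

// Returns the distinct (vendor, what) signature hits found in one page's HTML.
function findTrackers(html) {
  return TRACKER_SIGNATURES
    .filter(sig => sig.pattern.test(html))
    .map(({ vendor, what }) => ({ vendor, what }));
}

function isSensitivePath(path) {
  const joined = path.toLowerCase().split(/[^a-z0-9]+/).filter(Boolean).join('-');
  return SENSITIVE_PATH_TERMS.some(term => new RegExp(`(^|-)${term}(-|$)`).test(joined));
}

// Audit { path: html } pages. One finding per page that carries a tracker; severity is
// 'high' on a sensitive page and 'medium' elsewhere.
function auditPages(pages) {
  const findings = [];
  for (const [path, html] of Object.entries(pages)) {
    const trackers = findTrackers(html);
    if (trackers.length === 0) continue;
    const sensitive = isSensitivePath(path);
    findings.push({
      path,
      sensitive,
      severity: sensitive ? 'high' : 'medium',
      vendors: [...new Set(trackers.map(t => t.vendor))].sort(),
      evidence: trackers.map(t => `${t.vendor}: ${t.what}`),
    });
  }
  return findings;
}

// Constructed sample pages: a sexual-health page with a Meta Pixel base-code snippet, a news
// page with a TikTok Pixel loader, and a clean HIV clinic page.
const SAMPLE_PAGES = {
  '/services/sexual-health/appointments': `
    <html><head>
    <script>
    !function(f,b,e,v,n,t,s){if(f.fbq)return;n=f.fbq=function(){n.callMethod?
    n.callMethod.apply(n,arguments):n.queue.push(arguments)};t=b.createElement(e);t.async=!0;
    t.src=v;s=b.getElementsByTagName(e)[0];s.parentNode.insertBefore(t,s)}(window,document,
    'script','https://connect.facebook.net/en_US/fbevents.js');
    fbq('init', 'PIXEL_ID_PLACEHOLDER');
    fbq('track', 'PageView');
    </script>
    <noscript><img height="1" width="1" style="display:none"
    src="https://www.facebook.com/tr?id=PIXEL_ID_PLACEHOLDER&ev=PageView&noscript=1"/></noscript>
    </head><body>Book an appointment</body></html>`,
  '/news/car-park-closure': `
    <html><head><script async src="https://analytics.tiktok.com/i18n/pixel/events.js?sdkid=PIXEL_ID_PLACEHOLDER"></script>
    </head><body>Car park closed this weekend</body></html>`,
  '/services/hiv-clinic': `<html><head><title>HIV clinic</title></head><body>Opening hours</body></html>`,
};

for (const finding of auditPages(SAMPLE_PAGES)) console.log(JSON.stringify(finding));
```

Run it against crawled HTML rather than the rendered DOM and it will miss a pixel injected at runtime by a tag manager; for a complete inventory, pair the static scan with a check of the outgoing network requests from a real browser session. A single hit on a page about HIV, self-harm or sexual health is enough to warrant removal pending a consent review.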

Texas Data Privacy and Security Act Passes Both Houses

The Texas Data Privacy and Security Act (HB 4) has passed both houses and awaits the state governor’s signature.

  • Texas’s HB 4 shares many similarities with other “Virginia-style” US privacy laws but includes some unique provisions.
  • The law will apply to any person conducting business in Texas that processes or sells personal data (with the usual exemptions) but excludes “small businesses” as defined by the US Small Business Administration from almost all requirements.
  • Among other provisions, the law will require controllers to obtain opt-in consent before processing sensitive data. Small businesses must also obtain opt-in consent before selling sensitive data.

Some further thoughts…

Texas is the fifth US state to pass a comprehensive privacy law so far this year, along with Iowa, Indiana, Montana, and Tennessee. The state’s governor is expected to sign the bill soon.

Here’s an overview of some of the important provisions in the Texas Data Privacy and Security Act.

The law applies to any person that:

  • Conducts business in Texas or produces products and services consumed by Texas residents, and
  • “Processes” or “engages in the sale of” personal data, and
  • Is not a small business as defined by the US Small Business Administration (with one exception, noted below).

Some commentary by respected US privacy experts has suggested that the law only applies to businesses that sell personal data.

I can’t read the law that way. The definition of “processing” seems as broad as ever, and the law seems to cover businesses that process OR sell personal data. But please take a look for yourself and let me know if I’m mistaken.

The usual exemptions apply to state agencies, Health Insurance Portability and Accountability Act (HIPAA) or Gramm-Leach-Bliley Act (GLBA)-covered entities, nonprofits, and some other organizations.

“Selling” personal data means “the sharing, disclosing, or transferring of personal data for monetary or other valuable consideration.”

The law provides the following consumer rights:

  • The right to confirm whether a controller is processing the consumer’s personal data and to access that data.
  • The right to correct inaccuracies in personal data.
  • The right to delete personal data.
  • A right amounting to “data portability.”
  • The right to opt out of:
      • Targeted advertising.
      • The sale of personal data.
      • Certain forms of profiling.

A controller that sells sensitive or biometric data must provide a prominent disclaimer to this effect in its privacy policy.

Controllers must obtain opt-in consent before processing sensitive data. All organizations, including small businesses, must obtain opt-in consent before selling sensitive data.

The bill’s effective date is July 1, 2024—earlier than any of the other four US privacy laws to pass this year.

Amazon Settles FTC Kids’ Privacy Allegations For $25 Million

Amazon has agreed to pay a $25 million civil penalty to the FTC and the Department of Justice (DoJ) for alleged breaches of the Children’s Online Privacy Protection Act (COPPA).

  • Amazon’s settlement relates to the collection and retention of children’s voice recordings via its Alexa smart speaker product.
  • The FTC alleges that Amazon “kept sensitive voice and geolocation data for years,” failed to comply with parents’ deletion requests, and used personal data collected from children for its own purposes.
  • In addition to paying a fine, Amazon can no longer use “geolocation, voice information, and children’s voice information” for the “creation or improvement of any data product.”

Some further thoughts…

Last week’s Privacy Corner Newsletter discussed the FTC’s case against ed-tech provider Edmodo, suggesting that the FTC will now focus on children’s privacy after several cases involving health.

This week’s COPPA settlement with Amazon seems to confirm this prediction.

The case is also further evidence that the FTC is making extensive use of the limited privacy law it has available.

Amazon was apparently treating children’s data in much the same way as data about all users: storing it indefinitely, using it for purposes other than the primary purpose for which it was collected, and failing to honor consumers’ requests concerning it.

Those activities might have been lawful with regard to adult users. But because Amazon did not properly distinguish children’s voice recordings, the company must now apply stronger privacy protections across the board.

TikTok Faces Class Action Over Data Collection

TikTok is the target of a class action California lawsuit accusing the company of conducting an “ongoing campaign to illicitly harvest an enormous amount of private data on US residents”.

  • Representative plaintiff Bernadine Griffith alleges that sites integrating the TikTok SDK have intercepted and collected private data about TikTok users and non-users without consent.
  • A key focus of the complaint is how the TikTok SDK allegedly circumvents browser privacy settings by effectively “transmuting a first-party cookie into a third-party cookie”.
  • The complaint pleads causes of action including the California Invasion of Privacy Act (CIPA), California’s Unfair Competition Law, and the federal Computer Fraud and Abuse Act (CFAA).

Some further thoughts…

TikTok has defended against its share of class action lawsuits and regulatory interventions, including a $5.7 million FTC settlement with the company when it was trading under its previous name, Musical.ly.

An interesting feature of this particular complaint concerns the TikTok SDK’s alleged ability to override browser privacy protections against third-party cookies.

The plaintiff describes a “first-party” cookie as a cookie whose data is initially accessible only to the website that sets the cookie. A “third-party” cookie shares information with parties other than the website owner.

Browsers such as Safari, Firefox, and Brave block third-party cookies by default. Other browsers, such as Chrome, include optional third-party cookie privacy settings. That blocking governs only the cookies the browser itself attaches to cross-site requests; it does not stop a script running inside the first-party page from reading that page’s own cookies and sending their values onward as request parameters.

The TikTok SDK enables a website owner to deploy the TikTok Pixel, a piece of JavaScript code not unlike the Meta Pixel discussed in our first story (above).

According to the complaint, the TikTok Pixel (and, impliedly, other companies’ pixels) shares user data with TikTok, a third party, and thus circumvents browser privacy protections designed to restrict data sharing to first parties.

In a previous edition of the Privacy Corner Newsletter, we discussed Meta’s response to a similar case regarding the Meta Pixel. The company argued that Meta merely provided the tracking tools, and website operators were responsible for their use.

TikTok could attempt to mount a similar defense in this case concerning its SDK. The company provides software, advertising, and analytics services. It’s up to website and app operators to use TikTok’s products and services in a legally compliant way.
