This Week in Data Privacy

Pinterest Under Fire for Alleged GDPR Violations in EU Privacy Complaint

LinkedIn’s €310M GDPR Fine: Key Takeaways for Data Privacy Compliance

Siri’s New ChatGPT Integration: Enhanced Privacy with a Catch

China’s Landmark Judgment on Cross-Border Data Transfers: Key Compliance Insights

Kids' Data on Sale? College Board’s Student Information Practices Under Fire

X’s New Block Feature Sparks Privacy Concerns

Employers Caught in Legal Crossfire Over Medical History Requests

Building Trust with Smart Data Privacy in E-commerce

Insights from IANS CISO Compensation and Budget Survey

and the She Said Privacy / He Said Security Podcast celebrates 4 years!

———

As Cybersecurity Month wraps up, this edition brings essential updates on the evolving data privacy landscape, highlighting major cases, regulatory shifts, and strategic privacy practices. Dive into the latest privacy challenges facing top platforms, employers, and e-commerce businesses, along with actionable insights for privacy leaders.


Pinterest Under Fire for Alleged GDPR Violations in EU Privacy Complaint

Pinterest is facing a new privacy complaint in the EU as nonprofit noyb alleges the company has breached GDPR rules by tracking users without their explicit consent. Filed with France’s CNIL, the complaint accuses Pinterest of using a “legitimate interest” basis to track and profile users for ads, despite a recent EU court ruling that such personalized advertising requires explicit consent. Additionally, Pinterest allegedly failed to fulfill a data access request from a user who found her data shared with third parties. If found in violation, Pinterest could face fines up to 4% of its global turnover. This complaint underscores growing scrutiny of ad-funded platforms and their impact on data privacy. Read more.


LinkedIn’s €310M GDPR Fine: Key Takeaways for Data Privacy Compliance

LinkedIn’s recent €310 million fine by Ireland’s Data Protection Commission (DPC) is a major warning for tech companies operating in the EU.

Triggered by concerns over LinkedIn’s use of user data for behavioral targeting without explicit consent, the case underscores how vital transparency, consent, and clear legal basis are in data processing. The DPC found LinkedIn failed to meet GDPR’s stringent standards for lawful data use, pushing them to revise their advertising policies.

This ruling highlights the urgent need for companies to review and align their data practices with GDPR mandates, safeguarding both regulatory compliance and user trust in Europe’s privacy-focused market. Read more.


Siri’s New ChatGPT Integration: Enhanced Privacy with a Catch

Apple's upcoming iOS 18.2 brings a groundbreaking ChatGPT integration to Siri, allowing more advanced responses while upholding Apple’s strict privacy standards—but only if users don’t sign into an OpenAI account. If you use ChatGPT without logging in, OpenAI processes your Siri requests without storing data or using it for model training, and Apple obscures IP addresses for added privacy. However, signing into an OpenAI account, such as a ChatGPT Plus subscription, enables access to enhanced features but applies OpenAI’s less stringent privacy policies.

This feature-rich upgrade gives Siri capabilities to answer complex questions and use Visual Intelligence for image-based searches, though Apple’s safeguards aren’t absolute. Apple collects minimal data to run the service, and users opting to improve Siri can anonymously share interactions. This integration highlights a pivotal choice: prioritize privacy or functionality, as Apple navigates the fine line between smart assistance and user data security. Read more.


China’s Landmark Judgment on Cross-Border Data Transfers: Key Compliance Insights

In a first-of-its-kind ruling, China’s Guangzhou Internet Court highlighted the importance of localizing data protection policies for cross-border data transfers under China’s Personal Information Protection Law (PIPL). This case underscores that multinational companies must tailor global compliance to meet PIPL standards, especially regarding user consent for transferring personal data abroad.

The court ruled that LinkedIn’s approach, which relies on GDPR standards, wasn’t enough. To comply with PIPL, companies must secure explicit consent for data transfers and provide detailed information about overseas data recipients. This judgment serves as a critical reminder: compliance with PIPL mandates clear, localized data policies and transparent consent mechanisms, especially for multinational operations in China. Read more.


Kids' Data on Sale? College Board’s Student Information Practices Under Fire

Despite privacy laws, student data is still being sold without full parental consent, raising alarms. After his 15-year-old son received college pamphlets post-PSAT, journalist David Winter discovered that College Board collects and shares student data via its "student search service."

While College Board claims students “opt-in” to share data with colleges and scholarships, the reality is that student names, addresses, scores, and even parental information are distributed to a range of organizations. Privacy advocates warn that this data can reach third parties like credit card companies and loan servicers, all without parental oversight. Families concerned about data privacy can disable the opt-in option on the College Board's platform, though protections vary by state, with only 20 states banning data sales. Read more.


X’s New Block Feature Sparks Privacy Concerns

X (formerly Twitter) is redefining its block feature, allowing blocked accounts to view public posts while restricting interactions like likes and replies. This update breaks from traditional blocking practices, raising privacy concerns for users vulnerable to harassment.

Privacy advocates warn this change forces users to choose between public engagement and safety, limiting control over who can see their content. Many worry about the implications for content creators, who may need to rethink their strategies, and users who may turn to private accounts or alternative platforms.

While X claims the update promotes transparency, critics argue it compromises user privacy and personal security. This shift signals a potential new direction in social media privacy controls, as the platform balances openness with user safety. Learn more.


Employers Caught in Legal Crossfire Over Medical History Requests

Employers are increasingly facing lawsuits under Illinois’ Genetic Information Privacy Act (GIPA) for allegedly requiring job applicants to disclose family medical history. The Illinois law, along with the federal Genetic Information Nondiscrimination Act (GINA), restricts companies from collecting genetic data without consent, but recent cases suggest many employers may be in violation.

Key companies like United Airlines and Union Pacific are under scrutiny for such practices, as employees claim breaches of their genetic privacy rights. GIPA allows employees to seek damages, and the law’s broad interpretation means any family medical information might be deemed “genetic.”

Employers should implement strict data handling protocols and clear disclosures to avoid substantial penalties, as workers gain traction in similar privacy cases. Learn more.

Building Trust with Smart Data Privacy in E-commerce

In e-commerce, balancing data collection with respect for customer privacy builds trust and drives sales. Here’s how to excel:

  • Map Your Data: Create a comprehensive data inventory to track what you collect, why, where it’s stored, and who has access. This helps you comply with regulations like GDPR and informs privacy notices.
  • Honor Privacy Rights: Enable customers to view, correct, or delete their data easily. Having clear internal procedures and responsive teams is key to handling requests under laws like GDPR and CCPA.
  • Transparent Opt-Out Options: Include “Do Not Sell” links and allow consumers to opt out of data sales. Ensure cookie consent banners comply with legal standards and offer genuine choices.
  • Optimize Cookie Management: Regularly audit cookies and consent tools to maintain accuracy and transparency.

By committing to privacy transparency, e-commerce businesses boost consumer trust, paving the way for long-term loyalty and increased sales.

Read the full article here.


Insights from IANS CISO Compensation and Budget Survey

In this episode of She Said Privacy/He Said Security, Jodi and Justin Daniels sit down with Nick Kakolowski, Senior Research Director at IANS, to explore the evolving role of the CISO. Drawing on IANS’ latest research, Nick discusses how CISOs are now leading initiatives in privacy, AI, and security governance. He highlights the critical need for business and leadership skills in this role, along with cross-team collaboration, as boards increasingly rely on CISOs for strategic security governance and risk management.

Here’s a glimpse of what you’ll learn:

  • Nick Kakolowski’s career journey from teaching to becoming Senior Research Director at IANS
  • IANS mission and research initiatives
  • Insights from IANS annual CISO Compensation and Budget Survey and key findings on the compensation gap among CISOs
  • Why CISOs are increasingly taking ownership of privacy
  • How the role of a CISO is evolving to include business skills and leadership
  • Nick’s personal security tip

Listen to the podcast episode here.


She Said Privacy / He Said Security Podcast celebrates 4 years!

The first episode of the She Said Privacy / He Said Security podcast, hosted by Jodi Daniels and Justin Daniels, aired 4 years ago. Since then, it has produced 190 episodes with nearly 100 hours of content. Check out their celebratory video with all the highlights here!


Mutlu K.

Product Leader | Users and Business | Ex-Microsoft | Ex-Meta

2 weeks

Ah... "Kids' Data on Sale? College Board’s Student Information Practices Under Fire"

Kevin Szczepanski

Insurance Coverage & Commercial Trial Lawyer; Co-Chair, Data Security & Technology Practice Area; Host, "Cyber Sip"

2 weeks

Great stuff, Jodi Daniels!
