In this episode of 'The Privacy Corner', Robert Bateman shares his top three privacy news developments for the week. He discusses the significant privacy fine and order imposed on UK based antivirus company Avast by the Federal Trade Commission (FTC). He also talks about DoorDash's settlement under the California Consumer Privacy Act (CCPA) and the ongoing investigation of TikTok under the Digital Services Act (DSA). Throughout the video, Bateman breaks down the privacy and data protection related elements of each case, offering insightful commentary on these important developments.
Episode Transcript
Hello, I'm Robert Bateman, andthis is The Privacy Corner,
where I talk you through my topthree picks for privacy news
development every Friday.
And thank you so much, asalways, to Privado AI for
sponsoring these videos.
So this week, from mynewsletter, which I recommend
you subscribe to, I will link inthe comments, the FTC has hit a
(00:23):
vast, with a highly significantPrivacy order and fine.
Very significant case this one.
California, also significant,has settled with DoorDash under
the CCPA.
And Calopper who remembers thatold chestnut so I'll take a look
at that.
And TikTok is looking at aninvestigation under the DSA, the
(00:46):
Digital Services Act.
So I'll talk you through.
the privacy and data protectionrelated elements of that
investigation.
So first up Avast the UK basedantivirus company with a Czech
subsidiary operating via asubsidiary based in Delaware has
(01:07):
been subject to a proposed orderby the FTC still yet to be
approved but there's a fine,civil penalty of around 16 and a
half million dollars and somepretty stringent compliance
requirements.
So very interesting that the FTChas taken action against a non
U.
S.
company.
Remember, the FTC Act hasextraterritorial application
(01:30):
just like the GDPR and so on.
If you're operating in the U.
S.
and you meet certain otherconditions, then you are up for
enforcement.
And as we know, the FTC is very,very busy.
I honestly do not understand howthey are managing to impose all
these various consent ordersand, and, and civil penalties.
(01:51):
So Avast is an antivirus companyand they have a subsidiary
called JumpShot.
They are in trouble in the EU.
Well, I'll talk about that in amoment.
So, their products allegedlyhelped to block annoying
tracking cookies that collectdata about your browsing
activities and protect yourprivacy by preventing web
(02:14):
services from tracking youronline activity.
But, in fact, Avast itself wasallegedly selling data about its
users browsing activities andthey said they were doing so in
anonymous and aggregate form.
The FTC disagrees and says thatthis data was non aggregate and
(02:36):
re identifiable.
I mean I think in Europe we canjust call it identifiable,
indirectly.
Identifiable, but personal databy most standards, nonetheless,
very interesting though that theFTC continues to apply this very
broad notion of personalinformation under the FTC Act.
So this happened in CzechRepublic last year.
(03:00):
Avast got three and a halfmillion euro or so fine for.
basically packaging up dataabout its users and selling it
to Google Home Depot, Sephora,subject to the first CCPA
settlement.
We'll come back to that.
But this is a similar case.
I mean, not directly, notidentical, but.
(03:22):
Avast made lots of claims abouthow everything was anonymous and
you know, it was all aggregate.
They had an opt out buttonhidden deeply within their
settings somewhere.
The FTC is not happy that theydid not proactively tell people
about this button.
And also, They still use theword anonymized here.
Sometimes when I'm using aproduct that I rather like, and
(03:45):
I like the company behind it, Iwill keep the anonymized
information, analytics, un well,I'll, I'll remain opted in, or I
will opt in.
even to help improve the productand so on.
This gives me pause about thatbecause this data was not
anonymized as, as Avast said,and in fact was being used for
(04:07):
commercial purposes.
And that is not clear from thisbutton that they had for the
benefit of those listeningrather than watching.
It says we may share anonymizedinformation with third parties,
data sharing.
And a little orange switch.
So the other sorts of claimsthat were made were all about
anonymization, but the FTC foundthat Avast's data, the data it
(04:33):
sold, could reveal religiousbeliefs, health concerns,
political leanings, location,financial status, visits to
child directed content, and Aninterest in prurient content.
I think what they mean by that,well, they have an example,
cosplay erotica.
So porn and, and such, I supposebeing shared, people's browsing
(04:56):
behaviors.
Revealing that they had visitedsuch websites.
Also political candidacyannouncements, academic paper on
the symptoms of breast cancer.
A very broad view on whatconstitutes sensitive
information from the FTC here.
Broader, I think, than we see inmost consumer privacy laws that
(05:19):
are passing state by state, theyare really on a rampage and it's
very impressive and very robust,very bold enforcement activity.
I am slightly nervous aboutthese decisions being challenged
just because the toolkit, thelegal regulatory toolkit
available to the FTC is soarchaic and based on consumer
(05:43):
protection.
But we'll see, I mean, theyreally are doing some very
impressive work if you likeprivacy.
So lots of stuff about whatAvast said about their
practices, that it would bestripped of personally
identifiable information andused to help us better
understand new and interestingtrends.
I mean, we've all seen this kindof privacy washing corporate
(06:06):
speak, and it's a great exampleof what not to say when you are
selling.
personal data.
So they Also looked at whetherthe countervailing benefits to
consumers or competitionoutweighs the potential injuries
to consumers.
This is one reason why you mightbe allowed to do certain risky
things under the FTC Act andfound that it did not.
(06:28):
So we've got the usual array ofpretty Stringent compliance
requirements, the standard stuffabout not breaking the law in
future, and a pretty hefty finehere for Avast, well worth
reading the complaint and theorder.
So next up, DoorDash is subjectto the second CCPA settlement
(06:49):
ever.
This has been very slow CCPAenforcement, could speed up
soon, after the CPPA, the newregulator.
successfully appealed thedecision to hold off on its
enforcement activities a coupleof weeks ago.
So DoorDash was involved in amarketing cooperative, and this
(07:10):
came to light after a customerused a pseudonym for their
DoorDash account and startedgetting mail ads addressed to
that pseudonym from othercompanies.
So she thought, well, it musthave come through DoorDash quite
a good little kind of Canary ina coal mine there using a
pseudonym with certain companiesSo the problem here was that
(07:35):
DoorDash was not getting anymoney for Sending personal
information to this marketing coop.
But of course The CCPA'sdefinition of selling personal
information is very broad.
So it covers any benefit thatyou might receive for that
personal information, anyvaluable consideration.
(07:57):
And the most interesting thingabout this case for me is that
the California Attorney Generaloffered Dordash the notice and
cure period that was mandatoryat the time and is now optional
for the authorities.
And DoorDash stopped sellingpersonal information and they
(08:19):
told the marketing cooperativeto delete their customers
personal information.
But it was too late.
The personal information hadalready been sold to downstream
companies, including a databroker that resold the data many
times over.
And the contract with themarketing co op didn't let
(08:40):
DoorDash audit who the data hadgone to, as is a requirement
when you're selling personalinformation under the CCPA.
I can't Remember if that wasadded with the CPRA, but it's in
there now.
And therefore they couldn't curethe violation.
Attorney General takes an Notthat surprisingly, it takes
(09:02):
quite a broad view of whatcuring means, not just stopping
doing the violation, but alsoputting everything right,
putting consumers back to wherethey were before you did the bad
thing, and DoorDash could not dothat, even if it had wanted to.
So we have a minuscule fine of375, 000, a pretty mild
(09:26):
compliance program they have toenter into, But very interesting
takeaways from this case,nonetheless.
Finally, TikTok is in troublewith the European Commission
under the Digital Services Act.
Why am I talking about a contentmoderation law, essentially?
Well, there are some privacybits in the DSA.
(09:48):
So they have, well, thecommission accuses them of all
sorts of things.
I was not terribly impressed byhow this was handled by a
particular commissioner.
that I won't name initially, butthe Article 28.
1 of the DSA requires a highlevel of privacy, safety and
(10:09):
security for miners.
So let's take a look at that inparticular.
If your online platform isaccessible to miners, It's not
directed to children as in theGDPR, but, and various other
laws, but accessible to minors,you have to put appropriate and
proportionate measures in placeto ensure a high level of
(10:30):
privacy, safety, and securityfor those minors.
So we're not talking about coalminers here, by the way, this is
children of a particular age.
And the The GDPR case againstTikTok last year, well, both
from the Irish and the UKauthorities looked at this
issue.
Age verification in the UK won.
(10:53):
Very, very hard area of GDPRcompliance.
I keep saying this, we might getsome answers from the CJEU at
some point, who knows.
So that's all from me this week.
There are two of me on thisfinal slide if you're watching
the video.
Not sure why that's happened,but there we are, and I'll see
you next week.
Popular Podcasts
Stuff You Should Know
If you've ever wanted to know about champagne, satanism, the Stonewall Uprising, chaos theory, LSD, El Nino, true crime and Rosa Parks, then look no further. Josh and Chuck have you covered.
Ruthie's Table 4
For more than 30 years The River Cafe in London, has been the home-from-home of artists, architects, designers, actors, collectors, writers, activists, and politicians. Michael Caine, Glenn Close, JJ Abrams, Steve McQueen, Victoria and David Beckham, and Lily Allen, are just some of the people who love to call The River Cafe home. On River Cafe Table 4, Rogers sits down with her customers—who have become friends—to talk about food memories. Table 4 explores how food impacts every aspect of our lives. “Foods is politics, food is cultural, food is how you express love, food is about your heritage, it defines who you and who you want to be,” says Rogers. Each week, Rogers invites her guest to reminisce about family suppers and first dates, what they cook, how they eat when performing, the restaurants they choose, and what food they seek when they need comfort. And to punctuate each episode of Table 4, guests such as Ralph Fiennes, Emily Blunt, and Alfonso Cuarón, read their favourite recipe from one of the best-selling River Cafe cookbooks. Table 4 itself, is situated near The River Cafe’s open kitchen, close to the bright pink wood-fired oven and next to the glossy yellow pass, where Ruthie oversees the restaurant. You are invited to take a seat at this intimate table and join the conversation. For more information, recipes, and ingredients, go to https://shoptherivercafe.co.uk/ Web: https://rivercafe.co.uk/ Instagram: www.instagram.com/therivercafelondon/ Facebook: https://en-gb.facebook.com/therivercafelondon/ For more podcasts from iHeartRadio, visit the iheartradio app, apple podcasts, or wherever you listen to your favorite shows. Learn more about your ad-choices at https://www.iheartpodcastnetwork.com
Dateline NBC
Current and classic episodes, featuring compelling true-crime mysteries, powerful documentaries and in-depth investigations. Follow now to get the latest episodes of Dateline NBC completely free, or subscribe to Dateline Premium for ad-free listening and exclusive bonus content: DatelinePremium.com