Google to Pay Texas $1.4 Billion in Privacy Settlement

Texas Attorney General Ken Paxton (R) announced a nearly $1.4 billion settlement with Google in a case about the company's unlawful tracking and collecting of user's personal information, including geolocation and biometric data. Paxton filed the lawsuit against Google in October 2022, alleging violations of the Texas Capture or Use of Biometric Identifier Act (see 2210200075).

“In Texas, Big Tech is not above the law. For years, Google secretly tracked people’s movements, private searches, and even their voiceprints and facial geometry through their products and services. I fought back and won,” said Paxton. “This $1.375 billion settlement is a major win for Texans’ privacy and tells companies that they will pay for abusing our trust."

This settlement comes less than a year after another $1.4 billion settlement between Texas and Meta, in a case alleging the social media company captured biometric information in violation of state law (see 2407300030).

Calif. Privacy Agency Fines Menswear Retailer $345K for Alleged CCPA Violations

The California Privacy Protection Agency (CPPA) dressed down national menswear retailer Todd Snyder with a $345,178 fine Tuesday for alleged violations of the California Consumer Privacy Act (CCPA).

The privacy agency said Todd Snyder agreed to pay the fine and change its business practices to resolve various allegations, including that it failed to oversee and properly configure technical infrastructure of its privacy portal. That failure led to a 40-day period in which the company failed to process consumer requests to opt out of selling and sharing personal information, the CPPA said.

In addition, the clothing retailer required consumers to submit more information than necessary to process privacy requests, the agency alleged. Also, Todd Snyder inappropriately required consumers to verify their identity before they could opt out, said the agency. The company didn’t comment Tuesday.

“Businesses should scrutinize their privacy management solutions to ensure they comply with the law and work as intended, because the buck stops with the businesses that use them,” said Michael Macko, the CPPA’s enforcement head. “Using a consent management platform doesn’t get you off the hook for compliance.”

CPPA Executive Director Tom Kemp said the CPPA decision “should serve as an important reminder that our Enforcement Division is scrutinizing what businesses are doing to honor Californians’ privacy rights.”

Irish Privacy Watchdog Fines TikTok $600 Million for GDPR Breaches

TikTok's transfer of Europeans' personal data to China violated the EU General Data Protection Regulation (GDPR), the Irish Data Protection Commission (DPC) announced Friday. It fined the social media platform $600 million (530 million euros) and ordered it to clean up its act within six months or face suspension of its data transfers to China. TikTok said it will appeal.

The transfers infringed the GDPR because the company failed to verify, guarantee and demonstrate that the personal data of users in the European Economic Area (EEA), remotely accessed by staff in China, was given a level of protection essentially equivalent to that guaranteed by the EU, said DPC Deputy Commissioner Graham Doyle. The company also breached GDPR transparency requirements related to how it informed users of the transfers to China, he said.

Seen through the lens of tariffs, trade and national security, the decision will be a source of uncertainty for organizations beyond TikTok, emailed IAPP Research Director Joe Jones. Regulatory, geopolitical and industry developments are "carving the world up into greenlisted, redlisted and firewalled blocs for data sharing, making international data transfers a renewed priority and a heightened area of complexity for organisations and policymakers."

FTC to Finalize COPPA Rule June 23

The FTC is finalizing its Children’s Online Privacy Protection Rule with changes from the prior administration’s proposal, the agency said in a Federal Register notice scheduled for publication Tuesday.

The final rule is set to take effect June 23, but companies will have a year to come into compliance with most of its provisions. Those with an immediate compliance date include annual reporting for the COPPA Safe Harbor program and disclosures about collecting children’s audio. The commission said it also reserves the right to revoke and issue new Safe Harbor exemptions based on new requirements.

The commission said it’s not finalizing the prior regime’s proposed amendments to the rule related to education technology and the “role of schools at this time.” The FTC wants to avoid conflicts with the Family Educational Rights and Privacy Act, an education records law that the Department of Education enforces.

Senate Confirms Meador to the FTC on 50-46 Vote

The Senate voted 50-46 Thursday to confirm Mark Meador as an FTC commissioner, as expected (see 2503030044).

Chairman Andrew Ferguson now has a 3-0 Republican majority with the addition of Meador. Recently fired Democrats Rebecca Kelly Slaughter and Alvaro Bedoya are suing the Trump administration to be reinstated on the commission (see 2503270056).

Ferguson in his congratulatory statement cited Meador's antitrust background, saying he will be a "great asset" to the Trump administration FTC.

DOJ Confirms April 8 as Effective Date for Data Transfer Rule

DOJ’s data transfer rule is scheduled to go into effect April 8, the department confirmed Wednesday.

A large group of global American companies requested an extension to the deadline, citing potential complications with compliance (see 2503180058).

“As indicated in the federal register, the rule is scheduled to go into effect on April 8, 2025,” the department said in a statement. “We’ll decline to comment further at this time."

District Court Grants Preliminary Injunction Against Calif. Age-Appropriate Design Code

The U.S. District Court for Northern California on Thursday granted NetChoice’s request for a preliminary injunction against California’s Age-Appropriate Design Code Act (CAADCA) aimed at protecting the privacy and safety of children online. California Attorney General Rob Bonta (D) and his office are enjoined from enforcing the act.

“This Court finds that the CAADCA’s coverage definition is content-based,” said Judge Beth Labson Freeman in case 22-cv-08861. “Under well-established precedent, a plaintiff’s showing that a statute is content-based shifts the burden to the State to show that the statute is narrowly tailored to promote a compelling Government interest… The demonstration of a compelling interest is not sufficient to satisfy strict scrutiny, however. The State must show that ‘the recited harms are real, not merely conjectural, and that the regulation will in fact alleviate these harms in a direct and material way,’” which the state does not do.

“Today’s ruling reaffirms -- for the third time in California -- that the government cannot control what lawful speech Americans see, say, or share online,” said Chris Marchese, NetChoice’s director of litigation. “While protecting children online is a goal we all share, California’s Speech Code is a trojan horse for censoring constitutionally protected but politically disfavored speech. This decision puts other states on notice that censorship regimes masquerading as ‘privacy protections’ will not survive judicial review.”

California DOJ Is "reviewing the order and will respond appropriately in court," a spokesperson said.

Honda Promises to Change Privacy Ways Amid CPPA Auto Sweep

Honda must pay $632,500 and change various privacy practices under an agreement with the California Privacy Protection Agency announced Wednesday. The CPPA board decided Friday to approve a settlement resolving the privacy agency's claims that the car manufacturer’s North American subsidiary violated the California Consumer Privacy Act (CCPA).

American Honda takes “our responsibility to protect consumer privacy seriously and are committed to continually striving to ensure that our practices meet the highest standards,” a spokesperson said in an emailed statement. “We have cooperated fully with the CPPA throughout their investigation and have already begun implementing the changes to our processes required by the order. These changes include modifications to our methods for submitting consumer privacy requests, enhancing our cookie management tools, and updating our contract management processes.”

The California agency’s Enforcement Bureau found that American Honda Motor Co. violated the CCPA by (1) requiring Californians to verify themselves and give "excessive personal information" to exercise their privacy rights to opt out and to limit use and disclosure of their sensitive personal information; (2) using an online cookie management tool that failed to offer consumers privacy choices in a symmetrical or equal way; (3) making it hard for consumers to select authorized agents to exercise privacy rights on their behalf; and (4) sharing consumers’ personal information with ad tech companies without producing contracts with necessary privacy terms. The CPPA action came as part of an ongoing sweep of connected car manufacturers' data privacy practices.

Honda also agreed to simplify the process for Californians to assert their privacy rights, the CPPA said. Additionally, Honda must certify its compliance, train its employees and consult a user-experience designer to evaluate its methods for submitting privacy requests; change its contracting process to ensure appropriate mechanisms are in place to protect personal information; and support the Global Privacy Control, a browser-based universal opt-out mechanism.

“We won’t hesitate to use our cease-and-desist authority to change business practices, and we’ll tally fines based on the number of violations," said Michael Macko, head of the CPPA's Enforcement Division. "Today’s resolution reflects Honda’s early cooperation and commitment to make things right.”

CPPA Takes Action Against National Public Data for Registration Failure

National Public Data faces a $46,000 fine from the California Privacy Protection Agency for failing to register as a data broker and pay an annual fee, the CPPA said Thursday. It's the CPPA’s sixth action stemming from an investigative sweep of California Delete Act compliance that it announced Oct. 30.

Last October, the CPPA Enforcement Division filed a claim against the Florida-based data broker in the U.S. Bankruptcy Court for the Southern District of Florida, alleging that the company had to pay an administrative fine for failing to register with the CPPA, the agency said. The company had filed for bankruptcy after confirming that a data breach in April 2024 exposed 2.9 billion records, including names and social security numbers. Since the court dismissed the company’s bankruptcy petition, the Enforcement Division has filed an administrative action against National Public Data to recover the $46,000 fine, the CPPA said.

Under state law, data brokers must pay $200 every day they fail to register with the CPPA. Companies that operated as data brokers in 2023 were required to register on Jan. 31, 2024, but National Public Data registered 230 days late, on Sept. 18, the CPPA alleged.

“We will pursue data brokers who violate the law, plain and simple,” said Michael Macko, CPPA enforcement head. “The Enforcement Division will use all available tools, including litigation, to make sure that data brokers aren’t operating in the dark.”

National Public Data has closed, according to its website.

Unanimous Supreme Court Upholds TikTok Divestment Law

A unanimous U.S. Supreme Court on Friday upheld a law forcing ByteDance to divest TikTok, citing Congress’ “well-supported national security concerns.”

After oral argument Friday, the court in its “expedited" decision said TikTok’s “scale and susceptibility to foreign adversary control, together with the vast swaths of sensitive data the platform collects, justify differential treatment to address the government’s national security concerns.”

Free speech standards are satisfied because the regulation “promotes a substantial government interest that would be achieved less effectively absent the regulation” and it does not “burden substantially more speech than is necessary.”

The court said TikTok offers a “distinctive and expansive outlet for expression, means of engagement, and source of community” for 170 million users in America, but Congress “has determined that divestiture is necessary to address its well-supported national security concerns regarding TikTok’s data collection practices and relationship with a foreign adversary.”

TikTok didn’t immediately comment. ByteDance attorney Noel Francisco argued Friday that Congress could have passed a less restrictive law banning the company from sharing sensitive data with ByteDance or China. The law's divestment deadline goes into effect Sunday.

FTC Issues Long-Awaited COPPA Rule Update

The FTC is finalizing changes to its children’s online privacy regulations “to set new requirements around the collection, use and disclosure of children’s personal information and give parents new tools and protections to help them control what data is provided to third parties about their children,” it said in a Thursday news release.

Under the long-awaited final rule, websites and online service operators covered by the Children’s Online Privacy Protection Act (COPPA) will be required to get opt-in parental consent before disclosing children’s personal information to third-party companies for targeted advertising or other purposes. The rule also sets limits on data retention, and requires FTC-approved COPPA Safe Harbor programs to disclose membership lists and other information. The commission voted 5-0 to finalize the changes.

The FTC declined to adopt proposed requirements that would have limited the use of push notifications to children without parental consent, as well as changes involving requirements for educational technology companies operating in schools.

The changes to the FTC’s COPPA regulations take effect 60 days after publication in the Federal Register. Entities subject to the final rule then will have a year to come into full compliance with most provisions, though compliance is required earlier for provisions involving COPPA Safe Harbor programs. A Federal Register publication date has not yet been scheduled, the FTC said.

“The updated COPPA rule strengthens key protections for kids’ privacy online,” said FTC Chair Lina Khan in the news release. “By requiring parents to opt in to targeted advertising practices, this final rule prohibits platforms and service providers from sharing and monetizing children’s data without active permission. The FTC is using all its tools to keep kids safe online.”