Calif. Privacy Agency Fines Data Broker $55K for Failing to Register, Pay Annual Fee
The California Privacy Protection Agency (CPPA) fined Washington-based Accurate Append $55,400 for failing to register as a data broker and pay the annual fee required by the state’s Delete Act. The company failed to register by the Jan. 31, 2024 deadline for its 2023 activities, and only registered after the Enforcement Division contacted Accurate Append, the CPPA alleged.
“This settlement shows, once again, the peril faced by data brokers who fail to register,” said CPPA's head of enforcement, Michael Macko, in a release. “We are committed to bringing transparency to the data broker industry, and vigorous enforcement of California's registration requirement is one way to do that.”
The fine is a part of the CPPA’s investigative sweep of data broker registration the agency announced in October 2024. In addition to the monetary penalty, Accurate Append agreed to injunctive terms, including paying the Enforcement Division’s attorney fees and costs that resulted from non-compliance, the CPPA said.
CPPA Board Clears Controversial Rules on Automated Decisions
The California Privacy Protection Agency approved rules on automated decision-making technology and other subjects at a partially virtual meeting Thursday. CPPA Board members voted 5-0 to clear the rulemaking package, which also covers risk assessments, cybersecurity audits, insurance and updates to California Consumer Privacy Act (CCPA) regulations.
Earlier this week, CPPA staff said the agency wouldn't make further changes to draft regulations in the controversial rulemaking (see 2507220043). Thursday’s CPPA Board approval allows staff to submit the rulemaking package to the California Office of Administrative Law, which, in turn, will have 30 business days to decide if the rules may become final.
Chair Jennifer Urban supported the proposed regulations: “They are strong. They are reasonable. They are clear.”
Board member Drew Liebert expects “all sides will still have a lot of unhappiness” with the rules, but the test can't be to make everyone happy, he said. “We were required to do our best and to keep improving these regulations, and we will do so.”
Nebraska AG Sues GM, OnStar for Collecting, Selling Driver Data Without Consent
Nebraska Attorney General Mike Hilgers (R) sued General Motors and its subsidiary OnStar on Tuesday for the alleged unlawful collection, processing and sale of sensitive driving data from state residents without their knowledge or consent. In a press conference Tuesday morning, Hilgers announced the suit, claiming violations of the Nebraska Consumer Protection Act and Uniform Deceptive Trade Practices Act.
Since around 2015, “when you would buy a car from GM, ... they would generally take your data, and they would sell it to third-party companies,” Hilgers said. “Those third-party companies, in turn, would sell it to insurance companies. Those insurance companies would use the data that they received from General Motors … including how fast you were driving, how hard your stops were, where you went, whether you had your seat belt [on], and they used that data to make decisions regarding people's insurance.”
Such data collection and use requires GM and OnStar to notify customers, but “nowhere in any of their disclosures did GM tell people that this is what they were going to do,” Hilgers said.
This lawsuit follows similar complaints filed by other states against GM for its collection and sale of data, starting with Texas in 2024 (see 2501160029). Arkansas filed its suit in February (see 2502260044) and Indiana in March (see 2503270040). In January, the FTC also proposed a nonmonetary settlement with GM and OnStar over allegations that the companies collected and sold consumers’ location data without proper consent (see 2501170068).
Connecticut AG Reveals $85K Privacy Settlement with TicketNetwork
Connecticut Attorney General William Tong (D) announced an $85,000 settlement with online marketplace TicketNetwork on Tuesday, the result of an investigation into potential violations of the Connecticut Data Privacy Act (CTDPA). The AG said over two dozen cure notices were sent to the company in four separate sweeps addressing privacy notice deficiencies, and that TicketNetwork repeatedly said it had fixed the issues when that was not true.
“The Connecticut Data Privacy Act gives consumers powerful baseline rights, including the right to access, correct, and delete personal data stored and collected by businesses, and the right to opt-out of the sale of personal data and targeted advertising,” said Tong in the press release. “Covered businesses must maintain clear privacy notices that describe these rights. This law has now been in effect for two years. There is no excuse for continued non-compliance, and we are prepared to use the full weight of our enforcement authority to protect consumer privacy.”
TicketNetwork must also comply with CTDPA requirements, keep metrics on consumer rights requests received under the Act and provide a report of these metrics to the AG under the settlement agreement. Tong said his office sent its first cure notice to the company in November 2023 regarding issues with its privacy notice, but TicketNetwork didn't fix the problems within the 60-day window to cure.
Healthline to Pay $1.55M Under Largest CCPA Privacy Settlement
Healthline must pay California $1.55 million under the largest proposed settlement yet under the California Consumer Privacy Act, Attorney General Rob Bonta (D) said Tuesday. The settlement, which is pending final court approval, also includes a novel injunctive term prohibiting the company “from sharing article titles that reveal that a consumer may have already been diagnosed with a medical condition,” the AG's office said.
The settlement would resolve allegations that the company’s use of online tracking technology on Healthline.com violated the CCPA, said the AG's office, which submitted a complaint Tuesday to the California Superior Court for San Francisco. A California DOJ investigation found that Healthline failed to let consumers opt out of targeted advertising. Also, the company shared data with third parties without CCPA-mandated privacy protections, including information suggesting individuals had serious health conditions, the AG's office said.
“Our settlement with Healthline underscores that Californians have critical privacy rights under the CCPA to fight online surveillance -- including by website publishers,” said Bonta.
Healthline didn’t immediately respond to a request for comment.
U.S. Supreme Court Allows Texas Law Requiring Age Verification for Porn Sites
In a 6-3 decision, the U.S. Supreme Court on Friday upheld a Texas law requiring age verification for access to porn sites. The ruling sided with Attorney General Ken Paxton (R) in support of the state's HB-1181, which the Free Speech Coalition, an adult industry trade association, challenged in a 2023 lawsuit, saying it violated the First Amendment (see 2409170012).
"Age-verification laws like H. B. 1181 fall within States’ authority to shield children from sexually explicit content," said Justice Clarence Thomas, who wrote the majority opinion. "The First Amendment leaves undisturbed States’ traditional power to prevent minors from accessing speech that is obscene from their perspective. ...
"That power necessarily includes the power to require proof of age before an individual can access such speech," Thomas continued. "It follows that no person -- adult or child -- has a First Amendment right to access speech that is obscene to minors without first submitting proof of age."
Chief Justice John Roberts and Justices Neil Gorsuch, Samuel Alito, Brett Kavanaugh and Amy Coney Barrett joined Thomas in the majority opinion. Justices Elena Kagan, Ketanji Brown Jackson and Sonia Sotomayor dissented, with Kagan writing the dissent.
Google to Pay Texas $1.4 Billion in Privacy Settlement
Texas Attorney General Ken Paxton (R) announced a nearly $1.4 billion settlement with Google in a case about the company's unlawful tracking and collecting of users' personal information, including geolocation and biometric data. Paxton filed the lawsuit against Google in October 2022, alleging violations of the Texas Capture or Use of Biometric Identifier Act (see 2210200075).
“In Texas, Big Tech is not above the law. For years, Google secretly tracked people’s movements, private searches, and even their voiceprints and facial geometry through their products and services. I fought back and won,” said Paxton. “This $1.375 billion settlement is a major win for Texans’ privacy and tells companies that they will pay for abusing our trust.”
This settlement comes less than a year after another $1.4 billion settlement between Texas and Meta, in a case alleging the social media company captured biometric information in violation of state law (see 2407300030).
Calif. Privacy Agency Fines Menswear Retailer $345K for Alleged CCPA Violations
The California Privacy Protection Agency (CPPA) dressed down national menswear retailer Todd Snyder with a $345,178 fine Tuesday for alleged violations of the California Consumer Privacy Act (CCPA).
The privacy agency said Todd Snyder agreed to pay the fine and change its business practices to resolve various allegations, including that it failed to oversee and properly configure technical infrastructure of its privacy portal. That failure led to a 40-day period in which the company failed to process consumer requests to opt out of selling and sharing personal information, the CPPA said.
In addition, the clothing retailer required consumers to submit more information than necessary to process privacy requests, the agency alleged. Also, Todd Snyder inappropriately required consumers to verify their identity before they could opt out, said the agency. The company didn’t comment Tuesday.
“Businesses should scrutinize their privacy management solutions to ensure they comply with the law and work as intended, because the buck stops with the businesses that use them,” said Michael Macko, the CPPA’s enforcement head. “Using a consent management platform doesn’t get you off the hook for compliance.”
CPPA Executive Director Tom Kemp said the CPPA decision “should serve as an important reminder that our Enforcement Division is scrutinizing what businesses are doing to honor Californians’ privacy rights.”
Irish Privacy Watchdog Fines TikTok $600 Million for GDPR Breaches
TikTok's transfer of Europeans' personal data to China violated the EU General Data Protection Regulation (GDPR), the Irish Data Protection Commission (DPC) announced Friday. It fined the social media platform $600 million (530 million euros) and ordered it to clean up its act within six months or face suspension of its data transfers to China. TikTok said it will appeal.
The transfers infringed the GDPR because the company failed to verify, guarantee and demonstrate that the personal data of users in the European Economic Area (EEA), remotely accessed by staff in China, was given a level of protection essentially equivalent to that guaranteed by the EU, said DPC Deputy Commissioner Graham Doyle. The company also breached GDPR transparency requirements related to how it informed users of the transfers to China, he said.
Seen through the lens of tariffs, trade and national security, the decision will be a source of uncertainty for organizations beyond TikTok, emailed IAPP Research Director Joe Jones. Regulatory, geopolitical and industry developments are "carving the world up into greenlisted, redlisted and firewalled blocs for data sharing, making international data transfers a renewed priority and a heightened area of complexity for organisations and policymakers."
FTC to Finalize COPPA Rule June 23
The FTC is finalizing its Children’s Online Privacy Protection Rule with changes from the prior administration’s proposal, the agency said in a Federal Register notice scheduled for publication Tuesday.
The final rule is set to take effect June 23, but companies will have a year to come into compliance with most of its provisions. Those with an immediate compliance date include annual reporting for the COPPA Safe Harbor program and disclosures about collecting children’s audio. The commission said it also reserves the right to revoke and issue new Safe Harbor exemptions based on new requirements.
The commission said it’s not finalizing the prior regime’s proposed amendments to the rule related to education technology and the “role of schools at this time.” The FTC wants to avoid conflicts with the Family Educational Rights and Privacy Act, an education records law that the Department of Education enforces.
Senate Confirms Meador to the FTC on 50-46 Vote
The Senate voted 50-46 Thursday to confirm Mark Meador as an FTC commissioner, as expected (see 2503030044).
Chairman Andrew Ferguson now has a 3-0 Republican majority with the addition of Meador. Recently fired Democrats Rebecca Kelly Slaughter and Alvaro Bedoya are suing the Trump administration to be reinstated on the commission (see 2503270056).
Ferguson in his congratulatory statement cited Meador's antitrust background, saying he will be a "great asset" to the Trump administration FTC.
DOJ Confirms April 8 as Effective Date for Data Transfer Rule
DOJ’s data transfer rule is scheduled to go into effect April 8, the department confirmed Wednesday.
A large group of global American companies requested an extension to the deadline, citing potential complications with compliance (see 2503180058).
“As indicated in the federal register, the rule is scheduled to go into effect on April 8, 2025,” the department said in a statement. “We’ll decline to comment further at this time.”
District Court Grants Preliminary Injunction Against Calif. Age-Appropriate Design Code
The U.S. District Court for Northern California on Thursday granted NetChoice’s request for a preliminary injunction against California’s Age-Appropriate Design Code Act (CAADCA) aimed at protecting the privacy and safety of children online. California Attorney General Rob Bonta (D) and his office are enjoined from enforcing the act.
“This Court finds that the CAADCA’s coverage definition is content-based,” said Judge Beth Labson Freeman in case 22-cv-08861. “Under well-established precedent, a plaintiff’s showing that a statute is content-based shifts the burden to the State to show that the statute is narrowly tailored to promote a compelling Government interest… The demonstration of a compelling interest is not sufficient to satisfy strict scrutiny, however. The State must show that ‘the recited harms are real, not merely conjectural, and that the regulation will in fact alleviate these harms in a direct and material way,’” which the state does not do.
“Today’s ruling reaffirms -- for the third time in California -- that the government cannot control what lawful speech Americans see, say, or share online,” said Chris Marchese, NetChoice’s director of litigation. “While protecting children online is a goal we all share, California’s Speech Code is a trojan horse for censoring constitutionally protected but politically disfavored speech. This decision puts other states on notice that censorship regimes masquerading as ‘privacy protections’ will not survive judicial review.”
California DOJ is "reviewing the order and will respond appropriately in court," a spokesperson said.
Honda Promises to Change Privacy Ways Amid CPPA Auto Sweep
Honda must pay $632,500 and change various privacy practices under an agreement with the California Privacy Protection Agency announced Wednesday. The CPPA board decided Friday to approve a settlement resolving the privacy agency's claims that the car manufacturer’s North American subsidiary violated the California Consumer Privacy Act (CCPA).
American Honda takes “our responsibility to protect consumer privacy seriously and are committed to continually striving to ensure that our practices meet the highest standards,” a spokesperson said in an emailed statement. “We have cooperated fully with the CPPA throughout their investigation and have already begun implementing the changes to our processes required by the order. These changes include modifications to our methods for submitting consumer privacy requests, enhancing our cookie management tools, and updating our contract management processes.”
The California agency’s Enforcement Bureau found that American Honda Motor Co. violated the CCPA by (1) requiring Californians to verify themselves and give "excessive personal information" to exercise their privacy rights to opt out and to limit use and disclosure of their sensitive personal information; (2) using an online cookie management tool that failed to offer consumers privacy choices in a symmetrical or equal way; (3) making it hard for consumers to select authorized agents to exercise privacy rights on their behalf; and (4) sharing consumers’ personal information with ad tech companies without producing contracts with necessary privacy terms. The CPPA action came as part of an ongoing sweep of connected car manufacturers' data privacy practices.
Honda also agreed to simplify the process for Californians to assert their privacy rights, the CPPA said. Additionally, Honda must certify its compliance, train its employees and consult a user-experience designer to evaluate its methods for submitting privacy requests; change its contracting process to ensure appropriate mechanisms are in place to protect personal information; and support the Global Privacy Control, a browser-based universal opt-out mechanism.
“We won’t hesitate to use our cease-and-desist authority to change business practices, and we’ll tally fines based on the number of violations,” said Michael Macko, head of the CPPA's Enforcement Division. “Today’s resolution reflects Honda’s early cooperation and commitment to make things right.”
CPPA Takes Action Against National Public Data for Registration Failure
National Public Data faces a $46,000 fine from the California Privacy Protection Agency for failing to register as a data broker and pay an annual fee, the CPPA said Thursday. It's the CPPA’s sixth action stemming from an investigative sweep of California Delete Act compliance that it announced Oct. 30.
Last October, the CPPA Enforcement Division filed a claim against the Florida-based data broker in the U.S. Bankruptcy Court for the Southern District of Florida, alleging that the company had to pay an administrative fine for failing to register with the CPPA, the agency said. The company had filed for bankruptcy after confirming that a data breach in April 2024 exposed 2.9 billion records, including names and social security numbers. Since the court dismissed the company’s bankruptcy petition, the Enforcement Division has filed an administrative action against National Public Data to recover the $46,000 fine, the CPPA said.
Under state law, data brokers must pay $200 every day they fail to register with the CPPA. Companies that operated as data brokers in 2023 were required to register on Jan. 31, 2024, but National Public Data registered 230 days late, on Sept. 18, the CPPA alleged.
“We will pursue data brokers who violate the law, plain and simple,” said Michael Macko, CPPA enforcement head. “The Enforcement Division will use all available tools, including litigation, to make sure that data brokers aren’t operating in the dark.”
National Public Data has closed, according to its website.
Unanimous Supreme Court Upholds TikTok Divestment Law
A unanimous U.S. Supreme Court on Friday upheld a law forcing ByteDance to divest TikTok, citing Congress’ “well-supported national security concerns.”
After oral argument Friday, the court in its “expedited” decision said TikTok’s “scale and susceptibility to foreign adversary control, together with the vast swaths of sensitive data the platform collects, justify differential treatment to address the government’s national security concerns.”
Free speech standards are satisfied because the regulation “promotes a substantial government interest that would be achieved less effectively absent the regulation” and it does not “burden substantially more speech than is necessary.”
The court said TikTok offers a “distinctive and expansive outlet for expression, means of engagement, and source of community” for 170 million users in America, but Congress “has determined that divestiture is necessary to address its well-supported national security concerns regarding TikTok’s data collection practices and relationship with a foreign adversary.”
TikTok didn’t immediately comment. ByteDance attorney Noel Francisco argued Friday that Congress could have passed a less restrictive law banning the company from sharing sensitive data with ByteDance or China. The law's divestment deadline goes into effect Sunday.
FTC Issues Long-Awaited COPPA Rule Update
The FTC is finalizing changes to its children’s online privacy regulations “to set new requirements around the collection, use and disclosure of children’s personal information and give parents new tools and protections to help them control what data is provided to third parties about their children,” it said in a Thursday news release.
Under the long-awaited final rule, websites and online service operators covered by the Children’s Online Privacy Protection Act (COPPA) will be required to get opt-in parental consent before disclosing children’s personal information to third-party companies for targeted advertising or other purposes. The rule also sets limits on data retention, and requires FTC-approved COPPA Safe Harbor programs to disclose membership lists and other information. The commission voted 5-0 to finalize the changes.
The FTC declined to adopt proposed requirements that would have limited the use of push notifications to children without parental consent, as well as changes involving requirements for educational technology companies operating in schools.
The changes to the FTC’s COPPA regulations take effect 60 days after publication in the Federal Register. Entities subject to the final rule then will have a year to come into full compliance with most provisions, though compliance is required earlier for provisions involving COPPA Safe Harbor programs. A Federal Register publication date has not yet been scheduled, the FTC said.
“The updated COPPA rule strengthens key protections for kids’ privacy online,” said FTC Chair Lina Khan in the news release. “By requiring parents to opt in to targeted advertising practices, this final rule prohibits platforms and service providers from sharing and monetizing children’s data without active permission. The FTC is using all its tools to keep kids safe online.”