Data collection and sharing without consent: a summary of recent lawsuits, fines and cases
Regulatory bodies and privacy watchdogs are enforcing user privacy rights by investigating and imposing fines on companies that violate existing privacy regulations. Under the GDPR, for instance, express consent is required for the processing of individuals' data. Article 7.1 of the GDPR states, "Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data."
In the United States, the CCPA mandates that individuals must be informed of the collection of their data prior to its collection. Section 7012 outlines the Notice at Collection of Personal Information.
"The purpose of the Notice at Collection is to provide consumers with timely notice, at or before the point of collection, about the categories of personal information to be collected from them, the purposes for which the personal information is collected or used, and whether that information is sold or shared, so that consumers have a tool to exercise meaningful control over the business's use of their personal information. For example, upon receiving the Notice at Collection, the consumer can use the information in the notice as a tool to choose whether to engage with the business, or to direct the business not to sell or share their personal information and to limit the use and disclosure of their sensitive personal information."
Section 7002 of the CCPA outlines the restrictions on the collection and use of personal data. One major area that regulatory bodies are focusing on is companies collecting and/or sharing the personal data of individuals without their knowledge and consent. This typically happens through tracking technologies such as cookies or pixels.
Below is a summary of fines, settlements, and cases of collection and sharing of personal data without consent that stood out and can serve as a reference.
1. Criteo | CNIL | June 2023
Criteo was fined €40 million by CNIL for failing to obtain proof of consent for the processing of individuals' data.
Summary: Following complaints filed by Privacy International and None Of Your Business (NOYB), CNIL launched an investigation into Criteo, an advertising company specializing in 'behavioural retargeting', i.e. showing internet users advertisements based on their online behaviour or browsing. To do this, the Criteo tracker (cookie) is placed on users' devices whenever they visit the website of any of Criteo's partner companies. It was found that the company's partners, those using the Criteo cookie to track users' behaviour, had failed to obtain the users' consent.
Even though obtaining consent is the responsibility of Criteo's partners, Criteo is not exempt from its own responsibility to verify and demonstrate that consent was obtained. It was also found that data subject requests to withdraw consent and delete data were not honored.
Outcome: The CNIL found the following GDPR infringements by Criteo:
Failure to demonstrate that the data subject gave their consent (Article 7.1)
Failure to comply with the obligations of information and transparency (Articles 12 & 13)
Failure to respect the right of access (Article 15.1)
Failure to comply with the right to withdraw consent and the right to erasure (Articles 7.3 & 17.1)
Failure to provide for an agreement between joint controllers (Article 26)
As a result, a €40 million fine was imposed.
Key Takeaways: Every party involved in the collection of data is responsible for obtaining user consent, whether it is the party whose website sets the cookie or the party that owns the tracker and collects the user's data.
Link to full resource: Personalised advertising: CRITEO fined EUR 40 million | CNIL
2. OpenAI | California Federal Court | June 2023
OpenAI faces a lawsuit alleging that it violated the copyrights and privacy of users by scraping the internet to train its generative AI systems.
Summary: A California-based law firm filed a class action lawsuit in federal court in the Northern District of California against OpenAI for allegedly violating the copyrights and privacy of millions of people online by using social media comments, blog posts, articles and similar material to train its systems. Separately, two California-based authors have also sued OpenAI, claiming that the company misused their works for training by mining data copied from thousands of books and thereby infringing the authors' copyrights.
The same law firm has filed a similar lawsuit against Google under similar claims.
Outcome: The outcome of the lawsuit is pending and will be updated here accordingly.
Link to further resource: ChatGPT maker OpenAI faces class action lawsuit over data to train AI - The Washington Post
3. BetterHelp | Federal Trade Commission | March 2023
For sharing sensitive mental health data with third parties for targeted advertising purposes, BetterHelp has been fined $7.8 million by the FTC.
Summary: Online mental health services company BetterHelp, based in California, has been fined by the FTC for sharing the sensitive mental health data of its clients with third parties such as Facebook, Snapchat, Criteo and Pinterest. Clients were made to fill out a questionnaire covering personal information such as their mental health history, experiences of depressive episodes, suicidal thoughts and medications, along with their name, email address and similar details. Third parties like Facebook were instructed to use this data to identify similar individuals and advertise BetterHelp's counseling services to them. The sensitive data was collected without the consent of clients, who were also shown misrepresentations about the company's privacy practices.
Outcome: The proposed order by the FTC required BetterHelp to:
Obtain user consent prior to sharing personal information with third parties for any purpose.
Implement a privacy program that protects consumer data.
Have the third parties delete the personal data shared with them.
Implement and follow a retention schedule.
In addition to these requirements, BetterHelp has been fined $7.8 million, which will be used to provide partial refunds to users who signed up for the company's services between 1 August 2017 and 31 December 2020.
Key Takeaways: Express consent must be obtained before sensitive data is shared with third parties. Privacy practices cannot be misrepresented to users. Limits should be placed on how third parties may use the data.
4. GoodRx | Federal Trade Commission | February 2023
GoodRx is to pay a $1.5 million fine for sharing sensitive health information with companies like Facebook and Google and failing to disclose this to consumers.
Summary: The California-based digital health platform GoodRx provides healthcare services and helps consumers find deals on prescription medication. The FTC found that GoodRx violated the FTC Act by:
Sharing personal health information with Facebook, Google and others
Using personal health information for targeted advertising purposes
Failing to limit third-party use of personal health information
Misrepresenting its HIPAA compliance
Failing to implement policies to protect sensitive personal health information
Outcome: In addition to the $1.5 million penalty imposed on GoodRx, the FTC ordered that GoodRx:
Cease sharing health data for advertising purposes
Obtain affirmative consent before sharing health data
Direct third parties to delete the health data that was shared
Follow a data retention schedule
Set up a privacy program
Key takeaways: Companies should refrain from sharing sensitive information, such as health data, with third parties. Consent should be obtained before sharing other categories of data.
5. Home Depot | Office of the Privacy Commissioner of Canada | January 2023
The Canadian DPA found that the retailer Home Depot had shared personal data with Meta without consumers' consent.
Summary: The issue came to light when a consumer, while deleting his Facebook account, found that Meta had a record of his in-store purchases from Home Depot. He had initially approached Home Depot, which told him it had not shared his data with Meta, before approaching the federal watchdog. The data shared with Meta included email addresses and in-store purchase details, and was used to analyze advertisement effectiveness, for user profiling and for general advertising purposes.
Outcome: Home Depot stated that it was concerned about 'consent fatigue' and that its privacy statement, which notes that it uses de-identified information, is accessible throughout its website. The DPA nonetheless found these measures insufficient, as they could not yield meaningful consent.
Home Depot agreed to stop disclosing personal information to Meta and to employ more meaningful consent practices.
Key Takeaways: Even trivial data collected from different sources can be pooled to create a comprehensive data set that may count as personally identifiable data. Measures should be put in place to obtain informed consent from users before processing or sharing their information. As federal privacy commissioner Philippe Dufresne put it, 'Consent fatigue is not a valid reason for failing to obtain meaningful consent.'
6. Google LLC | Spanish DPA | May 2022
Following an investigation, the Spanish DPA, the AEPD, imposed a fine of €10 million on Google for violating the GDPR by transferring data to a third party without a legitimate basis and hindering consumers' right to erasure.
Summary: Google forwarded content removal requests from its various platforms, such as Google Search and YouTube, to a third party, the Lumen Project. The forwarded data included the requester's identification, email address, stated reasons and the URL concerned. Further, the forms used to submit content removal requests offered no option to exercise the right to erase personal data or to oppose its transfer.
The company was fined and ordered to comply with the privacy regulations and to delete the personal data as requested by the users.
Key Takeaways: Data transfers to third parties cannot occur without a legitimate basis and proper informed consent. Users must be given adequate means to oppose the transfer of their personal data to a third party and to exercise their right to erasure against third-party databases.
7. Chick-fil-A | January 2023
Chick-fil-A faces a privacy lawsuit in the U.S. for tracking and storing data through Meta Pixel.
Summary: The website on which Chick-fil-A publishes its annual Christmas video embeds a Meta Pixel. This tracker sends data about the website visitor to Meta, including unique ID numbers that can be used to identify users.
Chick-fil-A allegedly violated the Video Privacy Protection Act (VPPA) by sharing viewership data without consent. The law states that 'video tape service providers' cannot disclose personally identifiable information about the videos viewers watched without informed consent.
Outcome: While the proceedings in this case are ongoing, much will depend on how the courts define 'personally identifiable information.'
Key Takeaways: Companies should refrain from sharing personally identifiable information with third parties. Consent should be obtained before sharing other categories of data.
Link to further resource: Chick-Fil-A Hit With Privacy Lawsuit Over Video Data Collection
8. ITMedia Solutions LLC | Federal Trade Commission | January 2022
ITMedia Solutions settled with the FTC for $1.5 million for misusing and sharing consumer financial data.
Summary: The California-based lead-generation company, which operates hundreds of personal loan and payday loan websites, was found to have violated the Fair Credit Reporting Act and Section 5 of the FTC Act. While claiming to connect consumers with lenders as they completed online loan applications, it collected and sold consumers' personal information without informed consent; the information shared included Social Security numbers and bank account details.
Outcome: As part of the settlement, the company:
Is prohibited from making misleading statements to consumers, especially regarding how their personal information will be used.
Is prohibited from selling personal information other than under specific circumstances.
Is required to screen recipients of the personal information it shares.
Key takeaways: Companies are required to be forthcoming and transparent about their practices. Misleading or deceptive statements about privacy practices are prohibited and constitute a breach of privacy regulations.
Link to full resource: Lead Generator that Deceptively Solicited Loan Applications from Millions of Consumers and Indiscriminately Shared Sensitive Info Agrees to Pay $1.5 Million FTC Penalty | Federal Trade Commission
9. VIZIO Inc. | FTC | February 2017
VIZIO agreed to pay $2.2 million to settle the charges made by the FTC and the Office of the New Jersey Attorney General for collecting and sharing data without consent.
Summary: Smart TVs manufactured by VIZIO captured second-by-second viewing information from users (data about the video being displayed). Further, VIZIO attached demographic information to the viewing data, such as age, sex and household size. This information was sold to third parties and used for various purposes, including targeted advertising. All of this occurred without the knowledge or consent of users.
In addition to violating the FTC Act, this unfair and deceptive data tracking violated the New Jersey consumer protection laws.
Outcome: The $2.2 million fine was divided into two parts: $1.5 million to the FTC and $1 million to the New Jersey Division of Consumer Affairs, of which $300,000 was suspended.
Key Takeaways: Unfair and deceptive methods of collecting and sharing users' personal data should be avoided. All data collecting and sharing processes should be disclosed to users, and consent should be obtained.
Link to full resource: VIZIO to Pay $2.2 Million to FTC, State of New Jersey to Settle Charges It Collected Viewing Histories on 11 Million Smart Televisions without Users' Consent | Federal Trade Commission
10. Grindr | Norwegian DPA | January 2021
For sharing personal information such as sexual orientation, mental health details, and location data, Grindr was fined 100 million kroner, or about $11.7 million, by the Norwegian Data Protection Authority.
Outcome: The NDPA found Grindr's practices unacceptable and imposed a 100 million kroner fine on the company. Grindr agreed to engage with the NDPA to improve its privacy practices.
Key takeaways: Companies should refrain from sharing sensitive information with third parties, communicate clearly and transparently with users about how their data is processed and shared, and obtain affirmative consent.
Link to further resource: Norwegian DPA: Intention to issue € 10 million fine to Grindr LLC | European Data Protection Board
11. Twitter | FTC | May 2022
Twitter was fined a penalty of $150 million by the FTC for deceiving consumers into providing personal information, which was then used to serve targeted advertisements.
Summary: The Federal Trade Commission found that from 2013 up to 2019, Twitter convinced users to provide personal information such as phone numbers and email addresses under the pretense of collecting it for security purposes such as MFA and account recovery. In addition to the claim of collecting data to 'Safeguard your account', Twitter used this data to serve users targeted advertisements.
Outcome: In addition to the penalty, Twitter was ordered:
Not to use phone numbers and email addresses to serve ads
To inform customers about its practices and allow them to turn off personalized ads
To provide MFA options that do not require a phone number
To enhance its privacy program and strengthen its security program
Key Takeaways: Misleading practices for collecting and using personal data should be avoided. Data collected for one purpose cannot be used for another, especially without proper informed consent.
12. Video Privacy Protection Act (VPPA) Violations | 2022
The use of Meta's Pixel tracking tool has led to nearly 50 class action lawsuits being filed against nearly 50 companies.
Summary: As in the Chick-fil-A case, Meta Pixels collected data about visitors who watched videos on websites containing the pixel and shared it with Facebook. The data collected and shared included the name of the video, the URL, the visitor's name and their email address, all without the visitor's knowledge and consent. The companies sued were mostly news agencies, streaming platforms and sports entities, including the Boston Globe, the NFL, the NBA, HBO, Hulu, ESPN, Warner Bros, Paramount Global, AMC Networks and Scripps Network, to name a few.
Outcomes: The outcomes of these lawsuits have varied. Boston Globe Media Partners reached a $5 million settlement covering individuals who had a Facebook account and a digital or home delivery subscription to the Boston Globe at any time between February 5, 2020 and May 25, 2023. Those included in the settlement will receive a pro-rata share of the settlement fund.
On the other hand, some of the lawsuits have been dismissed. In the Warner Bros case, a district judge found that subscribers to the Warner Bros newsletter are not 'subscribers' under the Act, as they did not purchase any goods or services.
A court in the Southern District of California found that 'consumers' are only those who rent, purchase, or subscribe to products from the video service provider, and VPPA only defends 'consumers.'
In the U.S. District Court for the Middle District of Tennessee, the lawsuit against Paramount Global was dismissed. In this case, the plaintiff viewed videos and other content on a sports website owned by Paramount Global. The plaintiff also subscribed to a free newsletter from this website. The court found that subscribing to a newsletter would not make the plaintiff a consumer as the newsletter is not "audio-visual content."
Key Takeaways: Even though the outcomes of these lawsuits have varied, steps can be taken to reduce the risk of such lawsuits:
Avoid using pixels that collect and share personal information with third parties.
Avoid collecting and sharing personal data with third parties without consent; where videos are embedded alongside pixels and other tracking technologies, obtain separate consent.
Privacy policies should describe the various ways in which data is collected and shared, especially where data is collected and shared through pixels and tracking technologies.
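As an added example (not code from the original article or from any of the companies named), the JavaScript below sketches how a site can gate a tracking pixel behind separate, purpose-specific consent and strip direct identifiers before anything reaches the vendor's tag. The `sink` callback standing in for the vendor's tag call, the purpose names and the identifier list are assumptions of this example.

```javascript
// Consent gate between a site's own event calls and a third-party tag (e.g. a
// pixel). Events fired without consent for their purpose are dropped, not
// queued, and direct identifiers are removed before forwarding. `sink` is an
// assumed stand-in for the vendor's tag call; in practice the tag script itself
// would only be loaded once the relevant consent exists.

// Assumed list of keys treated as direct identifiers.
const DIRECT_IDENTIFIERS = new Set(['name', 'email', 'phone', 'userId']);

function scrubIdentifiers(payload) {
  const out = {};
  for (const [key, value] of Object.entries(payload)) {
    if (!DIRECT_IDENTIFIERS.has(key)) out[key] = value;
  }
  return out;
}

function createConsentGate(sink) {
  const consented = new Set(); // purposes the visitor has agreed to
  let dropped = 0;
  return {
    grant(purpose) { consented.add(purpose); },
    withdraw(purpose) { consented.delete(purpose); },
    hasConsent(purpose) { return consented.has(purpose); },
    // Forward an event only if consent for its specific purpose exists.
    track(purpose, eventName, payload) {
      if (!consented.has(purpose)) { dropped += 1; return false; }
      sink(eventName, scrubIdentifiers(payload));
      return true;
    },
    droppedCount() { return dropped; },
  };
}

// Constructed walk-through: the video-view case from the VPPA suits above.
function demo() {
  const received = [];
  const gate = createConsentGate((name, payload) => received.push({ name, payload }));
  const view = { title: 'Holiday video', url: '/video/1', email: 'visitor@example.com' };
  gate.track('video_analytics', 'VideoView', view);   // no consent yet: dropped
  gate.grant('analytics');                             // general analytics only
  gate.track('video_analytics', 'VideoView', view);   // wrong purpose: dropped
  gate.grant('video_analytics');                       // separate video consent
  gate.track('video_analytics', 'VideoView', view);   // forwarded without email
  gate.withdraw('video_analytics');
  gate.track('video_analytics', 'VideoView', view);   // withdrawn: dropped
  return { received, dropped: gate.droppedCount() };
}

console.log(JSON.stringify(demo(), null, 2));
```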