Car data is the new gold rush... Automakers and third-party companies know where we drive, what we buy, eat, our texts.

- Consumer Watchdog, California buyer advocacy non-profit

👋 Welcome back to Snippets—and the first week of August!

With connected vehicles (CV) collecting data on everything from how often you stop at Starbucks to whether you’ve recently gained weight, the California Privacy Protection Agency (CPPA) started the week with a splash—announcing a timely probe into what CVs do with the data they collect and whether it’s in line with California’s privacy laws.

We’re also looking at advocacy groups’ efforts to expand a new HIPAA rule, why European regulators have Worldcoin in their crosshairs, Dior’s failed attempt to cool class action lawsuits under the Biometric Information Privacy Act, and more.


Connected Vehicles

CPPA scrutinizing CV data collection

California’s newly minted privacy regulator, the California Privacy Protection Agency (CPPA), has launched its first case—investigating the data collection practices of connected vehicles (CV).
  • The CPPA will review how CV manufacturers handle the data they collect, which includes precise geolocation, smartphone integrations, camera images, and more.
  • In fact, McKinsey estimates CVs collect as much as 25 gigabytes of data per hour.
  • Vehicle data is sought after by data brokers, insurance companies, and businesses, as it can offer intimate details of someone’s habits, preferences, and home life—especially when combined with other web data.
  • CPPA Executive Director Ashkan Soltani noted that “Modern vehicles are effectively connected computers on wheels,” and that the agency is “making inquiries” into CV manufacturers’ compliance with California’s privacy laws.

TRANSCEND NEWS

Announcing the launch of Apprised on AI

A brand new bi-weekly newsletter, Apprised on AI brings you a skimmable summary of AI regulation in flight in the US and worldwide.

Subscribe now to keep yourself (and your team) ahead of the curve on what’s next in AI legislation. Apprised on AI hits your inbox every other Wednesday, starting Aug 9!

HIPAA

Advocacy groups seek to expand HIPAA rule

Planned Parenthood, Human Rights Campaign, and others are urging the Department of Health and Human Services to expand a proposed HIPAA rule to shield both reproductive health data and information involving gender-affirming care.
  • If accepted, the rule would prevent medical providers and insurance companies from sharing data related to reproductive services, as long as they were obtained in states where those services are legal.
  • The call to expand the rule comes as LGBTQ and reproductive rights face challenges across the country, with 20 states sporting laws that limit gender-affirming care.
  • Casey Pick, Director of Law and Policy at the Trevor Project, noted that if an “individual leaves their state to [...] receive that care, that home state should not be able to drag back health information about what care [they] received…”

CRYPTO

EU regulators eye Worldcoin

European data protection authorities are investigating Worldcoin, OpenAI CEO Sam Altman’s crypto startup, as the company continues its global rollout—offering crypto tokens in exchange for retina scans, in order to verify humanness and assign scanned individuals a World ID.
  • Worldcoin pop-ups have appeared in the UK, France, Germany, and Spain, where there have been “crazy lines” to trade retina scans for digital tokens.
  • EU regulators, including the UK Information Commissioner’s Office (ICO) and France's CNIL, have expressed concerns—beginning investigations into the legality of Worldcoin's data collection practices.
  • Worldcoin relies on user consent to process biometric data, but the exchange is incentivized and the information on how that data will be used is only provided in a 7,000+ word document.
  • With this as the backdrop, commentators are dubious that European regulators will view this consent as “freely given.”

IN OTHER NEWS
  • Parenting influencers flip-flop on protecting their children’s privacy.
  • Facebook looks to boost engagement with friendly AI chatbots.
  • Aug. 25 is the last day to claim cash from the Cambridge Analytica class action.
  • Privacy experts weigh in on Threads’ privacy policy.
  • The congressional fight over crypto privacy continues.

PRIVACY, SO HOT

Judge rejects Dior's bid to slow BIPA lawsuits

As Biometric Information Privacy Act (BIPA) class actions continue to increase, a judge has denied fashion house Dior’s attempt to slow the number of cases brought under the law.
  • Following a dismissed BIPA case against the fashion house, Dior requested that a federal judge order the suit’s plaintiffs to reimburse the company’s legal fees.
  • If accepted, this fee-shifting could have established a legal precedent that may have deterred would-be plaintiffs from bringing BIPA suits.
  • According to Dior, the request was meant to deter legal “abuses” under BIPA and limit the number of bad-faith lawsuits.
  • In her ruling, US District Judge Elaine Bucklo stated, “Exposing plaintiffs bringing BIPA suits in good faith [...] to attorneys’ fees would unduly chill the sole enforcement mechanism for a law [...] clearly intended to protect critical privacy interests.”

OPTING-IN

Meta proposes opt-in ads for EU users

Following five years of litigation and several high-profile fines, Meta agreed to implement opt-in consent for highly targeted ads within EU borders—stating it would need three months to implement these changes.
  • As context, GDPR offers six legal bases for running targeted ads in the EU, and Meta has pursued nearly all in an effort to continue running ads without consent.
  • This July, the door closed on the final legal basis (except consent) when the Court of Justice of the European Union (CJEU) ruled that running targeted ads could not be considered integral to fulfilling Meta’s contract with users.
  • Meta’s proposal doesn't include the UK, drawing a terse statement from the country’s data protection authority.

TRANSCEND NEWS

Transcend's approach to AI governance

As the data governance provider for some of the world’s largest companies, we’ve been fielding a lot of questions about how to put the right safeguards in place to responsibly use generative AI platforms and tools, like:

  • “How can I monitor that my teams aren’t entering confidential information into ChatGPT?”
  • “How will I know if an AI chat feature is sending inappropriate information to an end-user?”
  • “How can I ensure PCI or HIPAA-covered data is not being sent into third-party LLMs?”

Here’s how we’re responding.

Snippets is delivered to your inbox every Thursday morning by Transcend. We're the platform that helps companies put privacy on autopilot by making it easy to encode privacy across an entire tech stack. Learn more.