ClickZ Data and Data Privacy Round-up Analysis: June Edition - ClickZ

#1. Clarkson Law Firm filed a class-action lawsuit against OpenAI for allegedly using “stolen” personal data to train ChatGPT and Dall-E

The complaint filed in the Northern District of California court accuses OpenAI of scraping 300 billion words from the internet, including personally identifiable information from social media platforms like Twitter and Reddit. The lawsuit aims to establish legal boundaries for AI algorithm training and seek compensation for individuals whose data was used without consent. The legal challenges come as the AI industry faces increased scrutiny and the potential for regulation. (Source)

  • 🚫 Italy had previously banned ChatGPT due to concerns about inadequate user data protection, especially for minors, based on Europe’s General Data Protection Regulation (GDPR).
  • 💰 OpenAI has profited from the data it collected without compensating the source, through investments from Microsoft and ChatGPT Plus subscriptions.

Actionable advice

Senior marketers and brands should closely monitor the progress of the Clarkson firm class-action lawsuit against OpenAI, as it has the potential to establish significant legal boundaries for AI algorithm training. Doing so can help them proactively plan and adjust strategies. Regularly review and enhance data collection practices and data protection policies in collaboration with your IT and data compliance teams. Decision-makers can ensure that user data is handled with consent and that robust security measures are in place. While evaluating partnerships and investments in AI companies, carefully consider the associated risks and controversies surrounding their data practices. This in turn will enable them to adapt strategies in response to evolving privacy regulations and public concerns about data usage and help foster ethical and responsible data safeguarding practices.

#2. The UK and U.S. pledge to establish a ‘Data Bridge’ to uphold privacy standards and save costs caused by contract clauses for data protection

The data bridge would facilitate smoother data transfers, streamline operations, reduce costs, and expand opportunities for British businesses to operate and trade internationally. The announcement comes with a commitment to establish a data bridge, allowing the free flow of data between organizations in both countries. This represents a significant milestone in their efforts to establish a reliable mechanism for U.S.-UK data flows, promoting responsible innovation, protecting data subjects’ rights, and benefiting individuals and businesses in both nations. (Source)

  • 💻 The UK exported over £79 billion of data-enabled services to the US in 2021, accounting for 30% of the UK’s total data-enabled services exports.
  • 🔐 The UK Extension to the Data Privacy Framework would establish the data bridge, allowing approved US companies to receive UK personal data under the new framework.
  • 🌍 International data transfers play a crucial role in modern business transactions, and the United States is a prominent trading partner for the UK in terms of data-enabled exports.
  • 📊 The data bridge’s establishment will contribute to trans-Atlantic research and innovation by providing certainty for organizations collaborating and sharing data with partners across the Atlantic, fostering scientific advancements and borderless innovation.

Actionable advice

Stay updated on the progress of the UK-US data bridge, which simplifies data transfers between the UK and the US under the EU-US Data Privacy Framework (DPF). Understanding the bridge’s scope and requirements will enable your organization to streamline data transfer processes, reduce legal and regulatory burdens, and ensure compliance. Familiarize yourself with available data transfer mechanisms such as the International Data Transfer Agreement, UK Addendum to EU SCCs, and Binding Corporate Rules for informed decision-making. Conduct Transfer Risk Assessments to evaluate data protection in the destination country and proactively adapt to changes in data protection laws, safeguarding customer data privacy effectively.

#3. EU reaches agreement to empower users with increased control over their data

The Data Act has four goals: ensuring fair distribution of data value, stimulating competition in the data market, fostering data-driven innovation, and enhancing data accessibility. It will introduce provisions for switching data processing service providers, safeguarding against unlawful data transfers, and developing interoperability standards. The legislation also grants individuals and businesses greater control over their data through reinforced portability rights. Safeguards against unlawful data transfer by cloud service providers are included in the Data Act, along with measures to facilitate switching data processing service providers. (Source)

  • 🌍 Brussels has set global standards for personal data protection and privacy, aiming to tackle technology companies effectively.
  • 📆 Negotiators from the European Council and the European Parliament reached an agreement on the Data Act, first proposed in February 2022.
  • 💡 The EU wants to ensure that European citizens regain control of their data from companies due to the increasing use of internet-connected products.
  • 🔁 The law aims to make data sharing easier between customers, companies, and other firms, enabling users to gain access to their data.

Actionable advice

Prioritize user data control, aligning practices with the Data Act to build trust and ensure compliance. Leverage data-sharing opportunities to enhance customer experiences, personalize marketing strategies, and forge innovative partnerships. By exploring the economic and societal potential of data, marketers can tap into new business models and emerging market opportunities. Additionally, staying ahead of forthcoming AI regulations allows senior marketers and brands to proactively align AI strategies with evolving legal requirements, foster collaborations, and leverage data-driven opportunities while addressing industry concerns and consumer expectations. Stay tuned to this column for updates on the Data Act’s implications to help inform decisions.

#4. Microsoft settles Xbox account illegal data collection case over Children’s Online Privacy Protection Act violations, agrees to pay $20 million civil penalty

Microsoft has reached a settlement with US federal regulators in response to allegations of illegal data collection on children with Xbox accounts. The company was found to have violated the Children’s Online Privacy Protection Act by failing to obtain proper parental consent and retaining personal data for longer than necessary. Microsoft retained Xbox account data from 2015 to 2020, even when parents did not complete the setup process, sometimes for several years. (Source)

  • 🎮 Xbox users are required to create an account to access certain services, and information such as full name, email address, and date of birth is collected during setup.
  • 👪 The company failed to inform parents about the data it was collecting, including the user’s profile picture and the distribution of data to third parties.
  • 🔒 Microsoft committed to implementing new safety protections for children and deleting all personal data after two weeks if no parental consent is obtained.

Actionable advice

Senior marketers and brands should prioritize COPPA compliance by reviewing their data collection practices and safeguarding children’s privacy. Enhance privacy protections, inspired by Microsoft’s measures for the Xbox system, on your own platforms catering to children. Transparent disclosures and proper parental consent are crucial, and brands must ensure clear and comprehensive communication with parents about data collection. Additionally, marketers should handle user data, especially children’s data, with caution, ensuring compliance and obtaining appropriate consent before sharing it with third parties. Consider additional privacy measures like data deletion systems, notifying parents, and obtaining retroactive consent. Also look into building an effective communication cadence with third-party partners to fortify adherence to children’s privacy laws, enhance privacy protections, and maintain the trust of parents and young users.

#5. Apple unveils latest privacy and security enhancements at its annual Worldwide Developers Conference 2023

The updates include enhancements to Safari’s private browsing, communication safety features for children, live voicemail with transcriptions, improved lockdown mode, and app privacy improvements among other things. (Source)

  • 🛡️ Major Updates to Safari Private Browsing: Safari now provides even greater protection against trackers and fingerprinting techniques, and it automatically locks when not in use, allowing users to keep tabs open.
  • 📸 Photos Privacy Permission Improvements: Users can now share specific photos with apps while keeping the rest of their library private. They receive more information about what they’re sharing and occasional reminders of their choice.
  • 🧲 Link Tracking Protection in Messages, Mail, and Safari Private Browsing: Apple removes extra tracking information from links shared in Messages, Mail, and Safari Private Browsing, without affecting their functionality.
  • 📱 App Privacy Improvements: Developers now have more information about third-party software development kits (SDKs) they use, enabling them to provide accurate Privacy Nutrition Labels and adding another layer of protection against abuse.
  • 👨‍👩‍👧‍👦 Communication Safety: This feature now covers video content in addition to still images, warning children about receiving or sending photos or videos containing nudity. It can be integrated into third-party apps and offers safety measures for AirDrop, FaceTime, and more.
  • 🚫 Sensitive Content Warning: Adult users can avoid unwanted explicit images and videos in Messages, AirDrop, FaceTime, and the Phone app. The same privacy-preserving technology is used for this feature.

Actionable advice

The insights on Apple’s new privacy and security features from its Worldwide Developers Conference offer valuable opportunities for senior marketers and brands. By prioritizing user privacy, child safety, responsible content delivery, enhanced user experiences, app privacy transparency, and alignment with industry standards, senior marketers and brands can build trust and differentiate themselves. By capitalizing on these advancements, marketers can address user concerns, target family-oriented audiences, deliver content responsibly, enhance user experience, build trust, and demonstrate a proactive approach to user privacy.

#6. Spotify faces a €5 million fine in Sweden for GDPR data access breach

The fine comes more than four years after a complaint was filed by a privacy rights group, alleging that Spotify failed to provide adequate information in response to a subject access request (SAR) under the General Data Protection Regulation (GDPR). The Swedish Authority for Privacy Protection (IMY) claims that Spotify did not clearly inform customers about how their data is used. (Source)

  • 📝 Lack of data practice disclosures: The IMY asserts that Spotify failed to provide clear information to customers regarding how their data is used by the company.
  • 📢 Spotify’s defense and appeal: Spotify defended its actions and stated its intention to file an appeal against the fine. The company claims to offer comprehensive information about data processing to its users.
  • 🗂️ Layered personal data: Swedish officials acknowledged that Spotify segregates personal data into layers, making it easier for customers to access the information they are most likely to seek. However, shortcomings were found in the clarity of the information provided by Spotify.
  • 🌐 Language requirement: Swedish privacy regulators emphasized that technical personal data should be explained in the individual’s native language, which Spotify was found lacking in.
  • 📰 Investigation details: The investigation into Spotify’s data practices began in 2019 following three user complaints from 2018. Swedish officials considered the shortcomings to be of a low level of seriousness.

Actionable advice

Senior marketers and brands should take note of Spotify’s data practice case to enhance their data privacy strategies. By ensuring clear information disclosure to customers about data usage and compliance with regulations like GDPR, they can build trust and meet regulatory expectations. Examining Spotify’s defense and appeal provides insights to improve data privacy practices, while implementing data segregation techniques enhances transparency and accessibility. Learning from investigations, marketers can assess their own practices and identify areas for improvement or compliance, ultimately enhancing data privacy strategies and maintaining customer trust.

#7. BBC, British Airways, Boots, and Aer Lingus, impacted by mass hacking including potential data theft

Several prominent organizations, including the BBC, British Airways, Boots, and Aer Lingus, have fallen victim to a mass hack that potentially resulted in the theft of personal data, including national insurance numbers and bank details. Additionally, Zellis, a UK-based payroll services provider, revealed that data from eight of its client firms was also compromised. The attack was carried out using MOVEit Transfer, software designed to securely handle sensitive files. (Source)

  • 🔍 Security researcher Kevin Beaumont noted that many affected firms have not installed the security patch, leaving their databases vulnerable.
  • 🛡️ Organizations are reminding their staff to remain vigilant against suspicious emails that could lead to further cyber attacks.

Actionable advice

Businesses must carefully select and collaborate with trustworthy service providers, and in the wake of this data hack should review partnerships and assess the security measures those providers have implemented. The prompt installation of security updates is equally critical, and communication about the importance of timely updates should be prioritized at an organizational level. Stakeholders must invest in cybersecurity awareness among employees to combat phishing attacks. By implementing these practices, brands and marketers can enhance data security measures and mitigate risks effectively.

