Kids, Cookies Seen as Common Stumbling Blocks in Privacy Compliance
When seeking to comply with privacy laws, companies often fall short in a few key areas, including cookies, kids’ privacy and the collection of sensitive data, an Entertainment Software Rating Board (ESRB) official said Wednesday during a webinar by compliance vendor Privado.
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
Some of the most common issues include “the presence of tracking technologies … collecting information” in unintended ways, “the unnecessary collection of sensitive data” and “misconfigured opt-outs or opt-outs that just don't work as represented,” said Stacy Feuer, senior vice president at ESRB Privacy Certified, the self-regulatory organization of the U.S. video game industry.
Other common issues include “privacy information and privacy choices presented in a way that could be viewed as misleading at worst or buried at best,” things that don’t “align with the consumer's reasonable expectations,” and general privacy issues around kids, she added.
Some of the issues stem from “simple misunderstandings, or not-really-understandings,” said Privado CEO Vaibhav Antil. For instance, miscommunication between teams can lead to “miscategorizing cookies.”
Feuer agreed that can be a big issue. She noted that the New York attorney general looked at around a dozen cookies as part of a non-public sweep in the summer of 2024, and “that was a recurring issue across all of the companies.” The resulting “guidance basically said, ‘Clean it up everybody.’”
Beyond cookies, regulators are very concerned about sensitive data, Feuer said. “We call it sensitive data for a reason,” she said. “The collection, use and sharing of that data can have important and sometimes adverse consequences for consumers.”
Antil said regulators have been focused on health and location data, as exemplified by the Healthline settlement (see 2507030026).
Location data is particularly interesting “because this is a data type that gets collected automatically or is observed on browsers, you can infer it through IP addresses as well,” he said. A big “problem we've seen is, once you allow location data for your own use case, that permission then flows to a lot of other SDKs -- including ad SDKs -- which leads to location data collection by multiple ad partners through a single mobile app.”
Feuer noted that various states consider kids' data as sensitive data, and even if not, “there is a recognition that children's data ... deserves special protections.” This year there has been “an intensifying focus on children's data,” which is “part of a larger concern that is not only about their privacy, but also about safety, sometimes about content, sometimes about advertising.”
There has also been a lot of recent enforcement around children’s data, she said, including multiple suits against streaming platform Roku (see 2510140024 and 2504290068) and the California settlement with Sling TV (see 2511070023). Feuer also pointed to FTC Chair Andrew Ferguson emphasizing a focus on COPPA cases in a talk at a Family Online Safety Institute event last week (see 2511100028).
An emerging issue is dark patterns, Antil said. Feuer agreed it's “an issue that has come to prominence” in the last decade.
Feuer, who spent 22 years at the FTC, said during her tenure there were lots of international discussions about what is deceptive, unfair and misleading. But today there's “an understanding that the way that you design your user interface can have important consequences and effects on users’ ability to make choices.”
Though it’s not always referred to as dark patterns, it's “something that the states have definitely picked up on and will continue to pick up on, because it also overlaps not just with privacy law, but with traditional consumer protection law and prohibitions against unfair or deceptive acts or practices,” she added.
But both panelists agreed that privacy is constantly evolving. “We're seeing a much broader push on the regulatory front in terms of what kinds of products, devices [and] platforms that they are interested in,” like the aforementioned Sling TV settlement and suits against Roku, Feuer said. “I think we're going to see much broader enforcement … really looking at some of the newer ways where data is being collected and used.”
“The basic takeaway is that privacy enforcers are going where the consumers are and wherever companies are collecting, using and sharing personal data,” she added.