Privacy Daily is a service of Warren Communications News.
2025 Bulletins
23
Dec

Federal Court Blocks Texas App Store Accountability Act From Taking Effect Jan. 1

A U.S. district court Tuesday granted a preliminary injunction against Texas’s App Store Accountability Act, blocking it from going into effect as intended on Jan. 1. The U.S. District Court for Western Texas ruled the law likely violates the First Amendment.

“It is far from clear that Texas has a compelling interest in preventing minors’ access to every single category of speech restricted by SB 2420,” said Judge Robert Pitman. Further, the law “is not narrowly tailored,” so it “fails strict scrutiny.” Its requirements “exclusively target speech,” meaning that “SB 2420 is unconstitutional in the vast majority of its applications” due to the First Amendment.

Additionally, some provisions are “impermissibly vague,” as they hold developers and app stores “liable for knowingly misrepresenting an age rating” without providing “meaningful guidance” as to determining app age ratings, the judge added.

The Computer & Communications Industry Association sued Texas over the law in October (see 2510160034), which started case 1:25-cv-01660. Texas Attorney General Ken Paxton (R) has defended the measure as constitutional (see 2511200039).

19
Dec

Gov. Hochul Vetoes Health Data Privacy Bill, Signs New York AI Bill

New York Gov. Kathy Hochul (D) vetoed a controversial state health data privacy bill (S-929) on Friday, an aide to Assembly sponsor Linda Rosenthal (D) told us.

However, even as President Donald Trump seeks to stop state regulation of AI via executive order, Hochul signed the New York Responsible AI Safety and Education (Raise) Act (S-6953) with chapter amendments, said Hochul and sponsor Assemblymember Alex Bores (D).

It’s possible to modify bills after they're signed by the governor through New York’s chapter amendment process, which some had predicted with the health and AI bills. Under that process, legislators and the governor agree on changes before a bill is signed, and then the governor lets it become law with a commitment from the legislature to amend the measure, which usually happens in January.

On the Raise Act, Bores and Hochul negotiated various changes, including a reduction in penalties, according to a summary by Bores' office. Previously, the penalty was $10 million for the first violation and $30 million for subsequent violations, but the negotiated bill is $1 million for the first and $3 million for the second, it said.

"Today is a major victory in what will soon be a national fight to harness the best of AI’s potential and protect Americans from the worst of its harms," said Bores. "We defeated last-ditch attempts from AI oligarchs to wipe out this bill" and "defeated Trump’s -- and his donors’ -- attempt to stop RAISE through executive action greenlighting a Wild West for AI."

The vetoed New York Health Information Privacy Act goes beyond HIPAA protections to cover wearables and other consumer devices. Privacy attorneys who represent businesses had warned that the bill would be more burdensome for compliance than Washington state’s similar 2023 My Health My Data Act (see 2501280023).

S-929 quickly passed the legislature back in January, but amid intense lobbying at the governor’s office, the New York Senate didn’t deliver the legislation to Hochul until Dec. 8 (see 2512090016).

The health privacy legislation had run into staunch opposition (see 2512030041) from industry groups and companies including Tech:NYC, Partnership for New York City, TechNet, NetChoice, the State Privacy & Security Coalition, DoorDash and Warby Parker. While seeking a veto, they said changes to the bill proposed so far wouldn’t address their concerns (see 2512020069).

But the privacy bill also had many supporters, including the New York Civil Liberties Union, Ben & Jerry’s, more than 200 health care providers and many public advocates. In addition, the bill’s Assembly sponsor had cited support from the New York attorney general’s office.

11
Dec

Trump Takes Aim at State AI 'Patchwork' With Executive Order

President Donald Trump issued an executive order to combat a “patchwork” of AI laws in the states, as expected (see 2512110056 and 2512080056). Trump's order is identical to a draft proposal circulated in November that drew significant bipartisan opposition.

The EO that dropped Thursday sets up an AI Litigation Task Force within DOJ to challenge “onerous” state AI laws that conflict with a statement in the order that says it’s “the policy of the United States to sustain and enhance the United States’ global AI dominance through a minimally burdensome national policy framework for AI.”

In addition, the order restricts non-deployment funding from the $42.5 billion BEAD broadband program for states that the Trump administration determines have AI laws that are overly burdensome. The order requires the FCC to begin a proceeding within 90 days “to determine whether to adopt a Federal reporting and disclosure standard for AI models that preempts conflicting State laws.” It would also order the FTC to “issue a policy statement on the application of the FTC Act's prohibition on unfair and deceptive practices … to AI models.”

In addition, the "Special Advisor for AI and Crypto and the Assistant to the President for Science and Technology shall jointly prepare a legislative recommendation establishing a uniform Federal policy framework for AI that preempts State AI laws that conflict with the policy set forth in this order,” it said. That proposed bill wouldn't preempt certain kinds of state laws, including those related to child safety, it said.

“We have to be unified,” Trump said during a signing ceremony for the order. “China is unified because they have one vote and that’s President Xi [Jinping].” The U.S. has “a different system, but we have a system that’s good. But we only have a system that’s good if it’s smart.” Commerce Secretary Howard Lutnick, Senate Commerce Committee Chairman Ted Cruz, R-Texas, and White House AI czar David Sacks attended the signing.

California Gov. Gavin Newsom (D) swiftly derided Trump's order. Trump and Sacks “aren’t making policy -- they’re running a con,” Newsom said in a statement. “And every day, they push the limits to see how far they can take it. California is working on behalf of Americans by building the strongest innovation economy in the nation while implementing commonsense safeguards and leading the way forward.”

6
Nov

Connecticut, New York, California Settle for $5.1M in Student Privacy Case

Illuminate Education failed to use basic security measures to protect student data, which led to a breach affecting millions of children, attorneys general from Connecticut, New York and California announced Thursday in a $5.1 million settlement with the education software company.

Connecticut said it's the first settlement reached under the state’s Student Data Privacy Law. AG William Tong (D) noted that the law requires “online educational providers to maintain data security measures that meet or exceed industry standards and that are designed to protect student data from unauthorized access or disclosure.”

Illuminate Education provides schools with software that tracks attendance, grades and academic behavior. The AGs alleged that in December 2021, hackers used credentials from a former Illuminate employee to access online accounts, including unencrypted personal data from millions of students.

According to Thursday's announcement, the breach affected 3 million students in California, 1.7 million in New York and nearly 30,000 in Connecticut. The company has agreed to pay $3.3 million to California, $1.7 million to New York and $150,000 to Connecticut. Illuminate didn’t immediately comment.

30
Oct

California DOJ Announces $530K Settlement With Sling TV

SAN DIEGO -- Sling TV is in violation of the California Consumer Privacy Act (CCPA) because the streaming platform's methods for consumers to opt out of sharing personal information are "confusing" and hard to effectuate, said Stacey Schesser, supervising deputy attorney general at the California DOJ.

She announced at IAPP's privacy conference Thursday that the state filed a $530,000 settlement against the platform that day in Los Angeles Superior Court. It was the fifth settlement filed under the CCPA, Schesser noted, and stemmed from the investigative sweep of streaming services announced in January 2024.

The complaint alleges that consumers have to go to another web form and click through multiple confirmation steps in order to opt out of sharing their data. Additionally, there's no option to create kids' profiles on Sling TV, which the settlement said makes it hard to limit targeted advertising for minors, as well as to obtain authorization or consent, as the CCPA requires for those younger than 16.

While Schesser didn't announce the details of the settlement, a press release from the attorney general's office outlined the proposed judgment. In addition to the monetary penalty, Sling TV must provide an opt-out mechanism on living room devices so downloading a mobile app isn't required; ensure that consumers seeking to effectuate their opt-out rights aren't rerouted to cookie preferences; and allow kid profiles, among other things.

In an email to Privacy Daily, a Sling TV spokesperson said the company "respect[s] the privacy rights of our customers, and thus, we intend to comply with this order while continuing to offer customers the programming they want with the flexibility they deserve."

14
Oct

Florida AG: Roku Violated State Privacy Law by Mishandling Kids' Info

Video-streaming box maker Roku “collected, sold and enabled reidentification of sensitive personal data” without receiving authorization or providing meaningful notice, the Florida attorney general’s office said Tuesday. AG James Uthmeier filed a complaint under Florida’s comprehensive privacy law and its Deceptive and Unfair Trade Practices Act in the state’s 20th Judicial Circuit Court.

The sensitive data included kids’ viewing habits, voice recordings and other information, the AG’s office said. Roku violated the two statutes by failing to obtain parental consent and by misrepresenting the effectiveness of privacy and opt-out controls, argued the state.

“Roku acknowledges processing, disclosing, and selling to third parties a wide variety of personal and sensitive data about its users,” said the Florida complaint. “Yet Roku does not acknowledge that it continues processing, disclosing, and selling this personal data even when it has every reason to know the data was collected from children. Worse still, Roku shares with and sells this data to intrusive data brokers, including Kochava, a company that has constructed profiles of tens of millions of children and physically tracks and discloses individuals’ precise geolocation data collected from their personal devices.”

Roku didn’t comment immediately.

8
Oct

Newsom Signs California Bills on Universal Opt-Outs, Data Deletion and Brokers

California Gov. Gavin Newsom (D) signed universal opt-out legislation and two other privacy bills Wednesday.

AB-566 requires all web browsers to include functionality that lets users automatically opt out of selling or sharing personal information across the web. The bill, which passed the legislature Sept. 11 (see 2509110066), was introduced by Assemblymember Josh Lowenthal (D) and had support from the California Privacy Protection Agency (CPPA) and state Attorney General Rob Bonta (D).

Newsom also signed a social media deletion bill (AB-656) by Assemblymember Pilar Schiavo (D). In addition to governing how users may delete their accounts, the legislation requires platforms to treat such cancellations as California Consumer Privacy Act requests to delete users’ personal information (see 2509050003).

The third bill signed into law was SB-361, which requires data brokers to disclose to the CPPA more types of personal information in their state registrations than they do now (see 2508270041). It was sponsored by state Sen. Josh Becker (D).

8
Oct

2 More States Join Consortium of Privacy Regulators

Attorneys general from Minnesota and New Hampshire joined states’ Consortium of Privacy Regulators, the California Privacy Protection Agency (CPPA) said Wednesday.

The bipartisan group now includes 10 enforcers from nine states. Minnesota and New Hampshire, which each had comprehensive privacy laws take effect earlier this year, will join the CPPA and AG offices from California, Colorado, Connecticut, Delaware, Indiana, New Jersey and Oregon.

The California agency looks “forward to collaborating with Minnesota, New Hampshire, and states nationwide as we continue growing our collective privacy enforcement apparatus,” said Michael Macko, CPPA's head of enforcement, in a news release. CPPA Executive Director Tom Kemp added, “Collaboration with states across the country makes it easier for us to protect Californians.”

After the group was announced April 16, some lawyers speculated that it could be a sign that more enforcement and higher fines were ahead (see 2506020004). Outside the auspices of the consortium, privacy regulators from California, Colorado and Connecticut announced last month that they're jointly sweeping for companies not complying with the Global Privacy Control (see 2509090045).

30
Sep

Calif. Privacy Agency Fines Tractor Supply $1.35M for CCPA Violations

The California Privacy Protection Agency assessed its largest-ever penalty, ordering Tractor Supply Co. to pay a $1.35 million fine and change its business practices, the CPPA said Tuesday.

The CPPA Board’s decision said the Tennessee-based rural lifestyle retailer failed to maintain a privacy policy notifying consumers of their rights; notify California job applicants of their privacy rights and how to exercise them; and provide consumers with an effective opt-out mechanism, including through universal opt-out preference signals. Also, the retailer disclosed personal information to other companies without entering into contracts that sufficiently protect privacy, the agency said.

Tractor Supply agreed to pay the fine and “implement broad remedial measures, such as scanning its digital properties to inventory tracking technologies, and require a corporate officer or director to certify compliance annually for the next four years,” the agency said.

"Tractor Supply takes our responsibilities to our Team Members, customers and applicants seriously," a company spokesperson said in an emailed statement. "We are committed to complying with all privacy laws and protecting the trust placed in us. The Company has already addressed the issues raised by the state of California."

The enforcement action came about two months after the CPPA filed a court petition alleging that Tractor Supply, which has more than 2,500 outlets in 49 states, failed to comply with an investigative subpoena seeking information about its compliance with the California Consumer Privacy Act (see 2508060070). The agency said it will end that litigation given Tuesday’s resolution.

“We made it an enforcement priority to investigate whether businesses are properly implementing privacy rights, and this action underscores our ongoing commitment to doing that for consumers and job applicants alike,” said Michael Macko, the CPPA’s enforcement head. At a CPPA Board meeting Friday, Macko revealed that the agency has “hundreds” of investigations open, and in most instances, the targeted businesses don’t know about them yet (see 2509260039).

26
Sep

CPPA Has Hundreds of Open Investigations and Most Targets Don't Know

The California Privacy Protection Agency’s head enforcer heralded “a new era of privacy enforcement,” in an update at the CPPA Board’s Friday meeting. The agency has “hundreds” of investigations open, and in most cases the targeted businesses don’t know about them yet, said Michael Macko, deputy director of enforcement. "We haven't surfaced yet."

The CPPA’s enforcement division has seen a growing number -- and rate -- of consumer complaints, Macko told the board. “We're receiving about 150 complaints ... every single week,” said Macko. “That number has been increasing over time."

"We spoke about the influx of consumers who are submitting complaints to us about potential violations,” and “we also have a historic need … to develop precedent under our law,” added Macko. “When you put these two together, it really does add up to a new era of privacy enforcement, and new era of state enforcement, in particular, and … it's pretty historic."

11
Sep

Calif. Legislature Passes Universal Opt-Out Preference Signals Bill

The California legislature agreed on a bill Thursday to require web browser support for universal opt-out preference signals (OOPS). The Assembly voted 44-2 to concur with Senate changes to AB-566, closely watched legislation that was endorsed by the California Privacy Protection Agency.

Recent amendments narrowed the measure to web browsers and delayed the effective date until Jan. 1, 2027. In addition, it gave web browser companies that put global OOPS functionality into their browsers immunity from liability in California for violations by businesses receiving the signals.

The Senate voted 30-7 for the bill Wednesday (see 2509100070). It next needs a signature from Gov. Gavin Newsom (D). Last year, Newsom vetoed similar legislation that had also covered mobile operating systems, but this year, the measure’s scope was narrowed to browsers.

10
Sep

2nd Circuit Upholds FCC Data Fine Against Verizon

The 2nd Circuit U.S. Court of Appeals on Wednesday upheld a $46.9 million fine against Verizon for violating FCC data rules. Judges heard the case in April and appeared skeptical of claims that Verizon had the right to a jury trial before the FCC handed down the fine (see 2504290060).

“We conclude that device-location data is statutorily protected, that the FCC reasonably determined Verizon’s liability, and that the forfeiture order neither violates the applicable statutory limits nor Verizon’s asserted Seventh Amendment rights,” said a decision written by Judge Alison Nathan. “The customer data at issue plainly qualifies as customer proprietary network information, triggering the Communications Act’s privacy protections.”

In August, the D.C. Circuit upheld a similar fine against T-Mobile (see 2508150044), while the 5th Circuit earlier rejected a fine imposed on AT&T (see 2504180001). Industry observers said the issue could be headed to the U.S. Supreme Court to decide, given the split in the circuits.

3
Sep

Texas Sues PowerSchool for Data Breach Affecting Nearly 900,000 People

Software company PowerSchool’s failure to protect the personal information of nearly 900,000 Texas schoolchildren and educators is a violation of the Texas Deceptive Trade Practices Act and the Identity Theft Enforcement and Protection Act, alleged Attorney General Ken Paxton (R) in a lawsuit Wednesday.

“For years, PowerSchool has misrepresented the nature and extent of its data privacy and security protections to Texas schools who entrust PowerSchool with their students’ and teachers’ highly sensitive personal information, including social security numbers and protected health information,” Paxton's complaint said. “In December of 2024, these failures resulted in a catastrophic data breach impacting over 800,000 Texas students and teachers.”

Paxton said PowerSchool profits off the collected data by using it to develop products and sell the data to third parties. The complaint asks the Texas District Court in Collin County to stop the software company from continuing to violate the laws and to pay monetary penalties for each violation.

15
Aug

DC Circuit Upholds FCC Data Breach Fine Against T-Mobile

The U.S. Court of Appeals for the D.C. Circuit rejected T-Mobile’s challenge of an $80 million data breach forfeiture in a unanimous opinion Friday.

The court rejected the carriers’ arguments that the FCC forfeiture process violates the Seventh Amendment right to a jury trial and that the customer real-time location data involved in the breach wasn’t covered by FCC rules. In the opinion, Judge Florence Pan said language in the Communications Act that allows entities to go before a jury if they don’t pay their FCC forfeitures satisfied the requirements of the Seventh Amendment.

“The statutory procedure at issue allowed the Carriers to obtain a jury trial before suffering any legal consequences,” Pan wrote. “They chose not to wait for such a trial and therefore waived that right.”

The 5th U.S. Circuit Court of Appeals took the opposite stance in a ruling on a similar data breach forfeiture against AT&T in April, vacating a $57 million fine because the FCC’s processes didn’t sufficiently guarantee a jury trial.

The D.C. Circuit Friday also rejected carrier arguments that the data involved wasn’t covered under the rule or that the FCC erred by considering the breaches as ongoing violations. “The penalties assessed by the Commission were lawful and reasonably accounted for the Carriers’ ability to pay and the egregiousness of their conduct.”

13
Aug

6th Circuit Upholds FCC Data Breach Notification Rules

A three-judge panel of the 6th U.S. Circuit Court of Appeals upheld the FCC’s data breach notification rules in an opinion Wednesday. The rules were approved 3-2 in 2023 by the previous FCC, with then-Commissioners Brendan Carr and Nathan Simington dissenting.

The Ohio Telecom Association, the Texas Association of Business, CTIA, NCTA and USTelecom filed petitions for review against the rules, arguing that they were outside the FCC’s authority and violated the Congressional Review Act because Congress vetoed similar requirements included with other privacy rules in 2017.

But the court said the Congressional Review Act doesn’t prevent agencies from issuing new rules that are similar to parts of rules nullified by CRA resolutions. If Congress had wanted the CRA to do that, “it could have said so,” said the opinion from Judge Jane Stranch. “That is not the language it chose.” The 2017 rules and the 2024 FCC data breach order also aren’t “substantively identical,” the opinion said.

29
Jul

Calif. Privacy Agency Fines Data Broker $55K for Failing to Register, Pay Annual Fee

The California Privacy Protection Agency (CPPA) fined Washington-based Accurate Append $55,400 for failing to register as a data broker and pay the annual fee required by the state’s Delete Act. The company failed to register by the Jan. 31, 2024, deadline for its 2023 activities, and only registered after the Enforcement Division contacted Accurate Append, the CPPA alleged.

“This settlement shows, once again, the peril faced by data brokers who fail to register,” said CPPA's head of enforcement, Michael Macko, in a release. “We are committed to bringing transparency to the data broker industry, and vigorous enforcement of California's registration requirement is one way to do that.”

The fine is a part of the CPPA’s investigative sweep of data broker registration the agency announced in October 2024. In addition to the monetary penalty, Accurate Append agreed to injunctive terms, including paying the Enforcement Division’s attorney fees and costs that resulted from non-compliance, the CPPA said.

24
Jul

CPPA Board Clears Controversial Rules on Automated Decisions

The California Privacy Protection Agency approved rules on automated decision-making technology and other subjects at a partially virtual meeting Thursday. CPPA Board members voted 5-0 to clear the rulemaking package, which also covers risk assessments, cybersecurity audits, insurance and updates to California Consumer Privacy Act (CCPA) regulations.

Earlier this week, CPPA staff said the agency wouldn't make further changes to draft regulations in the controversial rulemaking (see 2507220043). Thursday’s CPPA Board approval allows staff to submit the rulemaking package to the California Office of Administrative Law, which, in turn, will have 30 business days to decide if the rules may become final.

Chair Jennifer Urban supported the proposed regulations: “They are strong. They are reasonable. They are clear.”

Board member Drew Liebert expects "all sides will still have a lot of unhappiness” with the rules, but the test can't be to make everyone happy, he said. “We were required to do our best and to keep improving these regulations, and we will do so.”

8
Jul

Nebraska AG Sues GM, OnStar for Collecting, Selling Driver Data Without Consent

Nebraska Attorney General Mike Hilgers (R) sued General Motors and its subsidiary OnStar on Tuesday for the alleged unlawful collection, processing and sale of sensitive driving data from state residents without their knowledge or consent. In a press conference Tuesday morning, Hilgers announced the suit, claiming violations of the Nebraska Consumer Protection Act and Uniform Deceptive Trade Practices Act.

Since around 2015, “when you would buy a car from GM, ... they would generally take your data, and they would sell it to third-party companies,” Hilgers said. “Those third-party companies, in turn, would sell it to insurance companies. Those insurance companies would use the data that they received from General Motors … including how fast you were driving, how hard your stops were, where you went, whether you had your seat belt [on], and they used that data to make decisions regarding people's insurance.”

Such data collection and use requires GM and OnStar to notify customers, but “nowhere in any of their disclosures did GM tell people that this is what they were going to do,” Hilgers said.

This lawsuit follows similar complaints filed by other states against GM for its collection and sale of data, starting with Texas in 2024 (see 2501160029). Arkansas filed its suit in February (see 2502260044) and Indiana in March (see 2503270040). In January, the FTC also proposed a nonmonetary settlement with GM and OnStar over allegations that the companies collected and sold consumers’ location data without proper consent (see 2501170068).

8
Jul

Connecticut AG Reveals $85K Privacy Settlement with TicketNetwork

Connecticut Attorney General William Tong (D) announced an $85,000 settlement with online marketplace TicketNetwork on Tuesday, the result of an investigation into potential violations of the Connecticut Data Privacy Act (CTDPA). The AG said over two dozen cure notices were sent to the company in four separate sweeps addressing privacy notice deficiencies, and that TicketNetwork repeatedly said it had fixed the issues when that was not true.

“The Connecticut Data Privacy Act gives consumers powerful baseline rights, including the right to access, correct, and delete personal data stored and collected by businesses, and the right to opt-out of the sale of personal data and targeted advertising,” said Tong in the press release. “Covered businesses must maintain clear privacy notices that describe these rights. This law has now been in effect for two years. There is no excuse for continued non-compliance, and we are prepared to use the full weight of our enforcement authority to protect consumer privacy.”

TicketNetwork must also comply with CTDPA requirements, keep metrics on consumer rights requests received under the Act and provide a report of these metrics to the AG under the settlement agreement. Tong said his office sent its first cure notice to the company in November 2023 regarding issues with its privacy notice, but TicketNetwork didn't fix the problems within the 60-day window to cure.

1
Jul

Healthline to Pay $1.55M Under Largest CCPA Privacy Settlement

Healthline must pay California $1.55 million under the largest proposed settlement yet under the California Consumer Privacy Act, Attorney General Rob Bonta (D) said Tuesday. The settlement, which is pending final court approval, also includes a novel injunctive term prohibiting the company “from sharing article titles that reveal that a consumer may have already been diagnosed with a medical condition,” the AG's office said.

The settlement would resolve allegations that the company’s use of online tracking technology on Healthline.com violated the CCPA, said the AG's office, which submitted a complaint Tuesday to the California Superior Court for San Francisco. A California DOJ investigation found that Healthline failed to let consumers opt out of targeted advertising. Also, the company shared data with third parties without CCPA-mandated privacy protections, including information suggesting individuals had serious health conditions, the AG's office said.

“Our settlement with Healthline underscores that Californians have critical privacy rights under the CCPA to fight online surveillance -- including by website publishers,” said Bonta.

Healthline didn’t immediately respond to a request for comment.

27
Jun

U.S. Supreme Court Allows Texas Law Requiring Age Verification for Porn Sites

In a 6-3 decision, the U.S. Supreme Court on Friday upheld a Texas law requiring age verification for access to porn sites. The ruling sided with Attorney General Ken Paxton (R) in support of the state's HB-1181, which the Free Speech Coalition, an adult industry trade association, challenged in a 2023 lawsuit, saying it violated the First Amendment (see 2409170012).

"Age-verification laws like H. B. 1181 fall within States’ authority to shield children from sexually explicit content," said Justice Clarence Thomas, who wrote the majority opinion. "The First Amendment leaves undisturbed States’ traditional power to prevent minors from accessing speech that is obscene from their perspective. ...

"That power necessarily includes the power to require proof of age before an individual can access such speech," Thomas continued. "It follows that no person -- adult or child -- has a First Amendment right to access speech that is obscene to minors without first submitting proof of age."

Chief Justice John Roberts and Justices Neil Gorsuch, Samuel Alito, Brett Kavanaugh and Amy Coney Barrett joined Thomas in the majority opinion. Justices Elena Kagan, Ketanji Brown Jackson and Sonia Sotomayor dissented, with Kagan writing the dissent.

9
May

Google to Pay Texas $1.4 Billion in Privacy Settlement

Texas Attorney General Ken Paxton (R) announced a nearly $1.4 billion settlement with Google in a case about the company's unlawful tracking and collecting of users' personal information, including geolocation and biometric data. Paxton filed the lawsuit against Google in October 2022, alleging violations of the Texas Capture or Use of Biometric Identifier Act (see 2210200075).

“In Texas, Big Tech is not above the law. For years, Google secretly tracked people’s movements, private searches, and even their voiceprints and facial geometry through their products and services. I fought back and won,” said Paxton. “This $1.375 billion settlement is a major win for Texans’ privacy and tells companies that they will pay for abusing our trust."

This settlement comes less than a year after another $1.4 billion settlement between Texas and Meta, in a case alleging the social media company captured biometric information in violation of state law (see 2407300030).

6
May

Calif. Privacy Agency Fines Menswear Retailer $345K for Alleged CCPA Violations

The California Privacy Protection Agency (CPPA) dressed down national menswear retailer Todd Snyder with a $345,178 fine Tuesday for alleged violations of the California Consumer Privacy Act (CCPA).

The privacy agency said Todd Snyder agreed to pay the fine and change its business practices to resolve various allegations, including that it failed to oversee and properly configure technical infrastructure of its privacy portal. That failure led to a 40-day period in which the company failed to process consumer requests to opt out of selling and sharing personal information, the CPPA said.

In addition, the clothing retailer required consumers to submit more information than necessary to process privacy requests, the agency alleged. Also, Todd Snyder inappropriately required consumers to verify their identity before they could opt out, said the agency. The company didn’t comment Tuesday.

“Businesses should scrutinize their privacy management solutions to ensure they comply with the law and work as intended, because the buck stops with the businesses that use them,” said Michael Macko, the CPPA’s enforcement head. “Using a consent management platform doesn’t get you off the hook for compliance.”

CPPA Executive Director Tom Kemp said the CPPA decision “should serve as an important reminder that our Enforcement Division is scrutinizing what businesses are doing to honor Californians’ privacy rights.”

2
May

Irish Privacy Watchdog Fines TikTok $600 Million for GDPR Breaches

TikTok's transfer of Europeans' personal data to China violated the EU General Data Protection Regulation (GDPR), the Irish Data Protection Commission (DPC) announced Friday. It fined the social media platform $600 million (530 million euros) and ordered it to clean up its act within six months or face suspension of its data transfers to China. TikTok said it will appeal.

The transfers infringed the GDPR because the company failed to verify, guarantee and demonstrate that the personal data of users in the European Economic Area (EEA), remotely accessed by staff in China, was given a level of protection essentially equivalent to that guaranteed by the EU, said DPC Deputy Commissioner Graham Doyle. The company also breached GDPR transparency requirements related to how it informed users of the transfers to China, he said.

Seen through the lens of tariffs, trade and national security, the decision will be a source of uncertainty for organizations beyond TikTok, emailed IAPP Research Director Joe Jones. Regulatory, geopolitical and industry developments are "carving the world up into greenlisted, redlisted and firewalled blocs for data sharing, making international data transfers a renewed priority and a heightened area of complexity for organisations and policymakers."

21
Apr

FTC to Finalize COPPA Rule June 23

The FTC is finalizing its Children’s Online Privacy Protection Rule with changes from the prior administration’s proposal, the agency said in a Federal Register notice scheduled for publication Tuesday.

The final rule is set to take effect June 23, but companies will have a year to come into compliance with most of its provisions. Those with an immediate compliance date include annual reporting for the COPPA Safe Harbor program and disclosures about collecting children’s audio. The commission said it also reserves the right to revoke and issue new Safe Harbor exemptions based on new requirements.

The commission said it’s not finalizing the prior regime’s proposed amendments to the rule related to education technology and the “role of schools at this time.” The FTC wants to avoid conflicts with the Family Educational Rights and Privacy Act, an education records law that the Department of Education enforces.

10
Apr

Senate Confirms Meador to the FTC on 50-46 Vote

The Senate voted 50-46 Thursday to confirm Mark Meador as an FTC commissioner, as expected (see 2503030044).

Chairman Andrew Ferguson now has a 3-0 Republican majority with the addition of Meador. Recently fired Democrats Rebecca Kelly Slaughter and Alvaro Bedoya are suing the Trump administration to be reinstated on the commission (see 2503270056).

Ferguson in his congratulatory statement cited Meador's antitrust background, saying he will be a "great asset" to the Trump administration FTC.

2
Apr

DOJ Confirms April 8 as Effective Date for Data Transfer Rule

DOJ’s data transfer rule is scheduled to go into effect April 8, the department confirmed Wednesday.

A large group of global American companies requested an extension to the deadline, citing potential complications with compliance (see 2503180058).

“As indicated in the federal register, the rule is scheduled to go into effect on April 8, 2025,” the department said in a statement. “We’ll decline to comment further at this time.”

13
Mar

District Court Grants Preliminary Injunction Against Calif. Age-Appropriate Design Code

The U.S. District Court for Northern California on Thursday granted NetChoice’s request for a preliminary injunction against California’s Age-Appropriate Design Code Act (CAADCA) aimed at protecting the privacy and safety of children online. California Attorney General Rob Bonta (D) and his office are enjoined from enforcing the act.

“This Court finds that the CAADCA’s coverage definition is content-based,” said Judge Beth Labson Freeman in case 22-cv-08861. “Under well-established precedent, a plaintiff’s showing that a statute is content-based shifts the burden to the State to show that the statute is narrowly tailored to promote a compelling Government interest… The demonstration of a compelling interest is not sufficient to satisfy strict scrutiny, however. The State must show that ‘the recited harms are real, not merely conjectural, and that the regulation will in fact alleviate these harms in a direct and material way,’” which the state does not do.

“Today’s ruling reaffirms -- for the third time in California -- that the government cannot control what lawful speech Americans see, say, or share online,” said Chris Marchese, NetChoice’s director of litigation. “While protecting children online is a goal we all share, California’s Speech Code is a trojan horse for censoring constitutionally protected but politically disfavored speech. This decision puts other states on notice that censorship regimes masquerading as ‘privacy protections’ will not survive judicial review.”

California DOJ is "reviewing the order and will respond appropriately in court," a spokesperson said.

12
Mar

Honda Promises to Change Privacy Ways Amid CPPA Auto Sweep

Honda must pay $632,500 and change various privacy practices under an agreement with the California Privacy Protection Agency announced Wednesday. The CPPA board decided Friday to approve a settlement resolving the privacy agency's claims that the car manufacturer’s North American subsidiary violated the California Consumer Privacy Act (CCPA).

American Honda takes “our responsibility to protect consumer privacy seriously and are committed to continually striving to ensure that our practices meet the highest standards,” a spokesperson said in an emailed statement. “We have cooperated fully with the CPPA throughout their investigation and have already begun implementing the changes to our processes required by the order. These changes include modifications to our methods for submitting consumer privacy requests, enhancing our cookie management tools, and updating our contract management processes.”

The California agency’s Enforcement Bureau found that American Honda Motor Co. violated the CCPA by (1) requiring Californians to verify themselves and give "excessive personal information" to exercise their privacy rights to opt out and to limit use and disclosure of their sensitive personal information; (2) using an online cookie management tool that failed to offer consumers privacy choices in a symmetrical or equal way; (3) making it hard for consumers to select authorized agents to exercise privacy rights on their behalf; and (4) sharing consumers’ personal information with ad tech companies without producing contracts with necessary privacy terms. The CPPA action came as part of an ongoing sweep of connected car manufacturers' data privacy practices.

Honda also agreed to simplify the process for Californians to assert their privacy rights, the CPPA said. Additionally, Honda must certify its compliance, train its employees and consult a user-experience designer to evaluate its methods for submitting privacy requests; change its contracting process to ensure appropriate mechanisms are in place to protect personal information; and support the Global Privacy Control, a browser-based universal opt-out mechanism.

“We won’t hesitate to use our cease-and-desist authority to change business practices, and we’ll tally fines based on the number of violations,” said Michael Macko, head of the CPPA's Enforcement Division. “Today’s resolution reflects Honda’s early cooperation and commitment to make things right.”

20
Feb

CPPA Takes Action Against National Public Data for Registration Failure

National Public Data faces a $46,000 fine from the California Privacy Protection Agency for failing to register as a data broker and pay an annual fee, the CPPA said Thursday. It's the CPPA’s sixth action stemming from an investigative sweep of California Delete Act compliance that it announced Oct. 30.

Last October, the CPPA Enforcement Division filed a claim against the Florida-based data broker in the U.S. Bankruptcy Court for the Southern District of Florida, alleging that the company had to pay an administrative fine for failing to register with the CPPA, the agency said. The company had filed for bankruptcy after confirming that a data breach in April 2024 exposed 2.9 billion records, including names and social security numbers. Since the court dismissed the company’s bankruptcy petition, the Enforcement Division has filed an administrative action against National Public Data to recover the $46,000 fine, the CPPA said.

Under state law, data brokers must pay $200 every day they fail to register with the CPPA. Companies that operated as data brokers in 2023 were required to register on Jan. 31, 2024, but National Public Data registered 230 days late, on Sept. 18, the CPPA alleged.

“We will pursue data brokers who violate the law, plain and simple,” said Michael Macko, CPPA enforcement head. “The Enforcement Division will use all available tools, including litigation, to make sure that data brokers aren’t operating in the dark.”

National Public Data has closed, according to its website.

17
Jan

Unanimous Supreme Court Upholds TikTok Divestment Law

A unanimous U.S. Supreme Court on Friday upheld a law forcing ByteDance to divest TikTok, citing Congress’ “well-supported national security concerns.”

After oral argument Friday, the court in its “expedited” decision said TikTok’s “scale and susceptibility to foreign adversary control, together with the vast swaths of sensitive data the platform collects, justify differential treatment to address the government’s national security concerns.”

Free speech standards are satisfied because the regulation “promotes a substantial government interest that would be achieved less effectively absent the regulation” and it does not “burden substantially more speech than is necessary.”

The court said TikTok offers a “distinctive and expansive outlet for expression, means of engagement, and source of community” for 170 million users in America, but Congress “has determined that divestiture is necessary to address its well-supported national security concerns regarding TikTok’s data collection practices and relationship with a foreign adversary.”

TikTok didn’t immediately comment. ByteDance attorney Noel Francisco argued Friday that Congress could have passed a less restrictive law banning the company from sharing sensitive data with ByteDance or China. The law's divestment deadline goes into effect Sunday.

16
Jan

FTC Issues Long-Awaited COPPA Rule Update

The FTC is finalizing changes to its children’s online privacy regulations “to set new requirements around the collection, use and disclosure of children’s personal information and give parents new tools and protections to help them control what data is provided to third parties about their children,” it said in a Thursday news release.

Under the long-awaited final rule, websites and online service operators covered by the Children’s Online Privacy Protection Act (COPPA) will be required to get opt-in parental consent before disclosing children’s personal information to third-party companies for targeted advertising or other purposes. The rule also sets limits on data retention, and requires FTC-approved COPPA Safe Harbor programs to disclose membership lists and other information. The commission voted 5-0 to finalize the changes.

The FTC declined to adopt proposed requirements that would have limited the use of push notifications to children without parental consent, as well as changes involving requirements for educational technology companies operating in schools.

The changes to the FTC’s COPPA regulations take effect 60 days after publication in the Federal Register. Entities subject to the final rule then will have a year to come into full compliance with most provisions, though compliance is required earlier for provisions involving COPPA Safe Harbor programs. A Federal Register publication date has not yet been scheduled, the FTC said.

“The updated COPPA rule strengthens key protections for kids’ privacy online,” said FTC Chair Lina Khan in the news release. “By requiring parents to opt in to targeted advertising practices, this final rule prohibits platforms and service providers from sharing and monetizing children’s data without active permission. The FTC is using all its tools to keep kids safe online.”