At the end of June, California enacted what has been billed as a comprehensive privacy law. By all accounts, it was a rush job, negotiated in a week behind closed doors in a desperate and successful attempt to keep Californians for Consumer Privacy Campaign Chairman Alaistair MacTaggart’s privacy initiative off the November ballot. As sometimes happens, the law’s proponents and a few reporters may have overhyped the legislation – both given its current contents and because many expect it to change before its effective date in January 2020.
Back in 2011, the Federal Trade Commission alleged that Facebook deceived consumers by failing to keep its promises to protect user privacy. The two parties agreed to settle the charges through something called an “agreement containing consent order.” The Commission also signed a consent agreement with Google that same year. The FTC issued a final Decision and Consent Order regarding the Facebook allegations in 2012. (A consent order is an FTC enforcement tool that operates like a legal settlement.) Without admitting to the complaint’s counts, the parties involved signed a document that basically says, “we both agree to enter this agreement to resolve the allegations in the complaint, so now you have to do the following things, and if you fail to do any of them, the FTC is going to impose financial penalties.”
Yesterday, reports surfaced that Facebook formed data-sharing partnerships with device makers, enabling companies like Amazon and Apple to access Facebook users’ and their friends’ data -- without those friends’ consent. Reports indicate that the shared data includes data pertaining to users who expressly denied Facebook permission to share their information with any third parties.
Today, the European Union’s General Data Protection Regulation goes into effect. The GDPR seeks to give European consumers control of their personal data in the digital era. It creates stringent rules for the collection, processing, and transfer of personal data of European residents. It also emphasizes the importance of explicit consent as a basis for data collection and processing, lists users’ rights, and encourages companies to adopt more privacy and security-oriented approaches to the collection and processing of personal data.