News Alerts and Breach Report for Week of November 14, 2022
Google Pays $392 Million For Ad-Tracking Violations
A probe into Google’s ad-tracking practices concluded with a settlement announced this week. According to NPR, the attorneys general of 40 U.S. states say that “since at least 2014, Google broke consumer protection laws by misleading users about when it secretly recorded their movements. It then offered the surreptitiously harvested data to digital marketers to sell advertisements, the source of nearly all of Google’s revenue.” As part of the settlement, Google has agreed to pay $392 million.
Apple Sued for Tracking
Though Apple has focused its marketing on privacy, the tech giant is not as hands-off as it says it is. According to a recent lawsuit, Apple violated the California Invasion of Privacy Act by making users think they could turn off keystroke tracking. Tommy Mysk and Talal Haj Bakry—app developers from the software company Mysk—ran a recent test and found that iOS users cannot actually turn off all data collection. Mashable reports, “a user looking at the App Store app on their iPhone would have their search data, what they tapped on, and how long they were checking out an app all sent to Apple in real-time. Using Apple’s Stocks app? Apple will receive a list of the user’s watched stocks, any articles they read in-app, and the names of any stocks they searched for. The timestamps for which a user viewed stock information will be sent over too. Some of Apple’s apps even collect detailed information about the user’s iPhone such as the model, screen resolution, and keyboard language.” The data Apple collects may or may not be within reason, but the problem—and the premise of the lawsuit filed last week—is that the company gives users the perception that they can stop that data collection.
CFPB Finalizes Transparency Rules
The Consumer Financial Protection Bureau (CFPB) has finalized changes to its nonbank supervision policies. Though the CFPB primarily regulates banks, the Consumer Financial Protection Act (CFPA) enables the CFPB to regulate non banking entities when it has reasonable cause to believe that those entities are acting in a way that puts consumers at risk. In April, the CFPB says it amended its “procedures for making supervisory risk designations so that we can publicly release the Director’s decision that supervision of a company is warranted. Under the amended procedures, the nonbank entity has an opportunity to provide us input as to whether the decision should be withheld or redacted.” Last week, after incorporating public input concerning remedy periods and FOIA exemptions, the CFPB codified this amendment. The agency has also released Consumer Financial Protection Circulars and advisory opinions to provide further transparency into its practices and goals.
* * * * * * *
To read our article on Cybersecurity and Infrastructure Security Agency’s newly developed cybersecurity framework titled “Cross-Sector Cybersecurity Performance Goals”, click here.
Jody Westby hosts our podcast, ADCG on Privacy & Cybersecurity, bringing together leaders in the privacy and cybersecurity arenas to discuss a wide range of issues ranging from the proposed federal and state regulations to best practices and standards for compliance. Episodes can be enjoyed on many platforms including Spotify and Apple Podcasts.
Our most recently released episodes:
80 | Cyber Command: Its role in Cybersecurity and National Security (with guests Gary Corn & Jamil Jaffer)
79 | Understanding 5G Cybersecurity Issues (with guest Carlos Solari)
78 | The Nexus Between Privacy, Cybersecurity & National Security (with guest, Corey Simpson)
Stay tuned this week for episode 81 | Looking at Cyber Leadership & Costly Mistakes with guests Rachel Briggs and Richard Brinson from Savanti, a UK-based cybersecurity consulting entity.
To browse through our previously published articles and news alerts, please visit our website, and don’t forget to subscribe to receive free weekly Data and Cyber Governance news and Breach Reports directly to your email.