Your Phone, Computer,
and Internet Are NOT Safe!

• Apple fined €8M in French privacy case: France’s data protection authority CNIL fined Apple €8 million for privacy violations. The regulator found that the U.S. tech giant did not “obtain the consent of French iPhone users (iOS 14.6 version) before depositing and/or writing identifiers used for advertising purposes on their terminals.” The case was initiated by a complaint lodged by startup lobby France Digitale in March 2021. Apple expressed disappointment and plans to appeal the decision (source).

• France fines Apple over App Store ad targeting ePrivacy breach: France’s data protection watchdog, the CNIL, imposed a sanction of €8 million (~$8.5 million) on Apple for not obtaining local mobile users’ consent prior to placing (and/or reading) ad identifiers on their devices, breaching local data protection law. The CNIL acted under the European Union’s ePrivacy Directive. Apple plans to appeal the decision and asserts that it prioritizes user privacy in serving search ads in the App Store (source).

• Microsoft Flags Over $400 Million Charge for Irish Privacy Violation Fine on LinkedIn: Microsoft expected to take a charge of about $425 million in the current quarter for a potential fine from an Irish regulator over alleged privacy violations at its unit LinkedIn. The Irish Data Protection Commission (IDPC) launched an investigation into LinkedIn in 2018 over whether its targeted advertising practices violated European data protection law. Microsoft said that LinkedIn was informed about the preliminary decision in April and added it would dispute the proposed fine after receiving a final order (source).

• Microsoft Agrees to Pay $20 Million Civil Penalty for Alleged Violations of Children’s Privacy Laws: The Justice Department, together with the Federal Trade Commission (FTC), resolved a case against Microsoft regarding its practices for collecting and retaining personal information from children who use Microsoft’s Xbox Live service. The stipulated order requires Microsoft to pay $20 million in civil penalties and imposes injunctive relief to settle allegations that Microsoft violated the Children’s Online Privacy Protection Act (COPPA) and the Children’s Online Privacy Protection Rule (COPPA Rule) in connection with the Xbox Live service (source).

• FTC Will Require Microsoft to Pay $20 Million over Charges it Illegally Collected Personal Information from Children without Their Parents’ Consent: Microsoft will pay $20 million to settle FTC charges that it violated COPPA by collecting personal information from children who signed up to its Xbox gaming system without notifying their parents or obtaining their consent, and by illegally retaining children’s personal information. The proposed order will require Microsoft to bolster protections for child users of its Xbox system (source).

• Google and YouTube Will Pay Record $170 Million for Alleged Violations of Children’s Privacy Law: Google and its subsidiary YouTube agreed to pay a record $170 million to settle allegations by the Federal Trade Commission (FTC) and the New York Attorney General. They were accused of illegally collecting personal information from children without parental consent, in violation of the Children’s Online Privacy Protection Act (COPPA). The settlement required Google and YouTube to pay $136 million to the FTC and $34 million to New York. This penalty was the largest amount the FTC had ever obtained in a COPPA case since the law was enacted in 1998 (source).

• Google Is Fined $170 Million for Violating Children’s Privacy on YouTube: This article from The New York Times also covers the same fine, emphasizing that regulators accused YouTube of knowingly and illegally harvesting personal information from children and using it to profit by targeting them with ads. Critics denounced the fine as insufficient for protecting children’s privacy (source).

• Google Will Pay $22.5 Million to Settle FTC Charges it Misrepresented Privacy Assurances to Users of Apple’s Safari Internet Browser: Google agreed to pay a $22.5 million civil penalty to settle FTC charges that it misrepresented privacy assurances to users of Apple’s Safari browser. Google was accused of placing tracking cookies or serving targeted ads to Safari users, violating an earlier privacy settlement with the FTC. This settlement was the largest FTC penalty ever for a violation of a Commission order at the time (source).

• FTC and DOJ Charge Amazon with Violating Children’s Privacy Law: Amazon was charged with violating the Children’s Online Privacy Protection Act (COPPA) by keeping children’s Alexa voice recordings forever and undermining parents’ deletion requests. The proposed order requires Amazon to pay $25 million and delete children’s data, geolocation data, and other voice recordings. The complaint filed by the Department of Justice on behalf of the FTC accuses Amazon of keeping sensitive voice and geolocation data for years and using it for its own purposes. The proposed order must be approved by the federal court to go into effect. (source)

• Amazon fined $887 million for GDPR privacy violations: Amazon was fined 746 million euros ($887 million) for violating the EU’s General Data Protection Regulation (GDPR) rules on how to process personal data. The decision was made by the Luxembourg National Commission for Data Protection on July 16, 2021. Amazon announced its intention to appeal the decision, stating that there had been no data breach and that they strongly disagreed with the ruling. (source)

• Amazon to pay $31 million in privacy violation penalties for Alexa and Ring: Amazon agreed to pay a $25 million civil penalty to settle Federal Trade Commission allegations that it violated a child privacy law (COPPA) and deceived parents by keeping children’s voice and location data recorded by its popular Alexa voice assistant. Separately, the company agreed to pay $5.8 million in customer refunds for alleged privacy violations involving its doorbell camera Ring. (source)

• FTC Imposes $5 Billion Penalty on Facebook: In July 2019, the Federal Trade Commission (FTC) imposed a record-breaking $5 billion penalty on Facebook to settle charges that the company violated a 2012 FTC order by deceiving users about their ability to control the privacy of their personal information. The penalty was the largest ever imposed on any company for violating consumers’ privacy and almost 20 times greater than the largest privacy or data security penalty ever imposed worldwide. The settlement also imposed new restrictions on Facebook’s business operations and created multiple channels of compliance to ensure accountability and transparency (source).

• European Union Fines Meta $1.3 Billion for Violating Privacy Laws: In May 2023, the European Union fined Meta (Facebook’s parent company) nearly $1.3 billion for breaching European Union privacy laws. The fine was related to Meta’s continued transfer of user data from countries in the European Union and the European Economic Area to the United States, despite being suspended from doing so in 2021. The unprecedented penalty was intended to send a strong signal to organizations about the serious consequences of privacy infringements. Meta announced plans to appeal the ruling and criticized the decision as flawed and unjustified (source).

1. CNET Article: Verizon was fined $1.35 million for using “supercookies” to track customers’ web activity. The Federal Communications Commission (FCC) reached a deal with Verizon, and as part of the agreement, Verizon shifted from an opt-out policy to a more explicit opt-in policy for consumers. The fine was related to the use of permanent cookies that tracked customers’ web activity, and the settlement came as the FCC prepared to take a more active role in consumer privacy. (CNET, March 7, 2016). (source) 

2. Reuters Article: Verizon Communications Inc agreed to pay a $1.35 million fine and entered into a three-year consent decree after the FCC found that the company’s wireless unit violated the privacy of its users. The issue was related to “supercookies,” unique, undeletable identifiers inserted into web traffic to identify customers for targeted ads. The FCC said Verizon Wireless failed to disclose the practice from late 2012 until 2014, violating a 2010 FCC regulation on Internet transparency. (Reuters, March 7, 2016). (source) 

• T-Mobile: In 2021, T-Mobile reached a $500 million settlement in a class-action lawsuit filed by customers after the company disclosed that sensitive data had been breached in a cyberattack. The hacking affected 76.6 million people, and T-Mobile agreed to pay $350 million to settle the customers’ claims and spend $150 million over the next few years to bolster its cybersecurity protection and technologies (source).
• Additionally, in July 2022, T-Mobile announced the terms of a settlement for a consolidated class action lawsuit following a data breach that occurred in early 2021, impacting an estimated 77 million people. T-Mobile would pay an aggregate of $350 million to fund claims submitted by class members and commit to an aggregate incremental spend of $150 million for data security and related technology in 2022 and 2023 (source).

The Hemisphere Project, also known as Hemisphere (codename Hudson Hawk), is a mass surveillance program conducted by the U.S. telephone company AT&T. It is paid for by the White House Office of National Drug Control Policy (ONDCP) and the Drug Enforcement Administration (DEA). (source)

1. Credit Card Companies and Privacy Concerns: Credit card companies have access to a vast amount of detail about customers’ lives, including spending on travel, restaurants, political or religious donations, liquor stores, sex shops, etc. The major credit card companies have turned their access to consumer transactions into a new revenue stream, and this information is bought, sold, traded, and accumulated by the private sector. Google has made secret data-sharing agreements with credit card companies and now has access to 70% of the nation’s credit and debit card transactions. (source)