5 Privacy Stories You Might Have Missed Over the Break

1. Louisiana Pornhub Users Face ID Requirement Following New Law

Louisiana-based porn-watchers hoping to access popular streaming sites have started facing on-site pop-ups requiring them to upload government-issued ID.

The change is thanks to HB 142; a law passed in June last year and effective since 1 January requiring users to “comply with a commercial age verification system” when accessing sites with over 33.3% pornographic content.  

Pornhub and other sites have implemented an app called “LA Wallet”, which requires a Louisiana state ID or driver’s license to verify a visitor’s age.  

There are, obviously, concerns about the privacy implications of this process. Pornhub claims it does not collect personal information during the verification process, which is carried out by “reputable” service providers. 

Utah senator Mike Lee has also recently proposed a national US law requiring age verification for accessing porn websites.

2. Twitter Faces DPC Investigation Over Data Breach

The Irish Data Protection Commission (DPC) launched an investigation into Twitter on 23 December after a data breach reportedly affecting over 5 million users. 

The breach originates from a vulnerability first reported to Twitter last January. In July, Twitter learned that some users’ contact details had appeared for sale online. The company posted a blog post in August reporting the breach.

It’s unclear exactly how many people have been affected. But media reports claim that the profile details of 5.4 million users were shared online, including email addresses and phone numbers.

This is not the first time the DPC has taken action against Twitter. Back in 2020, the company got a €450,000 fine for a separate data breach. More recently, the DPC has fined several other US tech firms (all Meta companies, such as Facebook, WhatsApp and Instagram).

3. Progress for Cross-Border Data Flows at the OECD

On 14 December, the Organization for Economic Cooperation and Development (OECD) adopted the first intergovernmental agreement on common approaches to safeguarding privacy when accessing personal data for national security and law enforcement purposes. 

The OECD Declaration on Government Access to Personal Data Held by Private Sector Entities aims to improve trust in cross-border data flows by clarifying how national security and law enforcement agencies can access personal data under existing legal frameworks. 

Thirty-nine OECD members, including the United States and the EU, signed the declaration during the OECD’s 2022 Digital Economy Ministerial Meeting. 

The declaration complements the OECD Privacy Guidelines and sets out shared principles that reflect commonalities drawn from OECD member countries’ existing laws and practices and that aim to protect privacy and other human rights and freedoms.

4. CNIL Rapporteur Recommends Apple Fine

The rapporteur for France’s data protection agency, the CNIL, has recommended that Apple be fined €6m for violating the ePrivacy Directive due to the exceptions Apple has made to its App Tracking Transparency (ATT) framework for its own pre-installed apps. 

The ATT framework requires third-party app developers to present users with a standard notification about targeted ads and ask for their consent—but Apple reportedly excluded several of its own apps from this requirement. 

The complainants argue that the ATT rules should apply even if the data collected is kept within Apple’s ecosystem and not shared with third parties. 

Apple has included consent notifications in iOS 15, released in September 2021, but may have been in violation of the ePrivacy Directive before that. 

The recommendation follows a complaint from the industry group France Digitale, made up of representatives from France’s tech startup and venture capitalist scenes.

The CNIL rapporteur’s recommendations are not binding. Still, they can carry significant weight in the CNIL’s final decisions.

5. Google to Pay Nearly $30m to Settle Two Location-Tracking Lawsuits

Google will pay $29.5m to settle US lawsuits in Washington DC and Indiana, adding to a bill of nearly $400m paid out over the company’s allegedly deceptive location-tracking tendencies.

The allegations around Google’s activities date back to 2018, when Google was found to be obscuring users’ ability to turn off location monitoring. 

Users who disabled “Location History” reportedly continued to have their whereabouts tracked via the “Web & App Activity” setting—leading Indiana’s Attorney-General to claim that Google has “deceived and misled users about its practices since 2014”.

The two settlements, announced on 30 December, follow $391.5m worth of settlements with 40 US states over similar issues. Two further states, Texas and Washington, are also bringing cases against Google’s location-tracking practices.