Eagle Alpha rounds up some of the most relevant legal and compliance articles surrounding the alternative data space over the past month.
US
The SEC proposed new rules in July 2023 to address conflicts of interest related to predictive data analytics used by broker-dealers and investment advisers. The proposal has faced opposition from industry groups and lawmakers, leading to the introduction of the Protecting Innovation in Investment Act. The SEC's Investor Advisory Committee recommended narrowing the scope of the proposed rules, expressing concerns about unintended consequences and overly broad requirements. You can access the full article here.
Meta lost a claim in the legal battle against Bright Data, an Israeli tech firm it sued for data scraping from Facebook and Instagram. The court ruled in favor of Bright Data on Meta’s breach of contract claim, stating Meta failed to prove Bright Data scraped non-public data. Interestingly, Meta had previously paid Bright Data for web-scraping services. The court also dismissed Meta's arguments regarding tools used to bypass access restrictions. Despite Meta's efforts to discourage data scraping, the court upheld the right to access public information on the web. You can access the full article here.
The FTC proposed consent orders with Outlogic (formerly X-Mode Social) and InMarket Media regarding their collection and monetization of precise geolocation data. Both companies are accused of collecting location data through SDKs without adequate consent and using it for targeted advertising without notifying consumers. The actions address the industry's alleged failure to protect consumers' information and define "sensitive location data." These settlements indicate heightened scrutiny and suggest that blanket privacy policies are no longer sufficient for consent. You can access the full article here.
New Jersey and New Hampshire have both passed comprehensive privacy legislation, joining several other states in implementing strict regulations. In New Jersey, S.B. 332 was signed into law on January 16, 2024, taking effect 365 days after enactment. It grants consumers rights such as access, deletion, and portability, and requires opt-in consent for processing sensitive data and for certain activities related to teenagers' personal data. On the other hand, New Hampshire's SB255, set to take effect on January 1, 2025, grants consumers rights similar to those in other state laws, and requires opt-in consent for processing sensitive data. You can access the full article here.
Taylor Swift's legal team has sent a cease-and-desist letter to Jack Sweeney, a University of Central Florida student, who tracks the private jets of celebrities, politicians, and billionairbroes using public data and social media. Swift's camp alleges that Sweeney's tracking of her private jet could pose a threat to her safety by potentially aiding stalkers. Sweeney defends his actions, stating that tracking such information is important for transparency reasons. You can access the full article here.
EU
The Co-Directors of the Brussels Privacy Hub released a statement on Data Protection Day 2024, highlighting the significance of the occasion and reflecting on the developments in data protection. They celebrated the enforcement of the GDPR and emphasized the importance of cooperation between different stakeholders to address emerging challenges. They also discussed the impact of AI on individual rights and democratic processes, expressing the need for ongoing scrutiny and research. You can access the full article here.
The Belgian Supervisory Authority imposed sanctions on a data broker for GDPR violations, including processing personal data without a legal basis and failing to meet transparency obligations. The data broker collected data from various sources and sold it to third parties for advertising purposes, but the SA found these practices unlawful. You can access the full article here.
The European Data Protection Board (EDPB) has initiated a coordinated action involving 26 data protection authorities across Europe to examine the role and position of data protection officers (DPOs). The coordinated action aims to assess whether DPOs fulfill their obligations outlined in Articles 37-39 of the GDPR and have the necessary resources for their tasks. You can access the full article here.
The Data Governance Act, already in effect, along with the forthcoming Data Act and European Health Data Space, regulate the transfer of non-personal data outside the EU. These regulations aim to safeguard intellectual property and prevent non-personal data from becoming identifiable, addressing concerns such as industrial espionage and re-identification risks. You can access the full article here.
UK
The Information Commissioner’s Office (ICO) initiated a consultation series on generative AI to explore how data protection laws should apply to the development and utilization of this technology. The first consultation focuses on determining the legality of training generative AI models using personal data collected from web scraping activities. You can access the full article here.
The ICO, led by Stephen Almond, reports a positive response from top UK websites following a November warning about non-compliant advertising cookies. Of the 53 contacted, 38 have updated their cookie banners for compliance, with four more committed to doing so soon. Some are exploring alternative solutions like contextual advertising or subscription models. You can access the full article here.
China
China's Cyberspace Administration (CAC) and Hong Kong's Innovation Technology and Industry Bureau (ITIB) have jointly introduced Standard Contractual Clauses (SCCs) for the transfer of personal information within the Greater Bay Area (GBA). These GBA SCCs are designed for entities registered or individuals located within specific cities in the GBA, excluding Macau for now. You can access the full article here.
Industry Commentary
Denas Grybauskas, Head of Legal at Oxylabs, on ethical web scraping:
“Several broad principles define ethical web scraping: respect for privacy, as we’ve discussed previously; respect for the target website, meaning that scraping activities mustn’t hinder its functionality; robust KYC policy, guaranteeing that scraping infrastructure is provided to legitimate businesses and use cases, and utilizing only ethically sourced proxies, meaning that there must be explicit consent and rewards for the users who are voluntarily participating in the proxy network. Unfortunately, not all companies have the same understanding of ethical conduct.” You can access the full commentary here.