Eagle Alpha Legal Wrap - March 2024

Eagle Alpha rounds up some of the most  relevant  legal and compliance  articles surrounding the alternative data space over the past month.

US

The FTC banned Avast from selling browser data as the company allegedly deceived customers by promising to protect their privacy while harvesting and selling their online browsing data to third parties. The data collected included sensitive information like religious beliefs, health concerns, and financial status. As part of a settlement with the FTC, Avast agreed to pay $16.5 million in compensation to consumers and is prohibited from selling or licensing user browsing data for advertising purposes. You can access the full article here.

DoorDash settled a case with the California Department of Justice regarding privacy violations under the California Consumer Privacy Act (CCPA). The company was found to have sent users' personal information to third-party marketing firms without providing notice or an opt-out option. As part of the settlement, DoorDash will pay a $375,000 civil fine and adhere to additional CCPA enforcement terms. You can access the full article here.

Citadel Securities and the American Securities Association have raised concerns to the 11th US Circuit Court of Appeals regarding the SEC's approval of a new market-tracking database, known as the Consolidated Audit Trail (CAT). They argue that the database, aimed at safeguarding market integrity, exceeds the SEC's statutory authority and poses significant privacy risks by collecting personal information from all US securities traders. You can access the full article here.

FTC Chair Lina Khan highlighted that sensitive personal data like health, location, and web browsing history should be excluded from training artificial intelligence models. Companies must actively inform users if they plan to repurpose collected data for AI training as concerns over privacy and security have arisen due to the rapid advancement of generative AI technology, which can mimic individuals. You can access the full article here.

The Biden administration has tasked the Commerce Department with investigating the national security risks posed by Chinese-made smart cars, which have the capability to collect sensitive data about their drivers. Commerce Secretary Gina Raimondo expresses concern about the potential scenario of millions of Chinese cars gathering data on Americans and transmitting it to Beijing. You can access the full article here.

The FTC filed a complaint against H&R Block, accusing the tax prep company of deliberately deleting customer data and misleadingly advertising free tax filing services. The FTC alleges that H&R Block made it difficult for customers to switch to cheaper options by requiring them to contact customer service, resulting in the deletion of entered information. You can access the full article here.

EU

Consumer groups in the EU are filing legal complaints against Meta alleging privacy violations under the GDPR. These complaints center around Meta's "pay-or-consent" model, which gives users the choice to either pay for an ad-free experience or consent to data collection for advertising purposes. The groups argue that this model breaches data protection principles, such as purpose limitation, data minimization, fair processing, and transparency. You can access the full article here.

The European Commission started investigating whether TikTok violated the new Digital Services Act (DSA). The investigation focuses on several aspects, including the protection of minors, advertising transparency, data access for researchers, and managing the risks of addictive design and harmful content. You can access the full article here.

The European Data Protection Board (EDPB) has launched its Coordinated Enforcement Framework (CEF) action for 2024, focusing on the implementation of the right of access. The right of access is chosen due to its significance in data protection and frequent exercise by individuals. Participating DPAs will use various methods, such as questionnaires and formal investigations, to assess organizations' compliance with this right. You can access the full article here.

UK

The Information Commissioner's Office (ICO) issued an enforcement notice and warning to the UK Home Office for failing to adequately assess the privacy risks of a pilot scheme involving GPS monitoring of migrants. The ICO found that the Home Office did not provide clear information to participants regarding the data being collected and its purpose. The Home Office failed to sufficiently justify the continuous collection of location information and did not consider the impact on vulnerable individuals. You can access the full article here.

China

President Biden's administration issued an executive order aimed at preventing the transfer of genomic data to China and other countries deemed security risks. The order also restricts bulk transfers of Americans' geolocation, biometric, health, and financial data to specific countries, including Russia, Iran, North Korea, Cuba, and Venezuela. This directive targets Chinese gene companies like BGI, emphasizing the risks associated with processing genomic information in China. You can access the full article here.