Privacy and data protection regulations impact every marketing and PR communications professional around the globe. There is an immense variety of regulations and legislation within the USA, and within more and more countries around the world. W2O’s team is tracking privacy news and changes that impact our industry.

Here’s the latest news we’re paying attention to right now:

Facebook disclosed a massive hack, and faces the threat of a 1.63 billion dollar fine in the EU

Facebook disclosed last week that attackers obtained access tokens for 50 million accounts, which could give them full control of profiles and linked apps. This forced Facebook to reset the access tokens of upwards of 90 million users. According to an EU privacy watchdog, The Journal, the breach could trigger the maximum GDPR fines. European regulators have not yet begun to hand out GDPR fines, and it is unclear whether they would apply the maximum penalty in this case, or any penalty at all.

What this might mean for brands – Everyone is watching EU regulators closely to understand how they will enforce the GDPR. Between the Facebook and British Airways hacks, privacy professionals are waiting to see how the ICO will respond. While complaints are soaring across Europe, enforcement has yet to begin in earnest.

Uber settles data breach investigation for $148 million

According to a wide-ranging FTC investigation, in 2016 a hacker gained access to 57 million profiles of Uber riders and drivers, including 600,000 driver’s license numbers. Uber did not disclose that breach, and instead paid the hacker $100,000 through an internal “bug bounty” program to keep quiet. A year later, Uber announced the breach as a “failure” and fired two employees. Now Uber is settling for what seems to be about 2 percent of their 2017 revenue for failing to “safeguard user data and notify authorities when it was exposed”. They have also recently hired a chief privacy officer and chief trust and security officer.

What this might mean for brands – While the USA has had a variety of state and federal privacy laws for a very long time, this fine is noteworthy for its size. Even if the regulations are not as prescriptive as in the EU (yet – federal hearings have begun in response to CaCPA, which may or may not override California’s law), privacy regulations and enforcement actions are gaining more attention.

California signs country’s first IoT security law

In June, California passed what some observers feel is the country’s toughest data privacy law (the California Consumer Privacy Act) – and now they have added a new Internet of Things bill, SB327, making the state the first in the nation to have such a regulation.

What this might mean for brands – Some observers say this new law is too vague. The law reads that any maker of an Internet-connected device must ensure that there are “reasonable security features”, “designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.” While there are some specifics about unique preprogrammed passwords, and a requirement for first-time, user-generated authentication, a lot of other points are described only as a “reasonable security feature”.

CaCPA amendments begin

64 days after passing the California Consumer Privacy Act, the California legislature passed a technical corrections bill. This amendment primarily adds a six-month grace period, and excepts data that is already covered by other data privacy bills such as HIPAA. It also clarifies several other points, including the private rights of action and the data elements in the definition of personal data.

What this might mean for brands – If your organization is not yet paying attention to and planning for CaCPA, now is the time. While there are more potential amendments, as well as potential preemption by a federal law, studies show that organizations that put privacy and transparency first see improved consumer trust and engagement.

The materials published on [our web properties] do not constitute legal advice and are for informational purposes only. The opinions expressed at or through our web properties are the opinions of the individual author and may not reflect the opinions of W2O Group. Please seek independent counsel for all legal needs.  

