USA TRENDS AND DEVELOPMENTS Contributed by: Paul Lanois, Fieldfisher
• the right to obtain a portable copy of their personal data; • the right to opt out of targeted advertising; • the right to opt out of the sale of personal data; • the right to opt out of profiling with significant effects (except Iowa and Tennessee); and • the right to not be discriminated against for exercising data privacy rights. The laws also give consumers the right to appeal decisions regarding their consumer rights requests, and give data controllers 45 days to comply with a consumer privacy rights request, with an additional 45-day extension to the extent reasonably necessary. Most US states also impose certain obligations in relation to the processing of “sensitive data”, although the scope of what constitutes “sensi - tive data” differs across US states. Finally, most US states require controllers to conduct data protection assessments for activi - ties that present a heightened risk of harm to consumers – eg, in relation to: • the processing of personal data for targeted advertising; • selling personal data; • conducting profiling that carries a risk of unfair or deceptive treatment, unlawful dis - crimination or disparate impact, or potential injury to consumers; and • the processing of sensitive data. Growing enforcement from US State Attorney Generals In February 2024, the California Attorney Gen - eral announced a settlement with DoorDash, whereby the company was required to pay a USD375,000 civil penalty to resolve allegations
that it violated the California Consumer Privacy Act (CCPA) and the California Online Privacy Protection Act (CalOPPA). The investigation by the California Department of Justice claimed that DoorDash sold the personal information of its California customers without providing notice or an opportunity to opt out of that sale in violation of both the CCPA and CalOPPA. The sale allegedly occurred in connection with Door - Dash’s participation in a marketing co-operative, where businesses contribute the personal infor - mation of their customers in exchange for the opportunity to advertise their products to each other’s customers. In addition to the financial penalty, the company is required to comply with California require - ments that apply to businesses that sell personal information, including reviewing contracts with marketing and analytics vendors and reviewing the use of technology to evaluate whether it is selling or sharing consumer personal informa - tion. In June 2024, the California Attorney General announced a USD500,000 settlement with Tilt - ing Point Media LLC, resolving allegations that the company violated the CCPA and COPPA by collecting and sharing children’s data with - out parental consent in its popular mobile app game “SpongeBob: Krusty Cook-Off”. Accord - ing to the California Attorney General, the app was first investigated by the Children’s Advertis - ing Review Unit (CARU), a division of the Bet - ter Business Bureau National Programs that investigates potential deceptive or inappropriate data collection from children online. CARU found that the privacy and advertising practices of the SpongeBob app failed to comply with COPPA and CARU’s industry guidelines.
547 CHAMBERS.COM
Powered by FlippingBook