As we move forward into the new year, it’s always good to take a look back at where we came from. Reviewing data privacy 2022 milestones not only gives us an accurate picture of the privacy industry right now, but also gives us a good indication of what 2023 might hold. Let’s review several of the major privacy news stories of 2022.

Facebook Stock Drop & Mass User Exodus

In what was quite possibly the biggest privacy news story of 2022, Facebook faced significant repercussions for its history of poor data handling. The company’s stock dropped by 26% in January 2022, setting a new record for the highest recorded stock drop in a US company. Over a million users also left the platform never to return. Facebook isn’t going away anytime soon, but it seems that the platform’s poor privacy track record may be causing it some significant problems.

Weight Watchers Fined for Data Mishandling

Facebook was far from the only company to face consequences for privacy violations. In March 2022, WW International (formerly known as Weight Watchers) was fined $1.5 million for children’s privacy violations through Kurbo, a WW-run app aimed at children and teens. The company’s list of offenses include COPPA violations, lack of informed consent, and creating algorithms based on illegally collected data. This case demonstrated an alarming lack of concern for the private data of minors, especially considering that some users of the Kurbo app were as young as 8 years old.

Irish Data Protection Commission Sued by Watchdog Group

The Irish Data Protection Commission (DPC) exists to uphold privacy rights and enforce GDPR regulations in Ireland. However, the Irish Council for Civil Liberties (ICCL), a watchdog group, was unsatisfied with what it perceived as inaction on the DPC’s part. The group’s primary complaints were twofold. First, they believed that the DPC focused on promoting new privacy laws rather than enforcing existing ones, which could allow ongoing privacy violations to continue unchecked. Secondly, they believe this misplaced focus resulted in the DPC ignoring what the ICCL labeled “the worst data breach in history”. As of this blog, the case appears to still be ongoing.

FTC Steps Up Efforts to Protect Children’s Privacy

COPPA violations, like the highly publicized WW fine in early 2022, prompted the FTC to respond with an increased focus on protecting children’s privacy. In May, the FTC announced its intent to examine apps and websites that may have illegally collected children’s data and crack down more severely on violations. This is particularly significant in the aftermath of increased remote school post-COVID. With children’s data more at risk than ever, the FTC’s actions will hopefully bring positive change.

Maryland’s Data Breach Notification Law Updated

Maryland’s Personal Information Protection Act (PIPA), or Data Breach Notification Law as it’s also known, received substantial updates in late May 2022. The updates expanded on PIPA’s already robust requirements and especially emphasized the need to inform consumers of risks to their personal data. These updates went into effect as of October 2022.

Meta Discrimination Lawsuit Settled for $115K

Facebook makes another appearance on our roundup. In June 2022, a lawsuit against Facebook’s parent company Meta was settled and the company was ordered to pay $115K in fines. According to the Department of Justice, Meta collected highly sensitive and legally protected user data and constructed marketing algorithms based off this information. The DOJ explained that “Meta is liable for disparate impact discrimination because the operation of its algorithms affects Facebook users differently on the basis of their membership in protected classes”. Meta was ordered to develop and implement a legally compliant ad algorithm under court supervision by the end of 2022.

American Data Privacy Protection Act Shows Promise

Individual states have their own privacy laws, but America has yet to pass a federal privacy regulation. That could be about to change. The most recently proposed federal data privacy law, the American Data Privacy Protection Act (ADPPA), has made it the farthest of any law of its kind so far and has enjoyed bipartisan support. It remains to be seen whether it will actually pass. The bill has also generated some controversy as concerns over its ability to override state privacy laws arise. We’ll just have to keep an eye on this one in 2023.

UK Privacy Officials Reprimand Organizations Over DSAR Failures

The UK’s Information Commissioner’s Office (ICO) demonstrated their commitment to DSAR enforcement in September 2022. Seven prominent UK-based organizations were formally reprimanded for their failure to comply with DSAR legal requirements and stonewalling users’ efforts to obtain their data. The ICO’s reprimand highlights several personal stories from users who submitted DSARs and were forced to wait for far longer than the legal time limit, if they received their data at all. The organizations in question were ordered to shape up within 3-6 months or face legal action.

Instagram Fined €405 Million Over Children’s Privacy Violations

Both Meta and the Irish Data Protection Commission (DPC) make another appearance on this list in a story from September 2022. The DPC highlighted Instagram users’ ability to convert a personal account into a business account, which makes more account data visible to other users. The complaint claimed that users under 18 were able to convert their accounts and expose their data to significant risk. In response to this violation, the DPC ordered Meta to pay €405 million (approximately $396.2 million) in fines. Meta responded that the claim was based on settings that were fixed long ago. The case appears to still be ongoing.

UK Lawmakers Debate GDPR Replacement Law

Even after Brexit, the UK still uses the GDPR as its privacy law. The government intends to replace it, but that replacement has been difficult to pin down. Discussions and proposed changes have been in progress since mid-2021. In June 2022, “substantial changes” were announced to previously suggested GDPR alterations. Later, in October 2022, a government spokesperson announced these reform efforts were on hold as they considered other options. This story has the potential to continue developing in 2023 and deserves our attention.

Epic Games Fined $250 Million Over COPPA Violations

Epic Games, creator of the popular game Fortnite, was fined $250 million by the FTC in December 2022. This is the highest fine for breaking an FTC regulation levied to date. Complaints alleged that Epic Games allowed users under 13 to register for and play Fortnite without parental consent, leading to their data being compromised. Epic Games has stated that they will take more precautions to ensure the safety of their underage users and avoid further COPPA violations.

Coming Up in 2023

Data privacy and all laws associated with it present a constantly shifting landscape of ideas and regulations. 2022 was certainly an eventful year in the privacy field. As we move forward into 2023, make sure you’re ready to stay on top of future developments.

For more information on data privacy in 2022, predicted privacy law changes, and how you can keep up, contact us today.