ciso brief

All news with #privacy engineering tag

California Bars Data Broker from Reselling Health Data

🛑 The California Privacy Protection Agency ordered Rickenbacher Data LLC, operating as Datamasters, to stop selling Californians' health and personal information and fined the firm $45,000 for failing to register as a data broker under the California Delete Act. Regulators found Datamasters bought and resold hundreds of millions of records—names, emails, addresses and phone numbers—targeting people by medical conditions, age, perceived race, political views and purchases. The agency ordered deletion of previously acquired California records by the end of December, requires any newly received Californian data to be purged within 24 hours, and imposed five years of compliance measures; CalPrivacy also fined S&P Global $62,600 for an administrative registration lapse.

Texas Court Bars Samsung From Collecting Smart TV Data

⚖️ The State of Texas secured a temporary restraining order against Samsung, barring it from collecting audio and visual data about what Texas consumers watch on Samsung smart TVs using Automated Content Recognition (ACR). The court found the enrollment process deceptive and opaque, relying on 'dark patterns' that make informed consent impractical. The order halts ACR use, sale, transfer, and data collection for Texas-based TVs pending further proceedings.

Texas TRO Briefly Blocks Samsung Smart TV Tracking

🛑 A Texas district court briefly issued a temporary restraining order barring Samsung from collecting audio and visual data from Texas smart TVs under its Automated Content Recognition (ACR) program, citing deceptive enrollment practices and allegations that the Chinese Communist Party could access the information. The TRO, signed Jan. 5, said users were subjected to confusing disclosures and 'dark patterns' that defeat meaningful opt-out and claimed screenshots could be captured roughly every 500 milliseconds. The order initially blocked ACR activity relating to Texas consumers until Jan. 19, but the judge vacated the TRO the next day; the underlying lawsuit remains pending and a hearing is scheduled for Jan. 9.

OpenAI Launches ChatGPT Health with Isolated Data Controls

🩺 OpenAI announced ChatGPT Health, a sandboxed space that lets users discuss health topics and optionally connect medical records and popular wellness apps (Apple Health, Function, MyFitnessPal, Weight Watchers, AllTrails, Instacart, Peloton) for tailored responses, lab-test insights, nutrition advice, meal ideas and suggested workouts. The feature is rolling out to Free, Go, Plus and Pro users outside the EEA, Switzerland and the U.K., and OpenAI says it is designed to support medical care, not replace diagnosis or treatment. Health operates in a silo with purpose-built encryption and isolation; conversations are not used to train OpenAI's foundation models, and connected apps require explicit permission and additional security review.

Wegmans Likely Uses Facial Recognition on Customers

🔎 The New York City Wegmans is reportedly collecting biometric information about customers through in-store cameras and analytics systems. Bruce Schneier highlights that this appears to amount to facial recognition or at least biometric profiling without clear customer notice or consent. The piece raises concerns about transparency, retention policies, and potential misuse of sensitive data. It calls attention to gaps in oversight and urges better disclosure and regulation.

Italy Fines Apple €98.6M Over App Tracking Rules in EU Market

⚖️ Italy's antitrust authority has fined Apple €98.6 million after finding that its App Tracking Transparency (ATT) framework restricted App Store competition by imposing a burdensome double-consent process on third-party developers. The AGCM said Apple used its dominant distribution position to unilaterally set consent rules without consulting developers. Regulators noted they are not contesting Apple's privacy goals but found the ATT consent requirements disproportionate and harmful to ad-supported developers. Apple said it will appeal and defended its privacy protections.

Italy Fines Apple €98.6M Over App Store Tracking Policy

🔔 Italy's competition authority (AGCM) has fined Apple €98.6 million for using App Tracking Transparency (ATT) in a way the regulator says abused its dominant position in mobile app advertising. The AGCM found that ATT requires third-party apps to show a standardized tracking prompt while exempting Apple's own apps, creating a burdensome double-consent process because the ATT prompt does not satisfy GDPR requirements. Apple says it will appeal and continues to defend ATT as a privacy protection.

Cruise Line Bans Smart Glasses to Prevent Covert Recording

🕶️ MSC Cruises has added smart glasses and similar wearable devices to its list of prohibited items in public areas, citing the risk of covert recording and security exposures. The new rule means devices such as Ray‑Ban Meta or Google Glass may be confiscated by ship security if used in restricted spaces. The line argues that smart glasses are harder for bystanders to notice than phones or cameras, increasing privacy concerns. Critics counter the ban restricts helpful features like translation and accessibility.

Texas Sues TV Makers Over Secret Viewing Data Collection

📰 Texas Attorney General Ken Paxton has sued five TV manufacturers — Sony, Samsung, LG, Hisense, and TCL — alleging they used Automated Content Recognition (ACR) to secretly record and transmit users' viewing activity without consent. The complaints filed in Texas state courts claim some TVs capture screenshots every 500 milliseconds, monitor viewing in real time, and send that data to corporate servers where it is allegedly sold for advertising. Paxton also raised concerns that the China-based vendors may be subject to China's National Security Law, potentially exposing U.S. consumer data to foreign authorities. An LG spokesperson declined to comment on the pending matter; other vendors had not responded at the time of reporting.

New Anonymous Phone Service Accepts Only Zip Code Sign-up

🔐 A new anonymous phone service allows users to register with only a ZIP code, forgoing typical identity checks like full address or payment verification. The design prioritizes ease and a veneer of privacy, but it also raises substantial operational and legal questions. Experts warn that metadata, device identifiers, and carrier cooperation can still de-anonymize users. Individuals and organizations should weigh convenience against potential misuse and regulatory scrutiny.

Post Office Avoids £1.1m Fine for Leak of 502 Postmasters

🔒 The Information Commissioner's Office found that an unredacted settlement document related to the long-running Horizon scandal exposed the names, home addresses and postmaster status of 502 litigants on the Post Office website between 25 April and 19 June 2024. The ICO considered a fine just under £1.1m but issued a reprimand under its public sector approach after concluding the breach was not 'egregious'. The regulator criticised the Post Office for lacking documented publishing policies, quality assurance and sufficient staff training; the organisation has offered compensation and 24 months of identity protection and taken steps to remove cached copies and strengthen controls.

ICO Reviews Mobile Games for Children's Code Compliance

🕹️ The UK Information Commissioner's Office has launched a focused review of 10 popular mobile games to assess compliance with the Children’s Code (Age-Appropriate Design Code). The review will scrutinize default privacy settings, geolocation controls, targeted advertising and other design features that could affect children’s privacy. The ICO cited parental research showing high levels of concern about data collection, exposure to strangers and harmful content in mobile games.

US State Attempts to Ban VPNs in Name of Child Safety

🔒 Wisconsin lawmakers are advancing legislation that would require age verification on sites deemed potentially sexual and mandate blocking users who access content via VPNs. The measure, A.B. 105 / S.B. 130, expands definitions of harmful to minors and would force site operators to verify age and detect or block VPN connections. Critics argue it undermines privacy, free expression, and effective safety outcomes, and advocates such as the EFF call the proposal a terrible idea.

AWS Clean Rooms Adds Synthetic Dataset Generation for ML

🔒 AWS now enables AWS Clean Rooms to generate privacy-enhancing synthetic datasets for training regression and classification ML models without exposing raw records. The capability de-identifies subjects in the original data and reduces the risk of models memorizing sensitive information, allowing partners to collaborate on model training while preserving privacy. Typical use cases include campaign optimization, fraud detection, and medical research.

EU 'Chat Control' Shift Should Alarm Businesses Across Europe

⚠️ The EU Council's decision to frame communications scanning as voluntary is being presented as a retreat from plans to weaken end-to-end encryption, but privacy experts warn the danger persists. Campaigners including Patrick Breyer and European Digital Rights (EDRi) say this effectively privatizes Chat Control, enabling companies to deploy error-prone, warrantless client-side scanning. For enterprises and CISOs the main concern is data leakage: false positives could expose confidential documents, code, or strategic plans to outside authorities without corporate consent.

Google adds Pixel-to-iPhone file sharing via Quick Share

📱 Google has made Quick Share interoperable with Apple's AirDrop, enabling two-way file transfers between Pixel devices and iPhones starting with the Pixel 10 family. The implementation uses AirDrop's "Everyone for 10 minutes" direct, device-to-device mode with no server intermediaries. Google says it applied threat modeling, internal security and privacy reviews, Rust parsing to reduce memory risks, and independent NetSPI testing. Users must manually confirm recipients before sharing.

Mozilla Ends Partnership with Onerep After Investigation

🛡️ Mozilla announced it will end its partnership with Onerep and discontinue Monitor Plus on Dec. 17, 2025. Current subscribers will retain access through the wind-down period and receive prorated refunds for any unused portion of their subscriptions. Mozilla said it will continue to offer its free Monitor breach service integrated with Firefox’s credential manager and is focusing on integrating more privacy and security features, including its VPN. The company cited high vendor standards and the realities of the data broker ecosystem as reasons for ending the collaboration after reporting revealed Onerep’s founder maintained ties to other people-search services.

India DPDP Rules 2025 Make Privacy an Engineering Challenge

🔒 India’s new Digital Personal Data Protection (DPDP) Rules, 2025 impose strict consent, verification, and fixed deletion timelines that require large platforms and enterprises to redesign how they collect, store, and erase personal data. The rules create Significant Data Fiduciaries with added audit and algorithmic-check obligations and formalize certified Consent Managers. Organizations have 12–18 months to adopt automated consent capture, verification, retention enforcement, and data-mapping across cloud, on‑prem, and SaaS environments.

When Romantic AI Chatbots Can't Keep Your Secrets Safe

🤖 AI companion apps can feel intimate and conversational, but many collect, retain, and sometimes inadvertently expose highly sensitive information. Recent breaches — including a misconfigured Kafka broker that leaked hundreds of thousands of photos and millions of private conversations — underline real dangers. Users should avoid sharing personal, financial or intimate material, enable two-factor authentication, review privacy policies, and opt out of data retention or training when possible. Parents should supervise teen use and insist on robust age verification and moderation.

Why Chief Trust Officers Are Emerging and How CISOs Fit

🤝 Organizations are creating a chief trust officer (CTrO) to elevate trust as a business differentiator, responding to breaches, product-safety worries and AI-related uncertainty. The CTrO typically complements the CISO by focusing on reputation, ethics, transparency and customer confidence while CISOs retain technical controls, incident response and security operations. Leaders stress the role must produce measurable outcomes and avoid becoming mere 'trust theatre' by tracking signals such as customer sentiment, retention and external certifications.