Why Privacy Settings Can’t be Set to “Consent” by Default
On September 14, South Korea’s Personal Information and Protection Commission (the “Commission”) announced it will levy more than $70 million in fines against Alphabet Inc.’s Google (Google) and Facebook’s parent Meta Platforms Inc. (Meta) over alleged privacy violations. According to the Commission, these companies collected and utilized personal information for targeted advertising without obtaining user consent.
The Wall Street Journal reports that Google failed to inform South Korean consumers about the collection of their personal information when they entered their data into new account signup pages. Additionally, the data storage settings were limited in scope at the time, and the setting for consent was set to “agree” by default since 2016. Similarly, Facebook’s new account sign-up page did not disclose the intended uses of a person’s data and did not request consent for this usage.
According to Yoon Jong-in, chairperson of the Personal Information Protection Commission, “accumulation of user-specific data collection activities can result in serious privacy violations . . . In that respect, we consider these acts to be grave violations.”
Due to the seriousness of their alleged violations, Google will be fined 69.2 billion won, which is the equivalent of $49.6 million, and Meta will be fined 30.8 billion won, which is the equivalent of $22.1 million. Additionally, the Commission ordered the companies to ensure that users can “easily and clearly” understand and exercise their consumer rights to their personal information.
In response, Google and Meta have released statements. Google’s spokesperson reportedly stated, “we’ve always demonstrated our commitment to making ongoing updates that give users control and transparency, while providing the most helpful products possible. We remain committed to engaging with the PIPC to protect the privacy of South Korean users.”
A Meta spokesperson said “while we respect the commission’s decision, we are confident that we work with our clients in a legally compliant way that meets the processes required by local regulations. As such, we do not agree with the commission’s decision, and will be open to all options including seeking a ruling from the court.”
The Commission is not the only international organization to take action against data privacy violations. On September 15, 2022, Ireland’s Data Protection Commission issued a €405 million fine, which is reportedly the second largest fine the European Union has ever assessed, against Instagram for allegedly mishandling children’s data or data relating to children.
As such, organizations should be sure to comply with all applicable data practices and guidance to ensure that their business can be shielded from similar regulatory scrutiny.
* * * * * * *
For ADCG’s Breach Report and more news updates discussing: Phishing Attacks on the Rise and other Data Privacy Trends in Asia; California Governor Signs New Law Protecting Children’s Privacy and IAPP’s Review of the Proposed Changes to the Federal Data Privacy Act, click here.
To browse through our previously published articles and news alerts, please visit our website, and don’t forget to subscribe to receive free weekly Data and Cyber Governance news and Breach Reports directly to your email.
This week our guest, Cory Simpson, Founder & CEO of Gray Space Strategies LLC, will join our host Jody Westby to discuss the relationship between privacy, cybersecurity, and national security. New episodes are generally released each week, here. They can be enjoyed on Spotify and Apple Podcasts. Don’t forget to subscribe!
Our most recently released episodes:
77 | Privacy & Cybersecurity Whistleblowers: A New Trend?
76 | Privacy Governance v. Cybersecurity Governance
75 | Cybersecurity and Cyber Insurance: Claims, Costs, and Chaos
Next week’s guest, Carlos Solari, VP of Product for SecureG, Inc., will be on to discuss 5G availability, how an orchestrated 5G attack could occur, how to rethink the security problem with 5G, and how 5G is connected to national security.