CDP Institute

Google had a bad fall kick off, tackled with a €325 million ($379 million) fine from France's CNIL for not obtaining user consent for tracking. (Clothing retailer Shein was fined €150 million [$175 million] in the same ruling.) Plus, Google must pay $425 million for collecting user data after customers disabled a tracking feature. On the bright side for Google, it evaded $31 billion in damages plaintiffs wanted.

Mind if Anthropic changes the rules on how its AI tool Claude uses your data? Well, not up for discussion: the new plan is for your conversation to train its AI and for Anthropic to keep your data for up to five years. You do have the option to opt-out by September 28.

The EU and Brazil are establishing data adequacy protocols to strengthen economic ties and facilitate data transfers. This is one of the broadest agreements offered by the EU and recognizes Brazil’s strict privacy protection in keeping with GDPR. In the EU, the decision will require approval from EU member states.

It took a little prompting and a Reuters investigative report, but Meta’s decided teen safety could be a good thing, so it’s going to start training its AI chatbots not to engage with teen users on self-harm, suicide, disordered eating, or potentially inappropriate romantic conversations. That is of course good, although Meta could have done even better to be proactive about it.

While the company claims personal credit information was not compromised, hackers did get names, birth dates, and social security numbers.

What to say when your government moves your most sensitive data to a vulnerable cloud server?? The Department of Government Efficiency (DOGE) which is not exactly US government, but empowered to disrupt, moved a copy of 450,000,000+ records of citizen social security records to an unsecured cloud site, according to an agency whistleblower. Big problem? Not unless you mind your sensitive financial and health data potentially accessible to the public.

A June Google breach attributed to a hacker group, has put the data of 2.5 billion Gmail users, stored in a Google database managed by Salesforce, at risk. While no passwords were stolen, data from the breach has already been seen on forums and users are reporting phishing attacks and fraudulent text & phone outreach.

Massachusetts’ newly signed Shield Act 2.0 is designed to strengthen a 2022 law by prohibiting business entities operating in the state from disclosing information on legally protected health care services, including reproductive health, abortion, or gender-affirming care. It goes into effect in November.

With less than three months to enforcement mid-December, the Australian government has published findings of a study that determined companies there should be able (with reasonable certainty) to accurately verify age to ensure under-16s can’t access social media. There are of course risks of false positives or false negatives and questions about how companies will comply, given they won’t be told what verification products to use.

The initiative was led by privacy group noyb (None of Your Business).