Dear readers,
Welcome to this edition of the Privacy Corner Newsletter where we bring you the latest updates on privacy-related news. Let’s dive right in:
Nice try: General court shuts down Meta’s challenge to EDPB ‘consent or pay’ opinion
The EU’s General Court recently dismissed Meta’s attempt to annul an opinion from the European Data Protection Board (EDPB) regarding ‘consent or pay’ models. Meta’s action sought to overturn EDPB Opinion 8/2024, which addressed valid consent for such models used by large online platforms. However, the Court ruled that the opinion is not legally binding and therefore cannot be challenged directly by Meta.
In case T-319/24, Meta’s challenge was based on Article 263 of the Treaty of the Functioning of the European Union (TFEU), which allows for the judicial review of certain EU acts. Despite the ruling, Meta can still challenge any subsequent binding decisions made by national DPAs based on the EDPB opinion.
Broken cookie mechanism and excessive ID requirements land Todd Snyder a $345k CCPA fine
Fashion retailer Todd Snyder, Inc. has agreed to pay a $345,178 fine and revamp its privacy practices to settle allegations by the California Privacy Protection Agency (CPPA) for violating the CCPA. The company had a broken cookie preferences center on its website for 40 days, preventing users from opting out of the sale or sharing of their personal information. Additionally, Todd Snyder required excessive verification, including a government-issued photo ID, for opt-out requests.
Under the settlement, Todd Snyder must make significant changes to its opt-out mechanisms, verification procedures, and employee training to ensure compliance with the CCPA.
EDPB greenlights short extension for UK adequacy—just this once
The European Data Protection Board (EDPB) has approved a six-month "technical extension" of the UK’s current EU adequacy decisions, extending the expiry date to December 27, 2025. This extension is to allow the UK to finalize its ongoing data protection and privacy reforms through the Data (Use and Access) Bill (DUAB) before a full assessment of the UK’s data protection standards.
While this extension is a one-time measure, businesses relying on UK adequacy should stay informed about the progress of the DUAB through the legislative process.
That’s all for this edition. Stay tuned for more privacy updates in the future!
Best regards,
[Your Name]
