In this edition of AdGuard’s Digest: Meta’s surveillance-fueled ads face pushback in the EU, Google gives users more data controls, while its attempt to stop ‘incognito mode’ lawsuit fails, TikTok-linked app (allegedly) collects biometric data without consent, India adopts privacy law, as connected cars become first target of California’s privacy watchdog.

Meta fights Norway’s fine over surveillance-based ads, as pressure increases

Meta, the owner of Facebook and Instagram, is trying to stop a Norwegian regulator from fining it $97,000 a day from August 14 for at least three months. The fine is for monitoring users online without their consent and then targeting them with highly personalized ads. While $100,000 a day is peanuts for Meta, Norway’s move could have far-reaching consequences for Mark Zuckerbeg’s brainchild. That’s because Oslo plans to refer its decision to the European Data Protection Board, which can make it permanent and extend it to most of Europe.

In an effort to prevent this, Meta is now seeking an injunction against the order, pending a court hearing scheduled for the end of August. The threat of a fine and looming EU-wide privacy legislation has already prompted Meta to change its pretext for collecting data for “behavioral advertising” from “legal interests” to "user consent." But because it’s unclear when and how Meta will start asking for that consent, Norway is pushing ahead with the fine. Another country taking Meta to task is the UK. The British watchdog is furious with Meta’s decision to allow users throughout the EU and EEA to decide whether they want to opt in to behavioral advertising, but not in the UK.

Meta’s ad-based business model is under increasing pressure, as the concerted efforts of European data protection authorities to limit covert data collection are finally yielding results. Meta is being compelled to make its data collection practices more transparent and give users more of a choice. But the company’s combativeness in response to these new challenges also reveals its desire to do business as usual, which means we're in for a tough fight.

Google makes it easier to wipe your personal data off search

Google has made it easier for users to find and erase results that include their personal information, such as phone number, home address, and email from Google Search. Users will be able to receive alerts when this information appears anywhere on the Web, and request that it be removed using the revamped “results for you” tool in their Google account. One thing to keep in mind, though, is that in order for Google to be able to monitor such information, it needs to be privy to it first.

In addition, Google will also allow users to request the removal of their explicit images from search, even if they originally posted them. The previous version of the policy only allowed for the removal of non-consensual explicit images.

While it’s great that users will have more control over their data with this new feature, it’s important to remember that this data will not be wiped from the face of the Internet. While it may be harder to find certain information about you on Google, it is still accessible on the websites where it has been posted. Moreover, it can also be accessed through other search engines, such as Bing.

California privacy watchdog takes on data-hungry cars

The California Privacy Protection Agency (CPPA), a privacy watchdog created to enforce California’s landmark privacy law, is taking on the burgeoning industry of Internet-connected vehicles. The target of its new investigation is the data collection practices of automakers, who are stuffing cars with cameras, sensors, and built-in apps. They do this to provide cutting-edge service, but also to learn about users and share their data with third parties, such as insurance companies.

Depending on the settings, the personal information of drivers and passengers that becomes known to manufacturers can include their location, voice data and images. Manufacturers also enrich this information with data from other sources to build a detailed profile of the users. The California watchdog wants to know how automakers handle this sensitive data and whether their privacy practices comply with California’s strict data protection requirements.

We have written about the risks of Internet-connected cars and how the amount of electronics they now have is a double-edged sword. It gives automakers and any third parties they share user data with unprecedented control over the vehicles, up to being able to remotely repossess them in the future.

TikTok-linked app accused of collecting biometric data without consent

CapCut, a video-editing app owned by TikTok parent, ByteDance, has been accused of harvesting users’ biometric data, such as face scans and voiceprints, without their consent. The lawsuit filed with the court in the US state of Illinois claims the company made the app’s privacy policy deliberately vague, so that users could not understand what they were agreeing to. The suit also mentions that apart from biometric data, the app also collects information about users’ location, gender and birthday to target them with ads.

The lawsuit accuses ByteDance of “unjustly profit[ing] from the secret harvesting of a massive array of private and personally identifiable CapCut user data and content that they can use for targeted advertising.” The complaint also alleges that the company has ties to the Chinese government, and that any data shared with CapCut could potentially end up in Beijing’s hands. ByteDance has repeatedly denied that it does the bidding of the Chinese Communist Party.

ByteDance has been in hot water before for spying on journalists through TikTok, so it will always be under suspicion as far as its data collection practices go. But regardless of the country of origin, social media in general thrive on user data because they need it to serve ads. Collecting that data, often in secret, is part and parcel of their operation. This is the risk that users must accept when using these apps.

Lawsuit accusing Google of tracking in ‘Incognito mode’ goes forward

If you thought browsing the web in ‘incognito mode’ would protect your privacy from Google, think again. A judge has ruled that a lawsuit accusing Google of secretly tracking users even when they are in ‘incognito mode’ can proceed. The lawsuit, filed in 2020, alleged that Google hid the fact that its tools, such as Google Analytics and Ad Manager, which are used by 70% of websites, allow it to track users even when they are surfing the web ‘incognito.’

Google has denied the allegations and argued that it clearly informs users that ‘incognito mode’ only prevents other people who use their device from seeing their activity, not Google or the websites they visit. However, Judge Yvonne Gonzalez Rogers ruled that the $5 billion lawsuit can move forward. It means it will either go to trial or have to be settled. Justifying her decision, Rogers said that the plaintiffs managed to prove that their data is a commodity, which Google forced them to give up for free. The judge also said that the burden was on Google to prove that it had obtained explicit consent from users, and that does not appear to be the case.

Labels such as “incognito” may indeed lead users to believe that everything they do in this mode remains top secret. But this is not the case: users’ browsing activity is still tracked by the websites and could potentially be combined with their “regular” browsing history. Regardless of the outcome of this lawsuit, the good news is that more people will now be aware of this trickery.

India inches closer to having its own privacy law

The US might not have its federal privacy law yet, but India is on the brink of finally having one. That is after the upper house of the Indian parliament passed the country’s data protection bill, that how user data can be transferred and used, and penalties for violations.

Among other things, The Digital Personal Data Protection Bill gives the right to the government to limit access to certain information for the cause of public good, and block access to specific sites and platforms if they repeatedly break the law. As the bill was going through the legislative process, it has been somewhat watered down. In particular, companies that deal with personal data now are generally allowed to transfer it abroad for processing, except for some countries that will be blacklisted. The bill still drew backlash from privacy groups, arguing it gives too much power to the government, and does not include “any meaningful safeguards against overbroad surveillance.”

Having a controversial privacy bill is better than having none, so despite its flaws, its approval is a positive sign. However, a lot depends on how it will be implemented.