The CFPB is permanently banning BloomTech from consumer lending activities and its CEO, Austen Allred, from student lending for a period of ten years.
Allred founded BloomTech in 2017; it rebranded from the Lambda School in 2022 after cutting half its staff.
(According to the CFPB, BloomTech originated “at least” 11,000 such loans.)
BloomTech didn’t market the loans as such, saying that they didn’t create debt and were “risk free,” and advertised a 71%-86% job placement rate.
And, unbeknownst to many students, BloomTech was selling a portion of its loans to investors while depriving recipients of rights they should’ve had under a federal protection known as the Holder Rule.
The European Data Protection Board (EDPB) has published new guidance which has major implications for adtech giants like Meta and other large platforms.
The guidance, which was confirmed incoming Wednesday as we reported earlier, will steer how privacy regulators interpret the bloc’s General Data Protection Regulation (GDPR) in a critical area.
The full opinion of the EDPB on so-called “consent or pay” runs to 42 pages.
However, a market leader imposing that kind of binary choice looks unviable, per the EDPB, an expert body made up of representatives of data protection authorities from around the EU.
“Online platforms should give users a real choice when employing ‘consent or pay’ models,” Talu wrote.
Yet a binary choice (aka “consent or pay”) is exactly what Meta is currently forcing on users in the region.
The European Data Protection Board (EDPB) has been meeting this week to discuss adopting an opinion on so-called “consent or pay”, following a request made back in February by a trio of concerned data protection authorities.
A spokeswoman for the EDPB confirmed to TechCrunch that it adopted an opinion on “consent or pay” on Wednesday morning, saying it will be published later today.
However, the choice Meta gives EU users is a binary one: Either consent to its use of personal data for targeted advertising or pay a monthly fee to access ad-free versions of its social networks.
But on the core issue of whether Meta’s mechanism complies with the EU’s long-standing data protection framework, the Board’s opinion is key.
Additionally, in a notable step last month, the European Union opened a formal investigation into whether Meta’s tactic breaches obligations that apply to Facebook and Instagram under the competition-focused Digital Markets Act (DMA).
The Board’s opinion on “consent or pay” is expected to provide guidance on how the EU’s General Data Protection Regulation (GDPR) should be applied in this area.
It’s worth noting the Board’s opinion will look at “consent or pay” generally, rather than specifically investigating Meta’s deployment.
Nor is Meta the only service provider pushing “consent or pay” on users.
“However, the current ‘Consent or Pay’ model sets in stone a coercive dynamic, leaving users without an actual choice.
Privacy-focused consumer tech company DuckDuckGo launched a new Privacy Pro subscription on Thursday that bundles a VPN service, personal information removal, and identity theft restoration.
This is the company’s first move towards a subscription service built into the DuckDuckGo browser.
With the personal information removal service, DuckDuckGo scans dozens of data broker sites to find details like your name and address.
(At that time, Removaly’s founder, Kyle Krzeski, posted on X that a privacy company acquired the startup without naming it.)
The third feature of DuckDuckGo’s Privacy Pro plan is identity theft restoration, where an advisor would help you recover your identity-related loss around the clock.
The European Data Protection Supervisor (EDPS) has warned key planks of the bloc’s data protection and privacy regime are under attack from industry lobbyists and could face a critical reception from lawmakers in the next parliamentary mandate.
Any shift of approach by incoming lawmakers could have implications for the bloc’s high standard of protection for people’s data.
But he particularly highlighted industry lobbying, especially complaints from businesses targeting the GDPR principle of purpose limitation.
Wiewiórowski did not explicitly blame generative AI for driving the “strong attacks” on the GDPR’s purpose limitation principle.
So any AI-driven weakening of EU data protection laws in the near term is likely to have long term consequences for citizens’ human rights.
Controversial crypto biometrics venture Worldcoin has been almost entirely booted out of Europe after being hit with another temporary ban — this time in Portugal.
The order from the country’s data protection authority comes hard on the heels of the same type of three-month stop-processing order from Spain’s DPA earlier this month.
Portugal’s data protection authority said it issued the three-month ban on Worldcoin’s local ops Tuesday after receiving complaints Worldcoin had scanned children’s eyeballs.
By contrast, EU data protection law gives people in the region a suite of rights over their personal data, including the ability to have data about them corrected, amended or deleted.
As Tools for Humanity’s lead DPA, under the one-stop-shop (OSS) mechanism in the bloc’s General Data Protection Regulation (GDPR), it is responsible for investigating privacy and data protection complaints about the company.
“[W]e await feedback from the Irish Data Protection Commission [DPC], our lead data protection regulator in the EU,” he added.
While Meta’s compliance with the GDPR is led by the Irish DPC, under the regulation’s one-stop-shop.
This structure does not mean the Irish authority gets final say on Meta’s compliance with EU privacy rules, though.
In the case of Meta, this has frequently led to objections from other data protection authorities which have landed stiffer enforcements than the DPC originally proposed.
So who gets the final say on the GDPR compliance of Meta’s consent mechanism is complex too.
Multinational technology giant Fujitsu confirmed a cyberattack in a statement Friday, and warned that hackers may have stolen personal data and customer information.
Fujitsu also did not say what kind of personal information may have been stolen, or who the personal information pertains to — such as its employees, corporate customers, or citizens whose governments use the company’s technologies.
Headquartered in Japan, Fujitsu has about 124,000 employees and serves government and private sector customers globally.
Fujitsu said it reported the incident to Japan’s data protection authority, the Personal Information Protection Commission, “in anticipation” that personal information may have been stolen.
The company has not said whether it has filed required data breach notices with any other government or authority, including in the United States.
“The trajectory of privacy and data protection is at a critical juncture, and it is imperative that all stakeholders, including tech giants like yours, uphold their responsibilities to safeguard these rights.
One of the signatories, Pirate Party MEP Patrick Breyer, summarizes Meta’s demand for a “privacy fee” as “economic coercion”.
noyb has subsequently filed another GDPR complaint against Meta’s model, focused on how easy (or not) it is for people to withdraw consent.
There are also a series of consumer protection complaints in the mix — which argue Meta’s approach breaches EU consumer protection rules.
Completing the circle, consumer rights groups have filed a series of GDPR complaints against Meta’s ‘pay or okay’ model, too.