Banner image with a qwerty keyboard showing a red sell button where the enter button should be as well as a title saying biggest privacy fails of 2021

Calling Out 3 of the Biggest Privacy Fails of 2021

Privacy Awareness Week 2022 runs from 2-8 May. To highlight this year’s theme: Privacy – The Foundation of Trust, we’re highlighting some of the biggest privacy fails of 2021: 

3 of the Biggest Privacy Fails of 2021: Privacy 108’s Picks

Mark Zuckerberg and the Metaverse Targeting Teens 

An April 2021 report by Reset Australia made headlines when it revealed that Meta (formerly Facebook) allowed targeted advertising to 13-18-year-olds for gambling, smoking, and extreme weight loss for as little as $3.03.  

In a July 27 response, Meta claimed that “starting in a few weeks, we’ll only allow advertisers to target ads to people under 18 (or older in certain countries) based on their age, gender and location”. It also noted that it would remove targeting options based on interests or young people’s activity on other apps and websites.  

While it appears to have removed third-party options for targeted advertising, Meta still engages in targeted advertising to teens and young children opting to use a highly-trained AI Delivery System to deliver the advertising instead. According to the November report by Reset Australia (and others), this may result in worse outcomes for children and teens.  

“Replacing ‘targeting selected by advertisers’ with ‘optimisation selected by a machine learning delivery system’ does not represent a demonstrable improvement for children, despite Facebook’s claims in July. … This practice is especially concerning, given ‘optimisation’ might mean weight loss ads served to teens with emerging eating disorders or an ad being served when, for instance, a teen’s mood suggests they are particularly vulnerable.” – Text from a cross-industry Open Letter to Mark Zuckerberg. 

Meta responded to the November research by stating that it no longer used the data it collected to target teens and younger children with individualised advertising. However, the company stopped short of explaining why it continues to collect data on children and teens.  

Given Meta’s poor track record of responding to user concerns, we aren’t optimistic about it self-regulating (even though 82% of 16–17-year-old respondents to a recent survey indicated that they have felt uncomfortable with targeted advertising). We’re watching with interest to see whether Meta is held accountable by any regulators around the world for its continuing targeting of young people – or if any future legislative changes might interrupt the practice.    

Florida Healthy Kids Fails to Patch Vulnerability for 7 Years 

2021 was the second-worst year on record for healthcare data breaches in the US. While the Accellion breach was the largest, the Florida Healthy Kids Corporation (FHKC) breach wasn’t far behind – with 3.5 million records breached.  

What’s notable about the FHKC breach is that it was caused by the failure of a third-party website hosting vendor to patch vulnerabilities for more than 7 years.  Hackers could access, and in some cases manipulate, information for this entire period – between 2013 and December 2020. (The data breach wasn’t reported until 2021, which is why it falls under this year.) 

The specific vulnerability exploited by hackers allowed them to access personal and sensitive information provided by respondents to an online application for Florida KidCare benefits and those renewing their health or dental coverage. 

Hackers accessed full names, birth dates, email addresses, telephone numbers, geographic information, Social Security numbers, and financial information, amongst other information.  

This highlights the importance of vetting and auditing third-party vendors 

Flo Health App Secretly Sells Intimate User Details 

The FTC announced a settlement with Flo Health Inc in July 2021, requiring the app to obtain affirmative consent of users before sharing their personal health information with others. This settlement was in response to a flood of complaints that the data of more than 100 million users were being sent to Facebook, Google and other marketing firms without user consent.  

Given that the Flo app collected information such as when users had sexual intercourse, whether it was protected or unprotected, and whether they experienced certain common symptoms throughout their menstrual cycle, users (understandably) felt ““outraged”, “victimized”, and “violated”” by the sharing of information.  

Users trusted the Flo app because it stated in its privacy policy that it would not share information “for any other purpose except to provide services in connection with the App”.  

As part of the FTC settlement, the Flo app is prohibited from misrepresenting the purposes for which is collects, maintains, uses, or discloses data and the extent to which users can control the use of their data.  

Bonus 2021 Privacy Fail: Grindr’s Dark Patterns Data Breach  

Grindr’s poor privacy practices, which lead to a 6.5 million Euro fine, also top our privacy fails list for 2021. You can read more about it in our blog post. 

If you’re concerned about your organisation’s privacy practices, contact us using the form below. Our experienced privacy lawyers regularly work with companies, universities, and other organisations to develop robust privacy programs and policies.

  • We collect and handle all personal information in accordance with our Privacy Policy.

  • This field is for validation purposes and should be left unchanged.

Privacy, security and training. Jodie is one of Australia’s leading privacy and security experts and the Founder of Privacy 108 Consulting.