Data & Privacy News for January 2024

Co-founder and President of Termageddon

Happy New Year! To close out 2023, we made updates to customer policies for the Utah Consumer Privacy Act and interviewed privacy professional Odia Kagan on the differences between data processors and controllers. If you are unfamiliar with these GDPR terms, make sure to check out the episode where we discuss the differences between the two as well as compliance requirements that processors and controllers are required to follow. We hope that you find this newsletter helpful for staying up to date with the myriad changes in the privacy field and wish you a happy and productive 2024!

What’s new in privacy?

Below are some of the most notable news in privacy from this month:

Utah Consumer Privacy Act goes into effect. On December 31, 2023, the Utah Consumer Privacy Act (UCPA) went into effect. The new law provides the following privacy rights to residents of Utah: the right to confirm whether a controller is processing the consumer’s personal data, the right to access, the right to delete, the right to portability, the right to opt out of the processing of personal data for the purpose of targeted advertising, and the right to opt out of sales of personal data. The law also requires companies to provide certain disclosures in their Privacy Policies – Termageddon has released these updates in early December. Learn more here.
UK ICO releases cookie compliance issues letter. The United Kingdom’s Information Commissioner’s Office (ICO) has released to the public a letter that it sent to the UK’s top 100 most visited websites informing them that their cookie consent banners may not be compliant with UK privacy laws. The letter can serve as guidance to other companies in how to avoid violations. Learn more here.
FTC settles complaint with Rite Aid regarding facial recognition technology. The complaint stems from the alleged unfair and discriminatory outcomes from Rite Aid’s practices in using facial recognition to question, detain, and ban customers from stores. As part of the settlement, Rite Aid is banned from using facial recognition technologies for five years. Read more here.
NOYB files a complaint against X. Privacy advocacy group, NOYB, has filed a complaint against X claiming that its ad targeting breached the General Data Protection Regulation (GDPR). The complaint alleges that X unlawfully used people’s political views and religious beliefs to target them with advertisements. This practice may also be a violation of the Digital Services Act, which states that companies must not display targeted ads based on the sensitive data of a user. Learn more here.
Comcast experiences a cyberattack. Comcast has experienced a cyberattack affecting nearly 36 million customers due to a Citrix networking security vulnerability known as CitrixBleed. It appears that customer data, including usernames and hashed passwords were acquired by the attackers. Read more here.
Norway’s DPA fines company NOK10 million for GDPR violations. The fitness club SATS was fined for infringements of GDPR by failing to comply with access and erasure requests. The DPA found that the company also lacked a legal basis for processing certain personal data. Learn more here.
CJEU rules that credit bureau violated GDPR via automated decision-making and data retention. The Court of Justice of the European Union rendered a decision prohibiting automated credit scoring and extended data retention practices under GDPR. The CJEU found that the German credit bureau SCHUFA violated GDPR by retaining certain data for more than six months and by using automated decision-making to determine whether to grant credit to certain customers. Read more here.
23andMe data breach affects 6.9 million individuals. The genetic testing company initially reported that 14,000 individuals were affected by the breach but, apparently, there were 6.9 million affected individuals in total. Hackers accessed the personal information of customers who opted in to the 23andMe DNA Relatives feature and stole data including names, birth years, relationship labels, percentage of DNA shared with relatives, ancestry reports and self-reported location. Read more here.
Major US pharmacies release customer prescription data to the policy without a warrant. The information obtained from the US Department of Health and Human Services Xavier Becerra found that eight of the largest pharmacy chains maintained that they are only required to respond to law enforcement subpoenas, instead of a search warrant signed by a judge. Read more here.
Google takes steps to protect location history. Google has announced that it will shorten the length of time location history stored on its devices, save a person’s timeline of locations on their device and give them the ability to delete that information at any time. Learn more here.

What privacy bills are we tracking?

As part of our service, we keep track of privacy bills that would affect the way Privacy Policies are written. Below is our most recent list of privacy bill proposals in the United States. You can access the privacy bill tracker any time on our blog.

Events

Here are some great virtual events that you can attend to learn more about the hottest issues in privacy and meet other privacy professionals:

Can’t get enough of talkin’ privacy? Be sure to subscribe to our podcast, Privacy Lawls, where we have fun talking to some of the biggest names in privacy.

Thanks for reading!

About the Author

Donata Stroink-Skillrud

Donata is the Co-founder and President of Termageddon and a licensed attorney and Certified Information Privacy Professional. She serves as the Vice-Chair of the American Bar Association's ePrivacy Committee and the Chair of the Chicago Chapter of the International Association of Privacy Professionals.

Search the Site