What’s new in privacy?
Below is some of the most notable privacy news from this month:
- Montana Consumer Data Privacy Act (MCDPA) goes into effect. The MCDPA, a comprehensive state privacy law, went into effect on October 1st, 2024. If you or your clients are Termageddon customers, we sent you an email with steps on how to update your policies for this new law. Read our Compliance Guide here.
- Walmart sued for alleged violations of the Video Privacy Protection Act. A class action lawsuit was filed against Walmart alleging that the company violated the VPPA by sharing customer personal data and the titles of videos that they purchased with Meta. The plaintiffs alleged that they never consented to nor agreed to Walmart sharing their video purchase histories with Meta. Read more here.
- Federal Trade Commission announces actions against five AI companies. The FTC suspended operations at three businesses that claimed to help individuals generate passive income by opening eCommerce stores. The FTC also settled with DoNotPay, a company that claimed to provide AI legal services, and with Rytr, an AI writing tool that the FTC stated was used to generate fake product reviews. Learn more here.
- NOYB files a privacy complaint against Mozilla. The digital rights group None Of Your Business (NOYB) filed a complaint with the Austrian Data Protection Authority against Mozilla over tracking user behavior on websites without consent. The complaint centers on a privacy-preserving attribution feature that NOYB claims turned the Firefox browser into a tracking tool for websites without informing or obtaining consent from users. Read more here.
- Colorado Attorney General proposes amendments to the Colorado Privacy Act Rules. The amendments to the Rules will be discussed from September 25th to November 7th. Proposed amendments include:
  - Providing the Attorney General of Colorado with authority to issue opinion letters and interpretive guidance;
  - How businesses may obtain an opinion letter;
  - Purpose, scope and effect of opinion letters;
  - Definition of terms such as Biometric Identifier Notice, Child Employee, Interpretive Guidance, Minor, and Opinion Letter;
  - Requirement for employers to obtain the consent of employees prior to processing Biometric Identifiers.
- Reforms to Australia Privacy Act 1988 introduced. Lawmakers in Australia have proposed reforms to Australia Privacy Act 1988. The reforms would include an enhanced civil penalty regime that would increase enforcement measures and fines for violations, increasing the budget and structure for developing the Children’s Online Privacy Code, and increased transparency requirements for businesses engaging in automated decision-making. Learn more here.
- Car Privacy Rights Act introduced. Senator Jeff Merkley from Oregon has introduced new legislation that would protect consumers’ privacy from companies who collect and sell their car data. The bill would require any company or third party that collects car data to get explicit consent from the consumer to share or sell data. The bill also would require those entities to allow consumers to opt out of the collection of their data entirely. Learn more here.
- FTC report finds that social media and streaming companies engage in “vast surveillance” of individuals. The scathing report claims that social media and video streaming companies collect vast troves of data from users and non-users, profit off of this data, retain the data indefinitely, share it with many third parties, do not provide adequate privacy safeguards, and specifically harm children and teens. Read more here.
- LinkedIn stops processing user data to train AI models in the UK. This development comes after an investigation by the United Kingdom Information Commissioner’s Office. LinkedIn was investigated by the ICO after posting an updated Privacy Policy that stated that it uses personal data to train AI models without explicit consent from the individual. While individuals could opt out of such use, the ICO investigated this practice and LinkedIn determined that it will not continue this practice any longer. Read more here.
- GM updates Privacy Policy over backlash and at least one lawsuit. General Motors has updated its Privacy Policy after it was sued by the Texas Attorney General over failing to adequately disclose the fact that GM sells consumer data to data brokers and insurance companies. The lawsuit alleges that the data sold and shared included when drivers got behind the wheel, how fast they were going, how far they drove, and more. The lawsuit alleged that consumers were confused by more than 50 pages of privacy disclosures and at least six different Privacy Policies. GM responded by combining all of the documents into one Privacy Policy that went more in-depth on how data is handled. Learn more here.
What privacy bills are we tracking?
As part of our service, we keep track of privacy bills that would affect the way Privacy Policies are written. Below is our most recent list of privacy bill proposals in the United States. You can access the privacy bill tracker any time on our blog.
Illinois – IL HB3385;
Massachusetts – MA HD2281/SB745;
Massachusetts – MA HD3263/SD1971;
Massachusetts – MA HD3245;
Pennsylvania – PA SB1279.
Events
Here are some great virtual events that you can attend to learn more about the hottest issues in privacy and meet other privacy professionals:
The EU-US Data Privacy Framework: first anniversary and looking ahead – November 14, 2024;
Pixel perfect: privacy compliance for website tracking technologies – October 17, 2024;
Don’t panic: the privacy professional’s guide to the AI galaxy – November 6, 2024.
That about wraps it up for the month of October. We should also have a new Privacy Lawls episode going out in a few weeks, so be sure to subscribe to Privacy Lawls wherever you listen to your podcasts.
See you next month!