Privacy and Data Protection News for March 2024

What’s new with privacy? Glad you asked!

First, be sure to take a listen to our new Privacy Lawls episode where we speak with privacy attorney Helen Oscislawski about whether or not you should trust healthcare apps with your data: https://termageddon.com/podcast/ep-10-can-you-trust-healthcare-apps-with-your-data-guest-helen-oscislawski/.

We hope that you find this blog helpful for staying up to date with the myriad changes in the privacy field!

What’s new in privacy? 

Below are some of the most notable news in privacy from this month: 

1. State appeals court rules first CPRA regulations are enforceable. The California 3rd District Court of Appeals has ruled that the CPPA can begin to enforce the regulations for the California Privacy Rights Act. If you are using the Termageddon Privacy Policy generator for CPRA-ready Privacy Policies, the generator has included the CPRA regulations prior to their initial enforcement date. Learn more here. 
2. California Chamber of Commerce petitions for CPRA regulations review.  The California Chamber of Commerce has petitioned the California Supreme Court to review the decision allowing the California Privacy Rights Act regulations to be enforced. THe Chamber of Commerce is arguing that the CPPA failed to develop the final regulations on time and should not be allowed to begin enforcement until the completion of the one year grace period. Learn more here. 
3. Ireland’s High Court to allow Schrems into Meta case. Ireland’s High Court will allow NOYB’s Max Schrems to participate in two cases connected to Meta being barred from transferring the personal data of European Union residents into the United States. In this role, Max Schrems will be allowed to make arguments in two cases over data transfers by Meta. Learn more here. 
4. Poland’s Data Protection Authority announces compliance inspection plan. Poland’s Data Protection Authority has released a plan to inspect the following types of data processing for compliance with GDPR: (1) processing of personal data through the use of web applications; (2) authorities process personal data in the Schengen Information System and the Visa Information System; (3) Correct fulfillment of the information obligations by private entities. Read more here. 
5. Bavaria’s Data Protection Authority announces results of cookie banner inspection. Bavaria’s Data Protection Authority inspected 1,000 websites and found that one third of such websites had cookie banners that did not comply with applicable privacy laws. The DPA used automatic measures to scan websites for cookie banner non-compliance. The violations consist of the use of dark patterns to entice users to accept tracking cookies. Read more here.
6. Temu faces a privacy class action lawsuit. The lawsuit alleges that the online retailer violated multiple privacy laws by installing malware and spyware to collect information such as biometrics, passwords, contacts, calendars, photo albums, social media accounts, geolocation, chats and texts. The lawsuit also alleges that the Temu app can access phone cameras and microphones to spy on individuals. The lawsuit alleges that Temu took actions to purposefully cloak and obscure the actions that the app takes to collect personal information and does not provide adequate information to consumers as to what information the app collects. Read the Complaint here. 
7. Connecticut Attorney General publishes report on the Connecticut Data Privacy Act. The Report states that the Attorney General has sent over a dozen notices of violations of the Act focusing on: (1) the lack of appropriate Privacy Policy disclosures; (2) Privacy Policy disclosures that do not sufficiently inform Connecticut residents of their privacy rights, (3) confusing Privacy Policy disclosures, (4) Lack of rights mechanisms, (4) burdensome rights mechanisms, and (5) broken or inactive rights mechanisms. Read the full report here. 
8. FTC fines software provider $16.5 million over privacy issues. The Federal Trade Commission has issued a $16.5 million fine to software provider Avast over alleged unfulfilled privacy claims. Avast indicated that its products would block third-party tracking while collecting, retaining and selling the data without proper notice or consent. However, the FTC found that the software led to the sale of user browsing data without consent. Learn more here. 
9. Doordash hit with a $375,000 fine. The California Attorney General has reached a settlement with the Doordash app over CPRA and CalOPPA violations. The fine was issued due to Doordash failing to provide consumers with an opportunity to opt out of the sale of their personal information and failing to provide consumers with information that their data will be sold. Learn more here. 
10. European Commission investigates TikTok over potential DSA violations. The European Commission has launched an inquiry as to whether TikTok violates the Digital Services Act. The investigation will focus on whether TikTok’s algorithms lead to addictive engagements, if adequate default privacy settings are in place and whether TikTok provides a searchable database of advertisements on its platform as required by the DSA. Read more here.

What privacy bills are we tracking? As part of our service, we keep track of privacy bills that would affect the way Privacy Policies are written. Below is our most recent list of privacy bill proposals in the United States. You can access the privacy bill tracker any time on our blog.

• Georgia – GA HB798;
• Georgia – GA S473;
• Hawaii – HI SB1110/HB1497;
• Hawaii – HI SB 974;
• Hawaii – HI S 3018;
• Illinois – IL HB3385;
• Illinois – IL SB3517;
• Kentucky – KY S 15;
• Kentucky – HB24;
• Kentucky – HB15;
• Maine – ME SB807;
• Maine – ME HB1270;
• Maryland – MD HB 567 / SB 541
• Massachusetts – MA HD2281/SB745;
• Massachusetts – MA HD3263/SD1971;
• Massachusetts – MA HD3245
• Michigan – MI SB659
• Minnesota – MN SF950;
• Minnesota – MN HB2309;
• Nebraska LB 1294;
• New Hampshire – NH SB255;
• New York – NY S2277;
• New York – NY SB365;
• New York – NY SB3162;
• New York – NY AB4374;
• North Carolina – NC SB525;
• Oklahoma – OK HB1030;
• Pennsylvania – PA HB708;
• Pennsylvania – PA HB1201;
• Pennsylvania – PA HB1947;
• Vermont – VT HB121
• Vermont – VT SB 269
• Washington – WA HB1616;
• West Virginia – WV HB5112;

Events

Here are some great virtual events that you can attend to learn more about the hottest issues in privacy and meet other privacy professionals: 

1. Children’s Privacy – what you need to know now and into 2024 – March 7, 2024.
2. TIPS Cybersecurity Data Privacy Conference – March 14, 2024 to March 15, 2024.
3. Explore SciTech: A Virtual Fireside Chat with the ePrivacy Law Committee – March 19, 2024; 
4. Cloud/Privacy/AI: Trends and Legal Implications: March 14, 2024.

That’s it for this month. Hope you found this helpful and we’ll see you in April!