Two new privacy laws were signed into law (Kentucky and Nebraska) and a federal privacy bill has been proposed as well, making this an interesting month in privacy. We also interviewed Michael Power, a privacy attorney and one of the drafters of PIPEDA, Canada’s privacy law, on our podcast, Privacy Lawls. Check out this episode where we discussed the importance of privacy rights here.
What’s new in privacy?
Below are some of the most notable news in privacy from this month:
- Kentucky passes privacy law. On April 4, 2024, the Governor of Kentucky signed KY HB15, a comprehensive privacy law that will go into effect on January 1st, 2026. This privacy law will require certain businesses to have a comprehensive and up to date Privacy Policy and will provide privacy rights to residents of Kentucky. Read the Compliance Guide here.
- Nebraska Data Privacy Act signed into law. On April 17, 2024, the Governor of Nebraska signed the Nebraska Data Privacy Act, enacting this comprehensive privacy law that will go into effect on January 1, 2025. This law provides the right to access, correct, delete, portability, non-discrimination and the right to opt out of profiling, targeted advertising and the sale of personal data to residents of Nebraska. Read the Compliance Guide here.
- Colorado Privacy Act amended. The Colorado legislature has recently passed an amendment to the Colorado Privacy Act adding biological data to the law’s definition of “sensitive data.” This amendment aims to protect residents of Colorado from privacy invasion from tools such as Meta’s wristband, which uses a neural interface to control smart glasses and other devices, and the Neuralink brain implant, which allows an individual to control devices through their thoughts. Learn more here.
- American Privacy Rights Act proposed. A new federal privacy bill has been proposed in the United States, the American Privacy Rights Act. This privacy bill is subject to much debate as it has the effect of pre-empting certain state privacy laws and allows consumers to sue businesses directly for certain privacy violations. Read more here.
- EDPB issues opinion on pay or consent models. The European Data Protection Board has issued an opinion regarding platforms using a consent model that asks individuals to consent to cookies or pay to not be tracked. The opinion stated that in most cases, such a consent model will be in violation of GDPR. The EDPB stated that large platforms should provide individuals with an alternative that does not entail the payment of a fee. Learn more here.
- FTC fines company $7 million for Privacy Policy violations. The Federal Trade Commission has issued an order fining Cerebral, a mental telehealth provider, for Privacy Policy violations. The company disclosed customers’ sensitive personal health information and other sensitive data to third parties for advertising purposes and failed to honor its promise of easy cancellation of the service. The company’s Privacy Policy did not clearly state that users’ personal information would be shared for advertising and stated that personal information would not be shared without customer consent. Learn more here.
- Financial services company sued for allegedly violating BIPA. The financial services company Global Payments has been sued in a class action lawsuit for alleged violations of the Biometric Information Privacy Act. The lawsuit alleges that employees whose businesses used Global Payments had their biometric information collected and stored without their consent. Read more here.
- CNIL fines retail chain 525,000 Euros for GDPR violations. France’s Data Protection Authority, CNIL, has fined a retail chain Hubside.Store 525,000 Euros for spam messages. CNIL claims that the company purchased customers’ personal data from data brokers and then used that data to make unsolicited phone calls and text messages to promote products. CNIL claims that the company failed to obtain valid consent from individuals to target them for marketing calls and text messages. Learn more here.
- Bill signed forcing the sale of TikTok. A law was recently signed that will force the Chinese company ByteDance to divest itself of ownership of TikTok in the next year. If TikTok does not find a new buyer for the company, then TikTok will be banned in the United states. The law stems from concerns that TikTok’s parent company sends sensitive user data to the Chinese government. Learn more here.
- FTC sending refunds to Ring customers. The Federal Trade Commission is sending $5.6 million worth of refunds to customers of the Ring camera who were affected by the company’s allegedly insufficient data security and nonconsensual data use for algorithm tracking. The FTC claims that the lack of security allowed hackers to take control of customers’ accounts, cameras, and videos. Read more here.
What privacy bills are we tracking?
As part of our service, we keep track of privacy bills that would affect the way Privacy Policies are written. Below is our most recent list of privacy bill proposals in the United States. You can access the privacy bill tracker any time on our blog.
- Georgia – GA HB798;
- Georgia – GA S473;
- Hawaii – HI SB1110/HB1497;
- Hawaii – HI SB 974;
- Hawaii – HI S 3018;
- Illinois – IL HB3385;
- Illinois – IL SB3517;
- Kentucky – KY S 15;
- Kentucky – HB24;
- Louisiana – LA HB947;
- Maryland – MD HB 567 / SB 541
- Massachusetts – MA HD2281/SB745;
- Massachusetts – MA HD3263/SD1971;
- Massachusetts – MA HD3245
- Michigan – MI SB659
- Minnesota – MN SF950;
- Minnesota – MN HB2309;
- Nebraska LB 1294;
- New York – NY S2277;
- New York – NY SB365;
- New York – NY SB3162;
- New York – NY AB4374;
- North Carolina – NC SB525;
- Oklahoma – OK HB1030;
- Pennsylvania – PA HB708;
- Pennsylvania – PA HB1201;
- Pennsylvania – PA HB1947;
- Vermont – VT HB121
- Vermont – VT SB 269
- Washington – WA HB1616;
- West Virginia – WV HB5112;
Events
Here are some great virtual events that you can attend to learn more about the hottest issues in privacy and meet other privacy professionals:
- Privacy by the numbers – May 7, 2024;
- Pixels, cookies and website analytics: navigating landmines – May 8, 2024;
- AI in education: addressing biases and discrimination, privacy and surveillance – May 22, 2024.
If you made it this far, you must enjoy your privacy as much as we do. Be sure to subscribe to Privacy Lawls, the podcast where we talk to the biggest names in privacy on a monthly basis. See you there!