Privacy & Data Protection News for October 2023

It has been a busy month in privacy.

We recently released a new episode of the Privacy Lawls podcast, where we talk with attorney Rian Kinney about why you should care about privacy. You can listen to the episode here: https://termageddon.com/podcast/why-you-should-care-about-privacy-or-else/. We hope that you find this newsletter helpful for staying up to date with the myriad changes in the privacy field. 

What’s new in privacy? 

Below are some of the most notable news in privacy from this month: 

1. Poland’s Data Protection Authority investigating OpenAI.  Poland’s Data Protection Authority has opened an investigation into OpenAI’s ChatGPT. The investigation stems from a complaint alleging that ChatGPT violates multiple provisions of GDPR, including processing data in an unlawful and unreliable manner. Learn more here. 
2. Delaware Personal Data Privacy Act passed. On September 11, 2023, the Governor of Delaware passed DE H 154, which will go into effect on January 1, 2025. The law provides privacy rights to residents of Delaware such as the right to correct, delete, portability, and to opt out of certain processing of data such as processing for targeted advertising. Read the compliance guide here.
3. FTC Commissioner nominees call on Congress to pass privacy regulations.  During a confirmation hearing, the three nominees to the Federal Trade Commission asked Congress to pass regulations on privacy, data brokers and artificial intelligence. The nominees stated that it is crucial that Congress pass a federal privacy bill. Learn more here. 
4. UK-US Data Bridge becomes law. With the Data Bridge, which goes into effect on October 12, 2023, organizations in the UK will be able to transfer personal data to US organizations certified to the “UK Extension to the EU-US Data Privacy Framework” without the need for future safeguards. Companies will need to certify to the Data Privacy Framework List to be able to transfer the data. Read more here.
5. The Office of the Privacy Commissioner of Canada alleges Canada Post violated the Privacy Act.  An investigation and report claims that Canada Post collected personal data without consent and built a marketing database with personal information pulled from mail items in violation of the Privacy Act. Read more here. 
6. Federal judge issues injunction against California Age-Appropriate Design Code Act. The US District Court for the Northern District of California granted a preliminary injunction against the California Age-Appropriate Design Code Act, citing that the Act likely does not “pass constitutional muster” and is likely violating the first amendment. Read more here.
7. Ireland’s Data Protection Commission issued a 354 million Euro fine against TikTok. The fine stems  from two pop-up notifications that were shown to children and alleges that the pop-up options failed to present options to the user in an objective and neutral way. TikTok has three months to correct the alleged violations of GDPR concerning personal data processing, data protection by design and by default, and transparency. Learn more here. 
8. California Legislature passes Delete Act. The Delete Act, if signed by the Governor, will allow residents of California to make a single data deletion request across approximately 500 registered data brokers in the state. Learn more here.
9. Sweden’s Data Protection Authority fines insurance company SEK35 million over privacy violations. The fine stems from the insurance company allegedly sending a potential customer an email with links to insurance information. The email contained clickable links allowing the potential customer to access the information of other customers. Read more here. 
10. NOYB files a complaint against French apps. Privacy advocacy group NOYB filed complaints in France alleging that multiple apps, including an electronic store, real estate app and health app illegally accessed and shred users’ personal data for analytics. Read more here. 

What privacy bills are we tracking? 

As part of our service, we keep track of privacy bills that would affect the way Privacy Policies are written. Below is our most recent list of privacy bill proposals in the United States. You can access the privacy bill tracker any time on our blog.

• Delaware – DE HB154
• Georgia – GA HB798;
• Hawaii – HI SB1110/HB1497;
• Hawaii – HI SB 974;
• Illinois – IL HB3385;
• Indiana – IN HB 1554;
• Iowa – IA House File 2506;
• Iowa – IA House Study Bill 12;
• Kentucky – KY S 15;
• Louisiana – LA SB199;
• Maine – ME SB807;
• Maine – ME HB1270;
• Maryland – MD HB807;
• Massachusetts – MA HD2281/SB745;
• Massachusetts – MA HD3263/SD1971;
• Mississippi – MS SB 2080;
• Minnesota – MN SF950;
• New Hampshire – NH SB255;
• New York – NY S2277;
• New York – NY SB365;
• New York – NY SB3162;
• New York – NY AB4374;
• New Jersey – NJ S 332;
• New Jersey – NJ A505;
• New Jersey – NJ A 1971;
• North Carolina – NC SB525;
• Oklahoma – OK HB1030;
• Pennsylvania – PA HB708;
• Pennsylvania – PA HB1201;
• Washington – WA HB1616;
• West Virginia – WV HB3453;
• Vermont – VT HB121

Events

Here are some great virtual events that you can attend to learn more about the hottest issues in privacy and meet other privacy professionals: 

1. Cloud/AI/Privacy: Trends and Legal Obligations – October 26, 2023; 
2. Changes to European Cyber Security Requirements – Have you cracked it? – October 19, 2023; 
3. ePrivacy Committee Meet and Greet – October 5, 2023.

That’s it! You’re all caught up on the privacy news.

Want more? Be sure to subscribe to our podcast, Privacy Lawls, where we talk privacy with some of the leaders in the industry.