The latest Privacy & Data Protection News for August 2023

With Oregon joining the state privacy law patchwork, there are even more updates to Privacy Policies coming for next year (as well as the already-scheduled updates for this year). We also launched a new podcast – Privacy Lawls, which will discuss the latest in privacy as well as explore the history of privacy and many other privacy-related topics with some of the best known names in the field. Make sure to check it out and listen here: https://pod.link/1697952198. We hope that you find this newsletter helpful for staying up to date with the myriad changes in the privacy field. 

What’s new in privacy? 

Below are some of the most notable news in privacy from this month: 

1. Oregon SB619 signed into law.  On July 18, 2023, the Governor of Oregon signed Oregon SB619 into law. This law will go into effect on July 1, 2024 and will require certain businesses to have a Privacy Policy that includes the disclosures required by this law and will provide privacy rights to residents of Oregon. To learn more, please read our Oregon SB619 Compliance Guide. 
2. Meta’s Facebook facing AUD10 million fine. The Australian Competition and Consumer Commission brought an action against Meta’s Facebook and Onavo, Inc. to each pay an AUD10 million fine for engaging in conduct liable to mislead the public in promotions for the Onavo Protect App. The fine stems from the allegation that Meta failed to adequately disclose, in its Privacy Policy, that users’ data would be used for purposes other than providing the Onavo product, including the commercial purposes of Meta. Learn more here.
3. FTC fines BetterHelp $7.8 million over sharing data.  The Federal Trade Commission has finalized an order that requires BetterHelp, an online therapy tool to stop sharing sensitive health data for the purpose of advertising. The order also requires BetterHelp to pay $7.8 million for using and disclosing customers’ email addresses, IP addresses and health questionnaire information to Facebook, Snapchat, Criteo and Pinterest for advertising purposes despite promising consumers that it would not do so. Learn more here. 
4. Norway’s DPA banning behavioral advertising by Instagram and Meta. The Data Protection Authority of Norway has banned Instagram and Meta from behavioral advertising, citing that the DPA believes that these practices are illegal. The DPA stated that Meta’s advertising practices affect freedom of expression and information in society and that the tracking is difficult for most people to understand. Learn more here.
5. Report shows 15% increase in data breach costs. A recent analysis of 553 data breaches between March 2022 and March 2023 by IBM Security and the Ponemon Institute shows a 15% increase in the costs associated with a breach. The average cost of a data breach spiked to $4.45 million, with breach detection and escalation costs increasing by 42% during three years. Read more here. 
6. Instagram settles for $68.5 million over alleged BIPA violations. Instagram has recently settled a lawsuit over alleged violations of the Biometric Information Privacy Act, with a total settlement pool of $68.5 million. Residents of Illinois who used Instagram between August 10, 2015 and August 16, 2023 may be eligible to receive a portion of the settlement funds. Read more here.  
7. EU-US Data Privacy Framework finalized. The Framework for transferring data from the European Union has been finalized. The framework provides a number of safeguards regarding the access to data by US public authorities, limiting data access to what is necessary and proportionate to protect national security. In addition, EU individuals will have access to an independent and impartial redress mechanism regarding the collection and use of their data by US intelligence authorities. Read more here. 
8. Colorado Privacy Act enforcement begins. The Colorado Attorney General notified businesses that the Colorado Department of Law will begin enforcing the Colorado Privacy Act. The Attorney General stated that “enforcement is a critical tool to protect consumers’ data and privacy.” The Attorney General’s Office is planning on sending out letters to make businesses aware of the law and to help them comply. If the Office becomes aware that organizations are refusing to comply with the law, then enforcement actions will be taken. Learn more here. 
9. Proposal would ban government entities from purchasing private data. A proposed amendment to the U.S. National Defense Authorization Act would ban government entities from buying private data that would require a police warrant to seize. The proposal focuses on location data, internet search history and web browsing history. Read more here.
10. The European Commission proposes rules to increase GDPR enforcement. The European Union is proposing  procedural rules that would strengthen GDPR enforcement in cross-border cases. The proposal harmonizes requirements for cross-border complaints and streamlines the dispute resolution mechanism. The Commission stated that these changes would mean quicker remedies for consumers. Read more here. 

What privacy bills are we tracking? 

As part of our service, we keep track of privacy bills that would affect the way Privacy Policies are written. Below is our most recent list of privacy bill proposals in the United States. You can access the privacy bill tracker any time on our blog.

• Delaware – DE HB154
• Georgia – GA HB798;
• Hawaii – HI SB1110/HB1497;
• Hawaii – HI SB 974;
• Illinois – IL HB3385;
• Indiana – IN HB 1554;
• Iowa – IA House File 2506;
• Iowa – IA House Study Bill 12;
• Kentucky – KY S 15;
• Louisiana – LA SB199;
• Maine – ME SB807;
• Maine – ME HB1270;
• Maryland – MD HB807;
• Massachusetts – MA HD2281/SB745;
• Massachusetts – MA HD3263/SD1971;
• Mississippi – MS SB 2080;
• Minnesota – MN SF950;
• New Hampshire – NH SB255;
• New York – NY S2277;
• New York – NY SB365;
• New York – NY SB3162;
• New York – NY AB4374;
• New Jersey – NJ S 332;
• New Jersey – NJ A505;
• New Jersey – NJ A 1971;
• North Carolina – NC SB525;
• Oklahoma – OK HB1030;
• Pennsylvania – PA HB708;
• Pennsylvania – PA HB1201;
• Washington – WA HB1616;
• West Virginia – WV HB3453;
• Vermont – VT HB121

Events

Here are some great virtual events that you can attend to learn more about the hottest issues in privacy and meet other privacy professionals: 

1. Somebody’s watching me: surveillance in the face of rapidly accelerating AI – August 17, 2023;
2. The web tracking litigation tsunami: trends, tactics and tales from the trenches – August 30, 2023;
3.  SB262 and privacy in Florida – August 24, 2023.

If you made it this far, there’s a good chance you just can’t get enough of privacy. Be sure to subscribe to our podcast, Privacy Lawls, where we talk privacy with some of the leaders in the industry.