The Latest Privacy & Data Protection News for September 2023


Photo of author

Donata Stroink-Skillrud

Co-founder and President of Termageddon

As the Quebec Law 25 went into effect on September 1, 2023, we have emailed all customers regarding updates to their Privacy Policies, which were made in August. We also posted a new episode of Privacy Lawls, where our President, Donata Stroink-Skillrud, spoke with Debbie Reynolds (the Data Privacy Diva) about the history of privacy post-Internet. You can listen to the episode and learn more about the history of privacy as well as the latest developments here: We hope that you find this newsletter helpful for staying up to date with the myriad changes in the privacy field. 

What’s new in privacy? 

Below are some of the most notable news in privacy from this month: 

  1. Court dismisses privacy class action lawsuit appeal.  The Insurance Corporation of British Columbia has lost its appeal to a privacy class action lawsuit. The company will have to pay damages over privacy violations after an employee unlawfully collected and sold customer license plate numbers to thieves who then broke into the cars. Read more here.
  2. Australian Privacy Commissioner publishes new study. The Office of the Australian Privacy Commissioner has published a new study where 1,916 Australian adults were surveyed about their privacy attitudes. The study found that 90% of respondents have a clear understanding of why they should protect their personal information, 82% of respondents care enough about protecting their personal information to do something about it and, after quality and price, data privacy is the third most important factor when choosing a product or service. Learn more here.  
  3. BIPA class action lawsuit filed against Pepsi. The class action lawsuit alleges that the company violated the Biometric Information Privacy Act (BIPA) by failing to get proper consent prior to collecting the voiceprints of employees. The lawsuit alleges that the voiceprints were collected from warehouse workers who were required to use voice-recognition software as they packaged items. Learn more here.
  4. Norway’s Data Protection Authority issues guidance for website analytics and tracking.  The guidance states that analytics and tracking tools often collect personal data and thus should be compliant with GDPR, that the collected data should be minimized, that cookie consent banners should not be completely relied upon, and that analytics and tracking companies should not share data with third parties. Learn more here. 
  5. UK Information Commissioner’s Office publishes guidance on bulk email communications. The guidance states that using the BCC function may lead to privacy violations and that organizations should not use the BCC function when sending sensitive personal data electronically. Read more here.
  6. CPPA Board publishes draft CPRA regulations. The California Privacy Protection Agency Board has published a draft of California Privacy Rights Act regulations for cybersecurity audits and risk assessments. The draft regulations are now open for a preliminary discussion prior to formal rulemaking activities. Read more here.  
  7. Food delivery service hit with a data breach affecting more than 1.2 million customers. The US food delivery service PurFoods disclosed that it was subject to a data breach where hackers may have accessed customers’ personal, financial and medical information, including names, financial account and payment numbers, social security numbers, health insurance member identification numbers, as well as account security codes and passwords. Read more here
  8. EU Digital Services Act enforcement starts. The EU Digital Services Act, which regulates very large online platforms and very large online search engines went into effect on August 25. Platforms and search engines with more than 45 million active EU users must now submit risk assessments to the European Commission. Learn more here.
  9. Regulators focusing on dark patterns. A number of new state privacy laws are focusing on prohibiting the use of dark patterns to obtain consent. The EVP of policy at BBB National Programs stated that dark patterns will be increasingly enforced. The Advertising Standards Authority in the UK and the European Data Protection Board both have dark patterns on their radar for enforcement. Learn more here.  
  10. US Senators ask the FTC to probe YouTube and Google over alleged children’s privacy violations. Several Senators have written to the Federal Trade Commission asking it to investigate reported children’s privacy violations by YouTube and its parent company, Google. Learn more here. 

What privacy bills are we tracking? 

As part of our service, we keep track of privacy bills that would affect the way Privacy Policies are written. Below is our most recent list of privacy bill proposals in the United States. You can access the privacy bill tracker any time on our blog.


Here are some great virtual events that you can attend to learn more about the hottest issues in privacy and meet other privacy professionals: 

  1. Cloud/AI/Privacy: Trends and Legal Obligations – October 26, 2023
  2. Take a Breath: A discussion of recent developments in privacy law – September 6, 2023
  3. The Strategic Advantage of a Data Council – September 12, 2023.

Are you a privacy nerd like us? Subscribe to our podcast, Privacy Lawls, where we talk privacy with some of the leaders in the industry.

Photo of author
About the Author
Donata Stroink-Skillrud

Donata is the Co-founder and President of Termageddon and a licensed attorney and Certified Information Privacy Professional. She serves as the Vice-Chair of the American Bar Association's ePrivacy Committee and the Chair of the Chicago Chapter of the International Association of Privacy Professionals.

Search the Site
Popular Articles
Browse by Category

Comparing Policy Generators

Cookie Consent Banner

Cookie Policy




How To's

Privacy Policy

Terms of Service

Subscribe for Updates