The Spanish Data Protection Authority (AEPD) has released a guide detailing conditions under which audience measurement cookies, used for collecting traffic statistics, can be exempt from user consent. These cookies must solely measure site or app audience, produce anonymous data, and not be used for comparative analysis, data transmission to third parties, or tracking across multiple sites and apps. Cookies repurposed for other uses don’t qualify for this consent exemption. (in Spanish)
The CNIL, France’s data protection agency, has issued a draft guide on transfer impact assessments (TIAs) for data sent outside the European Economic Area. The guide advises data controllers to understand the data being transferred, use documented transfer tools, comprehend the receiving country’s laws, apply additional measures, and continually reassess the needed data protection level. Feedback on the draft is open until 12 February 2024. Access here → (in French)
The California Consumer Privacy Act (CCPA) has announced an upcoming strategic plan focused on safeguarding consumer privacy, educating businesses and consumers about their rights and responsibilities, and enforcing legal actions against businesses infringing on privacy rights. This plan is set to be published in February 2024 and implemented thereafter. See more here →
2) Notable Case Law
The French data protection authority, CNIL, fined NS Cards France SAS €105,000 for GDPR and French data law violations. NS Cards France required account creation for online payments, collecting extensive personal information and identity documents. CNIL’s investigation revealed that this data was retained for 10 years without purpose, with no database purge since 2005, affecting 51,735 accounts. Additionally, the NS Cards France website non-consensually installed 13 cookies, including Google Analytics. The company’s privacy policy was also outdated, and featured weak password security protocols. Access the press release here → (in French)
Noyb has filed another complaint with the Austrian data protection authority (DSB) against Facebook‘s “pay or okay” policy, this time focusing on the challenge users face in withdrawing consent without opting for a paid subscription. Noyb urges the authority to mandate Meta to align its data processing with EU data protection laws, including providing a straightforward method for consent withdrawal without fees. They also recommend imposing a fine to deter GDPR breaches. The case is expected to be transferred to the Irish DPC, Meta’s lead authority in the EU. Reported here →
3) New and Upcoming Legislation
US law updates:
Colorado: Senate Bill 41 on Privacy Protections for Children’s Online Data was introduced in the Colorado State Senate. The bill would amend the Colorado Privacy Act as it adds data protections for a minor’s online activity.
Indiana: Senate Bill 17 which would introduce a new chapter in the Indiana Code concerning trade regulation relating to age verification for harmful materials to minors has passed the Judiciary Committee.
South Carolina: the House Bill 4696 concerning Consumer Privacy and House Bill 4541 for the Child Data Privacy and Protection Act were introduced to the House of Representatives.
Vermont: House Bill 712 relating to an Act concerning the age-appropriate design code was introduced to the General Assembly.
Washington: House Bill 1616 which creates a charter of people’s personal data rights was re-introduced to Legislature.
Missouri: Senate Bill 731 concerning an act which establishes new consumer rights which protect certain data has passed its second reading in the General Assembly.
New Jersey: Senate Bill 332 which requires notification to consumers of collection and disclosure of personal data by certain entities has passed both the Assembly and Senate.
4) Strong Impact Tech
Customers in the EU will be able to store and process their Microsoft cloud data within the EU as part of the company’s plan to comply with privacy and security rules. The move helps other businesses that operate in multiple countries more easily comply with EU data storage requirements. Read here →
Other key information from the past weeks
Google, an Alphabet Inc. subsidiary, recently reached a settlement in a significant lawsuit alleging privacy breaches. The lawsuit, demanding at least $5 billion, charged Google with secretly tracking the online activities of numerous users under the impression of private browsing. Read the news here →
TikTok is currently facing a lawsuit related to digital privacy concerns. The core issue revolves around TikTok’s use of a ‘pixel’ tool on websites, including Hulu, Etsy, and Build-a-Bear Workshop. This tool is designed to collect advertising data, and it’s alleged that it tracks the activity of individuals who don’t use TikTok. Full story here →
The Commission introduced a vital component for digital market regulators: a fresh template for disclosing consumer profiling methods. This initiative is a part of the broader Digital Markets Act (DMA), aligning with its Article 15. Learn more here →
