Privacy Regulation Roundup: Top Stories of December 2024

Contributors

Anas Baig

Product Marketing Manager at Securiti

Aswah Javed

Associate Data Privacy Analyst at Securiti

Syed Tatheer Kazmi

Associate Data Privacy Analyst, Securiti

Asaad Ahmad Qureshy

Associate Data Privacy Analyst at Securiti

Securiti has started a Privacy Regulation Roundup summarizing the latest significant global privacy regulatory developments, announcements, and changes. These developments will be added to our website monthly. You can find a link to related resources at the bottom for each relevant regulatory activity.

North and South America Jurisdiction

1. CFPB Proposes New Rule Amending Regulation V Under The Fair Credit Reporting Act

Date: December 3, 2024
Summary: The Consumer Financial Protection Bureau (CFPB) has proposed a rule that addresses harmful practices by data brokers, particularly those selling sensitive consumer information. The proposed rule would amend Regulation V under the Fair Credit Reporting Act (FCRA) and extend FCRA protections to data brokers who sell personal financial data, including credit history, income, and debt information, by treating data brokers like credit bureaus.

Key provisions of the proposed rule include:

  • Consent Requirements: Companies must obtain separate, explicit consent in written or electronic form from consumers before sharing their credit reports annually.
  • Limiting Data Sales: The sale of sensitive information like Social Security numbers and personal identifiers is strictly restricted, ensuring it is shared only for legitimate purposes, such as mortgage approvals.
  • Consumer Protections: Data brokers would be held accountable for selling sensitive information, reducing risks such as identity theft, fraud, stalking, and even threats to personal safety. Read More.

2. Colorado Attorney General Announces Adoption Of Amendments To CPA Rules

Date: December 5, 2024
Summary: The Colorado Attorney General (AG) has announced the adoption of amendments to the Colorado Privacy Act Rules (CPA Rules). These amendments include new requirements for a "biometric identifier notice" explaining how and why biometric data is collected. The notice must be provided to users before or at the time of the initial collection or processing of a biometric identifier, or before any material change to the purpose for which the identifier is processed.

A biometric identifier notice should be clear and must be:

  • Concrete and definitive;
  • Clearly labeled, so that consumers understand the controller's collection and use of biometric identifiers and can easily find the section of the privacy notice containing that information.

Additionally, the biometric identifier notice must be reasonably accessible and may be:

  • A separate notice, or included within the general privacy notice;
  • Made available in its entirety before collecting or processing biometric identifiers or linking from a website's homepage.

Other critical changes per the new amendment include:

The CPA Rules introduce new requirements relating to employee consent. Currently, employers can only collect or process the biometric identifiers of prospective employees with the employees' consent. Under the new amendments, employers that obtain such consent must refresh it in accordance with Part 7 of the CPA Rules when:

  • Processing additional categories of employees' biometric identifiers for which the employee has not yet provided consent;
  • Processing employee biometric identifiers for secondary use.

Part 7 of the CPA Rules on consent has been amended to add that controllers must obtain valid consumer consent before:

  • Processing the personal data of a consumer whom the controller actually knows or willfully disregards is a minor;
  • Using any system design feature to significantly increase, sustain, or extend the use of an online service, product, or feature by a consumer who the controller actually knows or willfully disregards is a minor;
  • Selling, leasing, trading, disclosing, redisclosing, or otherwise disseminating biometric identifiers.

Other changes to the CPA Rules include the stipulation that a Data Protection Assessment must include whether processing includes personal data from a minor if required by Section 6-1-1309 of the CPA. Such assessments are considered confidential and exempt from public inspection and copying under the Colorado Open Records Act. Read More.

3. New Personal Data Processing Law Published In Chilean Official Gazette

Date: December 13, 2024
Summary: Law No. 21.719, regulating the processing and protection of all personal data, was published in the Official Gazette of the Republic of Chile. Among other things, it establishes the Personal Data Protection Agency, expands the scope of application for personal data regulations, and adds new legal bases for processing personal data.

The Law will enter into force on the first day of the 24th month following its publication in the Official Gazette. Read More.

4. California Privacy Protection Agency Announces Adjustments To CPPA Violation Fines & Monetary Thresholds

Date: December 17, 2024
Summary: The California Privacy Protection Agency (CPPA) has announced adjustments to the fines and monetary thresholds for violations of the California Consumer Privacy Act (CCPA), income thresholds for businesses, and CPPA Board compensation rates. The new adjustments ensure alignment with the Consumer Price Index and will come into effect on January 1, 2025.

The CPPA outlines the following as the new amounts:

  • Income thresholds within the definition of 'business' under §1798.140(d)(1)(A) of the California Civil Code: $26,625,000;
  • Monetary damages range per consumer per incident under §1798.150(a)(1)(A) of the California Civil Code: not less than $107 and not greater than $799 per consumer per incident or actual damages, whichever is greater;
  • Administrative fine amounts under §1798.155(a) of the California Civil Code: not more than $2,663 for each violation or $7,988 for each intentional violation and violations involving the personal information of consumers whom the violator has actual knowledge are under 16 years of age;
  • Civil penalty amounts under §1798.199.90(a) of the California Civil Code: not more than $2,663 for each violation or $7,988 for each intentional violation and violations involving the personal information of consumers whom the violator has actual knowledge are under 16 years of age;
  • The daily compensation rate for CPPA Board members is $107. Read More.

EMEA Jurisdiction

5. Monaco Adopts New Data Protection Act Ensuring Alignment With GDPR

Date: December 2, 2024
Summary: Monaco has adopted Act No. 1.054 on the Protection of Personal Data. It amends Act No. 1.165 to align with the GDPR and ratifies Convention 108. Key aspects of the new Act can be divided into five main categories:

Data Processing Principles

  • Data can be collected for multiple purposes if they are determined, explicit, legitimate, and not incompatible with initial purposes.
  • Processing for public interest, scientific, historical, or statistical purposes is permitted.
  • Explicit consent is required for data processing.

Automated Decision-Making

  • Individuals have the right not to be subject to decisions based solely on automated processing that significantly affect them, unless the decision:
    • Is necessary for the performance of a contract;
    • Is authorized by law, with safeguards for rights and freedoms;
    • Is based on the explicit consent of the data subject, with safeguards; or
    • Involves sensitive data, with explicit consent or a public interest justification.

Data Protection Officer (DPO)

  • Mandatory for certain data controllers and processing activities.

Supervisory Authority

  • The Personal Data Protection Authority (APDP) is established to replace the CCNI and oversee compliance.

Enforcement

  • Administrative fines of €500,000 and €900,000 for violations. Read More.

6. Germany’s Federal Office for Information Security Issues Guidance On NIS 2 Directive Implementation

Date: December 3, 2024
Summary: The Federal Office for Information Security (BSI) has issued its guidance on implementing the NIS 2 Directive. The BSI has further clarified that once the Directive becomes national law, more companies will come under its scope, leading to increased registration, proof, and reporting obligations. Additionally, the BSI has provided the following resources to aid organizations in their relevant obligations under the Directive:

  • NIS 2 Impact Assessment Tool: This tool helps organizations determine if they are likely to be affected by the Directive's national implementation, using a decision tree for guidance.
  • NIS 2 FAQs: Answers to common questions about the Directive.
  • NIS 2 - What to do? Page: Actionable information for institutions on steps to take now. Read More.

7. Luxembourg Approves Bill Implementing Provisions Of The EU AI Act

Date: December 5, 2024
Summary: Luxembourg's government approved a bill to implement specific provisions of the European AI Act (Regulation (EU) 2024/1689) on November 29, 2024. Doing so made it one of the first EU countries to initiate the Act's national implementation. The National Commission for Data Protection (CNPD) is designated as the national authority for the Act's application. Its key responsibilities will include:

  • Acting as the single point of contact and coordinating national authorities.
  • Supervising AI systems listed in Annex III of the regulation and those not covered by sector-specific authorities.
  • Protecting fundamental rights alongside ALIA (Luxembourg's independent audiovisual authority) and ITM (labor and mining inspection authority).
  • Establishing a regulatory sandbox under the AI Act framework to promote responsible innovation.

The Bill also amends laws related to:

  • The CNPD's organization and data protection framework (Law of August 1, 2018).
  • Financial sector supervision (Law of December 23, 1998).
  • The insurance sector (Law of December 7, 2015). Read More.

Date: December 10, 2024
Summary: The French Data Protection Authority (CNIL) has issued a €50 million fine to Orange SA in its Decision SAN-2024-019 for breaches of the Post and Electronic Communications Code and the Act on Data Processing, Data Files, and Individual Liberties.

The case concerns Orange's email service displaying ads based on user activity in their inboxes. According to the CNIL, promotional messages are considered direct marketing and require explicit user consent. Since Orange did not obtain such consent, it was found to be non-compliant, in addition to its other violations, such as continuing to use cookies even after users had explicitly withdrawn consent.

In addition to the fine, the CNIL has ordered Orange to take measures ensuring that a withdrawal of consent results in the necessary changes to how user data and activity are monitored. If these measures are not implemented within three months, a €100,000 daily penalty for non-compliance will apply. Read More.

9. Cyber Resilience Act Comes Into Force In The EU

Date: December 10, 2024
Summary: The Cyber Resilience Act, which introduces mandatory cybersecurity measures and requirements for hardware and software products, has entered into force and will become applicable from December 11, 2027. The manufacturers' reporting obligations will begin on September 11, 2026.

The Act contains several critical requirements for subject organizations, such as ensuring products' cybersecurity during design, development, and production and handling vulnerabilities through identification, documentation, and measures to facilitate information sharing.

Manufacturer obligations include performing risk assessments, ensuring compliance, and informing users about incidents. Additionally, manufacturers must notify the relevant authorities appropriately about vulnerabilities or security incidents within specified timeframes.

The national authorities will enforce the Act in the EU. Non-compliance can result in penalties of up to €15 million. Read More.

Date: December 12, 2024
Summary: The French Data Protection Authority (CNIL) has issued formal notices to various organizations for non-compliance with the Act on Data Processing, Data Files, and Individual Liberties (as amended for the GDPR) on account of misleading cookie consent banners. These banners violate Article 82 of the Act by making it harder to refuse cookies than to accept them. The identified issues include:

  • The opt-out option is visually less prominent than the opt-in option.
  • The location of the opt-out option is difficult to discern or is confused with other notices.
  • The acceptance option is emphasized disproportionately.

The notified organizations have one month to rectify their banners. Read More.

Asia Jurisdiction

11. Bill Requiring Stronger Cybersecurity Measures For Critical Infrastructure Passed In Hong Kong

Date: December 6, 2024
Summary: The Protection of Critical Infrastructures (Computer Systems) Bill was published in the Government of Hong Kong Gazette. The Bill aims to strengthen cybersecurity measures for critical infrastructure, such as energy, banking, healthcare, transport, and telecommunications.

The Bill establishes the role of a Commissioner of Critical Infrastructure. The Commissioner will designate organizations as critical infrastructure operators based on their reliance on computer systems, data sensitivity, and operational control. These operators will be subject to extensive obligations, such as maintaining a local office, notifying the Commissioner of changes, conducting security assessments and audits, submitting emergency response plans, and reporting any security incidents as soon as practicable, with fines ranging from HKD 3 million to HKD 5 million for failure to comply with incident notification requirements. Read More.

Explore Securiti's Privacy Regulation Roundup for the latest updates on global privacy developments. We're committed to providing you with timely updates and essential information to help you understand the evolving privacy regulatory landscape. You can also visit our dedicated page offering an overview of global data privacy laws.
