Securiti has started a Privacy Regulation Roundup that summarizes the latest major global privacy regulatory developments, announcements, and changes. New developments are added to our website monthly. Each item ends with a "Read more" link to related resources.
North and South America Jurisdiction
1. New York Senate Passes Bill Enacting Privacy Act, Now Passes to State Assembly
Date: 3rd June, 2024
Summary: Senate Bill S365B, which would enact the New York Privacy Act, was passed by the New York State Senate and delivered to the State Assembly. It is not yet law.
Material Scope
The bill applies to legal entities that conduct business in New York or produce products or services targeted to New York residents, and that meet one or more of the following thresholds:
(a) have annual gross revenue of twenty-five million dollars or more;
(b) control or process the personal data of fifty thousand consumers or more; or
(c) derive over fifty percent of gross revenue from the sale of personal data.
Consent Requirements
The bill would require companies to obtain consent from consumers before processing their personal data.
Other Requirements
It would also place obligations on companies to, among other things, disclose their methods of de-identifying personal information, place special safeguards around data sharing, and allow consumers to obtain the names of all entities with whom their information is shared. Read more.
2. Rhode Island Becomes Latest US State To Pass Consumer Data Privacy Law
Date: 25th June, 2024
Summary: Rhode Island became the latest US state to adopt a comprehensive consumer data privacy law. The Governor of Rhode Island transmitted the bill without signature, allowing it to become law. The law applies to for-profit entities that conduct business in the state or produce products or services targeting Rhode Island residents and that, during the preceding calendar year:
- Controlled or processed the personal data of at least 35,000 consumers, excluding data processed solely to complete a payment transaction; or
- Controlled or processed the personal data of at least 10,000 consumers and derived more than 20% of their gross revenue from the sale of personal data.
The law comes into effect on January 1, 2026. Read more.
3. Blackbaud Agrees to $6.75 Million Settlement In Privacy Law Violations Case
Date: 13th June, 2024
Summary: California’s Attorney General, Rob Bonta, announced a $6.75 million settlement with Blackbaud Inc. in relation to a consumer protection and privacy law violations case.
In July 2020, the company disclosed that its network had been breached, stating at the time that consumers' sensitive personal data had not been compromised. Further investigation revealed that personal data had in fact been compromised, including Social Security numbers and bank account numbers, and that Blackbaud had not informed affected individuals in a timely manner.
The California Department of Justice's investigation found that Blackbaud had failed to implement basic security practices, failed to keep pace with evolving cybersecurity standards, and made deceptive pre-breach representations about its security. Read more.
4. FCC Imposes $100,000 Civil Penalty on Liberty Latin America In Data Breach Notification Violation Case
Date: 13th June, 2024
Summary: The Federal Communications Commission (FCC) published its decision to impose a civil penalty of $100,000 on Liberty Latin America Limited (through its subsidiaries Liberty Mobile Puerto Rico Inc. and Liberty Mobile USVI Inc.) following an investigation into Liberty's failure to report a data breach within the time required by FCC rules and by a Letter of Agreement (LoA).
In January 2023, Liberty became aware that the data of 130,000 Liberty customers had been exposed through a breach at a third-party vendor. Liberty neither reported the incident within 72 hours nor complied with the LoA's conditions covering breaches at third parties; instead, it negotiated with its telecommunications carrier over which party was responsible for notifying the FCC. Read more.
5. Vermont Senate Sustains Governor’s Veto On State Data Privacy Bill
Date: 17th June, 2024
Summary: The Vermont Senate sustained the Governor's earlier veto of House Bill 121, which would have enacted a consumer privacy law; the override motion failed on a roll-call vote of 14 yeas to 15 nays. The Governor had cited unnecessary risks to businesses and non-profits established in the state, in particular the bill's private right of action, and pointed to a California case in which a court halted similar legislation over possible First Amendment violations. Read more.
6. New York SAFE for Kids Act Signed By Governor
Date: 20th June, 2024
Summary: Senate Bill S7694A, which amends the general business law by enacting the Stop Addictive Feeds Exploitation (SAFE) for Kids Act, was signed into law by the Governor. The Act prohibits providing an "addictive feed" to a minor: a website, online service, online application, or mobile application, or a portion thereof, in which user-generated media is recommended, selected, or prioritized for display to the user, concurrently or sequentially, based on information associated with the user or the user's device. Operators may not show such a feed to a minor without parental consent, and may not withhold a non-addictive version of the product or service from a minor who does not consent. Covered operators must use commercially reasonable and technically feasible methods to determine whether a user is a minor. Violations carry civil penalties of up to $5,000 per violation. Read more.
7. Bill To Establish The New York Child Data Protection Act Signed By Governor
Date: 20th June, 2024
Summary: Senate Bill S7695B, which amends the general business law to establish the New York Child Data Protection Act, was signed into law by the Governor. The Act protects minors' privacy by restricting operators of online services from collecting, using, selling, or disclosing minors' personal data without consent. Any consent given is revocable, and revoking it must be as easy as giving it. A request for consent must:
- Be made separately from any other transaction or part of a transaction;
- Be made in the absence of any mechanism that has the purpose or substantial effect of obscuring, subverting, or impairing a user's decision-making regarding authorization for the processing;
- Clearly state that the processing being requested is not strictly necessary, and that the user may decline without any negative consequence to their experience of the service;
- Clearly present the option to refuse consent as the most prominent option. Read more.
8. Act To Prohibit Sale Of Americans’ Data To Foreign Adversaries Enters Into Effect
Date: 23rd June, 2024
Summary: The Protecting Americans' Data from Foreign Adversaries Act of 2024 entered into force on June 23, 2024. The Act prohibits data brokers from selling, licensing, renting, trading, transferring, releasing, disclosing, providing access to, or otherwise making available the personally identifiable sensitive data of a US individual to any country designated as a foreign adversary country, or to an entity controlled by such a country. The designated countries are North Korea, China, Russia, and Iran. Read more.
9. SEC Adopts Rule Amendments On Protection Of Customer Information By Financial Institutions
Date: 24th June, 2024
Summary: The Securities and Exchange Commission (SEC) announced the adoption of amendments to Regulation S-P governing the protection of customer information by financial institutions. The amendments require covered entities to adopt written policies and procedures for an incident response program reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information. Individuals whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization must be notified as soon as practicable and no later than 30 days after the covered entity becomes aware of the incident. The notice must describe the incident, including the nature of the data involved, and explain how affected individuals can protect themselves. Read more.
10. Arkansas Attorney General Files Lawsuit Requesting Civil Penalties Against Temu For User Privacy Violations
Date: 25th June, 2024
Summary: The Arkansas Attorney General (AG) announced an investigation of Temu over alleged violations of the Arkansas Deceptive Trade Practices Act and the Arkansas Personal Information Protection Act. The AG alleges that Temu has:
- excessively and unjustifiably collected users' personal information, including sensitive information, without their knowledge;
- made false representations in its privacy policy;
- exposed users' personal data to misappropriation by Chinese authorities;
- violated Arkansans' right to privacy and their reasonable expectation of privacy in the personal data on their mobile devices;
- made false representations about the quality of products sold on the Temu platform in order to maximize the number of users signing up and providing their personal data; and
- collected the personal information of minors, including minors under the age of 13.
A lawsuit has now been filed in the Cleburne County Circuit Court seeking civil penalties and monetary and equitable relief for Temu's alleged deceptive trade practices and violations of users' privacy. Read more.
11. HHS Updates Its Guidance On Use Of Online Tracking Technologies After Court Ruling
Date: 26th June, 2024
Summary: The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) updated its guidance on the use of online tracking technologies by covered entities and business associates subject to HIPAA. The update follows an order by the US District Court for the Northern District of Texas declaring a portion of the guidance unlawful and vacating it. Read more.
12. FTC Orders Avast To Pay $16.5 Million For Multiple User Privacy Violations
Date: 27th June, 2024
Summary: The Federal Trade Commission finalized its order against Avast Limited, Avast Software, and Jumpshot Inc. (collectively, Avast). The FTC found that Avast violated the FTC Act by failing to disclose in its privacy policy that users' browsing data could be sold to third parties, failing to notify users during software installation that their data would be sold, and misrepresenting that the data it sold had been aggregated and anonymized.
The order requires Avast to pay $16.5 million in monetary relief. It also prohibits Avast from selling, licensing, transferring, sharing, or disclosing users' browsing data to third parties for advertising purposes, and from using browsing information for advertising purposes without users' affirmative express consent.
Avast must also undertake the following measures:
- Delete the browsing data transferred to its subsidiary Jumpshot, and any products or algorithms Jumpshot derived from that data;
- Notify consumers whose browsing information was sold to third parties without their consent about the FTC's action against Avast;
- Establish, implement, and maintain a comprehensive privacy program. Read more.
13. New Data Privacy Laws for Texas, Florida, and Oregon Effective From July 1, 2024
Date: 1st July, 2024
Summary: Comprehensive data privacy laws in Texas, Florida, and Oregon take effect on July 1, 2024. Like most other state privacy laws, they impose obligations on the protection of personal information, including requirements on consent, privacy notices, and consumer rights. Read more.
EU Jurisdiction
14. German Court Restricts Access to Phone Numbers for Advertising
Date: 17th June, 2024
Summary: The Magdeburg Administrative Court in Saxony-Anhalt upheld an order by the State Commissioner for Data Protection restricting an internet portal operator from using the phone numbers of natural persons for advertising purposes. Under the order, the operator may not call users for advertising unless it has their prior consent or the user has demonstrated a genuine interest in the advertising. The Commissioner's order treats phone numbers as personal data that may be accessed and used only where the legal requirements, such as the user's valid consent, are met. Read more.
15. GDPR Universe for Smaller Associations Launched By Danish Data Protection Authority
Date: 20th June, 2024
Summary: The Danish Data Protection Authority (Datatilsynet) launched a GDPR portal for smaller organizations that lack the legal staff to manage GDPR compliance in-house. The portal is organized around seven steps such organizations can follow to comply with the GDPR:
Step 1: Create an overview
Step 2: Ask yourself, "Why?"
Step 3: Remember to delete
Step 4: State that you are processing personal data
Step 5: Make sure you have good procedures
Step 6: Remember security
Step 7: You are also responsible when you share. Read more.
16. Danish Data Protection Authority Publishes Guidance on Children and Online Gaming
Date: 20th June, 2024
Summary: The Danish Data Protection Authority (Datatilsynet) published guidance on children and online gaming. The guidance helps data controllers that handle children's personal data take reasonable measures to protect that data when designing and developing digital games.
The Datatilsynet reiterated that the principles of lawfulness, fairness, transparency, accountability, and data minimization apply even where the controller does not intend the game to be used by children, since the GDPR does not distinguish between incidental and deliberate processing of children's personal data. Controllers are advised to review their processing activities and determine what is needed to comply with the GDPR and protect data subjects' rights. Read more.
Asia Jurisdiction
17. Thailand’s PDPC Releases Draft Notification On Deletion, Destruction, and De-Identification of Personal Data
Date: 13th June, 2024
Summary: The Personal Data Protection Committee (PDPC) released a draft notification for public consultation setting out criteria for the deletion, destruction, or de-identification of personal data under the Personal Data Protection Act of 2019. The main aspects of the draft are as follows:
On Deletion, destruction, or de-identification
- A request to delete, destroy, or de-identify personal data must be acted on promptly, within 60 days of receipt;
- The action must cover all copies and backups of the personal data, and the controller must ensure the data cannot be recovered in a way that identifies the data subject;
- Where deletion, destruction, or de-identification is not immediately possible for technical reasons, the controller must document and justify the reasons;
- In that case, the controller must also apply organizational, technical, and physical measures to ensure the personal data:
- Is not accessed, used, or disclosed by the controller or anyone else;
- Cannot be used by the controller to provide services, influence decisions, or otherwise affect the data subject;
- Is protected appropriately for the level of risk.
On De-identification and anonymization
- The controller must erase all direct identifiers of the data subject;
- The controller must ensure the data subject cannot be re-identified, whether through pseudonymized values or through indirect identifiers;
- The controller must consider all relevant technological factors, the context and environment of the processing, and the nature or type of personal data involved.
Under the draft, the controller may not refuse a deletion, destruction, or de-identification request, and must notify the data subject once the request has been fulfilled. Read more.
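The draft's point that erasing direct identifiers is not enough, because indirect identifiers can still single a person out, is easy to demonstrate in code. The following is an added example written for this roundup; it is not from the PDPC draft, from Securiti, or from any real deployment. The six records are constructed sample data, the HMAC key is a hypothetical placeholder, and the generalization scheme (postcode prefix and decade of birth) and the k = 2 threshold are illustrative choices, not requirements of the notification.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample records for illustration; not real data.
RECORDS = [
    {"name": "Ploy S.",    "phone": "0812345678", "postcode": "10110", "birth_year": 1985, "gender": "F", "spend": 2300},
    {"name": "Nida K.",    "phone": "0898765432", "postcode": "10110", "birth_year": 1985, "gender": "F", "spend": 1800},
    {"name": "Somchai P.", "phone": "0861112222", "postcode": "10120", "birth_year": 1992, "gender": "M", "spend": 950},
    {"name": "Anan T.",    "phone": "0873334444", "postcode": "10120", "birth_year": 1990, "gender": "M", "spend": 4100},
    {"name": "Mali R.",    "phone": "0845556666", "postcode": "10330", "birth_year": 1978, "gender": "F", "spend": 700},
    {"name": "Wipa C.",    "phone": "0857778888", "postcode": "10330", "birth_year": 1971, "gender": "F", "spend": 3200},
]

DIRECT_IDENTIFIERS = ("name", "phone")                    # identify a person on their own
QUASI_IDENTIFIERS = ("postcode", "birth_year", "gender")  # indirect identifiers; identifying in combination


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) of a direct identifier.

    A plain SHA-256 of a phone number is reversible by enumerating the roughly 10^9
    possible numbers. The secret key, stored apart from the dataset, is what makes
    the pseudonym non-reversible for anyone who holds only the dataset.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def strip_direct_identifiers(record: dict, key: bytes) -> dict:
    """Erase direct identifiers, keeping a keyed pseudonym so records can still be linked."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["pseudonym"] = pseudonymize(record["phone"], key)
    return out


def k_anonymity(records: list, quasi=QUASI_IDENTIFIERS) -> int:
    """Smallest number of records sharing one combination of quasi-identifier values.

    k == 1 means at least one data subject is singled out by indirect identifiers
    alone, even though every direct identifier has been removed.
    """
    groups = Counter(tuple(r[q] for q in quasi) for r in records)
    return min(groups.values())


def generalize(record: dict) -> dict:
    """Coarsen quasi-identifiers: keep a 3-digit postcode prefix and the decade of birth."""
    out = dict(record)
    out["postcode"] = record["postcode"][:3] + "xx"
    out["birth_year"] = f"{record['birth_year'] // 10 * 10}s"
    return out


def deidentify(records: list, key: bytes, k: int = 2) -> tuple:
    """Strip direct identifiers; if indirect identifiers still single someone out,
    apply one round of generalization. Returns (records, achieved_k) so the caller
    can verify that the target k was actually reached before releasing the data.
    """
    stripped = [strip_direct_identifiers(r, key) for r in records]
    achieved = k_anonymity(stripped)
    if achieved >= k:
        return stripped, achieved
    generalized = [generalize(r) for r in stripped]
    return generalized, k_anonymity(generalized)


if __name__ == "__main__":
    key = b"hypothetical-secret-kept-outside-the-dataset"  # placeholder, not a real key
    stripped = [strip_direct_identifiers(r, key) for r in RECORDS]
    print("after stripping direct identifiers, k =", k_anonymity(stripped))  # 1: still re-identifiable
    released, k = deidentify(RECORDS, key)
    print("after generalization, k =", k)
    for r in released:
        print(r)
```

Running it shows the gap the draft is pointing at: with names and phone numbers removed, the dataset still has k = 1, because the combination of postcode, birth year, and gender is unique for some people; only after coarsening those indirect identifiers does every record share its combination with at least one other. In practice the secret key must be kept out of the released dataset and its backups, and the same check has to be repeated against every copy the controller holds.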
Explore Securiti's Privacy Regulation Roundup for the latest updates on global privacy developments. We are committed to providing timely updates and essential information to help you understand the evolving privacy regulatory landscape. You can also visit our dedicated page for an overview of global data privacy laws.