
Privacy Regulation Roundup: Top Stories of September 2024

Contributors

Anas Baig, Product Marketing Manager at Securiti
Muhammad Ismail, Associate Data Privacy Analyst at Securiti
Syed Tatheer Kazmi, Associate Data Privacy Analyst at Securiti (CIPP/Europe)
Salma Khan, Data Privacy Analyst at Securiti (CIPP/Asia)
Usman Tariq, Data Privacy Analyst at Securiti (CIPP/US)
Rohma Fatima Qayyum, Associate Data Privacy Analyst at Securiti

Securiti has started a Privacy Regulation Roundup summarizing the latest significant global privacy regulatory developments, announcements, and changes. These developments will be added to our website monthly. You can find a link to related resources at the bottom for each relevant regulatory activity.

North and South America Jurisdiction

1. New CPPA Advisory Makes Recommendations For Businesses To Avoid Dark Patterns On Their Platforms

Date: 4th September, 2024
Summary: The California Privacy Protection Agency (CPPA) issued Enforcement Advisory No. 2024-02, titled “Avoiding Dark Patterns: Clear and Understandable Language, Symmetry in Choice”.

The advisory restates the statutory definition of a “dark pattern”: a user interface or choice architecture that has the substantial effect of subverting or impairing a consumer’s autonomy, decision-making, or choice. It recommends that the methods used to obtain consumer consent and to submit CPRA-related requests be easy to read and understand, written in plain language that is free of technical or legal jargon.

Lastly, the path a consumer must follow to exercise a privacy-protective option must not be longer, more complex, or more time-consuming than the path to exercise a less privacy-protective one; such asymmetry impairs or interferes with the consumer’s ability to make a free choice.

For example, offering only “Yes” or “Ask me later” when a consumer is asked whether to opt out of the sale or sharing of their personal information is asymmetric, because declining takes more steps than accepting. A symmetric design offers a clear “Yes” and “No”, and a website banner offers “Accept All” alongside “Decline All”.

All user interfaces, including those deployed via service providers such as consent management platforms, must be properly assessed and reviewed. Read more.

2. Quebec's CAI Issues Guidance on Organizational Obligations Related to Users' Right to Portability

Date: 5th September, 2024
Summary: The Quebec Commission on Access to Information (CAI) has announced that the legislative provisions on the portability of personal information will come into effect on September 22, 2024.

CAI has issued guidance on organizations' obligations related to the right of portability. Per this guidance, users may request the transfer of their personal data to other authorized persons or companies. The guidance notes that while organizations are under no legal obligation to implement interoperable systems, it would facilitate smooth and efficient data transfers.

For the right to data portability to apply, the following conditions must be met:

  • The data must be computerized, meaning it is structured and organized using information technology;
  • The data must have been collected from the individual, directly or indirectly. This includes information generated by the individual's activities, such as purchase history or driving habits; and
  • Data that the organization created or inferred (such as an insurer's risk assessment), obtained from third parties, or generated by algorithms does not qualify, since it was not collected from the individual.

All requests for data portability will follow the same procedure as access and rectification requests. Organizations must also have appropriate security measures in place when transmitting personal information. Users may file for a review with the CAI if they feel dissatisfied with any organization's response.

The guidance notes that an organization may decline a portability request where fulfilling it would raise serious practical difficulties. Whether a difficulty is serious is assessed case by case; excessive cost and technical complexity are among the factors considered. Read more.

3. Canada's Court of Appeal Reverses Federal Court Order In Facebook PIPEDA Violations Case

Date: 9th September, 2024
Summary: The Federal Court of Appeal in Canada has reversed the Federal Court's decision and ruled in favor of the OPC in Privacy Commissioner of Canada v. Facebook, finding that Facebook's practices between 2013 and 2015 violated PIPEDA's provisions on meaningful consent and safeguarding of personal information.

The OPC had appealed the Federal Court's decision, which had held that the OPC failed to show how Facebook breached PIPEDA. The OPC's proceedings against Facebook began in 2019 over its practice of sharing users' personal information with third-party apps hosted on the platform. They followed the OPC's investigation into the app “thisisyourdigitallife” (TYDL), which scraped user data and sold it to Cambridge Analytica Ltd. for psychographic modeling between November 2013 and December 2015.

The Court of Appeal has now determined that the Federal Court erred when it relied exclusively or in large part on the absence of expert and subjective evidence. Furthermore, the Federal Court failed to appropriately inquire into the existence or adequacy of the consent given by friends of users who downloaded such applications separate from the installation of such applications.

Consequently, the Court of Appeal has now asked both the OPC and Facebook to report back within 90 days whether they've agreed on the terms of a remedial order. Read more.

EU Jurisdiction

4. German Federal Ministry For Digital and Transport Introduces Ordinance Related To User Consent Management

Date: 4th September, 2024
Summary: The German Federal Ministry for Digital and Transport has introduced the Consent Management Ordinance, which sets requirements for cookie banners and user consent.

Recognized consent management services must store users' settings, provide transparent information, and allow users to revoke consent at any time. They must also let users export their settings when switching to another service, in a manner that preserves data protection.

To be recognized, a consent management service must apply to the Federal Commissioner for Data Protection and Freedom of Information, declare that it will process personal data only for the purpose of consent management, and provide information on its security measures.

The ordinance aims to ensure user-friendly consent management procedures and enters into force on the first day of the quarter following its publication. Read more.

5. Croatia’s Data Protection Agency Issues Guidance On Employers’ Collecting Employee ID Cards

Date: 6th September, 2024
Summary: The Croatian Personal Data Protection Agency (AZOP) has issued guidance on employers' collection of employees' identity cards under the Ordinance on the Content and Method of Keeping Records on Workers by Employers, citing an increase in inquiries on the issue.

AZOP clarified that the Ordinance does not require employers to retain a copy of an employee's identity card, so there is no legal obligation that could serve as a basis under Article 6(1)(c) of the GDPR. Employers must ensure the security of employees' personal data, and retaining copies of identity cards carries a high risk of unauthorized or unlawful processing.

In any case, if an employer does choose to store copies of identity cards, they should have a legal basis to do so. Additionally, AZOP recommended that any personal data on the identity card that is not relevant, necessary, or appropriate for the purpose of the collection be redacted or obscured by the employer. Read more.

6. European Commission Plans to Seek Public Input on New Additions To SCCs

Date: 12th September, 2024
Summary: The European Commission announced its intention to seek public input on Standard Contractual Clauses (SCCs) under the GDPR in the last quarter of 2024. The prospective new rules will apply when the data importer, whether a controller or processor, is based in a third country but is subject to the GDPR. These new rules will complement the existing SCCs designed for data importers in third countries not bound by the GDPR. Read more.


Explore Securiti's Privacy Regulation roundup for the latest updates on global privacy developments. We're committed to providing you with timely updates and essential information to help you understand the evolving privacy regulatory landscape. You can also visit our dedicated page, offering an overview of global data privacy laws.
