Privacy Regulation Roundup: Top Stories of October 2024

Contributors

Anas Baig

Product Marketing Manager at Securiti

Muhammad Ismail

Assoc. Data Privacy Analyst at Securiti

Syed Tatheer Kazmi

Associate Data Privacy Analyst, Securiti

Rohma Fatima Qayyum

Assoc. Data Privacy Analyst

Usman Tariq

Data Privacy Analyst at Securiti

CIPP/US

Salma Khan

Associate Data Privacy Analyst

CIPP/Asia


Securiti has started a Privacy Regulation Roundup summarizing the latest significant global privacy regulatory developments, announcements, and changes. These developments will be added to our website monthly. You can find a link to related resources at the bottom for each relevant regulatory activity.

North and South America Jurisdiction

1. New Amendments to Several State Data Laws Come Into Effect

Date: 1st October, 2024
Summary: Sections 9-13 of Connecticut Senate Bill 3, An Act Concerning Online Privacy, Data and Safety Protections (Online Privacy Act), which amend the Connecticut Act Concerning Personal Data Privacy and Online Monitoring (CTDPA) in relation to children's data, entered into effect, as did the Montana Consumer Data Privacy Act (MTCDPA) and the Maryland Age-Appropriate Design Code (Maryland Kids Code). Read more.

2. New FTC Rule Makes Cancellation Methods As Simple As Sign-Up Processes

Date: 16 October, 2024
Summary: The Federal Trade Commission has announced a final “click-to-cancel” rule requiring sellers to offer a cancellation method that is as straightforward as the sign-up process. The provisions on disclosures, consent, and cancellation take effect 180 days after publication in the Federal Register, while the provisions prohibiting misrepresentations take effect 60 days after publication.

The rule will apply to any entity that sells, offers, charges, or otherwise markets a good or service with a “negative option feature,” which includes automatic renewals, continuity plans, free-to-pay conversions, and others. It also applies to B2B transactions.

Violations of the rule will result in civil penalties, and the violators are liable for redress. A product or service marketed with a negative option feature is enough to trigger the rule. The rule provides a consistent legal framework that prohibits all sellers from:

  • Misrepresenting any material fact made while marketing goods or services with a negative option feature;
  • Failing to clearly and conspicuously disclose material terms before obtaining a consumer’s billing information in connection with a negative option feature;
  • Failing to obtain a consumer’s express informed consent to the negative option feature before charging the consumer;
  • Failing to provide a simple mechanism to cancel the negative option feature and immediately halt charges. Read More.

3. Justice Department Issues New Notice Meant To Implement President Biden's Executive Order 14117

Date: 21 October, 2024
Summary: The Justice Department has issued a Notice of Proposed Rulemaking (NPRM). It aims to implement President Biden's Executive Order 14117, "Preventing Access to Americans' Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern." The NPRM proposed establishing a new program and implementing the executive order by establishing categorical rules for certain data transactions that would provide countries of concern access to sensitive personal data from the US.

However, the notice contains several exemptions for several classes of data transactions, including certain personal communications, financial services, corporate group transactions, transactions authorized by Federal law and international agreements, investment agreements subject to a CFIUS action, telecommunication services, biological product and medical device authorizations, clinical investigations, and others.

Under the proposed rule, vendor agreements, employment agreements, and investment agreements that qualify as restricted transactions must comply with separately proposed security requirements developed by the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA). Read more.

4. CFPB Announces Final Rule That Provides Users More Personal Financial Data Rights

Date: 22 October, 2024
Summary: The Consumer Financial Protection Bureau (CFPB) has announced its final rule implementing Section 1033 of the Consumer Financial Protection Act of 2010 (Title X of the Dodd-Frank Act), which establishes consumers' personal financial data rights.

Under the rule, consumers can direct the transfer of their personal financial data to other providers, which is intended to foster competition and raise service quality in financial markets. The rule covers a range of financial data types and introduces new privacy protections, such as limiting how authorized third parties may use the data and moving the industry away from credential-based "screen scraping." Consumers will be able to compare rates and make secure payments, and third parties must delete consumers' data once the consumer revokes authorization or switches away.

Large institutions must comply by April 1, 2026, and the smallest by April 1, 2030, while some small banks and credit unions are exempt altogether. Read more.

5. FCC & CPPA Sign Memorandum of Understanding

Date: 29 October, 2024
Summary: The Federal Communications Commission's (FCC) Privacy and Data Protection Task Force has announced a new Memorandum of Understanding with the California Privacy Protection Agency (CPPA).

As part of the FCC's partnership with the CPPA, both agencies will align their efforts to protect consumer privacy, ensuring that users and businesses are appropriately informed about their rights and obligations and the best ways to enforce privacy laws. Read More.

EU Jurisdiction

6. AEPD Publishes Report on ‘Safe Internet By Default For Children And The Role Of Age Verification’

Date: 2nd October, 2024
Summary: The Spanish Data Protection Agency (AEPD) published a report titled “Safe Internet by Default for Children and the Role of Age Verification.” This report explores how children can be protected online without violating data privacy rights or exposing them to additional risks, with a particular emphasis on GDPR compliance. Key points of the report include the following:

  • Current online protection strategies are reactive and involve intrusive surveillance or profiling, potentially exposing minors to further risks;
  • Strategies that create child-friendly environments, protect against inappropriate content, and secure consent related to data processing must be adopted;
  • An effective age verification system must be developed in which the burden of proof rests on the person asserting that they are of age, without requiring minors to disclose personal information in order to access services. Such a system must comply with the GDPR principles of data minimization and data protection by design and by default;
  • Data Protection Impact Assessments (DPIA) must be regularly conducted to manage the risks related to minors, ensuring data minimization, and verifying age without excessive data collection. Read more.

7. European Consumer Organization Makes Recommendations on Security of Minors on Online Platforms

Date: 3rd October, 2024
Summary: The European Consumer Organization (BEUC) has made several recommendations to the European Commission per the Digital Services Act (DSA) concerning minors' privacy, safety, and security on online platforms. These include the following:

  • Online platforms must implement strong privacy, safety, and security measures for minors, though the DSA lacks specifics on how to achieve this.
  • BEUC suggests that the Commission’s guidelines clarify which practices violate Article 28(1), and ensure that age-appropriate design is not replaced by age verification tools.
  • BEUC criticized current practices of Very Large Online Platforms (VLOPs) and Very Large Online Search Engines (VLOSEs) and called for improvement.
  • The DSA should be applied together with other relevant EU laws, including the GDPR, the Consumer Rights Directive, and the Unfair Commercial Practices Directive.
  • Algorithmic recommender systems should be turned off by default for minors.
  • Online platforms should address addictive design features like infinite scrolling and push notifications.
  • Minors' accounts should be private by default, especially regarding geolocation and tracking.
  • A strict approach should be taken on advertising and commercial communications targeted at minors.
  • Participation in codes of conduct should not assume compliance with these rules. Read more.

8. CJEU Rules on Processing Personal Data for Advertising Purposes

Date: 4th October, 2024
Summary: The CJEU has issued its ruling in Case C-446/21, involving Meta Platforms Ireland and Mr. Maximilian Schrems, regarding the unlawful processing of personal data for targeted advertising.

Per the ruling, Meta’s practice of aggregating, analyzing, and processing all personal data for advertising purposes without restrictions on time or type of data violates the GDPR’s provisions on data minimization. Additionally, while information about a data subject’s sexual orientation that the data subject has manifestly made public can be processed, that disclosure does not imply consent to the processing of other related data, particularly data gathered from third-party sources.

Furthermore, the CJEU emphasized that processing such data without explicit consent breaches the GDPR’s provisions on purpose limitations. Read more.

9. CJEU Rules on Compensation Rights for Non-material Damages

Date: 4th October, 2024
Summary: The CJEU has issued its judgment in Case C-507/23 concerning compensation for non-material damage under the GDPR. The case involved a journalist who sought compensation after a video campaign imitated them without consent. While the Latvian courts found the campaign unlawful, the claim for damages was dismissed because the campaign was found to serve the public interest. The CJEU ruled that an infringement of the GDPR does not by itself constitute damage under Article 82(1), and that an apology can constitute adequate compensation for non-material damage where it sufficiently makes good the harm suffered. Read more.

10. CJEU Rules on Legitimate Interest Basis for Commercial Purposes

Date: 4th October, 2024
Summary: The CJEU has addressed a case concerning the Dutch sports federation KNLTB, which shared its members' personal data (names, addresses, and domiciles) with two sponsors in exchange for monetary payment. Following complaints, the Dutch data protection authority (AP) fined KNLTB €525,000 for violating Articles 6(1)(a) and (f) of the GDPR.

The KNLTB has contested the fine in the District Court of Amsterdam, which sought clarification from the CJEU regarding interpreting "legitimate interest" under the GDPR.

The CJEU has now ruled that a "legitimate interest" need not be enshrined in law, but it must be lawful. A purely commercial interest can qualify, but processing based on it is lawful only if it is strictly necessary to achieve that interest and, in any case, only if the interest is not overridden by the data subjects' rights and freedoms.

Furthermore, the CJEU noted that the federation could have informed its members in advance and sought their consent before sharing their data. It also directed the District Court to take into account the nature of one of the recipients, a gambling company, since the disclosure could expose members to risks such as gambling addiction (ludopathy). Read more.

11. CJEU Rules on the Right to Erase Personal Data From Commercial Registers

Date: 4th October, 2024
Summary: The CJEU has issued its judgment in Case C-200/23 concerning the Bulgarian Registry Entries Agency's refusal to delete an individual's personal data from a published partnership agreement after they withdrew consent. The Court found that the Agency, as controller of the data published in the register, had to act on the erasure request, and confirmed that EU Directive 2017/1132 does not require the publication of personal data beyond what is legally required for the register. It further held that even a temporary loss of control over personal data can give rise to a claim for non-material damage under GDPR Article 82(1), provided the data subject shows that they actually suffered such damage, however minimal, without having to demonstrate further tangible negative consequences. Read more.

12. EDPB Adopts Guidelines on Personal Data Processing Based on Legitimate Interests

Date: 9th October, 2024
Summary: The EDPB has adopted Guidelines 1/2024 on processing personal data under Article 6(1)(f) of the GDPR, which permits processing that is necessary for the legitimate interests of the controller or a third party. Per the Guidelines, processing is lawful under Article 6(1)(f) only if three cumulative conditions are met:

  • The interest pursued by the controller or third party must be lawful, clearly and precisely articulated, and real and present rather than speculative;
  • The processing must be necessary to pursue that interest, with no less intrusive means reasonably available;
  • A balancing test must show that the interests, fundamental rights and freedoms of the data subjects do not override the legitimate interest. Read more.

13. Council of the European Union Adopts Cyber Resilience Act

Date: 10th October, 2024
Summary: The Council of the European Union has announced its adoption of the Cyber Resilience Act. The Act establishes cybersecurity requirements for products with digital elements, both software and hardware, covering their design, development and production, and imposes obligations on manufacturers and other economic operators to handle vulnerabilities throughout the product’s support period.

Some of the obligations the law places on organizations include:

  • Products must be designed, developed and produced to ensure a level of cybersecurity appropriate to the risks;
  • Products must be released without known exploitable vulnerabilities and with secure default configurations;
  • Manufacturers must provide security updates for the support period, protect the confidentiality of data, and process only the data the product needs;
  • Users must be able to securely and permanently remove their data or transfer it to other systems;
  • Manufacturers must assess cybersecurity risks, exercise due diligence when integrating third-party components, designate a single point of contact for users, and put in place a mechanism for receiving vulnerability reports;
  • Manufacturers must report an actively exploited vulnerability (and any severe incident affecting the product's security) with an early warning within 24 hours of becoming aware of it, followed by a fuller notification within 72 hours.

The Act now awaits the signatures of the Presidents of the Council and the European Parliament. It will then be published in the Official Journal and enter into force 20 days after publication, with most of its provisions applying 36 months after entry into force. Read more.

14. Manchester-Based Firms Face Hefty Fines For Excessive Spam Texts

Date: 18 October, 2024
Summary: Quick Tax Claims Limited and National Debt Advice Limited are two Manchester-based companies that have been fined a total of £150,000 for sending over 7.5 million spam text messages. An investigation revealed that Quick Tax Claims sent more than 7 million unlawful texts in one month, leading to nearly seventy thousand complaints, most of which noted that there was no “opt-out” option. Quick Tax Claims was subsequently fined £120,000 for not obtaining proper consent.

Similarly, National Debt Advice sent more than 120,000 messages in a four-month period and was fined £30,000. Read More.

15. EDPB Publishes Guide On Technical Scope Of The ePrivacy Directive

Date: 18 October, 2024
Summary: The EDPB has published its Guidelines 2/2023 on the technical scope of Article 5(3) of the ePrivacy Directive. These clarify how the provision applies to various technologies and their uses, such as device fingerprinting, cookies, and IoT devices. Per the Guidelines, Article 5(3) applies to any operation that stores information on, or gains access to information already stored in, a user’s terminal equipment, including devices connected to public communications networks. “Gaining access” may occur via methods such as cookies or JavaScript code, while “storage” may be carried out by software instructions supplied by third parties. Other practices, such as tracking pixels and unique identifiers, are also covered by Article 5(3) when they are used to store information on, or read information from, the device. Read more.

16. “X Not a Gatekeeper”, European Commission Declares

Date: 18 October, 2024
Summary: The European Commission has concluded that X (formerly Twitter) does not qualify as a gatekeeper under the Digital Markets Act (DMA). The decision follows an in-depth market investigation opened after X notified the Commission that it met the DMA’s quantitative thresholds. X argued that, despite meeting those thresholds, its social networking service is not an important gateway between businesses and consumers.

A comprehensive investigation followed, at the end of which the Commission determined that X is not an important gateway for businesses to connect with their end users. Read More.

17. NIS 2 Directive Comes Into Effect In The EU

Date: 18 October, 2024
Summary: The NIS 2 Directive applies from October 18, 2024, the day after the deadline for member states to transpose it into national law. It broadens the cybersecurity requirements for critical sectors in the EU, including energy, transport, and health, and introduces new risk management measures and reporting obligations, along with stricter enforcement and significant sanctions for non-compliance. Organizations in scope must report significant incidents to the competent authority within set time limits and, in some instances, inform the recipients of their services or the public. Information sharing and cooperation between member states are also encouraged to strengthen overall cybersecurity resilience in the EU. Read more.

18. German Bundestag Approves Consent Management Ordinance

Date: 24 October, 2024
Summary: The Bundestag in Germany has approved the Consent Management Ordinance, a regulation designed to align digital consent practices with the GDPR. It aims to let end users manage their privacy settings while using digital services.

The Ordinance encourages digital service providers to voluntarily adopt consent management services that are both user-friendly and transparent and empower users to understand, review, and modify their consent preferences easily. Additionally, the Ordinance contains various technical and security requirements while upholding users' data rights by ensuring data portability and easy service switching. Read More.

19. Irish DPC Announces Inquiry Into LinkedIn’s Data Processing Practices

Date: 24 October, 2024
Summary: The Irish Data Protection Commission (DPC) has announced its final decision following an inquiry into LinkedIn Ireland Unlimited Company. The inquiry arose from a complaint lodged with the French Data Protection Authority (CNIL) about LinkedIn's processing of members' personal data for behavioral analysis and targeted advertising.

The decision includes a reprimand, administrative fines totaling €310 million, and an order requiring LinkedIn to bring its processing into compliance with the relevant GDPR provisions. The DPC found that:

  • LinkedIn did not validly rely on Article 6(1)(a) GDPR (consent) to process third-party data of its members for behavioral analysis and targeted advertising, as the consent obtained was not freely given, sufficiently informed, or unambiguous.
  • LinkedIn failed to establish a valid basis under Article 6(1)(f) GDPR (legitimate interests), as the fundamental rights and freedoms of data subjects overrode its interests.
  • LinkedIn could not justify its processing of first-party data for behavioral analysis and targeted advertising under Article 6(1)(b) GDPR (contractual necessity). Read More.

20. NOYB Files Complaint Against Pinterest Over Alleged GDPR Violations

Date: 25 October, 2024
Summary: None of Your Business (NOYB) has filed a complaint against Pinterest with the French data protection authority (CNIL), alleging that Pinterest tracks its users for personalized advertising without their consent, in violation of the GDPR.

Per NOYB's complaint, Pinterest relies on "legitimate interest" as the legal basis for this processing and requires users to opt out, which NOYB argues does not meet the GDPR's standard for consent and also infringes users' right of access under the regulation. Read more.

21. European Commission Opens Formal Investigation Into Temu’s Alleged DSA Violations

Date: 31 October, 2024
Summary: The European Commission has opened formal proceedings to assess whether Temu has breached the Digital Services Act (DSA) by enabling the sale of illegal products, using addictive design elements, and lacking transparency in its recommender systems. The formal investigation follows Temu's September 2024 risk assessment report, its responses to several requests for information, and cooperation with national regulators. The investigation will focus on the following areas:

  • Systems designed to limit the reappearance of non-compliant products and rogue traders.
  • Systems that Temu has in place to mitigate risks from addictive features, like game-like reward programs.
  • Temu's transparency in recommending content and products to the users, and providing easily accessible non-profiling options.
  • Compliance with DSA obligation to give researchers access to Temu's publicly accessible data.

If infringements are confirmed, Temu could face penalties under the DSA. Read more.

Norway Plans to Raise the Minimum Age for Consent to Social Media Data Processing

Date: 23 October, 2024
Summary: The Norwegian Government (Regjeringen) published a press release on October 23, 2024, announcing plans to raise the minimum age at which minors can consent to the processing of their personal data by social media services from 13 to 15. The government's stated aim is to protect children from algorithmic influence, as part of a broader campaign to shield them from manipulative practices by tech platforms. The policy would amend the Personal Data Act to require users to be at least 15 before they can consent to such processing, and would introduce age verification mechanisms. Read more.

Asia Jurisdiction

22. Sri Lankan DPA Launches Public Consultation on Draft Regulations for Personal Data Protection Impact Assessments

Date: 1st October, 2024
Summary: Sri Lanka's Data Protection Authority (DPA) has launched a public consultation on draft regulations for Personal Data Protection Impact Assessments (PDPIA) under the Personal Data Protection Act No. 9 of 2022. The draft regulations clarify when a PDPIA is required and how it must be conducted. The consultation remains open to the public until October 31, 2024. Read more.

23. Sri Lankan DPA Launches Public Consultation on Draft Rules on Breach Notifications

Date: 1st October, 2024
Summary: Sri Lanka's Data Protection Authority (DPA) launched a public consultation on draft rules for personal data breach notifications under the Personal Data Protection Act No. 9 of 2022. Under these new rules, controllers must notify the DPA of any breaches within 72 hours unless the breach does not pose a significant risk. The affected users must also be notified if the breach poses a high risk to their rights. The consultation will remain open to the public until October 31, 2024. Read more.

24. Australia Introduces Cyber Security Legislative Package 2024

Date: 9th October, 2024
Summary: The Australian Government introduced the Cyber Security Legislative Package, including the Cyber Security Bill 2024, into Parliament on October 9, 2024, advancing initiatives from its 2023-2030 Cyber Security Strategy.

The key provisions in the Cyber Security Bill include the following:

  • Mandatory security standards for internet-connected products.
  • Mandatory reporting of ransomware payments.
  • 'Limited use' obligations for the National Cyber Security Coordinator and the Australian Signals Directorate (ASD).
  • Establishment of a Cyber Incident Review Board.

The package also introduces amendments to the Security of Critical Infrastructure Act 2018 (SOCI Act) and the Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024, intended to simplify the incident response process for businesses. Read more.

25. Proposed New Zealand Bill Makes Major Amendments To Privacy Act

Date: 23 September, 2024
Summary: The Statutes Amendment Bill was introduced on September 23, 2024. It makes significant amendments to the Privacy Act 2020, including clarifying how requests for access to information are handled, giving the Privacy Commissioner more discretion in investigations, allowing agencies to refuse access where the information is not readily retrievable, and clarifying agency liability for notifiable privacy breaches involving service providers. The rules on international data transfers to prescribed countries are also revised; the list of prescribed countries will be published later. Read more.

26. SDAIA Releases New Three-Stage Data Breach Notification Process

Date: 23 October, 2024
Summary: The Saudi Data and Artificial Intelligence Authority (SDAIA) has released guidelines on personal data breach notifications. The guidelines outline a three-stage response process:

  • Controllers must notify the SDAIA within 72 hours of becoming aware of the incident. The notice must include a description of the breach, the number and type of affected data subjects, risks associated with the breach, whether data subjects have been notified, and contact details for follow-up;
  • Controllers must implement containment measures to address the breach appropriately, such as identifying the type and quantity of compromised data and notifying affected individuals without undue delay if their rights are at risk;
  • Controllers must keep detailed records of all communications related to the breach, including the mitigation measures and lessons learned for future reference.

27. More User Rights, Higher Penalties, and Comprehensive International Data Transfer Requirements: New Amendment To Malaysia's PDPA Is Gazetted

Date: 22 October, 2024
Summary: The Personal Data Protection (Amendment) Act 2024 was gazetted in Malaysia on October 17, 2024. Its salient points include the following:

  • Mandatory appointment of a Data Protection Officer (DPO) by data controllers and data processors;
  • Mandatory notification of personal data breaches to the Personal Data Protection Commissioner by data controllers;
  • Data subjects are given the right to data portability;
  • Data processors must comply directly with the security principle under the PDPA;
  • Maximum penalties for breaching the PDPA's data protection principles increased to a fine of MYR 1 million (approx. $212,530) and three years' imprisonment;
  • Rules on international data transfers are revised, allowing data controllers to transfer personal data outside Malaysia if the destination country has laws substantially similar to the PDPA or provides a level of protection equivalent to it. Read more.

28. Privacy Regulators Release Joint Statement On Scraping Of Publicly Accessible Personal Data

Date: 28 October, 2024
Summary: The Office of the Privacy Commissioner of Canada (OPC), Norway's data protection authority (Datatilsynet), and Hong Kong's Office of the Privacy Commissioner for Personal Data (PCPD) have released a joint statement as part of the Global Privacy Assembly's International Enforcement Cooperation Working Group on data scraping.

The statement reiterates that publicly accessible personal data remains protected by privacy laws and that organizations are obligated to protect the data they hold against unlawful scraping. It also contains several recommendations, such as deploying safeguards against scraping, ensuring a lawful basis and transparency for any scraping that is permitted, and complying with privacy laws when scraped data is used to train AI models.

The PCPD also highlights further risks of data scraping, most notably the sale of scraped personal data online and its use in cyberattacks, identity fraud, and spam. Read more.

Explore Securiti's Privacy Regulation roundup for the latest updates on global privacy developments. We're committed to providing you with timely updates and essential information to help you understand the evolving privacy regulatory landscape. You can also visit our dedicated page, offering an overview of global data privacy laws.
