By Leslie Veloz
Here’s a snapshot of a few privacy developments from the past few weeks. If you missed our last post, you can find it here.
US STATE LAW
Utah Passes Social Media Laws
Just a year after passing a comprehensive privacy law, Utah became the first state in the United States to pass a law that significantly regulates minors' access to, and use of, social media sites. Read more here.
Iowa Passes Sixth State Comprehensive Privacy Law
On March 15, 2023, the Iowa House voted to approve Senate File 262, a comprehensive privacy law, which was previously approved by the Iowa Senate on March 6, 2023. Read more here.
Colorado Files Final Regulations Under the Consumer Protection Act
On March 15, 2023, the CO Attorney General's Office announced that it filed the final regulations with the Secretary of State, which will be published later this month.
Kentucky Privacy Bill SB 15 Moves Out of the Senate into the House
The Kentucky State Senate has passed SB 15, a Consumer Data Privacy Act, which now moves to the House. If enacted, the Act would provide privacy rights for Kentucky residents.
Oklahoma House Passes Computer Data Privacy Act
HB 1030 (the Oklahoma Computer Data Privacy Act (OCDPA)) passed out of the House Government Modernization and Technology Committee by a 10-0 vote on February 21, 2023. In each of the past two years, the bill passed the House but did not receive a Senate hearing. As in prior years, the hallmark of the OCDPA is that it would require consumer consent for all personal data collection.
DNA Diagnostics Center to Pay $400,000 Settlement
The genetic testing company DNA Diagnostics Center settled a joint action by the Pennsylvania and Ohio Attorneys General for $400,000 over a 2021 data breach attributed to allegedly inadequate security. According to the Pennsylvania and Ohio Offices of Attorney General, the breach exposed the Social Security numbers of 12,663 Pennsylvania residents and 33,000 Ohio residents who underwent genetic testing between 2004 and 2012. The company will pay $200,000 each to the Pennsylvania and Ohio Attorney General Offices.
US FEDERAL LAW
Internet Advertising Terms Update
The Interactive Advertising Bureau, the Association of National Advertisers, and the American Association of Advertising Agencies are working on a major update to the Standard Terms & Conditions for internet advertising.
State Driver's Record Data Sales
Indiana's Bureau of Motor Vehicles legally made $25 million in 2022 by selling Indiana residents' names, birth dates, addresses, vehicle types, and license plate numbers. No federal law prohibits this practice, and residents are given no option to consent or opt out.
CFPB Inquiry into Data Brokers
On March 15, 2023, the Consumer Financial Protection Bureau (CFPB) launched an inquiry into the data broker industry. The CFPB stated that the inquiry is meant to help it understand the full scope and breadth of data brokers, their business practices, their impact on consumers' daily lives, and whether they are all playing by the same rules. The CFPB indicated that it may use what it learns for enforcement activities and to inform planned updates to its rules under the Fair Credit Reporting Act (FCRA).
FCC Adopts New Rules Focused on Scam Texting
On March 16, 2023, the Federal Communications Commission (FCC) adopted its first regulations specifically targeting the growing problem of scam text messages sent to consumers. The order adopts an initial set of requirements and proposes further steps to curtail illegal texts.
FBI Admits to Buying US Location Data
Rather than taking the steps necessary to obtain a search warrant, the United States Federal Bureau of Investigation (FBI) has admitted to purchasing sensitive location data. This controversial practice has become increasingly common among federal and state agencies.
New Partnership Between the NLRB and the CFPB
The National Labor Relations Board (NLRB) and the Consumer Financial Protection Bureau (CFPB) have signed a memorandum of understanding creating a formal partnership between the two agencies to better protect American workers and address employer practices relating to surveillance, monitoring, data collection, and employer-driven debt. The agencies will collaborate by sharing information, cross-training staff at each agency, and partnering on investigative efforts within each agency's authority.
SEC Proposes Changes to Reg S-P to Enhance Protection of Customer Information
The Securities and Exchange Commission (SEC) proposed changes to Regulation S-P that would expand covered firms' breach notification obligations to customers. Under the proposal, covered firms would be required to notify customers of breaches that could put their personal financial data at risk.
SEC Proposes New Requirements to Address Cybersecurity Risks
The Securities and Exchange Commission (SEC) proposed regulations requiring securities market entities to strengthen their cybersecurity protections. The proposal would require all Market Entities to implement policies and procedures that address their cybersecurity risks, review and assess the effectiveness of those policies and procedures at least annually, and report cybersecurity incidents.
Software Company Blackbaud Inc. to Pay $3 Million to Settle Charges
The Securities and Exchange Commission (SEC) settled with Blackbaud, a software company that serves nonprofits, for $3 million over allegedly misleading disclosures Blackbaud made about a 2020 ransomware attack.
TikTok Faces Potential Ban in the US
The Committee on Foreign Investment in the United States (CFIUS), an interagency committee chaired by the Treasury Department that reviews cross-border deals, told ByteDance to sell its stake in TikTok after more than two years of negotiations failed to convince CFIUS that the app is not a national security risk. If ByteDance does not divest, TikTok could be banned in the US.
CANADA
New Virtual Hiring Privacy Guidance
The Office of the Privacy Commissioner released new privacy guidance for companies that conduct virtual interviewing and hiring.
Privacy Commissioner 2023-2024 Work Plan
The Office of the Privacy Commissioner released its 2023-2024 work plan, which includes helping Parliament as it considers new private sector privacy legislation (C-27, the Digital Charter Implementation Act).
Updated Fax Machine Privacy Guidance
The Office of the Privacy Commissioner released updated guidance on using fax machines to transmit personal information.
NORTH & SOUTH AMERICA
Mexico Determines That the Right to Be Forgotten Is Incompatible with Its Constitution
The Primera Sala de la Suprema Corte de Justicia de la Nación determined that the right to be forgotten, as formulated in EU law regarding the deletion or cancellation of personal data, is incompatible with the constitutional and conventional norms protecting freedom of expression and the right to free access to information.
Mexico Publishes Transparency Interpretation Criteria
According to the Diario Oficial de la Federación, an agreement approving the interpretation criteria issued under articles 199 and 200 of the General Law on Transparency and Access to Public Information was published.
EUROPE & UK
EUR 20,000 fine imposed for unlawful personal data processing
Croatia's DPA, AZOP, imposed a EUR 20,000 fine on a telecom controller for failing to check the accuracy of personal data regularly and for retaining personal data beyond the scope of its legal basis, a contractual relationship that had ended. The affected individuals learned of the over-retention when they received a breach notification despite not having been customers for over ten years.
EDPB adopts opinion on EU-US Data Privacy Framework
On February 28, 2023, the EDPB adopted its opinion on the EU-US Data Privacy Framework. The opinion calls for substantial improvements and recommends that it ultimately be reviewed every three years, with contributions from the EDPB in performing the review.
Denmark hotline designed to support digital security
Denmark's DPA, Datatilsynet, announced a hotline that businesses can call for guidance on preventing and responding to cyber incidents.
The Ombudsman Issues a €440,000 Fine for Failing to Cooperate with the Supervisory Authority
Finland's Office of the Data Protection Ombudsman ("the Ombudsman") imposed a fine of €440,000 on Suomen Asiakastieto Oy for violations of Article 58(2) of the General Data Protection Regulation ("GDPR"), following an investigation. The investigation found that by failing to comply with the Ombudsman's order in a timely fashion, Suomen Asiakastieto violated the GDPR.
New guidance on anonymization and risks of re-identification
Spain's DPA, AEPD, published guidance on anonymization and risks of re-identification.
New guidance on user behavior analysis and data protection
Spain's DPA, AEPD, published guidance on privacy issues in user behavior analysis and modeling. User and Entity Behavior Analytics (UEBA) techniques have become commonplace. UEBA techniques used in Internet services collect massive amounts of user or entity data by recording past behavior, modeling present behavior, and predicting future behavior.
Austrian DPA Decides Facebook Tracking Pixel Violates GDPR
The Austrian Data Protection Authority (DPA), the Datenschutzbehörde (DSB), released a decision (English translation) finding that the Facebook tracking pixel violated Article 44 of the GDPR by transferring personal data to the United States without a valid legal basis for the transfer.
ASIA-PACIFIC, MIDDLE EAST & AFRICA
Chinese standard contractual clauses and SCC Regulations released
The Cyberspace Administration of China ("CAC") released the China standard contractual clauses and SCC Regulations on February 24, 2023. The China SCCs and SCC Regulations will take effect June 1, 2023, with a grace period ending November 30, 2023. This means that all three primary cross-border transfer mechanisms under China's Personal Information Protection Law, namely the CAC-led security assessment, certification by licensed professional institutions, and the Chinese SCCs, are now fully established with the details necessary for implementation.
Leslie Veloz is an Associate at Hintze Law PLLC focused on the intersection of privacy, security, and data ethics.
Hintze Law PLLC is a Chambers-ranked, boutique privacy firm that provides counseling exclusively on global data protection. Its attorneys and privacy analysts support technology, ecommerce, advertising, media, retail, healthcare, and mobile companies, organizations, and industry associations in all aspects of privacy and data security.