Hintze Global Privacy and Security Updates

Hintze Law continuously tracks privacy and security updates around the world to bring you a regular update of the latest developments. Below is a snapshot of updates from the last month. If you missed our last round of updates, you can find those here.  

United States: State Law Updates 

Colorado Bill to Amend the CPA  

On January 10, 2024, Colorado introduced a draft bill that would expand the Colorado Privacy Act's definition of sensitive data to include "biological data" and "neural data." If passed, as with the other sensitive data elements, consent would be required prior to processing.  

Tennessee to address AI impact on music industry with the Ensuring Likeness Voice and Image Security (ELVIS) Act 

On January 10, 2024, Tennessee Governor Bill Lee introduced new legislation alongside House and Senate legislative leaders and music industry representatives that aims to protect songwriters, performers, and music industry professionals’ voice from the misuse of artificial intelligence. The bipartisan legislation would add “voice” to image and likeness protection under the state's existing Protection of Personal Rights law. 

New AG guidance on Washington’s My Health My Data Act 

On January 9, 2024, the WA AG updated FAQ 4 in its implementation guidance, addressing the required Consumer Health Data Privacy Policy. The updated FAQ states that there must be a separate and distinct link and that the policy “may not contain additional information not required under the My Health My Data Act.” 

New Jersey Comprehensive Privacy Bill Signed by Governor

New Jersey's Assembly and Senate passed Senate Bill 332 on January 8, 2024, and it was signed by the governor on January 16, 2024. The bill was originally introduced to the legislature in January 2022, and has passed with amendments. Notably, the bill provides for rulemaking.

New York Attorney General Fines Hospital for Tracking Pixel Use 

On December 27, 2023, the New York Attorney General entered into a settlement agreement with New York Presbyterian Hospital after an investigation that found the hospital’s use of third-party tracking pixels between 2016 and 2022 violated the HIPAA privacy rule. Under the settlement agreement, the hospital agreed to pay a fine of $300,000, instruct third parties that received protected health information (PHI) to provide written certification that they deleted the PHI, change its policies and procedures for pixels and software development kits (SDKs), and obtain an independent third-party assessment to identify all pixels and SDKs used on its website and any data transferred via those tools.

NetChoice Sues Utah 

On December 18, 2023, trade industry group NetChoice sued Utah to block its social media laws in NetChoice v. Reyes. This follows two other lawsuits NetChoice previously filed to block California’s Age Appropriate Design Code and Arkansas' social media law. NetChoice secured preliminary injunctions in California and Arkansas, which may suggest a similar victory in Utah.

AI Legislation Pre-Filed in Washington State 

On December 14, 2023, AI legislation was pre-filed in Washington state titled “an act relating to promoting ethical artificial intelligence by protecting against algorithmic discrimination.” It would require things like impact assessments, statements by developers of automated decision-making tools to a deployer about the intended uses of the tool and known limitations, and policies to be created by developers.

United States: Federal Updates  

FTC: AI Companies: Uphold Your Privacy and Confidentiality Commitments 

On January 9, the Federal Trade Commission's Staff in the Office of Technology released a technology blog warning AI and "model-as-a-service" companies, which develop and host models to make available to third parties via an end-user interface or an application programming interface, to honor their privacy commitments to users and customers or face Section 5 enforcement. 

FTC Order Prohibits Data Broker X-Mode Social and Outlogic from Selling Sensitive Location Data 

On January 9, the Federal Trade Commission reached a settlement with X-Mode Social and Outlogic, LLC, its first settlement with a data broker concerning the collection and sale of sensitive location information, following allegations the company sold precise location data that could be used to track people’s visits to sensitive locations. The proposed order would prohibit data broker X-Mode Social and its successor Outlogic from sharing or selling any sensitive location data and, among other things, require the company to delete or destroy all the location data it previously collected and any data products produced from this data. 

New FTC Blog: The DNA of privacy and the privacy of DNA  

On January 5, the Federal Trade Commission released a new business blog focusing on genetic privacy and reflecting on recent enforcement actions against CRI Genetics, 1Health/Vitagene and Genelink. The blog, in part, underscores how the agency’s broader enforcement strategy around biometric privacy, data security, dark patterns, and artificial intelligence applies in the genetic testing and DNA-related product context.  

FCC Updates Breach Rules  

On December 21, 2023, the FCC released a Report and Order discussing updates to its data breach notification rule. Among other things, the updates expand covered information from customer proprietary network information to also include personally identifiable information, modify the definition of "breach" to include "inadvertent access, use, or disclosure of covered data," add the requirement to notify the FCC in addition to the Secret Service and the FBI, and remove the waiting period before notifying customers in favor of a requirement to notify customers without unreasonable delay but in no case more than 30 days following “reasonable determination of the breach.”

FTC Proposes New COPPA Rulemaking 

On December 20, 2023, the FTC announced proposed changes to the Children’s Online Privacy Protection Act (COPPA), which will be the first changes to the COPPA rule since 2013. The feedback window is open and will close March 11, 2024. The proposed updates include: requiring separate consent for targeted advertising, prohibiting the conditioning of children’s participation on the collection of personal information, imposing limits on the internal operations exception, imposing limits on nudging children to stay online, introducing changes related to ed tech, increasing accountability for Safe Harbor programs, strengthening data security requirements, and imposing limits on data retention.

FCC Amends TCPA Consent Requirements 

On December 18th, the FCC released amended TCPA regulations regarding the requirements for obtaining consent before sending advertising or marketing text messages (using an automatic telephone dialing system or “ATDS”), or prerecorded or artificial voice calls. The amendments were intended to rein in lead generator texting and calling practices, but the regulation changes apply across all business types. Consents must now be obtained for each specific company that is marketing its products or services, and the texts sent need to be "logically and topically" related to the interaction that prompted the consent.

United States: Industry and Trade Group Updates 

NIST Workshop on Secure Development for AI Models 

NIST held a virtual workshop on Secure Development Practices for AI Models on January 17, 2024. The workshop was held in support of Executive Order 14110, Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence. Feedback from attendees will inform NIST’s creation of Secure Software Development Framework (SSDF) companion resources to support organizations producing AI models and organizations adopting and using those AI models.

DAA Releases New Tools to Address Next-Gen “Cookies and Beyond” for AdChoices Program 

On January 5, 2024, anticipating the deprecation of third-party cookies, the DAA released new tools to help people opt-out of other types of tracking technologies and techniques. The DAA's announcement and overview of the tools is here.  Companies participating in the DAA's AdChoices program will be expected to update their processes to interoperate with the new “cookies and beyond” tools before the end of 2024. Work may be needed for participating companies that: offer or use consent management platforms; use token-based IDs for interest-based advertising; offer token-based preferences; or participate in the DAA Choice Tool.   

NIST publishes Trustworthy and Responsible AI Report on Adversarial Machine Learning 

The National Institute of Standards and Technology (NIST) published NIST AI 100-2 E2023 on January 4, 2024, a report on Adversarial Machine Learning: A Taxonomy and Terminology of Attacks and Mitigations. The report is meant to assist organizations in securing applications of artificial intelligence (AI) against adversarial manipulations of AI systems. It provides a categorization of attacks and their mitigations for both predictive AI and generative AI systems.  

Europe and the United Kingdom  

European Commission favorably reviews 11 of 16 adequacy decisions 

In a report issued January 15, 2024, the European Commission confirmed that 11 of 16 adequacy decisions (for Andorra, Argentina, Canada, the Faroe Islands, Guernsey, the Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay) should continue uninterrupted because each "continues to benefit from adequate data protection safeguards." Reviews for decisions with the U.S. (the EU-U.S. Data Privacy Framework is expected to be challenged in EU courts), Japan, South Korea, and the UK — one for commercial entities under the GDPR and another under the EU Law Enforcement Directive — were not included in the report (the UK decision is likely to be revisited once the U.K. General Data Protection Regulation is reformed or replaced).  

CNIL Launches Draft Guide on Data Transfer Impact Assessments 

On January 8, 2024, the CNIL launched a public consultation on a draft Guide for Conducting Data Transfer Impact Assessments. The guide identifies elements to consider and provides guidance on how the assessment can be carried out following the steps set out in the EDPB Recommendations. The consultation period will close on February 12, 2024.

Researcher Blogs about ChatGPT Complaint to UODO 

On January 8, 2024, researcher and blogger Lukasz Olejnik wrote about his complaint (and supplementary letter) submitted to the Polish Data Protection Authority (DPA), relating to the alleged unlawful processing of Olejnik's personal data within ChatGPT, owned by OpenAI. Olejnik also complains that OpenAI allegedly failed to provide access to his personal data, when requested, and did not provide information about the processing of his personal data. He further alleges that OpenAI failed to correct his personal data, and that personal data processing by ChatGPT is being done in a way that's contrary to the principle of data protection by design.

Austrian DPA Publishes FAQ on Cookies and Privacy 

On December 20, 2023, the Austrian Data Protection Authority, Datenschutzbehörde, published frequently asked questions related to cookies and privacy on its website. Topics include descriptions of cookies and legal frameworks for cookie usage, use of cookie banners, what makes a cookie “technically necessary,” “pay or okay” schemes, and how a company can provide information about cookies to its website visitors.    

CNIL Imposes Six New Sanctions 

On December 20, 2023, the CNIL announced that it issued six new sanction decisions under its simplified procedure for a total amount of €44,000. The main shortcomings identified are: a lack of cooperation with the CNIL; excessive collection of data from job applicants; a failure to respect the rights of individuals to object to political canvassing by e-mail; failure to respect the right of access to medical records; and a lack of data security, due to a failure to respect the minimum precautions for the robustness and storage of passwords.

North and South America  

Quebec Draft Regulations on Personal Information Anonymization 

Quebec issued draft regulations regarding anonymization of personal information. If enacted, they would regulate what entities covered by its privacy Law 25 would need to do before anonymized personal information can be generated and processed. The draft regulations are available here, and are open for comment until February 3, 2024. 

Asia-Pacific, Middle East, and Africa  

Australia Releases Responsible AI Discussion Paper  

On January 17th, the Australian Government released an interim response paper to the Safe and Responsible AI in Australia discussion paper, which was originally released last summer. The paper highlights the concerns stakeholders submitted, and outlines how the government will ensure that AI is designed, developed, and deployed safely and responsibly in Australia. The paper outlines principles guiding the government's interim response, as well as concrete steps to prevent harm. These steps include drafting a voluntary AI risk-based safety standard, watermarking or similar data provenance mechanisms, and establishing a temporary expert advisory group. Australia also plans as part of this effort to create new laws as well as clarify and strengthen existing laws, notably privacy law reforms and reviewing the Online Safety Act of 2021.  

Generative AI Governance Framework Proposed by Singapore  

Singapore proposed a new governance framework for artificial intelligence, which builds on a prior AI framework from 2019. The framework was introduced at the World Economic Forum, with Singapore’s intent to contribute to the global conversation and seek international feedback.

Hintze Law PLLC exclusively provides global data protection counseling for technology, ecommerce, advertising, media, and mobile companies and organizations. More information about the firm is available at HintzeLaw.com.