Privacy Roundup: Top 10 Stories of April 2024

From Google’s postponement of third-party cookie depreciation to the introduction of a new federal privacy bill in the US Congress and the potential TikTok ban, here are the top stories from the world of data privacy.

Google has once again postponed the end of third-party cookies in its Chrome browser. The company noted that it will “not complete third-party cookie deprecation during the second half of Q4.” In a statement, Google acknowledged ongoing challenges in balancing feedback from various stakeholders and emphasised the importance of allowing the UK Competition and Markets Authority (CMA) to review all evidence, including industry tests scheduled for June. Read more

On April 12, Nebraska Governor Jim Pillen approved Legislative Bill 1074, officially making Nebraska the 16th state in the U.S. to implement a comprehensive privacy law. The Nebraska Data Privacy Act (NEDPA) is set to become effective on January 1, 2025. This law closely resembles the Texas Data Privacy and Security Act, although there are some differences, particularly in the area of mandated consumer disclosures. Read more

The California Privacy Protection Agency (CPPA) urges companies subject to the California Consumer Privacy Act (CCPA) to strengthen their data minimization practices to avoid potential penalties. In its first-ever enforcement advisory released on April 2nd, the agency specifically targets CCPA’s data minimization requirements related to consumer requests. It emphasises compliance with California Civil Code § 1798.100(c), CCPA regulations on minimization, and other regulations aligned with the principle of data minimization. Read more

On April 7th, US Representative  Cathy McMorris Rodgers and Senator Maria Cantwell unveiled new draft legislation aimed at creating the United States’ first comprehensive federal data privacy law. This legislation, known as the American Privacy Rights Act of 2024 (APRA), seeks to establish the first-ever nationwide standard for regulating data privacy and security. This move revived an effort that had been stagnant in Congress for nearly two years. Read more

Google agreed to erase or de-identify billions of records of web browsing data obtained when users were using its private browsing mode, or “Incognito”, as per a proposed class action settlement. The proposed settlement in Brown v. Google will also restrict the company’s ability to collect data in the future. The lawsuit was brought by Google account holders in 2020, who accused the company of illegally tracking their online activities through the private browsing feature. Read more

US President Biden recently signed a bill that would potentially ban TikTok in the US unless it is sold within 12 months. The US has urged ByteDance, the Chinese-owned company, to either sell its TikTok app to an American buyer or face a ban. US lawmakers contend that the video-sharing app poses a threat to national security, as the Chinese government could potentially exploit TikTok to spy on Americans or manipulate public opinion in the US by promoting or censoring specific content. Read more

France’s data protection authority, the Commission nationale de l’informatique et des libertés, CNIL, released a report analysing five years of data breaches under the GDPR. Between May 2018 and May 2023, the CNIL received 17,483 data breach notifications with the private sector contributing to approximately two-thirds of the declarations of violations, including 39% from SMEs. The public sector represents 22% of notifications. Read more

The European Data Protection Board, EDPB has released a long-awaited opinion, stating that large online platforms that implement pay-or-consent models will typically fail to comply with the requirements of the EU General Data Protection Regulation regarding obtaining valid consent for processing personal data. The opinion follows Meta’s attempt to introduce a pay-or-consent model for its Facebook and Instagram platforms, following a binding ruling in November 2023 that prohibited Meta’s targeted advertising practices across the European Economic Area. Read more

The European privacy rights group noyb, has lodged a complaint with the Austrian Data Protection Authority against OpenAI, alleging that the company violated the GDPR. Filed on behalf of an anonymous public person, noyb claims that Open AI’s ChatGPT gave false information regarding the public figure’s birthday and refused the complainant’s request to rectify the incorrect birth date. Under GDPR, individuals have the right to request and correct such information via a data subject access request. Read more

AT&T faces multiple class action lawsuits for negligence and breach of contract over a data breach affecting over 70 million customers. The breach, discovered in August 2021, exposed personal information including names, addresses, phone numbers, Social Security numbers, and PINs. The plaintiffs, representing more than 70 million current and former AT&T customers, filed the lawsuit in April. Read more