The UK fined a company £6.09 million for cybersecurity failings, Thailand issued its first PDPA fine, and a judge declared Google’s search monopoly illegal. Catch up on these top stories and key data privacy news you might have missed.
New privacy law in Montana effective October 1
In 2023, the Montana legislature unanimously passed the Montana Consumer Data Privacy Act (MCDPA) which was signed into law on May 19, 2023. The MCDPA is set to take effect on October 1, 2024. It outlines various obligations for businesses, including consumer rights, data protection assessments, and requirements for data processing activities. Read more
Thailand's first PDPA fine: Firm hit with 7 million penalty
Thailand’s Personal Data Protection Act (PDPA) has had its first enforcement case, with an expert committee imposing the maximum fine of 7 million baht (approximately $205,520) on a major online sales company. The company was penalized for failing to protect personal data, which was leaked to call centre gangs, breaching PDPA security standards. Read more
Meta agrees to $1.4B settlement in Texas facial recognition privacy lawsuit
Meta has reached a $1.4 billion settlement with Texas over allegations of improper biometric data use without user consent. Filed in February 2022, the suit accused Meta of illegally using the biometric data of millions of Texans from photos and videos on Facebook without required permissions. In 2021, Meta settled a similar case in Illinois for $650 million. Read more
200 Danish websites found collecting data without consent
The Danish Digital Agency found that all 200 randomly selected websites were collecting data using tracking technologies, such as pixels and cookies, without visitors’ consent. This investigation follows a 2023 analysis by the Agency, where 11,000 .dk websites were examined for their use of third-party services in website construction. Read more
US senate passes Kids Online Safety Act
The Kids Online Safety Act (KOSA) and COPPA 2.0 have cleared the Senate and are now headed to the House. These bills require online platforms used by minors to take reasonable steps in their design to prevent harms like bullying, exploitation, and drug promotion. However, platforms can still provide minors with access to helpful content and resources. Read more
UK firm fined £6.09 million for cybersecurity failings
The UK Information Commissioner’s Office (ICO) has issued a provisional £6.09 million fine to Advanced Computer Software Group after a ransomware attack in August 2022. The ICO found that hackers exploited a customer account without multi-factor authentication, exposing the company’s inadequate cybersecurity measures for protecting personal data. Read more
New York AG releases guidance on website privacy controls
The New York Attorney General’s Office has issued new guidance on website privacy controls, stressing that businesses must maintain accurate privacy statements and ensure their privacy features work as stated. Although New York does not have a comprehensive data privacy law, its consumer protection laws prohibit deceptive privacy practices. Read more
Google has an illegal monopoly on search, US judge finds
A federal judge has determined that Google has breached US antitrust laws with its search operations, and acted illegally to crush its competition and maintain a monopoly on online search and related advertising. The landmark decision deals a major blow to Alphabet, Google’s parent company, and could reshape how Americans access information online and challenge Google’s long-standing market dominance. Read more
National Public Data breach exposes 2.9 billion users
National Public Data, a provider of background checks and fraud prevention services, disclosed a breach that may involve nearly 3 billion personal records. The breach, uncovered through a class action lawsuit in Florida, has raised major concerns about data privacy and cybersecurity in the US. NPD is facing potential class action lawsuits over the breach. Read more
X halts using personal data of EU users to train AI
X, formerly Twitter, has suspended its practice of collecting personal data from European users to train its AI, following pressure from Ireland’s Data Protection Commission (DPC). The DPC, representing the EU, approved X’s decision to stop using personal data from public posts by EU/EEA users for its AI “Grok” from May 7 to August 1, 2024. Read more