From CNIL’s fines and warnings on cookie consent to the EU’s enhanced cybersecurity framework and Noyb’s new “qualified entity” status, here are the key stories shaping the data privacy landscape.

01

Key data privacy laws taking effect in January

Several US states are set to roll out new data privacy laws in January. Organisations operating in these states should prepare now to ensure compliance.

  • January 1, 2025: Delaware Personal Data Privacy Act (DPDPA), Iowa Consumer Data Protection Act (ICDPA), Nebraska Data Privacy Act (NDPA), and New Hampshire Data Privacy Act (NHDPA).
  • January 15, 2025: New Jersey Data Privacy Act (NJDPA).

02

CNIL warns publishers over dark patterns in cookie banners

The French Data Protection Authority (CNIL) has issued formal notices to website publishers to revise misleading cookie banners following numerous complaints. CNIL found that many banners use dark patterns to encourage users to accept cookies, violating consent requirements under the French Data Protection Act (Article 82). The CNIL has given websites one month to revise their cookie banners and urged compliance with the GDPR and ePrivacy Directive.

03

EU adopts new laws to strengthen cybersecurity framework

The Council of the European Union has adopted two key laws to enhance Europe’s cybersecurity capabilities: the Cyber Solidarity Act and an amendment to the Cybersecurity Act (CSA). These laws aim to improve the EU’s ability to detect, prepare for, and respond to cyber threats and to enhance cross-border collaboration. They will come into effect 20 days after publication in the EU’s Official Journal.

04

Meta agrees to $50M settlement with Australian privacy regulator

Meta Platforms has agreed to an AUD $50 million settlement with Australia’s privacy watchdog, the Office of the Australian Information Commissioner (OAIC), resolving legal proceedings over the Cambridge Analytica scandal. The OAIC alleged Meta improperly shared user data with the Facebook app “This is Your Digital Life”.

05

Noyb granted qualified status to bring collective redress actions

Noyb (None of Your Business), the privacy advocacy group, has been granted “qualified entity” status in Belgium, allowing it to bring collective redress actions for data protection violations. This status enables Noyb to file class-action lawsuits on behalf of consumers, within the framework of the European Union’s collective redress system, where only approved non-profit organizations can initiate enforcement actions.

06

French CNIL fines company €50M for cookie consent violations

The French Data Protection Authority (CNIL) fined e-messaging provider Orange €50 million for embedding email ads in its “Mail Orange” service without user consent. Additionally, the company continued using cookies to track website users even after they explicitly opted out. Orange has three months to comply or face further fines of €100,000 per day.

07

Final Colorado Privacy Act rules adopted

The Colorado Attorney General adopted amendments to the Colorado Privacy Act (CPA) rules on December 5, 2024. Key changes address biometric data, minors’ online privacy, and interpretative guidance. Most rules take effect January 30, 2025, while biometric data provisions begin July 1, 2025.

08

EDPB issues guidance on personal data use in AI

On December 18, 2024, the European Data Protection Board (EDPB) issued an opinion clarifying the GDPR application to AI. The guidance addresses AI model anonymity, the use of legitimate interest as a legal basis, handling unlawfully processed personal data, and the use of first- and third-party data in AI development.

09

CCPA proposes rule changes and compliance sweep

The California Privacy Protection Agency released proposed CCPA rules in November, covering topics such as automated decision-making, risk assessments, cybersecurity audits, insurance industry applicability, and data broker obligations. The agency also announced a compliance sweep for the Delete Act. Companies have until January 14, 2025, to comment before the formal rulemaking process begins.

10

Texas accuses companies of sharing sensitive data without consent

Texas Attorney General Ken Paxton has sent violation notices to four companies, including Sirius XM, GasBuddy, Life360, and Excentus Corporation, for allegedly sharing sensitive consumer data without proper notice or consent. While the state is actively enforcing its new data privacy law, these warnings have been issued quietly, with details obtained through public records rather than press announcements.