Privacy Roundup: Top 10 Stories of December 2023

From Google’s latest CMP requirements to Spain’s cookie guidance, website publishers are facing imminent deadlines this January. Meanwhile, regulatory bodies continue to tighten the reins on Big Tech. Stay in the loop with these must-know top stories.

Effective January 16, 2024, Google will require publishers utilizing its advertising products, including AdSense, Ad Manager, and AdMob to implement a Google-certified Consent Management Platform (CMP) for their websites. The new requirements are mandatory and failure to do so limits your eligibility to serve personalized ads in EEA and UK, negatively impacting your ad revenue. Read more

Use Google-certified CookieYes CMP to easily comply with Google’s new requirements. 

On December 8, 2023, the Council of the EU and the EU Parliament reached a provisional agreement on the AI Act, the world’s first comprehensive legal framework for AI. After extended deliberations, EU lawmakers came to a political consensus on several contentious subjects. The AI Act, if it is approved, will prohibit specific AI systems, regulate general purpose AI (GPAI), and place strict requirements and harsh penalties on high-risk AI systems. Read more

On December 31, 2023, the Utah Consumer Privacy Act came into effect. UCPA applies to businesses that conduct business in Utah or are targeted to Utah residents, have at least $25 million in annual revenue, and meet one of two additional requirements. Modelled after Virginia’s Consumer Data Protection Act, UCPA is considered the most business-friendly of all these states’ privacy laws. Read this guide to UCPA

Last year, the Spanish Data Protection Authority (AEPD) published an updated cookie guidance in response to European Data Protection Board (EDPB) guidelines on dark patterns. This includes new requirements for cookie banner design and the criteria for the setting of personalization cookies without consent. Companies have until January 11th, 2024 to implement these obligations. Read more

You can comply with the AEPD requirements with CookieYes CMP.

2023 saw record-breaking GDPR fines for companies like Meta, Amazon and TikTok. Meta faced a gigantic £1.2 billion fine from the Irish Data Protection Commission (DPC) for failing to comply with a 2020 ruling by the European Union’s highest court and transferring data between the EU and the US. In a first-ever fine related to mishandling children’s data under the GDPR, the Irish DPC fined TikTok £345 million. Here are the top 10 fines.

X (formerly Twitter) is facing a new privacy complaint in Europe from privacy rights group NOYB (None Of Your Business) for “unlawfully using the political views and religious beliefs of its users for targeted advertising.” As per the complaint, the European Commission used this specially protected data to target an ad campaign to rally support for the proposed “chat control” in the Netherlands. Read more

Meta is facing a major legal challenge in Spain as AMI, an association of more than 80 Spanish media outlets have filed a € 550 million ($600 million) lawsuit citing “systematic and massive non-compliance” with the EU’s General Data Protection Regulation (GDPR). The complaint argues that Meta’s ​​use of the personal data from its Facebook, Instagram and WhatsApp platform users, tracked without consent, gives the company an unfair competitive advantage. Read more

Google has agreed to settle a $5 billion privacy lawsuit alleging that it spied on people who used private browsing modes. The class-action lawsuit filed in California in 2020 alleged that Google’s analytics, cookies and apps enabled the company to track user activity even when they set Google’s Chrome browser to “Incognito” and other browsers to “private” browsing mode. Read more

Genetic testing company 23andMe recently revealed that a data breach in October compromised the personal data of about 6.9 million customers. In a regulatory filing,  the California-based company noted that hackers were also able to access “a significant number of files containing profile information about other users’ ancestry”. Another 1.4 million users who opted for 23andMe’s DNA relatives feature also “had their family tree profile information accessed”, the company added. Read more

On December 14, 2023, the CJEU made a ruling and clarified the meaning of non-material damage as outlined in Article 82 of the GDPR and on the burden of proof requirements under the GDPR. The ruling specifically acknowledged that fear of potential misuse or blackmail involving personal data can be considered as non-material damage. Read more