Privacy Roundup: Top 10 Stories of January 2024

From Google’s third-party cookie phaseout to new user consent policy updates, and Meta’s plan to unlink Facebook and Instagram, the EU privacy landscape is changing for BigTech, thanks to the upcoming Digital Markets Act. Catch all the top stories and updates from January.

On January 4, 2024, Google’s Chrome web browser disabled third-party cookies for 1% of its users – about 30 million people. A new feature called Tracking Protection, which restricts third-party cookies by default was rolled out for the 1% of randomly selected group of Chrome users globally. This marks the beginning of Google’s year-long plan to phase out cookies in 2024. Read more

Google has updated its EU user consent policy for targeted ads in Europe to comply with the Digital Markets Act (DMA). The company also sent warnings to website and app owners that they could face account suspension in the European Economic Area (EEA)or UK if they display non-compliant cookie banners. Read more

CookieYes CMP is a trusted tool to comply with the new Google updates, as seen from this discussion on LinkedIn.

The first month of 2024 saw the passage of two new US state privacy laws in New Jersey and New Hampshire. New Jersey becomes the 13th state with a comprehensive state privacy law, which is set to take effect in January 2025. A few days later, New Hampshire passed a bill to become the 14th state to enact a data privacy law. The bill still is subject to signature from the state’s Governor and will take effect on 1 January 2025. Read more 

Security researchers have discovered a massive data leak dubbed the “Mother of All Breaches,” that revealed 26 billion records from popular sites like LinkedIn, Snapchat, Venmo, Adobe and X, formerly Twitter. The leak also includes records of government organizations in the US, Brazil, Germany, Philippines, Turkey, and other countries as per Cybernews, which first discovered the breach. Read more

You can use this data leak checker by Cybernews to see if your data has been compromised in the data breach.

To comply with the Digital Markets Act (DMA) in the European Union (EU), Meta announced that its users will be able to unlink their Instagram, Facebook and Messenger accounts as well as other services. The changes will apply in the EU, EEA and Switzerland, and Meta will notify users about their ability to choose whether they would like to share information between these services. Read more

In January, the Spanish Data Protection Agency issued guidance on cookies employed for audience measurement, commonly known as analytics cookies (available in Spanish). The SDPA clarifies the instances where consent is necessary per the ePrivacy Directive and also lists cases where cookies used for obtaining traffic or performance data can be exempt from consent under certain conditions. Read more

According to data from enforcementtracker.com, approximately €2.1 billion in fines were imposed in the EU due to GDPR violations. A major contributor was the €1.2 billion for Facebook’s parent company Meta, related to the unlawful transfer of data to the US based on standard contractual clauses (SCCs). Meta was also fined £344 million by the Irish Data Protection Commission for unlawful processing of user data for targeted advertising.

The Colorado Attorney General announced that the Global Privacy Control (GPC) is the first universal opt-out mechanism considered valid under the Colorado Privacy Act (CPA). Beginning on July 1, 2024, organisations subject to CPA must respect consumers’ preference to opt out of the sale of personal data and targeted advertising via browser signals that conform to the GPC specification. Read more

Italy’s Data Protection Authority (DPA) conducted a month-long investigation on Open AI’s popular chatbot, ChatGPT, and has notified the company of infringements of the EU’s data privacy laws. OpenAI now has 30 days to respond with its defence.  Italy was the first EU country to block ChatGPT in March 2023 for breaching GDPR. Read more

Amazon France Logistique was recently fined €32 million by the French data protection authorities, the Commission Nationale de l’Informatique et des Libertés (CNIL), for surveillance of its warehouse workers that CNIL noted as “excessively intrusive” and retaining data on their activities for longer than was considered necessary. Read more