The US continues to have a patchwork of state-level privacy laws as Colorado becomes the latest state to have a consumer privacy law coming into effect in 2023. Meanwhile, EU regulators reprimand Facebook pixel and ChatGPT over privacy concerns. Here’s an overview of all the top data privacy news from March.


Colorado Privacy Act rules finalized

The Colorado Attorney General’s Office released the final version of the Colorado Privacy Act (CPA), following public comments on the draft version. The CPA rules are similar to provisions of California’s CPRA, including privacy notices and opt-out mechanisms. Colorado is the third state, behind California and Virginia, to pass a comprehensive data privacy law.  The revised rules will go into effect on July 1, 2023. Read more


Italy bans ChatGPT over privacy concerns

Italy’s data protection agency announced a ban on OpenAI’s ChatGPT “with immediate effect” over privacy concerns. The regulator noted that the chatbot collected personal data from users without legal basis and did not have age verification in place to prevent minors from being exposed to unsuitable content. In March, the regulator opened a probe into ChatGPT over a data breach that exposed the payment details of some users, an incident that was confirmed by OpenAI. Italy is the first country in EU to ban the AI chatbot. Read more


Austrian regulators declare Meta’s tracking pixel illegal

The Austrian Data Protection Authority (DSB) has ruled that Facebook tracking pixels violate the GDPR and the Schrems II ruling on international data transfers. The decision follows complaints raised by the privacy rights advocacy group NOYB in 2020. The group noted that when websites use tracking pixels they also forward user data to the US companies and then “onwards to the US National Security Agency. Read story


UK introduces new privacy bill

The UK introduced Data Protection and Digital Information (No. 2) Bill to Parliament, a draft data protection bill to reform the General Data Protection Regulation. The reforms are expected to produce £4.7 billion in savings for the UK economy over the next 10 years and maintain the UK’s data protection standards to conduct business and international trade, including the EU. The bill was first proposed in July 2022 but was put on pause in September 2022 in the wake of Liz Truss’s appointment as prime minister. Read more 


EU consumer department pledges to simplify cookie consent

The European Commission’s consumer protection office announced a voluntary cookie pledge during the European Consumer Summit. The initiative aims to address the influx of cookie banners and the implications of users failing to fully understand their choices. The cookie pledge plans to use a mechanism that allows users to input their cookie preference via their browser settings, instead of being asked for consent each time they visit a website. Read more


Utah signs the Social Media Regulation Act

Utah Governor signed the Social Media Regulation Act (SMRA) into law which aims to protect children from addictive features and targeted ads on social media platforms. It will require minors to obtain the consent of a guardian before joining social media platforms and prohibits minors from using social media between 10:30 PM and 6:30 AM.  The law goes into effect on May 3, 2023, and is set to come into force beginning March 1, 2024. Read more 


WhatsApp agrees to transparent policy changes

Following complaints from the European Consumer Organisation (BEUC) and the European Network of consumer authorities, WhatsApp has agreed to be more transparent about changes to its privacy policy introduced in 2021. WhatsApp agreed to explain changes to EU users’ contracts and how it could affect their rights. The company also admitted to prominently displaying the option for users to accept or reject the changes and ensure that users can easily close pop-up notifications on updates. Read story 


Android 14 focuses on new privacy features

Google released the second Android 14 Developer Preview with a few important privacy and security updates. Notable updates include the new photo picker i.e. when an app asks permission to access photos and videos,  users will have a third option to “Select Photos”, rather than giving complete access to their media. The updates also include a new screenshot detection API “to prevent unnecessary access to a user’s data.” Read more


TikTok launches Project Clover to tackle privacy concerns

In light of the regulatory scrutiny TikTok has been facing in Europe, the company has launched a new data policy, dubbed Project Clover to sway European regulators and address privacy concerns. As part of this initiative, TikTok will introduce “security gateways” to limit employee access to EU users’ data and its transfers outside the EU. TikTok also revealed plans for two new EU-based data centres in Dublin and the Hamar region of Norway. Read more


Irish DPC publishes 2022 Annual Report

The Irish Data Protection Commission published its annual report for 2022, noting that the DPC concluded 17 large-scale investigations and imposed over € 1 billion in administrative fines. The report also highlighted the conclusion of over 10,000 cases and over 9,370 new cases from individuals. Read more