California expanded its CCPA to include neural data, Belgium took action against misleading cookie banners, and the Internet Archive suffered a data breach affecting 31 million users. Here’s a quick roundup of the latest data privacy news you might have missed.
California amends CCPA provisions on sensitive data
The California legislature has passed several privacy bills to amend the California Consumer Privacy Act (CCPA). Governor Newsom signed Bill SB 1223, which expands the CCPA’s definition of “sensitive personal information” to include neural data — data related to brainwave activity and other brain data. Bill AB 1824 amends the CCPA to address consumer opt-outs in mergers and acquisitions.
Belgian DPA fines media company for misleading cookie banners
The Belgian Data Protection Authority (DPA) mandated substantial modifications to deceptive cookie banners used by media company Mediahuis on four of its news websites. Specifically, the media company must incorporate a “reject” button in the first layer of its cookie banners across its news websites. This ruling follows a complaint submitted in July 2023 by an individual, with support from the privacy advocacy group noyb.
Internet Archive hack exposes 31 million users
The Internet Archive (“The Wayback Machine”) suffered a data breach exposing the personal data of 31 million users, including email addresses, screen names, and encrypted passwords. News of the breach surfaced when visitors to archive.org saw a JavaScript alert from the hacker, announcing that the Internet Archive had been compromised.
LinkedIn fined €310 million for privacy violations by Ireland
Ireland’s Data Protection Commission fined LinkedIn 310 million euros ($335 million) for violating the principles of “lawfulness, fairness, and transparency” in data processing for targeted ads. The investigation found that LinkedIn lacked a lawful basis for collecting data to personalize ads, breaching the GDPR. The Commission stated that “the consent obtained was not given freely,” marking LinkedIn’s first EU fine.
CJEU rules that data minimization limits personal data for targeted advertising
In a recent ruling against Meta, the Court of Justice of the European Union (CJEU) determined that storing users’ personal data on a social networking platform indefinitely for targeted advertising violates the GDPR, in particular its rules on storage limitation. The Court also stated that not all data can be used for the purposes of personalized advertising.
EU AI Act checker reveals big tech’s compliance pitfalls
An EU-approved tool now rates AI models from 0 to 1 for compliance with the upcoming AI Act, with major tech companies like OpenAI and Meta scoring around 0.75 but showing weaknesses in areas like technical robustness and safety. Developed by Swiss startup LatticeFlow AI alongside ETH Zurich and INSAIT, the tool assesses dozens of categories.
Russian court fines Google $2 decillion
Russia has imposed an astronomical $20 decillion fine on Google, targeting YouTube for blocking 17 Russian state-backed media channels amid the Ukraine conflict. The fine stems from YouTube’s ban on the ultra-nationalist Tsargrad channel in 2020, following US sanctions. The court imposed a fine of 100,000 rubles ($1,025) per day, which doubles every week.
California and Colorado establish protections for neural data
California and Colorado have updated their privacy laws to classify neural data as sensitive personal information. Colorado led with House Bill 24-1058, which broadened “sensitive data” under the Colorado Privacy Act to include “neural data.” Following suit, California passed Senate Bill 1223 and Assembly Bill 1008 on September 28, amending the CCPA to cover neural data starting January 1, 2025.
SEC fines tech companies nearly $7 million for misleading disclosures
The US Securities and Exchange Commission (SEC) has announced a $6.985 million enforcement action against four tech companies impacted by the infamous 2020 SolarWinds compromise. On October 22, 2024, the SEC issued orders imposing these fines for “materially misleading” disclosures related to cybersecurity incidents.
ICO launches new data protection audit framework
The UK ICO has introduced a new audit framework to assist organizations in evaluating their compliance with data protection laws. This framework enables organizations to identify steps for improving data protection practices and fostering a culture of compliance. It serves as a foundational tool for assessing how they manage and safeguard personal information.