Privacy Roundup: Top 10 Stories of September

A number of data privacy deadlines are on the horizon for 2023, the most significant one being the CPRA. While new privacy regulations and updates are also taking hold in countries like Indonesia and Argentina, big companies face the heat with regulatory fines. Here are all the top stories that we don’t want you to miss.

The deadlines for many state-level data privacy laws in California, Colorado, Virginia, Connecticut and Utah are set to become effective from 2023. Organizations have to review their data processing activities and implement data security and compliance measures. 

• CPRA – California Privacy Rights Act, January 1, 2023
• VCDPA – Virginia Consumer Data Protection Act, January 1, 2023
• CPA – Colorado’s Privacy Act, July 1, 2023
• CTDPA – Connecticut’s Data Protection Act, July 1, 2023
• UCPA – Utah Consumer Privacy Act, December 31, 2023.

In 2023, Google will notify users if their personal information such as their phone number, email, or home address, shows up in Google search results. This new tool “Results about you” will allow users to request Google to remove any explicit or personal information from the search results. To use this new feature, you’ll need to click on the three dots beside any search result, open the About this result panel, and click on Remove result. This privacy-focused feature started rolling out to users in the US on September 28. Read more

Ireland’s data privacy regulator has decided to impose a record fine of €405 million ($402 million) on the Meta-owned social media platform Instagram for violation of the GDPR. The fine comes after an investigation into Instagram’s mishandling of the personal data of users ages 13 to 17, including email addresses and phone numbers. The regulator found that minors were switching to business accounts and had their data including email addresses and phone numbers that were displayed on their profiles. This is the second-highest fine under the GDPR after a €746 million penalty against Amazon. Read more

California recently passed California Age-Appropriate Design Code Act which aims to improve online safety and privacy for children. The act requires businesses like TikTok, Instagram, and YouTube to implement age-appropriate measures such as enabling the highest privacy settings by default for children. It also prohibits online companies from profiling children, collecting location data and nudging children to provide personal information. California is the first state in the US to require online services to install wide-ranging privacy safeguards for users under 18. Read more

The South Korean authority, the Personal Information Protection Commission, imposed fines of ~$50 million on Google and ~$22 million on Meta for collecting personal information without users’ prior consent and using it for targeted advertisements. According to the regulator, Google failed to inform users about data collection and set the default choice to ‘agree’. Meta was also found to have violated data protection rules. Both Meta and Google refuted the commission’s findings and Meta indicated it could challenge its fine in court. This fine is South Korea’s largest penalty for violating personal information protection laws. Read more

Google is rolling out new features to help website developers and advertisers to manage their privacy permissions and data collection, with some new updates to Google Consent Mode, such as setting up and troubleshooting Consent Mode. You can get troubleshooting alerts in your diagnostics tabs and see domain-level insights about your tagging and consent rate. Marketers will also have new support and troubleshooting features in Google Ads which will automatically adjust the data collected from each page in line with your visitor’s consent choices. Advertisers can also review eligibility requirements here. 

Indonesian parliament passed the Personal Data Protection (PDP) Act. The bill’s passage comes after a slew of data breaches and probes into government institutions. It is the first comprehensive data protection law in Indonesia and requires both public and private entities to comply with the Act’s requirements. The Act also has the provision to impose sanctions for mishandling personal data, including 6 year of prison term for falsifying personal data for personal gain. Indonesia now joins Singapore, Malaysia, Thailand, and the Philippines to become the fifth country in Southeast Asia to have data privacy protection law. Read more

TikTok could face a $29 million fine in the UK for failing to protect the privacy of children when they are using the video-sharing platform. An investigation by the UK Information Commissioner’s Office (ICO) found the app may have breached data protection law between May 2018 and July 2020. It said TikTok may have processed the data of children under 13 without appropriate parental consent and processed “special category data” without legal grounds to do so. If the penalty is finalised, this would be the largest fine for ICO, exceeding the record £20 million fine for British Airways in 2018. Read more 

On September 22, 2022, the first set of requirements brought on by Bill 64 came into force in Québec. Bill 64 applies to Québec-based private sector entities and companies doing business involving the personal information of Québec residents. The key changes introduced by the include assigning privacy officers for businesses, mandatory data breach reporting and exceptions to consent requirements. Québec joins the growing states in the US requiring businesses to report breaches. The remaining requirements will come into force in increments, in September 2023 and September 2024. Read story

Argentina’s data protection authority, the Agency for Access to Public Information has published a draft bill that proposes to bring the country’s year-old data protection law in line with the GDPR and other newer data privacy regulations. The draft bill has new provisions to deal with recent issues including cloud computing, biometric data and genetic data. Similar to the GDP, the bill recognises six legal bases for processing data and also requires data controllers to document and notify data breaches to the regulator. The draft bill is open for public comment until 30 September 2022. Read more