Privacy Roundup: Top 10 Stories of September 2023

Google’s third-party cookie replacement, Privacy Sandbox, is being rolled out, garnering mixed reactions, while privacy laws had a big month, with Delaware joining the growing list in the US and the UK’s Online Safety Bill being passed. 

The UK Government is moving ahead with the proposed UK-US data bridge, the UK extension to the EU-US Data Privacy Framework (DPF) and is set to come into effect on October 12. This will enable UK businesses and organisations to transfer data to certified organisations in the US without the need for further safeguards, such as international data transfer agreements. This designation also gives access to the new redress process to all UK citizens whose personal data has been transferred to the US. Read more

Google has started to roll out its new APIs for Privacy Sandbox – its privacy-preserving alternative for tracking cookies. The APIs are now generally available by default in Chrome. Google noted that 3% of Chrome users will remain unaffected for now as part of A/B testing and it’ll be available to 100% of users “over the coming months.” Read more

Governor John Carney of Delaware signed the Delaware Personal Data Privacy Act into law in September, making Delaware the 12th US state with a comprehensive consumer data privacy law. Effective 2025, Delaware-based businesses need to comply with the Act if they control or process the personal data of 35,000 consumers or more, or if they derive more than 20 per cent of their gross revenue from the sale of personal data of 10,000 consumers. Read more

Alphabet, Amazon, Apple, ByteDance, Meta, and Microsoft are among the six businesses that the European Commission have named “gatekeepers” under the EU’s new Digital Markets Act (DMA). The EC has designated 22 core platform services provided by these companies under the scope of the Act. The Commission noted, “Following their designation, gatekeepers now have six months to comply with the full list of do’s and don’ts under the DMA, offering more choice and more freedom to end users and business users of the gatekeepers’ services.” Read more

The UK Government is moving ahead with the proposed UK-US data bridge, the UK extension to the EU-US Data Privacy Framework (DPF) and is set to come into effect on October 12. This will enable UK businesses and organisations to transfer data to certified organisations in the US without the need for further safeguards, such as international data transfer agreements. This designation also gives access to the new redress process to all UK citizens whose personal data has been transferred to the US. Read more

California lawmakers passed Senate Bill 362, known as the Delete Act which would allow consumers, to have every California data broker delete their personal information, with a single request. It would establish a “one stop shop” where consumers can ask hundreds of data brokers registered in the state to stop collecting and selling their personal data. The bill now awaits Governor Newsom’s signature. Read more

On September 24, 2023, the key provisions of the EU Data Governance Act 2022 (DGA) went into effect. This comes after the 15-month transitional period from June 23, 2022, when the Act first became effective. The DGA seeks to increase data sharing and data availability across sectors for the purpose of innovation. The DGA also promotes data altruism to persuade individuals and businesses to consent to the use of their data generated in the public interest. Read more

Montana has passed the Genetic Information Privacy Act (GIPA), one of the most comprehensive consumer genetic privacy laws in the US, providing wide protections for the state’s residents. The GIPA requires companies processing genetic data, to provide notice, request consent and be transparent about their practices and data protections. The law will be effective from October 1, 2023. Read more

Google is facing a class-action style lawsuit in the Netherlands for alleged violation of European privacy laws. The suit filed by two not-for-profit organizations – The Foundation for the Protection of Privacy Interests (FPPI) and the Dutch Consumers’ Association seeks compensation for “large-scale privacy violations” by Google. In addition, the lawsuit also demands that the company stop tracking and profiling of consumers. Read more

TikTok has launched its first European data centre in Dublin in an effort to combat long-standing privacy worries about the platform’s links to China. TikTok also disclosed that any data transfer outside of Europe will be verified by an independent cybersecurity firm based in the UK. Currently, the app stores user data on servers in the US and Singapore. Read more