Montana’s new privacy law takes effect, California cracks down on dark patterns, and Australia moves forward with long-awaited privacy reforms. Catch up on the latest data privacy news you may have missed.
New privacy law in Montana effective October 1
The Montana Consumer Data Privacy Act (MTCDPA) took effect on October 1, marking the fourth new US privacy law this year. In May 2023, Montana became the ninth state in the US to enact comprehensive data privacy legislation. Montana joins California, Utah, Colorado, Connecticut, Virginia, Iowa, Indiana, and Tennessee with their consumer privacy laws. Read more
How cookie settings affect privacy decisions and behaviour
The Department for Science, Innovation, and Technology (DSIT) has published a report examining the impact of website cookie settings on user privacy decisions and behaviour. Out of the 5,019 UK adults surveyed, 58% accepted cookies despite the default setting to decline them, while 42% wanted to customise their settings. Read report
CookieYes CMP allows you to display a fully customizable cookie banner with granular consent options that respect user privacy.
California issues enforcement advisory on dark patterns
In September, the California Privacy Protection Agency (CPPA) issued an Enforcement Advisory on Avoiding Dark Patterns: Clear and Understandable Language, Symmetry in Choice. The Advisory asks businesses to “review and assess their user interfaces to ensure that they are offering symmetrical choices and using language that is easy for consumers to understand when offering privacy choices.” Read more
Check out this 101 guide on how to avoid dark patterns in cookie consent.
Australia’s long-awaited privacy reform comes to fruition
On September 12, 2024, the Australian Government introduced the Privacy and Other Legislation Amendment Bill 2024 to the House of Representatives. This Bill marks the initial phase of reforms to the Privacy Act 1988, following last year’s response to the Privacy Act Review, which called for a comprehensive overhaul of the Privacy Act. The Bill paves the way for heightened legal action against serious breaches of privacy and stronger enforcement of the Australian Privacy Principles (APPs). Read more
California Governor vetoes controversial AI safety bill
Governor Gavin Newsom vetoed a California proposal passed by the state legislature to impose safety standards for AI models. Newsom vetoed the bill, citing concerns that the legislation did not address the dangers tied to AI risks in sensitive data contexts. Had the bill been signed into law, it would have required the largest AI models to certify safety testing before deployment and publicly disclose the safety protocols that prevent the models from being manipulated for negative use. Read more
The Dutch DPA imposes a €290 million fine on Uber
The Dutch Data Protection Authority fined Uber €290 million for transferring EU personal data to the US without proper safeguards, violating GDPR. The breach involved sensitive data, including account details, location data, payment info, and even criminal and medical records, transferred over two years. The Dutch DPA found Uber failed to use proper safeguards like SCCs after August 2021, leaving the data unprotected. Read more
Clearview AI fined by Dutch DPA for facial recognition database
US facial recognition company Clearview AI has been fined €30.5 million ($33.7 million) for building an “illegal database” as per the Dutch data protection authority (DPA). “Facial recognition is a highly intrusive technology, that you cannot simply unleash on anyone in the world,” the DPA Chairman Aleid Wolfsen said in a statement. The DPA also issued an additional order, imposing a penalty of up to €5 million on Clearview for non-compliance. Read more
Instagram rolls out teen accounts with privacy, parental controls
Meta Platforms is rolling out enhanced privacy and parental controls for Instagram users under 18. All designated accounts will automatically switch to private “Teen Accounts” restricting messaging, tagging, and setting sensitive content to the most restrictive level. Users under 16 can change the default settings only with a parent’s permission. The changes are partly in response to the advancement of the Kids Online Safety Act and the Children and Teens’ Online Privacy Protection Act by the US Senate. Read more
23andMe settles data breach lawsuit for $30 million
23andMe has proposed a $30 million settlement and three years of security monitoring over a class-action lawsuit in response to a 2023 data breach. In October 2023, 23andMe announced that it had suffered a “credential stuffing attack,” where hackers used login credentials, reportedly from a previous unrelated hack, to access customer accounts. Read more
CNIL publishes recommendations on mobile apps
The French data protection authority, the Commission nationale de l’informatique et des libertés (CNIL), has issued guidance for mobile app developers to enhance user privacy in light of the rising popularity of these applications among French citizens. The guidance aims to enhance the protection of users’ personal data at every stage throughout the development and provision of mobile apps. Read more