Spain’s data protection authority, the Agencia Española de ProtecciĂłn de Datos, has updated its guidance on cookies to tally with the European Data Protection Board’s Opinion 8/2024, which concerns the attainment of valid consent in “pay or okay” models implemented by large online platforms. Press release here → (in Spanish)
The French Data Protection Authority (CNIL) has issued new guidance on using web scraping tools to collect personal data from public online spaces for direct marketing. Following inspections in 2019, CNIL clarified that publicly accessible data is still personal and cannot be reused without the person’s consent.
The CNIL has issued guidance for organizations providing public internet access, such as municipalities, hotels, and cafes, outlining legal obligations for retaining traffic data. Key points include:
IP addresses and connection times must be retained.
Personal data must be limited to what’s necessary for processing.
User identity data (name, birth date, etc.) should be kept for five years.
Account creation info and technical data (IP address, device ID) must be kept for one year.
Communication origin and technical characteristics can be kept for up to three months.
Users have rights to access and correct their data, but these rules don’t apply to employees of the organizations.
The UK ICO has launched a consultation on data subject rights in generative AI, closing on June 10, 2024. The ICO is concerned that generative AI models often use personal data during training and deployment, and organizations must ensure individuals can exercise their data rights. The ICO seeks evidence on effective methods organizations use to meet these legal obligations, aiming to support innovation and protect personal data in AI development. Read here →
2) Notable Case Law
The European Commission has begun formal proceedings to investigate whether Facebook and Instagram’s parent Meta, has violated the Digital Services Act (DSA) concerning the protection of minors. The Commission is worried that the algorithms on both platforms may promote addictive behavior in children and create ‘rabbit-hole effects’. Additionally, there are concerns about Meta’s age-assurance and verification methods. Read about the investigation here →
The Attorneys General of Arkansas, Hawaii, Columbia, and Oregon have announced a $10.25 million settlement with wireless carriers for deceptive advertising practices. The settlement, involving AT&T, Cricket Wireless, T-Mobile, TracFone, and Verizon Wireless, addresses misleading advertising and marketing practices. Key terms of the settlement include, among others, ensuring truthful, accurate advertising & transparently outlining fees and conditions.
Arkansas will receive $104,246.46 from the settlement, with $49,017.04 from T-Mobile, $30,125.14 from Verizon, and $25,104.28 from AT&T. Press release →
3) New and Upcoming Legislation
The Vatican City State has issued a new decree on personal data protection, effective from April 30, 2024, for a three-year trial period. This regulation applies to data processing within Vatican City, excluding personal use, publicly disclosed, or anonymized data. The regulation is available in Italian here →
The world’s first Artificial Intelligence (AI) Act has been approved. This risk-based legislation imposes stricter regulations on high-risk AI systems, banning harmful practices like cognitive manipulation and social scoring. It promotes transparency, accountability, and innovation, supported by regulatory sandboxes and a robust governance framework. The Act will be enforced two years after its official publication, aiming to set a global standard for AI regulation. Press release →
US Law Updates:
Vermont: The Vermont legislature has passed House Bill 121, a robust data privacy bill enhancing consumer privacy and age-appropriate design. If signed, it will be among the strongest privacy laws in the U.S. The bill limits data collection and use, with a private right of action for consumers against large companies handling data of over 100,000 people annually. Smaller Vermont businesses will work with the state’s Attorney General for compliance. Despite bipartisan support, the Governor may veto the bill due to the private right of action. More details →
Minnesota: The Minnesota Senate has passed the Omnibus Agriculture, Commerce, Energy, Utilities, Environment, and Climate supplemental appropriations bill, which incorporates the Minnesota Consumer Data Privacy Act (Senate Bill 2915) that:
Applies to entities processing data of 100,000 consumers or deriving 25% of revenue from selling data of 25,000+ consumers.
Exempts small businesses as defined by the U.S. Small Business Administration.
Requires a chief privacy officer or equivalent contact information.
Allows consumers to request details on profiling decisions and data used.
Includes universal opt-out mechanisms, data protection assessments, attorney general enforcement, and a 30-day right to cure (sunsetting in 2026).
If enacted, the law will take effect on July 31, 2025.
4) Strong Impact Tech
Adobe has threatened legal action against Delta, an indie game emulator, over its logo’s resemblance to Adobe’s “A” logo. Delta received an email from Adobe’s lawyer stating that Delta’s app icon infringed on Adobe’s trademark and needed to be changed within the prescribed period. Following this, Apple informed Delta that Adobe requested the app’s removal from the App Store. Delta clarified that its logo was a stylized Greek letter delta, not an “A,” but agreed to update the logo to resolve the issue. Read more →
