CDP Institute

Italy’s Garante, which has been an aggresive proponent of AI regulation among EU regulators, announced it will increase scrutiny of generative and machine learning AI applications. This follows its recent success in getting ChatGPT maker OpenAI to make changes to its ChatGPT to bring it into GDPR compliance.

Following a Washington Post report that claimed Google does not consistently delete user location history of visits to “sensitive locations,” such as fertility and abortion clinics, a group of US Democratic senators wrote to Google for explanation. Concern is that Google is not upholding its promise to delete data that can reveal private health care decisions.

Montana has a new privacy law that will go into effect in October 2024, sooner than Iowa (2025) and Indiana (2026), which passed theirs first. Montana’s law, which also applies to out-of-state businesses is narrower than some other states, notably California’s, and it does include many exemptions.

Several stories this week demonstrate how far some politicians are prepared to go to undercut individual privacy and to undermine individual autonomy. This reflects a disturbing pattern and a distraction from efforts to pass federal privacy legislation.

The General Data Protection Regulation (GDPR) just turned 5, so it’s good to get a read on how things are going. Piwik Pro surveyed 300 marketers in the European Economic Area (EEA) to see how it has impacted work. More than 80% of companies reported having a good balance between marketing and privacy compliance, which is up 20% from last year.

TrustArc’s 2023 Benchmark survey of more than 2040 global professionals, including executives, managers, full time (non-managerial) employees, and privacy team members outlined 18 challenges and 10 priorities companies big and small are facing when it comes to privacy. Not surprisingly, AI was the top challenge with third-party risk management the top concern.

Edmodo has been charged by the Federal Trade Commission (FTC) with violating the US Children’s Online Privacy Protection Act (COPPA) and the US FTC Act, which regulates unfair acts that affect commerce. The suit alleges children from kindergarten and older were able to use the platform without parental consent. It’s estimated that Edmodo, which shut down last year, had collected data from more than 600,000 students under age 13.

An investigation found the websites of 20 of the trusts in NHS, the UK’s largest health service, have been collecting identifiable browsing data and sharing it with Meta via extraction by Meta Pixel.

Tech companies won’t be held liable for user posts and any subsequent disinformation – thanks to two Supreme Court cases won by Google and Twitter. The companies and tech platforms withstood a challenge to Section 230 of the Communications Decency Act. Established in the early days of the Internet, Section 230 protects companies against liability for postings of users. So, despite growing concerns now about disinformation, discrimination, and violent content on social platforms and sites, these justices opted to side with corporations.

Ireland’s Data Protection Commission fined Meta $1.3 billion and ordered it to stop transfer of Facebook data collected on European users to the US. It is one of the most consequential rulings since the General Data Protection (GDPR) law was enacted and is the result of an EU court’s ruling GDPR protection was violated. If upheld, it could affect data related to photos, friend connections and direct messages stored by Facebook. Not surprisingly, Meta plans to appeal. It has a 5-month grace period, so states it won’t currently need to... Read More >

Hong Kong and the Philippines have signed a Memorandum of Understanding (MOU) to work together to strengthen privacy rights for citizens of each. The Office of the Privacy Commissioner for Personal Data of Hong Kong (PCPD) and The National Privacy Commission (NPC) of the Philippines have established the alliance to ensure more robust data governance, safeguard data subject rights, and to work together on breach investigations, training and education.

The amendments are major revisions to South Korea’s Personal Information Protection Act (PIPA), which was enacted in 2011. They include new rights of data portability and a right to refuse automated decision-making as well as rules for offshore data transfer, PI collection and use by offline businesses, and the granting of expanded rights to the country’s regulator.