CDP Institute

Dell Technologies has announced a data breach and has sent messages to alert customers. The company said payment information was not accessed, though customer names, addresses, and order details were. This follows receipt of a threat actor claim last month on the dark web saying access to 49 million records of Dell customers and employees was accessed.

A new framework which is based on the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules will be redesigned to allow non-APEC country participation. Countries currently participating are Japan, the US, South Korea, Canada, Mexico, the Philippines, Singapore and Taiwan. The UK will be the first to join, and Dubai and Bermuda are expected soon to follow.

Maryland and Vermont passed new privacy laws, or in Vermont’s case, nearly so. Maryland’s is signed, sealed, and will go into effect in October, Vermont’s is on the governor’s desk. Both give customers rights to know, access, delete, and opt-out — but Vermont’s is set to pack a BIG punch (unprecedented in other states) because it allows individuals to sue companies that violate their privacy rights.

The IAB, American Civil Liberties Union and a dozen other organizations have fought against passage of amendments to the Children’s Online Privacy Protection Act (COPPA 2.0), the Kids Online Safety Act (KOSA) and the Kids Off Social Media Act (KOSMA). There was some hope this month in Congress that these bills might pass as part of a bundle of amendments added to the Federal Aviation Administration (FAA) Reauthorization Act, but they along with most other amendments in the bundle were pulled out.

Concerns include that the company’s use of hand scanners, monitoring software, GPS and other tracking technologies are negatively impacting workers’ mental and physical health.

Microsoft changed its terms of service to disallow US police departments’ use of facial recognition in Azure OpenAI, its generative AI enterprise platform. It also explicitly bars use of real-time facial recognition technology for trying to identify people in uncontrolled environments. However, OpenAI and Microsoft have pursued project work with the Pentagon and US Department of Defense.

Dropbox has more than 700 million registered users and, while it’s not known how many customers use Dropbox Sign, the service is available on all Dropbox tier plans. So, the Dropbox Sign hack they announced may have affected millions of consumers. Now, a class action has been proposed out of California, which alleges private information of potentially millions of customers may have been exposed and accuses Dropbox of lacking the most basic security protocols thus leaving information at risk.

The International Association of Privacy Professionals (IAPP) 2024 US State Privacy Legislation Tracker provides an overview of state-level legislation for the sixteen states that passed privacy bills and shows the more than a dozen bills currently proposed.

Data subject requests (DSRs) in the form of customer requests for companies to provide access to, delete, and stop selling and sharing data have increased exponentially in the past several years. So have business costs to comply. DataGrail’s 2024 Data Privacy Trends report shows a 246% increase in requests from 2021 to 2023 and indicates that for every 1 million customer identities, manual processing of DSRs costs ~$800 thousand.

The Children’s Advertising Review Unit (CARU) of the US Better Business Bureau (BBB) has issued a compliance warning on using AI in ads and when collecting data on children. They highlighted key areas of concern, including AI-generated deep-fakes, product descriptions that use enhanced AI, and use of avatars and simulated influencers that can mislead children.