CDP Institute

The IAB, American Civil Liberties Union and a dozen other organizations have fought against passage of amendments to the Children’s Online Privacy Protection Act (COPPA 2.0), the Kids Online Safety Act (KOSA) and the Kids Off Social Media Act (KOSMA). There was some hope this month in Congress that these bills might pass as part of a bundle of amendments added to the Federal Aviation Administration (FAA) Reauthorization Act, but they along with most other amendments in the bundle were pulled out.

Concerns include that the company’s use of hand scanners, monitoring software, GPS and other tracking technologies are negatively impacting workers’ mental and physical health.

Microsoft changed its terms of service to disallow US police departments’ use of facial recognition in Azure OpenAI, its generative AI enterprise platform. It also explicitly bars use of real-time facial recognition technology for trying to identify people in uncontrolled environments. However, OpenAI and Microsoft have pursued project work with the Pentagon and US Department of Defense.

Dropbox has more than 700 million registered users and, while it’s not known how many customers use Dropbox Sign, the service is available on all Dropbox tier plans. So, the Dropbox Sign hack they announced may have affected millions of consumers. Now, a class action has been proposed out of California, which alleges private information of potentially millions of customers may have been exposed and accuses Dropbox of lacking the most basic security protocols thus leaving information at risk.

The International Association of Privacy Professionals (IAPP) 2024 US State Privacy Legislation Tracker provides an overview of state-level legislation for the sixteen states that passed privacy bills and shows the more than a dozen bills currently proposed.

Data subject requests (DSRs) in the form of customer requests for companies to provide access to, delete, and stop selling and sharing data have increased exponentially in the past several years. So have business costs to comply. DataGrail’s 2024 Data Privacy Trends report shows a 246% increase in requests from 2021 to 2023 and indicates that for every 1 million customer identities, manual processing of DSRs costs ~$800 thousand.

The Children’s Advertising Review Unit (CARU) of the US Better Business Bureau (BBB) has issued a compliance warning on using AI in ads and when collecting data on children. They highlighted key areas of concern, including AI-generated deep-fakes, product descriptions that use enhanced AI, and use of avatars and simulated influencers that can mislead children.

The Biden administration affirmed the HIPAA Privacy Rule to Support Reproductive Heath Care Privacy. This rule supports women’s privacy by barring doctors and health plans from having to disclose health information about abortions to state officials. The objective is to ensure that information about “legal reproductive care” remains confidential and can’t be collected by state officials for criminal investigation and other use.

A breach at health care company, Kaiser Permanente exposed the data of ~13.4 million past and present customers who are now being notified by the company of the event. The company clarified the information was shared with other organizations inadvertently, rather than having been hacked or sold, and the company is both investigating the data situation and looking at how to guard against future problems.

Narrow, but interesting for auto privacy buffs is a new law Utah is enacting – the Utah Motor Vehicle Data Protection Act. This states that car brand companies (franchisors) cannot force car dealerships (their franchisees) to provide access to consumer data held in the dealer data systems. The law does not incorporate protection of data the cars can generate, nor data that can be obtained via devices people connect to their cars.

As AI legislation evolves, your company’s privacy policy should keep pace to assure customers of your commitment to safeguard their data. Beyond informing them of how it will be processed, you should clarify: 1) what will be automated via AI, 2) how their data will be used, 3) if the data will be used to train AI models, and of course, 4) how they can opt-out.

The Protecting Georgia’s Children on Social Media Act has been signed by the governor, and it follows similar laws in other states including Louisiana, Arkansas, Texas, and Utah that require parental consent for minors to create new social media accounts. Opponents of this bill earlier raised concerns it may violate kids’ First Amendment rights.