Q1 2024: This Quarter in Privacy and AI

Welcome to the Enlightened Privacy, PC “Quarter in Privacy” recap! Here’s your recap for Q1 2024.

What is the Quarter in Privacy Recap?

This is a quick summary of some of the key happenings in the world of data protection and privacy from the past quarter. While there’s always an abundance of news in privacy, we try to capture what we think may be of greatest interest or most relevant to those of you doing privacy day-to-day. Our intention with this recap is to provide thoughtful and helpful updates to keep you informed and maybe even a little entertained. Enjoy! And if you like the recap or have suggestions, please let us know! We’d love to hear your feedback.

  • AI News: It’s arguably the biggest news in AI for Q1: On March 13, 2024, the European Parliament took the action we’ve all been anticipating and adopted the EU AI Act. The Act enters into force 20 days after its publication in the Official Journal of the European Union (publication still pending as of the end of Q1 2024). Some final steps need to happen before that point (the European Council needs to formally endorse the Act and final linguistic edits need to be made). Once in effect, the provisions of the Act enter into force via staggered timelines. For an infographic about the AI Act from the IAPP, click here. For the IAPP’s EU AI Act Cheat Sheet, click here.
    TAKE-AWAY: Start prepping for compliance now. Evaluate applicability, get familiar with the Act’s requirements, and begin thinking about implementing risk assessments.

  • New U.S. State Privacy Laws: Adding to the roster of U.S. states that have passed new comprehensive privacy laws, New Jersey (SB 332) and New Hampshire (SB 225) both passed laws in Q1. Both laws go into effect in January 2025 (NH on Jan. 1 and NJ on Jan. 15). As of the end of March 2024, this makes 14 states that have passed comprehensive privacy legislation. (In April, 2 more states were added, for a total of 16, which we’ll cover in the next newsletter.) Neither law includes a private right of action; each will be enforced by the relevant state Attorney General. Both laws generally provide for the same basic consumer data rights we’ve seen in most of the other state privacy laws, including the right to opt out of processing for targeted advertising, sale, and profiling. Both laws require risk assessments where processing presents a “heightened risk of harm.” The standard exemptions found in many other state privacy laws apply, including the exemptions for individuals acting in a “commercial and employment context” (read B2B and HR data) as well as financial institutions covered under the GLBA.
    TAKE-AWAY: Evaluate your U.S. state privacy compliance program and expand it to cover New Jersey and New Hampshire starting in January 2025 if needed.

  • Enforcement Activity Update: Here’s a quick recap of some enforcement highlights from Q1:

      ◦ Dutch DPA fined Uber €10 million: In January, the Dutch DPA fined Uber for making it difficult for drivers to submit data rights requests and failing to be transparent about how long driver data was retained. The DPA stated that Uber made the data rights request process “unnecessarily complicated” by embedding the request form deep into the app and across multiple menus. Regarding retention, the DPA stated that Uber failed to specify in its terms how long it retains driver personal data and what security measures it implements to protect it when transferring personal data outside the EEA. The Dutch DPA called the data rights and transparency issues “obstacles” that “blocked ... the right to privacy.” Note that the enforcement action originated from driver complaints made to a French human rights organization that reported them to the French DPA, which then reported them to the Dutch DPA, where Uber is headquartered in Europe.
        TAKE-AWAY: Avoid anything that could be an “obstacle” to individuals exercising their privacy rights, and be transparent about retention and protections for data transfers.

      ◦ California AG settled with DoorDash for CCPA and CalOPPA violations: In February, the California AG announced a settlement with DoorDash resulting in a civil penalty of $375,000 and “strong injunctive terms,” including the requirement for DoorDash to provide annual reports to the AG. The AG found that DoorDash violated the CCPA by selling consumer personal information and failing to provide notice and an opt-out. The AG found that DoorDash’s participation in a marketing cooperative, where DoorDash disclosed its customer personal data in exchange for the ability to advertise to other cooperative members’ customers, constituted a “sale” under the CCPA.
        TAKE-AWAY: Review your organization’s marketing activities to determine if you’re engaging in any similar activities (or plan to) and evaluate your CCPA compliance methods.

  • BONUS: New U.S. Federal Privacy Bill: There’s a new Federal privacy bill in Congress: the American Privacy Rights Act (“APRA”). Just when we thought we had seen the last of Federal privacy bills for a while, enter the APRA as of April 7. More to come on this bill, but it includes the same types of consumer data rights as we’ve seen in many of the U.S. state privacy laws. It does preempt state laws that are covered by the APRA.

Want to know more? Need help figuring out how these developments impact you? We’re here to help! Just reach out to info@enlightenedprivacy.com.
