Q4 2024: This Quarter in Privacy and AI
Welcome to the Enlightened Privacy, PC “Quarter in Privacy and AI” recap! Here’s your recap for Q4, 2024.
What is the Quarter in Privacy Recap?
This is a quick summary of some of the key happenings in the world of data protection and privacy from the past quarter. While there’s always an abundance of news in privacy, we try to capture what we think may be of greatest interest or most relevant to those of you doing privacy day-to-day. Our intention with this recap is to provide thoughtful and helpful updates to keep you informed and maybe even a little entertained. Enjoy! And if you like the recap or have suggestions, please let us know! We’d love to hear your feedback.
As a reminder, our take-aways are Jackie’s thoughts on the updates and not intended to be legal advice.
Quarter in AI:
This quarter’s theme: Resources! Several new regulatory guidance documents have been published. There are also several pieces of draft legislation in the states. A short highlight reel is below.
- On December 24, 2024, Oregon’s Attorney General delivered a Christmas present in the form of a guidance memorandum explaining how Oregon’s existing laws — including its new Consumer Privacy Act — apply to AI. The memo starts by saying, “If you think the emerging world of AI is completely unregulated under the laws of Oregon, think again!” That’s a solid summary (and for some reason makes me giggle). The memorandum focuses on the application of the state’s Unlawful Trade Practices Act, Consumer Privacy Act, Consumer Information Protection Act, and Equality Act to AI. One highlight related to the Consumer Privacy Act: The memorandum notes that companies need to obtain affirmative consent to use personal data to train AI models if that’s a new or secondary use of the data, not “retroactively or passively” change their privacy notices. Ghosts of Christmas past, you say? It’s true, this memorandum validates the guidance we in the privacy community have been giving for a while now! 
 ***Take-away: In case it wasn’t clear before, existing laws apply to AI models and tools, so be sure you’re building in compliance from the ground-up to establish a strong foundation.
- On December 23, 2024, Texas formally introduced HB 1709, an AI bill called the Texas Responsible Artificial Intelligence Governance Act (a draft version was circulated back in October). It covers high-risk AI systems. An important point to note — it includes a list of prohibited uses, taking a beat from the EU AI Act. Let’s see where this bill goes in the new year! Multiple other U.S. states have seen activity on AI-related bills this quarter. Most are in the “prefiled” stage.
 ***Take-away: Be prepared for more state AI legislation in 2025. If developing or deploying any AI system that could be considered “high-risk,” start planning for compliance now.
- The EDPB delivered its AI-related holiday gift early (or perhaps late if it’s a St. Nicholas day gift?). On December 17, the EDPB published an opinion on processing personal data in the context of AI models. It responds to a request made by the Irish Data Protection Commission. The questions relate to (1) model anonymity; (2) & (3) the appropriateness of legitimate interest as a legal basis in the development and deployment of AI models; and (4) the impact of unlawful processing in development on the lawfulness of subsequent processing. The opinion describes the 3-step test to evaluate if an interest is legitimate and discusses the role of reasonable expectations of data subjects. 
 ***Take-away: Legitimate interest is a case-by-case basis, so do your assessments and document them.
- What’s up with OpenAI this quarter? Well, according to a TechCrunch article, there’s debate around whether OpenAI’s video generating tool, Sora, should be available to all users to generate videos of real people, using photos or videos of the real person as the “seed.” OpenAI says it has a filter to detect if someone under the age of 18 is depicted in a video and will enhance its content moderation of the video if there is. So far OpenAI has not made Sora available to all users and, for those who do have access, is limiting use to specific countries. Spoiler alert, it’s not EU countries. 
- EP’s holiday gift to you, for your consideration! A Washington Post article addressed the potential invasiveness of AI assistants in the workplace. The article mentioned a situation in which an AI assistant automatically generated and sent a transcript to a call participant who was external to the company. The transcript included discussion that occurred after the participant logged off. Turns out the chat among those who “stayed on the line” revealed some, shall we say, “unflattering” information about the company. So, what do you want “on the record”? What does your company’s AI policy say about using AI assistants? If nothing, consider addressing it and setting clear rules and guidelines. 
 ***Take-away: Consider potential pitfalls of using AI assistants and other AI tools in the workplace and address them in an AI policy as well as personnel training. Be ready for potential issues that use of AI assistants could create and have a triage and remediation plan in place.
Quarter in Privacy:
- On October 1, Montana’s privacy law, the Montana Consumer Data Privacy Act (“MCDPA”), went into effect. The MCDPA applies to controllers that handle personal data of 50,000 or more consumers, or of 25,000 or more unique consumers where the controller also derives more than 25% of its revenue from selling personal data. The law includes requirements similar to those of many other state privacy laws, such as impact assessments and contracts with data processors. It includes the same basic data rights as most other state laws, with the addition of an opt-out right for voice recognition features. It excludes HR data and B2B data. It currently includes a 60-day cure period that expires April 1, 2026.
- Several new state privacy laws go into effect in 2025. On January 1, 2025, privacy laws went into effect in four states: Delaware, Iowa, Nebraska, and New Hampshire. In total, eight new state privacy laws will go into effect in 2025. Note: Nebraska’s law is a stand-out, similar to the Texas law in its applicability threshold.
 ***Take-away: If you haven’t already done so, be sure to conduct your applicability assessments for the new laws, and if one of the new laws applies, implement the necessary compliance measures. Evaluate what measures you have in place to comply with other state laws, as you can likely extend them for many of these new state laws as well.
- On December 30, the Connecticut Attorney General issued guidelines regarding universal opt-out mechanisms. It’s important to note that the requirements to recognize universal opt-out mechanisms, whose implementation was delayed, are now beginning to take effect. (Yes, friends, it’s been that long!) In addition to Connecticut, the requirements in Texas and Montana went into effect January 1, 2025. Reminder: The requirements in Colorado already went into effect in July 2024.
 ***Take-away: Double-check if you need to take any action to comply with the universal opt-out mechanism requirements that have gone into effect. Don’t let them sneak up on you!
- On the global stage, Australia has been working on some big amendments to its privacy law. Some new privacy act reforms under the Privacy and Other Legislation Amendment bill, which was introduced in September, include a Children’s Online Privacy Code and expanded enforcement powers for the Australian Information Commissioner. Australia also adopted a bill that bans the use of social media by minors under the age of 16 and introduces an age verification requirement.
 ***Take-away: If you process personal data of minors in Australia, be ready to implement compliance measures to address these new legal obligations. In general, it’s wise to be upping your compliance game related to personal data of minors across the board, as this is a hot area of new legal requirements and enforcement.
- For those of you self-certified under the Data Privacy Framework, you should be happy to know that it looks like the DPF is still valid and in place. The EDPB issued its first report of its review of the adequacy decision for the DPF in November. 
 ***Take-away: Since the EDPB is completing its first year DPF report, it may be time for you to conduct your annual compliance audit if you’re self-certified under the DPF. Take a look at your certification and get started conducting your review to identify any areas needing updates or fine-tuning.
Quarter in Enforcement:
- Yeehaw, Texas continues to be active in its enforcement rodeo! In October, the Texas Attorney General announced a lawsuit brought against TikTok for violations of the Texas Securing Children Online through Parental Empowerment (“SCOPE”) Act. The complaint claims that TikTok disclosed minors’ personal information in violation of the Act and that TikTok did not use a “commercially reasonable method” to verify parental/guardian identity. The complaint also asserts that TikTok failed to provide parents the ability to control the privacy settings on a minor’s account, including to limit TikTok’s disclosure of personal information and display of targeted advertising. The Attorney General is seeking civil penalties of up to $10,000 per violation and injunctive relief. In December, the Texas Attorney General also launched investigations into 15 tech companies related to their compliance with the SCOPE Act. The AG is really working to wrangle those potential violators!
 ***Take-away: If you’re operating in Texas, take steps to evaluate your compliance with the Texas privacy law and the SCOPE Act, if either might apply to you. Enforcement is hot, and diligence will be key!
- In November, the California Privacy Protection Agency (“CPPA”) announced that it’s conducting a “public investigative sweep” of data broker registrations in compliance with the requirements under the Delete Act. Data brokers were required to have registered with the CPPA by January 31, 2024. Failure to register could subject a data broker to administrative fines of $200 per day for each day the data broker failed to register. 
 ***Take-away: If you are or might be a data broker, be sure you’ve reviewed the requirements under the Delete Act and register with the CPPA if necessary.
- The French data protection authority, the CNIL, was busy with holiday cookies this December! The CNIL announced that it had issued notices to organizations with dark patterns (the CNIL’s words) in their cookie banners. The main complaints: the means for rejecting non-essential cookies was not as easy as for accepting them and consent was requested through ambiguous or misleading designs. According to the CNIL’s announcement, the notices were issued as a result of data subject complaints. 
 ***Take-away: Check your cookie banners and clear out any elements that could be considered “dark patterns.”
- No quarterly update would be complete without a visit from Max Schrems and his organization, NOYB. In December, the Dutch Data Protection Authority published its decision to impose a €4.75 million fine on Netflix for violating the GDPR by failing to give consumers sufficient information about what it does with their data. The decision covered the period of 2018–2020. The Dutch DPA stated that notification must be “crystal clear.” In particular, the DPA took issue with the level of information that Netflix provided about its legal bases for processing, which data is shared with other parties, how long Netflix retains the data and how Netflix protects data in cross-border transfers. Complaints from NOYB initiated the DPA’s investigation. (We’ll be eagerly awaiting the next installment of our series “Where is Max Schrems?!” next quarter!) 
 ***Take-away: Review your privacy notices and do a “crystal clear” check to make sure they provide sufficient information.
Want to know more? Need help figuring out how these developments impact you? We’re here to help! Just reach out to Jackie or info@enlightenedprivacy.com.
Looking for a refresher of last quarter’s highlights? Click HERE for Quarter 3 highlights.