Concord Privacy News: 10/10/23
Delaware Enacts Personal Data Privacy Law
Delaware is the latest state in a growing list across the country to enact data privacy laws. Governor John Carney signed the Delaware Personal Data Privacy Act on September 11. According to Delaware Public Media, it is the strongest data privacy law in the nation.
Like the other 12 states that have enacted consumer data privacy laws, Delaware’s follows a similar premise. The law, HB154, provides consumers the rights to know if a business possesses their personal data, to correct inaccuracies in their data, to request that businesses delete their data, and to obtain a copy of the personal data a business might have stored. Consumers can also request and obtain a list of the third parties that have received their data, and they can opt out of having their data used for targeted advertising.
Owen Lefkon, director of the Delaware Department of Justice’s Fraud and Consumer Protection Division, highlighted that the law empowers consumers with options. He said, “Sometimes people want to give their data…you can get benefits, you can get a discount. One of the key things about this bill is it gives consumers choice. It puts the control back in the hands of the consumer.”
The law differs from data privacy laws in other states in that it applies to a wider range of businesses, and it sets a new precedent by raising the age restriction on the sale of children’s data from 16 to 18 years old.
Delaware’s law takes effect January 1, 2025. The state is preparing for an outreach period to inform businesses and consumers, which they expect to begin by July 1, 2024. Read more.
California Legislature Passes ‘Delete Act’
On September 14, the California State Legislature passed Senate Bill 362, the Delete Act, which is designed to streamline the ability of consumers to request the deletion of their personal information collected by data brokers. The bill now awaits the signature of Gov. Gavin Newsom.
Data brokers collect, analyze, and sell personal information about consumers, aggregating data from public records, social media platforms, online transactions, and much more, to create detailed profiles on millions of people. Data brokers have to register with the California Attorney General, but they don’t have to report what kinds of information they collect and sell. Under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), you have a right to require a data broker to delete information they collected directly from you, but you can’t require a broker to delete information they may have acquired about you from other sources.
SB 362 has a simple premise:
- Data brokers would have to register with the California Privacy Protection Agency (CPPA) and disclose the types of personal information they collect.
- The CPPA would create a simple way for Californians to direct all data brokers to delete their personal information, free of charge.
- Data brokers that fail to adhere to the law would face civil penalties and administrative fines set by the CPPA.
Governor Newsom has until October 14 to sign the bill into law.
Other Privacy News of Note
X's New Privacy Policy Allows it to Collect Users' Biometric Data
Starting next month, X's updated privacy policy will entitle it to collect some users' biometric data and other personal information. Under the revised policy, which took effect September 29, X (formerly known as Twitter) "may collect and use your biometric information for safety, security and identification purposes" so long as the user provides consent. Read more.
TikTok is hit with $368 million fine under Europe’s strict data privacy rules
European regulators slapped TikTok with a $368 million fine for failing to protect children’s privacy, the first time that the popular short video-sharing app has been punished for breaching Europe’s strict data privacy rules. The investigation found that the sign-up process for teen users resulted in settings that made their accounts public by default, allowing anyone to view and comment on their videos. Those default settings also posed a risk to children under 13 who gained access to the platform even though they’re not allowed. Read more.