Securiti has started a Privacy Regulation Roundup summarizing the latest significant global privacy regulatory developments, announcements, and changes. These developments will be added to our website monthly. You can find a link to related resources at the bottom for each relevant regulatory activity.
North and South America Jurisdiction
1. Amendment to Illinois' Biometric Information Privacy Act Signed by Governor
Date: 2nd August, 2024
Summary: The Governor of Illinois, JB Pritzker, approved Senate Bill 2979, amending the Biometric Information Privacy Act (BIPA).
The new amendment adds several new provisions to the law, such as the concept of “electronic signature,” which is defined as “an electronic sound, symbol, or process attached to or logically associated with a record and executed or adopted by a person with the intent to sign the record” and is considered an appropriate method for providing written consent.
Furthermore, following this amendment, if a private organization violates multiple requirements for collecting, capturing, purchasing, receiving through trade, or otherwise obtaining the same biometric identifier or biometric information from the same person using the same method of collection in more than one instance, it will be considered a single violation which would entitle the aggrieved person to just one recovery.
2. Pennsylvania Attorney General & Titan Gas Reach Settlement in DNC Registry Violation Case
Date: 5th August, 2024
Summary: The Office of Attorney General Michelle Henry (AG) has announced that it has settled with Titan Gas, LLC (also known as CleanSky Energy), regarding alleged violations of a previous settlement prohibiting contact with individuals on the 'Do-Not-Call' (DNC) registry.
This follows an initial settlement agreement between the two parties in 2019. However, the AG alleges 2.7 million more telemarketing calls were made to Pennsylvania residents via deceptive and unlawful lead-generation practices.
Per the new settlement agreement, Titan Gas will pay $160,000 in civil penalties and $35,000 in costs in addition to producing a written report outlining its compliance with the original settlement and consumer protection laws.
Lastly, the press release clarified that the settlement was filed in the Dauphin County Court of Common Pleas and will become effective upon approval by the Court.
EU Jurisdiction
3. Higher Regional Court of Frankfurt Rules on the Issue Of Placing Cookies on User’s Device Without Obtaining Consent
Date: 9th August, 2024
Summary: The Higher Regional Court of Frankfurt ruled in case No. 6 U192/23 that a company violated the Telecommunications Digital Services Data Protection Act (TDDDG) by placing cookies on a user's device through third-party websites without obtaining prior consent.
The company in question provided advertising and analytics services to website operators who embedded the company’s code on their sites, which led to cookies being set whenever users accessed the page despite contractual obligations that required operators to obtain users’ prior consent.
The court referenced Article 25 of the TDDDG, which prohibits storing and accessing information on a user’s device without their consent. Consequently, an injunction has been issued against the company, preventing it from placing cookies without consent, and a potential fine of €250,000 has been imposed for any future violations.
4. Senegalese Data Protection Authority Issues Press Release on Protecting Minors’ Personal Data
Date: 9th August, 2024
Summary: The Senegalese Data Protection Authority (CDP) has issued a press release stating the urgent need to protect minors’ data, especially in light of the widespread sharing of videos involving children on social media. Furthermore, the press release reiterated the following key legal points to the public:
- Collection and sharing of minors’ images without consent from their legal representatives is prohibited;
- The Senegalese Penal Code penalizes the sharing of images that may violate an individual’s privacy and dignity;
- Exposure of children to social media may lead to risks such as cyberbullying.
5. AEPD Imposes a Fine of €450,000 On UNIQLO EUROPE LTD on Account of Violation of the GDPR
Date: 16th August, 2024
Summary: On August 12, 2024, the Spanish Data Protection Authority (AEPD) fined UNIQLO EUROPE LTD's Spain branch €450,000, later reduced to €270,000, for violating the General Data Protection Regulation (GDPR). The breach occurred when a UNIQLO employee mistakenly sent payroll information for the entire workforce to an unauthorized third party.
The AEPD found that UNIQLO failed to ensure the confidentiality and integrity of the personal data of its workers and to adopt appropriate technical and organizational measures, which allowed an unauthorized third party to access the personal data of its employees, violating Articles 5(1)(f) and 32 of the GDPR. The AEPD held UNIQLO accountable and required it to implement stronger technical and organizational measures to protect the personal data of its workers.