We’ve compiled the latest in Data Protection and Privacy news for your convenience below.

1) Newly Published Documentation

Italy – AgID Publishes Accessibility Guidelines Under the European Accessibility Act
Italy’s Agency for Digital Italy adopted new guidelines to help businesses meet accessibility requirements for digital services (Italian, PDF) under the EAA. Read the AgID news article (Italian).

European Union – Parliament Advances AI Omnibus Under Digital Omnibus Package
MEPs reached a preliminary agreement on AI Act amendments, extending high-risk compliance deadlines to 2027–2028, introducing a ban on non-consensual deepfakes, and strengthening AI Office oversight powers.

United Kingdom – ICO and Ofcom Push Platforms for Stronger Age Checks
The ICO and Ofcom called on major platforms to improve age verification, warning that children under minimum-age thresholds cannot be lawfully processed as regular users. Read the ICO press release.

2) Notable Case Law

France – Court Upholds Criteo’s €40 Million GDPR Fine
France’s highest administrative court confirmed CNIL’s fine against Criteo over consent, transparency, and erasure violations affecting millions of users. Read the Conseil d’État’s decision.

Italy – Garante Fines Intesa Sanpaolo €17.6 Million Over Unlawful Profiling
Italy’s privacy authority fined the bank for profiling 2.4 million customers during a restructuring and shifting them to a digital subsidiary without a valid legal basis. Read the Garante press release (Italian).​​​

Spain – AEPD Fines Yoti €950,000 Over Biometric Age Verification
Spain’s data protection authority sanctioned Yoti for unlawful biometric processing, invalid consent collection, and excessive retention of personal data. Read the AEPD Resolution (Spanish, PDF)

3) New and Upcoming Legislation

United States – California’s CalPrivacy Opens Consultation on Privacy Rights and Opt-Out Signals
California’s privacy agency launched consultations on reducing friction in privacy rights requests and improving opt-out preference signals, with comments open until 6 April 2026. Read the CalPrivacy notice on reducing friction.

4) Strong Impact Tech

United States – Anthropic Sues Pentagon Over AI Military Use Restrictions
Anthropic challenged a Pentagon designation that followed its refusal to allow certain military uses of Claude, including mass surveillance and autonomous weapons without human oversight. Read the Anthropic’s civil compliant here (PDF)

European Union – X Submits Blue Check Compliance Plan After DSA Fine
X submitted proposed changes to its verification system following the European Commission’s enforcement action under the DSA.

Other key information from the past weeks

European Union – EDPB Publishes First Data Brokers Market Study
The EDPB mapped over 40 data broker actors, highlighting re-identification risks and offering a framework for regulators to better assess third-party data ecosystems. Read more here.

United States – OpenAI Tests Ads in ChatGPT, Raising Privacy Concerns
OpenAI began testing ads in ChatGPT, potentially personalised based on user interactions, prompting concerns about influence in highly sensitive contexts. Read more here.

About us

Attorney-level solutions to make your websites and apps compliant with the law across multiple countries and legislations.

www.iubenda.com

The post DPO Newsletter: Global Data Protection & Privacy News (issue #153) appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

We’ve compiled the latest in Data Protection and Privacy news for your convenience below.

1) Newly Published Documentation

European Union – EDPB & EDPS Issue Joint Opinion on Digital Omnibus
The European Data Protection Board and the European Data Protection Supervisor published a Joint Opinion 2/2026 on the Digital Omnibus proposal (PDF), supporting simplification but warning that some amendments could weaken fundamental rights and fragment GDPR protection across the EU.

European Union – EDPB Adopts 2026–2027 GDPR Work Programme
The European Data Protection Board adopted its 2026–2027 GDPR work programme (PDF), prioritising practical enforcement, updated cooperation procedures, revised fine-setting guidance, SME support tools, coordinated transparency enforcement, and further work on generative AI scraping.

2) Notable Case Law

France – CNIL Reports €486.8 Million in GDPR Fines for 2025
France’s data protection authority published its 2025 enforcement report (in French), detailing 259 decisions and €486.8 million in fines, mainly linked to cookie violations, employee monitoring, security failures, and unlawful marketing practices.

United States – FTC Warns Data Brokers Over Foreign-Adversary Data Sharing
The U.S. Federal Trade Commission sent warning letters under the Protecting Americans’ Data from Foreign Adversaries Act, reminding 13 data brokers that sharing sensitive data with entities linked to China, Russia, Iran, or North Korea may trigger penalties of up to $53,088 per violation.

Spain – AEPD Orders Health Authority to Answer Access Request
The Spanish Data Protection Agency ordered the Balearic Health Service to comply with a GDPR access request within ten working days after missing the one-month deadline, as confirmed in its official resolution (PDF, in Spanish).

3) New and Upcoming Legislation

United Kingdom – ICO Sets Complaint Handling Standards Under New Data Act
The UK Information Commissioner’s Office published guidance on complaint handling under the Data (Use and Access) Act, which enters into force on 19 June 2026 and requires clear procedures, prompt investigations, and reasoned written outcomes.

4) Strong Impact Tech

European Union – EU Probes Google Over Search Ad Auction Pricing
EU antitrust regulators are assessing whether Google inflated search ad auction prices in breach of EU competition law, according to a Reuters report on the preliminary investigation.

European Union – Brussels Targets “Infinite Scroll” Under DSA
EU regulators are scrutinising addictive design features such as infinite scroll and autoplay under the Digital Services Act in the TikTok investigation, as reported by Politico on potential DSA enforcement measures.

Other key information from the past weeks

Canada – Ontario Releases Privacy-First AI Framework for Health Care
Ontario’s Information and Privacy Commissioner issued guidance on responsible AI use in health care (PDF), outlining governance expectations, vendor oversight, and safeguards for AI medical scribes.

About us

Attorney-level solutions to make your websites and apps compliant with the law across multiple countries and legislations.

www.iubenda.com

The post DPO Newsletter: Global Data Protection & Privacy News (issue #152) appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

That’s why the European Commission’s “Digital Omnibus” proposal has been getting so much attention. The headlines can be dramatic (“cookie banners are going away”), but the real story is more practical: the Commission is trying to reduce consent fatigue by looking at how consent is usually collected and simplifying the legal requirements around it.

Below is what matters most for publishers, what the proposal promises, what’s still unclear, and why pay-or-ok models are likely to stay central either way.

The EU’s proposal in a nutshell

The Digital Omnibus proposal (published 19 November 2025) is the Commission’s attempt to simplify parts of the EU’s digital and privacy framework. One key shift: cookie-related rules, now part of the ePrivacy Directive, would move into the General Data Protection Regulation (GDPR), so businesses are not struggling to keep up with too many scattered legal requirements.

On cookie consent specifically, the proposal suggests:

• Consent still matters for marketing. Advertising, profiling, cross-site tracking, and most third-party analytics remain “opt-in” scenarios.
• Fewer repeated prompts. The proposal supports clearer banner standards (including making “Reject” as easy and visible as “Accept”) and limiting how often you can re-prompt after a refusal.
• A long-term push toward browser or OS-level choices. A new system was proposed: “machine-readable” consent signals, so a user could set preferences once at the browser level, and websites would need to read and apply them.

A lot of questions arose from the proposal and will probably find their answer in future publications by the European Commission around the topic. In the meantime, the proposal will continue its journey through the EU legislative process.

There will likely still be a series of legal and technical requirements for websites to handle, like informing users of their practices around data and privacy, blocking cookies when no consent is given, etc.

Why cookie consent is crucial for publishers

As a publisher, you sit in a different reality than many other website owners.

Your model is often some mix of ad-funded access, subscriptions (hard paywalls, freemium), or hybrids (memberships, logged-in experiences).

Cookie consent affects all of it, but the pressure point is usually advertising.

• If you can’t collect valid cookie consent where it’s required, you may lose the opportunity to serve ads altogether.
• If consent is partial, you may not be able to serve ads personalized to the user. It’s less probable for users to click.
• If the consent experience is too heavy, takes too much time to load, the user may go through your content before your high-value, above-the-fold ads display. It’s less probable for users to click.

All the above can have a high negative impact on your revenue.
That’s why, as a publisher, you should make sure to curate your cookie consent processes.

Consent processes are so important for you, and yet they’re a strong pain point for your visitors. The reality is that most people don’t want to decide about cookies. They want the article, the video, the recipe.

Repeating that same decision on every new site is a fast track to the frustration that the EU’s proposal targets: fewer repeat prompts, clearer UI expectations, and, eventually, more centralized preference signals.

A special exemption granted to media providers

Here’s the part you probably immediately noticed: a carve-out for “media service providers”.

In the proposal’s logic, if users are given the possibility to broadcast a global “reject tracking” signal from their browser, ad-funded media could take a hit.

In other words, if the user were to deny consent at the browser level to advertising, for instance, media providers would not be able to display ads, which is usually their main source of revenue.

So the proposal suggests that media service providers should not be obliged to respect those globally-transmitted signals (in view of the need to finance media through advertising) and could still ask for consent in the usual way, whether through a traditional banner, a pay-or-ok model, etc.

There’s a tricky nuance here to be aware of: media service providers would not have to respect global consent rejection signals set by users. This, of course, doesn’t mean that they would be exempt from general consent rules like informing users or letting them update their preferences through a banner. Only that the signal mechanism might not be binding the same way for that category.

Some publishing platforms may not be subject to this exemption.

At these early stages of the proposal, there is still some uncertainty around the boundaries and scope of the media service provider definition. Make sure to seek expert advice to understand if you wouldfall within the exemption.

Pay-or-ok model: why it won’t disappear

If you work in media, you already know the trend: pay-or-ok is everywhere. And the user behavior is predictable: “I’ll just consent, because I don’t want to pay.”

When the “free” option is funded by ads and tracking, many readers will choose it.

Paywall? Pay-or-ok? Here’s a quick refresher for those who are new to these terms.

A paywall controls access to content. Users must pay (or subscribe) to read, watch, or listen. In short: Pay to access content.

A pay-or-ok model links access to content directly to consent for tracking. Users can either pay (usually via subscription) or consent to advertising and tracking. Advertising revenue replaces subscription revenue for users who choose “ok.” In short: Pay with money, or pay with data.

We can argue that pay-or-ok doesn’t help reduce consent fatigue. The annoyance of the banner and making a choice is still there. In general, EU privacy discussions keep scrutinizing “consent or pay” models to make sure they are fair (consent is freely given).

Regulators pay attention to whether the user genuinely has a choice, how pricing and alternatives work, and whether pressure is applied.

So even if the Omnibus proposal would give media service providers room not to honor global reject signals, pay-or-ok design will still be under a microscope. The question shifts from “can you show a banner?” to “is the choice fair, clear, and defensible?”

Subject to future clarifications of the media service provider definition, Consent Management Platforms may remain central for publishers as they would still need a reliable and compliant infrastructure to manage cookie release, consent walls, and pay-or-ok logic if it’s not done in-house.

What the proposal means for publishers now

The best you can do now is the following:

• Stay informed and monitor further developments, as this is just a proposal. It’s not law yet.
• Keeping your consent flows, preference handling, and internal documentation practices in check could help reduce future implementation effort.

Existing legal obligations still apply, and you don’t need to change anything because of the headlines. It’s a multi-year transition, and publishers will likely operate in a hybrid world for a long time.

Even if adopted, this won’t be a “flip the switch” moment. The legislative path is long, and clarifications will come in time. Requirements would start to take effect several months after entry into force.

Parts of the proposal have sparked some debate and will have to be addressed. For publishers, the biggest uncertainty is also the most basic: who counts as a “media service provider”?

Early commentary has already pointed out that this carve-out may be challenging to apply in practice and could be open to misuse. The exemption shouldn’t create a blanket legal basis for tracking and other marketing activities.

iubenda is an all-in-one, scalable privacy compliance infrastructure that can help you improve your marketing performance and grow confidently.

Our team works by your side to help optimize your consent rate and processes, to support your revenue growth.

Disclaimer: This article discusses a legislative proposal, not final law. The content reflects iubenda’s interpretation as of February 2026 and should not be relied upon as legal advice. Consult your own legal counsel for guidance specific to your business.

The post What publishers should expect from the EU’s Digital Omnibus proposal appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

In October 2025, the European Data Protection Board (EDPB) announced that transparency and information duties under the GDPR will be its top coordinated enforcement topic for 2026.

That’s a clear signal: regulators will be paying extra attention to how you explain your data use to people.

For businesses, that translates to a simple focus: your privacy and cookie policy should be accurate, clear, and easy to find.

If your policies are due for an update, 2026 is the year to stop postponing it. Let’s take a look.

What the year of transparency holds in store

During its October 2025 plenary, the EDPB picked the topic for its fifth coordinated enforcement action: compliance with the GDPR’s transparency and information obligations.

Here’s the core idea: the GDPR says people have the right to be informed about the collection and processing of their data, especially under Articles 12, 13, and 14. This “right to be informed” is one of the GDPR’s foundation stones, because it’s what gives people real control over their data.

If you’re collecting personal data, you must clearly explain that you’re doing it, what data it is, what you do with it, and why.

Coordinated enforcement: what does that mean? 1-The EDPB selects a topic (for 2026, transparency). 2-National Data Protection Authorities (DPAs) choose to participate voluntarily. 3-DPAs run checks or investigations at national level using a shared approach. 4-Results are aggregated and analyzed to spot patterns. 5-If needed, this can lead to targeted follow-up at national and/or EU level. The action will be launched over the course of 2026.

This is what regulators will be looking at:

• Article 12 is your “plain language” rule. Information must be concise, transparent, easy to access and to understand.
• Article 13 covers what you must tell people when you collect data from them (for example: contact forms, checkout, newsletter signup).
• Article 14 covers what you must tell people when you get their data from somewhere else (for example: lead lists, partners, data enrichment, certain advertising scenarios).

Why it matters to your business

If the GDPR applies to you, you must follow transparency requirements.

Most businesses will be affected by the EDPB’s 2026 focus on transparency because it applies whenever you collect or use personal data.

If your website has a contact form, a newsletter signup, account creation, checkout/payments, customer support chat, or even common tools like analytics and marketing pixels, you’re almost certainly processing personal data.

If a DPA looks at your site or app and doesn’t like what it sees, they can ask questions, require changes, order you to stop certain processing, and (in some cases) issue fines.

Who are DPAs? A quick reminder: DPAs (Data Protection Authorities) are the national regulators that enforce data protection law in each EU/EEA country. There’s a French one, an Italian one, and so on.

Beyond the legal obligations, transparency isn’t just a legal checkbox for SMBs. It’s a real business advantage.

When people understand what you’re doing, they’re less suspicious. They’re more likely to sign up, buy, and stick around.

They’re more willing to trust you with their data. Better data means better campaigns and a higher revenue!

Transparency can actually improve conversion and retention, because it reduces friction and surprises.

Make your privacy and cookie policy flawless

For most businesses, the practical translation of these obligations is having a privacy and cookie policy.

The key elements to include in your privacy policy are:

• Who you are: company name, contact details
• What personal data you collect and how: e.g., name, email, billing details, IP address, device info, order history + where it comes from: forms, checkout, cookies/trackers, third-party tools
• Why you use it (purposes): e.g., provide the service, process payments, customer support, analytics, marketing
• Your legal basis: consent, contract, legal obligation, legitimate interests
• Who receives the data: any third parties, like hosting or payment processors, vendors, service providers
• Any international transfers: if data goes outside the EU/EEA, explain where and what safeguards you rely on
• Retention: how long you keep data
• People’s rights: access, deletion, objection, etc., and how to exercise them
• Updates: how you notify users of changes, “last updated”, or effective date

Do’s	Don’ts
Article 12 is explicitly about clear and plain language and making information easy to access. Can I understand the main points in under two minutes?	This isn’t about writing longer legal documents. It’s about making sure anyone can quickly find and understand it.
Can I find your privacy policy in one click from any page? That’s why you typically see all privacy policies in the footer of the website.	A privacy policy that is technically “published” but buried in a submenu or written like a courtroom script is not the spirit of Article 12.
Does your policy match reality? Make sure it is complete and tailored to your business.	Here’s an easy mistake: if a service truly doesn’t involve personal data processing, you generally don’t need to describe it in your privacy policy. Including non-existent processing can be misleading.

Take a look at our GDPR privacy policy template for an example!

How iubenda helps you meet 2026 standards

As Giulia Stancampiano, our Director of Legal at iubenda, puts it:

“By focusing on information duties in 2026, the EDPB highlights something simple but often overlooked: data protection begins with explaining things clearly. The real work is translating principles into practical steps that people can understand.”

Transparency can sound like tedious work. It’s writing the policy, but also keeping it accurate as your business changes. Add a new analytics tool, chatbot, ad platform, or payment provider, and last year’s policy no longer reflects what you actually do.

That’s where iubenda helps: we empower SMBs to manage transparency and digital compliance easily, as their business evolves.

Our tools come with pre-drafted clauses that are updated when relevant legal changes occur. We alert you if something’s missing. We offer easy integration options with your site.

A privacy policy powered by iubenda is simple, effective, and meets transparency requirements. Learn more about our Privacy and Cookie Policy Generator.

Ultimately, the EDPB’s 2026 focus reinforces a simple point: compliance starts with clear communication. iubenda’s products are built for simplicity and for maintaining consistent and reliable communication as your business grows.

Need a transparent privacy policy?

The post What the EDPB’s 2026 focus on transparency means for online businesses appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

We’ve compiled the latest in Data Protection and Privacy news for your convenience below.

1) Newly Published Documentation

United Kingdom – ICO Clarified Storage and Access Technology Rules
The ICO clarified that PECR rules apply to all information, not just personal data, and maintained that storage or access must be essential to provide requested services. Legitimate interest cannot be used for non-exempt technologies and consent is required.

Italy – Garante Approved IT-Wallet System Draft Decrees
The Italian data protection authority issued a favorable opinion on draft decrees for the Italian Digital Wallet System (in Italian), which incorporates Privacy by Design and by Default principles aligned with GDPR Article 25 requirements.

European Union – EDPB Published DSA-GDPR Guidelines
The European Data Protection Board adopted guidelines 3/2025 on the interplay between the Digital Services Act and GDPR, covering illegal content detection, advertising transparency, and systemic risk management amongst others. Public consultation runs until October 31, 2025.

USA (California) – Multi-State Privacy Enforcement Sweep Targets Opt-Out Compliance
The California Privacy Protection Agency and attorneys general from California, Colorado, and Connecticut launched an investigative sweep examining business compliance with consumers’ right to opt out of personal data sales. The enforcement action specifically focuses on adherence to Global Privacy Control signals and proper handling of consumer opt-out requests across participating states.

2) Notable Case Law

Finland – S-Bank Fined €1.8 Million for Security Breach
S-Bank received a €1.8 million fine for GDPR violations (in Finnish) after a security flaw allowed customers to log into online banking using other customers’ credentials between April and August 2022.

France – Google and SHEIN Fined
France’s CNIL imposed €325 million total penalties on Google entities for unauthorized advertising practices. Google LLC was fined €200 million while Google Ireland Limited faced €125 million for Gmail advertisement deployment without consent and improper cookie placement affecting over 74 million French users. Compliance requirements include practice cessation within six months or additional sanctions.

CNIL separately sanctioned SHEIN with a €150 million penalty for cookie compliance failures (in French). Violations encompassed unauthorized tracker deployment, incomplete consent banners lacking advertising purpose disclosure, insufficient third-party identification at secondary information levels, and faulty consent withdrawal mechanisms where trackers were not removed, as well as tracker operations that continued despite user refusal.

3) New and Upcoming Legislation

Poland – Data Act Implementation Framework Advanced
Poland’s Draft Act on Fair Access to and Use of Data (in Polish) progressed, designating the Office of Electronic Communications as the enforcement authority. The Council of Ministers expects adoption in Q4 2025.

USA (California) – Opt Me Out Act Passed Legislature
Assembly Bill 566 passed, requiring businesses to develop browsers with opt-out preference signal functionality and clearly disclose how these signals work and their intended effects on data processing.

USA (Colorado) – EPIC Submitted CPA Amendment Comments
The Electronic Privacy Information Center (EPIC) supported expanding sensitive data definitions and recommended opt-in consent for features extending minors’ engagement, while proposing clarifications on content moderation requirements.

USA (New Jersey) – Privacy Groups Urged Robust NJDPA Rules
EPIC and the Consumer Federation of America recommended that the Division of Consumer Affairs adopt strong privacy rules including data minimization provisions and stricter standards for minors’ data.

4) Strong Impact Tech

USA – FTC Launched AI Chatbot Inquiry
The Federal Trade Commission initiated an investigation into AI chatbots from seven companies including Alphabet, Meta, and OpenAI, examining COPPA compliance and impacts on children and teens.

European Union – ASML Invested €1.3 Billion in Mistral AI
Politico reported that Dutch chip tool-maker ASML announced a major investment in French AI company Mistral, supporting Europe’s technological sovereignty goals and helping compete with American AI companies like OpenAI and Anthropic.

Other key information from the past weeks

Austria – YouTube Data Access Request Decision
Austria’s data protection authority ordered Google’s YouTube to comply with the GDPR following complaint proceedings instituted by noyb (in German). The regulator determined that Google LLC provided inadequate access request responses by withholding processing purposes, retention periods, recipient information, and tracking cookie details. These resulted in the violation of transparency obligations under Articles 12 and 15 GDPR.

USA – Disney Children’s Privacy Settlement
Disney agreed to a $10 million COPPA settlement for unlawful YouTube data collection from children under 13. The US Federal Trade Commission alleged Disney mislabeled child-directed videos as “Not Made for Kids,” enabling targeted advertising without parental consent, violating federal privacy protections.

USA – YouTube Children’s Privacy Settlement
Google and YouTube agreed to $30 million COPPA settlement resolving California Federal Court children’s privacy litigation from October 2019. The agreement addresses unauthorized data collection from minors including persistent identifiers, IP addresses, device information, and location data without parental consent, establishing $30-$60 individual payment ranges for affected children.

About us

Attorney-level solutions to make your websites and apps compliant with the law across multiple countries and legislations.

www.iubenda.com

The post DPO Newsletter: Global Data Protection & Privacy News (issue #147) appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

We’ve compiled the latest in Data Protection and Privacy news for your convenience below.

1) Newly Published Documentation

Italy – AI Law Published in Official Gazette
Italy officially published its comprehensive artificial intelligence legislation (in Italian) in the Official Gazette, establishing a regulatory framework for AI systems operating within Italian jurisdiction.

Switzerland – Website Tracking Regulations
Swiss authorities announced revised digital privacy requirements mandating clear data collection disclosure and simple opt-out options. The framework allows some non-essential cookies without consent if justified by strong interests, while sensitive or high-risk data activities require explicit user approval.

EU – Digital Platform Compliance Framework
European regulators released collaborative guidance demonstrating how the Digital Markets Act and GDPR work together to safeguard user information and promote competitive fairness among large technology companies.

Austria – Microsoft 365 Education Victory
Austrian privacy advocates successfully challenged Microsoft 365 Education for tracking school children, with authorities ruling the platform violated student privacy protections.

2) Notable Case Law

Germany – Hamburg Financial Firm Penalty
Hamburg’s data protection authority fined a financial company €492,000 (in German) for failing to provide customers with adequate explanations about automatic credit card rejections, breaching transparency requirements.

California – Universal Privacy Controls
California enacted legislation requiring browsers to provide single-click tracking rejection capabilities by January 2027. The measure enables users to block data collection and commercial sharing across all websites simultaneously, eliminating individual site preferences.

3) New and Upcoming Legislation

USA (Maryland) – Data Privacy Law Effective
Maryland’s new data privacy law became effective on October 1, granting residents rights over personal data, setting business compliance rules, and establishing security standards with potential criminal penalties.

Norway – Digital Security Act Enforced
Norway’s Digital Security Act took effect (in Norwegian) on October 1, requiring critical sectors to meet strict cybersecurity standards and rapidly report incidents, aligning with European network security directives.

4) Strong Impact Tech

USA – AI LEAD Act Referred to Committee
The AI Leadership To Enable Accountable Deployment Act was referred to committee, creating a civil liability framework holding AI developers and deployers accountable for negligence and safety violations.

USA (California) – Frontier AI Transparency Act Signed
California’s Governor signed the Transparency in Frontier Artificial Intelligence Act on September 29, requiring large AI developers to publish risk assessment frameworks and detailed transparency reports.

Other key information from the past weeks

Brazil – Cybersecurity Legal Framework Pending
Brazil prepared to approve its first Cybersecurity Legal Framework, establishing a National Cybersecurity Authority to unify regulations and enforce national standards across sectors.

United Kingdom – Apple Cloud Data Access Attempt
UK authorities made renewed attempts to access Apple’s cloud data storage systems, intensifying ongoing disputes over law enforcement access to encrypted user information.

Germany – EU Child Abuse Scanning Bill Division
Germany remained divided on the EU’s proposed child abuse content scanning legislation, with mounting pressure from various stakeholders regarding privacy and security implications.

About us

Attorney-level solutions to make your websites and apps compliant with the law across multiple countries and legislations.

www.iubenda.com

The post DPO Newsletter: Global Data Protection & Privacy News (issue #148) appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

We’ve compiled the latest in Data Protection and Privacy news for your convenience below.

1) Newly Published Documentation

European Union – EDPB Reviews Brazil’s Data Protection Adequacy
The European Data Protection Board shared its opinion on recognizing Brazil’s data protection laws as adequate under EU standards. While finding Brazil’s framework largely compliant with GDPR, the EDPB advised clarification on privacy assessments, transparency limits, and law enforcement applications.

Latvia – Guidance Issued on Cookie Opt-Out Simplification
Latvia’s Data Protection Authority published guidance urging websites to make cookie consent withdrawal easier (in Latvian). The authority emphasized that non-essential cookies require freely given consent and highlighted best practices for clear withdrawal tools.

European Union – AI Content Transparency Code Development Begins
The European Commission launched development of a Code of Practice for AI-generated content transparency. The seven-month process involves industry and civil society input to meet AI Act requirements for clearly marking AI-produced content by August 2026.

France – CNIL Surveys DPOs on AI Governance Role
France’s data protection authority launched a nationwide survey exploring how Data Protection Officers adapt to AI oversight responsibilities (in French). The initiative examines AI Act and GDPR interactions, with results expected in early 2026.

2) Notable Case Law

Spain – Carrefour Financial Services Fined €2.5 Million
Spain’s data protection authority fined Servicios Financieros Carrefour €2.5 million for data breach failures (in Spanish). The breach exposed customer ID numbers, contact information, and financial data due to weak security systems and poor monitoring practices.

Poland – Courts Approve UODO’s Data Communication Framework
Polish Courts of Appeal approved the national data protection authority’s standardized communication templates for personal data protection claims (in Polish). The decision supports streamlined information sharing under Poland’s Personal Data Protection Act.

3) New and Upcoming Legislation

USA (New York) – Final Cybersecurity Rules for Small Firms Active
New York’s amended cybersecurity rules final phase took effect, requiring small businesses to adopt multi-factor authentication and maintain detailed asset inventories. Class A companies must ensure universal MFA access and comprehensive IT asset records.

Hungary – National AI Law Enacted
Hungary enacted comprehensive AI legislation effective December 2025, creating the AI Market Surveillance Authority and Hungarian Artificial Intelligence Council. The law applies to all AI providers and users, with maximum fines reaching HUF 13.3 billion (approximately €33 million).

4) Strong Impact Tech

USA – OpenAI and Amazon Sign $38 Billion AI Infrastructure Deal
OpenAI secured a multi-year agreement with Amazon for AI infrastructure capacity, including hundreds of thousands of Nvidia processors through AWS. Full capacity deployment is expected by end of 2026, reflecting massive capital investment in next-generation AI systems.

USA – Meta Announces $600 Billion AI Infrastructure Investment
Meta committed to spending $600 billion over three years expanding US infrastructure and creating jobs through new data centers. CEO Mark Zuckerberg outlined the AI growth preparation plan, including recent investments in Louisiana and Texas facilities.

Other key information from the past weeks

Hong Kong – Privacy Commissioner Alerts LinkedIn Users on AI Data Use
Hong Kong’s Privacy Commissioner reminded users that LinkedIn began using personal data and public content to train generative AI models from November 3, 2025. The change affects Hong Kong, EU, and Canadian users under reviewed privacy settings.

APEC – Leaders Adopt Digital Transformation Declaration
APEC leaders adopted the Gyeongju Declaration committing to regional digital and AI transformation readiness. The joint commitment emphasizes collaboration in digital policy research, voluntary data sharing, and human-centered AI development approaches.

About us

Attorney-level solutions to make your websites and apps compliant with the law across multiple countries and legislations.

www.iubenda.com

The post DPO Newsletter: Global Data Protection & Privacy News (issue #149) appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

We’ve compiled the latest in Data Protection and Privacy news for your convenience below.

1) Newly Published Documentation

European Union – EU Explores Cloud and AI Act for Data Centre Sovereignty
Parliament analysts outlined how a forthcoming Cloud and AI Development Act could expand EU data-centre capacity, reduce reliance on US cloud providers, and foster secure EU-based services to strengthen digital sovereignty and competitiveness.

European Union – Meta to Offer Real Choice on Personalised Ads Under DMA
Under Digital Markets Act pressure, Meta agreed to give Facebook and Instagram users genuine choice between fully personalised ads and versions using significantly less personal data, starting January 2026.

2) Notable Case Law

South Korea – Coupang CEO Resigns After Breach Affecting 33.7 Million Users
South Korean e-commerce giant Coupang disclosed a breach affecting 33.7 million customers after attackers used active cryptographic keys to forge access tokens, exposing personal details for nearly five months.

United Kingdom – ICO Fines LastPass £1.2 Million Over Major Data Breach
The UK Information Commissioner’s Office fined LastPass £1.2 million after a cyberattack exposed data of up to 1.6 million UK users due to inadequate technical and organizational safeguards.

3) New and Upcoming Legislation

USA (Federal) – Trump Signs Order to Preempt State AI Laws
President Trump signed an executive order creating national AI policy to displace conflicting state laws, directing federal agencies to challenge state measures while exempting child safety and procurement rules.

Ireland – Government Approves Garda Facial Recognition Bill
The Irish Government approved publication of legislation enabling police to use facial recognition and biometric tools for serious crime investigations, subject to High Court judge oversight.

4) Strong Impact Tech

European Union – Commission Probes Google’s Use of Content for AI Training
The European Commission launched an investigation into whether Google abuses dominance by using publishers’ content and YouTube videos to train AI models without fair compensation or meaningful opt-out.

South Africa – WhatsApp Settles With Regulator Over Data Compliance
WhatsApp reached an out-of-court settlement with South Africa’s Information Regulator over alleged non-compliance with local data-processing conditions, with confidential corrective measures agreed.

Other key information from the past weeks

Vietnam – Vietnam Passes First Comprehensive AI Law
Vietnam’s National Assembly approved its first Law on Artificial Intelligence, effective March 2026, establishing core principles, prohibited practices, and risk-based framework with centralized oversight.

Australia – Reddit Challenges Social Media Age Ban in Court
Reddit initiated High Court proceedings to overturn Australia’s ban on social media access for minors, arguing the regulation infringes upon free political dialogue and poses privacy concerns.

About us

Attorney-level solutions to make your websites and apps compliant with the law across multiple countries and legislations.

www.iubenda.com

The post DPO Newsletter: Global Data Protection & Privacy News (issue #150) appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

We’ve compiled the latest in Data Protection and Privacy news for your convenience below.

1) Newly Published Documentation

France – CNIL Publishes Guidance on Analyzing AI Models Under GDPR
France’s CNIL published guidance helping AI providers assess whether their models store personal data from training and are subject to GDPR, building on the EDPB’s opinion on AI development.

Denmark – Datatilsynet Announces 2026 Supervisory Focus on AI Monitoring Technologies
Denmark’s Data Protection Authority published 2026 priorities focusing on AI monitoring in care settings, patient devices, employee tracking, and website tracking, signaling heightened healthcare and workplace scrutiny (Danish).

European Union – European Commission Publishes DMA Review Consultation Summary with 450+ Responses
The European Commission published all contributions from its Digital Markets Act review consultation, with stakeholders supporting DMA objectives while calling for expanded AI and cloud scope. The review report is due May 3, 2026.

2) Notable Case Law

European Union – EU Commission Orders X to Preserve All Grok Documents Until End of 2026
The European Commission instructed X to retain all Grok-related records through December 31, 2026, as it examines Digital Services Act compliance following criticism over AI-generated harmful imagery.

United Kingdom – UK Prime Minister Starmer Seeks International Coalition Against X Over AI-Generated Abuse Images
UK Prime Minister Starmer is building an international “coalition of decency” after X’s Grok enabled non-consensual imagery creation, with the government supporting potential enforcement action under the Online Safety Act.

3) New and Upcoming Legislation

European Union – European Parliament Confirms Digital Omnibus as 2026 Priority with Potential AI Act Timeline Delays
The European Parliamentary Research Service confirmed the AI Act will fully apply from August 2, 2026, but the proposed Digital Omnibus could delay certain high-risk system deadlines to late 2027 and 2028.

Netherlands – Ministry Delays Cybersecurity Act Entry Into Force to Q2 2026
The Dutch Ministry confirmed NIS2 Directive transposition into the national Cybersecurity Act is delayed until Q2 2026, with the existing Security of Networks and Information Systems Act remaining in effect.

4) Strong Impact Tech

USA – Meta Strikes Nuclear Power Agreements Worth 6.6 GW to Support AI Infrastructure
Meta announced agreements with Vistra, TerraPower, and Oklo to secure up to 6.6 gigawatts of nuclear capacity by 2035, including 20-year deals and funding for eight new advanced reactors.

European Union – EU Antitrust Regulators Set February 10 Deadline for Google’s $32 Billion Wiz Acquisition
EU antitrust regulators will decide by February 10, 2026, whether to approve Alphabet’s $32 billion Wiz acquisition, Google’s largest deal ever, or open a full investigation.

France – Macron Calls for Deepening EU’s Digital Rules in Face of US Pushback
French President Macron urged Europe to defend its Digital Services Act and Digital Markets Act, emphasizing European digital sovereignty as Washington criticized EU tech regulations.

Other key information from the past weeks

Brazil – ANPD Extends Digital ECA Compliance Deadline to February 13
Brazil’s ANPD extended the deadline for 37 tech companies to submit compliance information on the Digital Child and Adolescent Statute, including Amazon, Apple, and Google Brazil (Portuguese).

New Zealand – Privacy Commissioner Confirms Manage My Health Cyber Breach Notification
New Zealand’s Privacy Commissioner confirmed Manage My Health reported a ransomware incident on January 1, 2026, affecting thousands of users’ sensitive health information including discharge summaries and referral letters.

About us

Attorney-level solutions to make your websites and apps compliant with the law across multiple countries and legislations.

www.iubenda.com

The post DPO Newsletter: Global Data Protection & Privacy News (issue #151) appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

On March 19, 2025, the German Administrative Court of Hanover (VG Hannover) issued a decision that has big implications for anyone using Google Tag Manager (GTM). The court ruled that GTM requires explicit user consent before it can load — even if GTM itself doesn’t use cookies.

This ruling has caused understandable concern for website owners and marketers across the EU. Let’s break down what the court decided, what it means in practice, and how iubenda is approaching this development.

What the court decided

The court looked at how GTM works in practice and concluded that it is not just a neutral tool. Here’s why:

• Connection to Google servers: GTM contacts Google servers as soon as a page loads.
• Personal data transfer: IP addresses, device details, and referrer URLs are sent to Google automatically.
• Local storage: The GTM script (gtm.js) is stored on the user’s device.
• Hidden execution: GTM enables other third-party scripts to run, often before consent.

Because this happens before a user can give consent, the court found it violates both the GDPR and the German Telemedia Act (TTDSG).

The ruling also criticized invalid consent banners — for example, banners that make “Reject All” harder to find or use misleading symbols like “X” to imply consent. According to the court, these designs don’t count as genuine consent.

What this means for website owners

The main takeaway is simple:

• GTM requires explicit consent before loading.
• Consent must be informed and easy to refuse — no dark patterns.
• A Consent Management Platform (CMP) is not enough if GTM runs before the user makes a choice.
• Google’s Consent Mode 2.0 may not fully solve the compliance issue.

In short, GTM is not “just technical.” It’s a data processing tool, and that means it falls under EU consent rules.

iubenda’s approach

At iubenda, our Privacy Controls and Cookie Solution already give you two clear options for managing GTM in line with consent requirements:

1. Block tags inside GTM (granular approach)
   • In GTM, you can configure triggers to fire only after iubenda’s consent signals are received.
   • This means you can decide which tags are allowed for each consented purpose (e.g., analytics, marketing).
2. Block the GTM script itself (non-granular approach)
   • You can assign GTM to a specific purpose in iubenda.
   • With this setup, the entire GTM container will only load once a user gives consent for that purpose.

By default, our generator currently categorizes GTM as a strictly necessary service, which means it is not blocked automatically. This choice was made because blocking GTM at the script level can cause technical issues for many websites.

However, if you prefer to apply the strictest interpretation of the German court ruling, you can switch to one of the two blocking methods above to ensure GTM only runs after user consent is collected.

Will iubenda block GTM automatically?

Not at this time. Here’s why:

• The VG Hannover decision is regional and not yet binding across the entire EU.
• Automatically blocking GTM would disrupt many websites, and it’s not yet clear whether this will become the EU-wide standard.
• Our users already have the tools to choose stricter compliance and manage GTM accordingly.

We’re closely monitoring the situation, and we’ll update our recommendations if the legal landscape changes.

What you can do today

If you want to apply the strictest standard immediately, you have two options with iubenda’s Privacy Controls and Cookie Solution:

1. Block the GTM script until consent is given
   • Assign GTM to a specific purpose in iubenda (for example, “Marketing”).
   • The GTM container will only load after the user consents to that purpose.
   • This option is simpler but less flexible, because all tags wait for consent together.

   

2. Control tags inside GTM (granular consent)
   • Set up GTM triggers to listen for iubenda’s consent signals.
   • Allow or block each tag depending on the purposes the user has agreed to (e.g., Analytics, Remarketing).
   • This option takes a bit more configuration, but it gives you full control and aligns closely with GDPR requirements.

Both methods are supported by iubenda. Which one you choose depends on your compliance strategy and the level of risk tolerance you want to adopt.

The German court’s decision is a reminder that even tools considered “technical” — like Google Tag Manager — can have significant data protection implications. For now, we are not enforcing automatic GTM blocking in our products, but we give you the flexibility to decide how to configure GTM for your business.

As always, we recommend keeping a close eye on legal developments and ensuring your consent banner offers users a real, transparent choice.

The post Google Tag Manager and GDPR: What a Recent German Court Decision Means appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

On 19 November 2025, the European Commission presented the Digital Omnibus Regulation proposal as part of its wider Digital Package.

By amending cornerstone laws such as the GDPR, the ePrivacy Directive, the Data Act, and the AI Act, the proposal targets practical issues around things like cookies and consent, personal data, and AI. The purpose is clear: simplify and modernize the EU’s digital framework.

At the same time, the proposal has triggered intense public debate. Some view it as a necessary update to keep Europe competitive and reduce friction for users and businesses; others warn against any perceived “rollback” of fundamental rights.

In this context, the voices of those who build and operate digital compliance every day are crucial.

As a Consent Management Platform (CMP), we sit at the intersection of regulation, technology, and user experience. That’s why we are actively contributing to the discussions shaping the Digital Omnibus.

Why the Omnibus matters

The Commission frames the Digital Omnibus as a competitiveness and simplification initiative, intended to cut red tape and give organisations clearer, more coherent obligations across the digital landscape.

For privacy and cookies in particular, the proposal is designed to:

• Limit consent fatigue and limit repetitive, confusing banner requests.
• Reduce compliance costs by simplifying time-consuming and costly legal requirements.
• Align overlapping laws, especially where the GDPR and ePrivacy Directive currently interact in complex ways.
• Provide legal clarity on areas that have proven vague or outdated in practice.

Engaging in discussions with the European Commission

Speaking with a united CMP voice: our joint submission to the Commission

When the Commission opened its call for evidence and public feedback on its initiative, it explicitly invited stakeholders to share concrete ideas for simplifying rules without weakening protection.

As a leading European CMP, we joined forces with other CMP providers to submit a joint response to the Commission. Our goal was to ensure that the practical reality of consent management on the ground is reflected in the future legal framework.

In our joint feedback, we stress a core point:

It must be recognised that online consent goes beyond cookies. CMPs play a key role in obtaining consent for all non-essential treatment of data, for all types of technologies.

We argue that the conversation must move from “cookie banners” to “consent infrastructure”. If the EU goes toward central consent management inside browser mechanisms, it should promote an interoperable model.

Users should be able to choose trusted tools that can communicate seamlessly with browsers and apps to provide a transparent user experience.

European CMPs stand ready to support the Commission in designing practical, future-proof solutions that combine ease of compliance for businesses with genuine control for users, creating a model of European digital trust by design.

Concretely, we recommend that any future rules:

• Require browsers that offer central consent features to expose open APIs that CMPs can use. CMPs will still be needed to determine whether cookies and tracking technologies can be installed, to manage proof of consent, and to apply consent or refusal correctly.
• Protect genuine, granular consent. GDPR consent must remain specific, contextual, and be collected in a transparent way by neutral, independent tools.
• Simplify without centralising power. As reinforced in the Digital Markets Act, simplification must not mean concentrating control of the consent layer in a handful of browsers, which would risk gatekeeper issues.

Bringing real-world insights: our technical contribution

Following our joint feedback, key contributors, including our CPTO and Head of Frontend Engineering, took part in a dedicated roundtable with European Commission policymakers.

Matteo Colucci, our Head of Frontend Engineering, says that “the main purpose of the meeting was to open a dialogue between the European Commission and CMPs”, to ensure that all perspectives were taken into account.

He describes that participants brought hands-on implementation experience into the room, clarifying:

• The essential role of banners and CMPs in enabling users to exercise their rights.
• What really drives consent fatigue and how it could be improved (accessing user preferences across multiple contexts).
• That any new model must keep transparency central and make sure users are aware of and know how to exercise their privacy rights.

The Commission is meeting with a broad range of stakeholders, like advertisers and publishers, and we expect further discussions.

In the words of our CPTO Filippo Barra, “the Commission demonstrated its willingness to leverage industry expertise and collaborate with CMP counterparts.”

The post Inside the Digital Omnibus: our experts’ contributions appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

What is the Digital Omnibus?

The Digital Omnibus proposal is the European Commission’s plan to simplify and modernize several key EU digital laws, including the GDPR and the ePrivacy Directive.

The goal is to reduce friction and improve user experience, without weakening people’s rights.

It touches a wide range of topics: cookies and consent, use of personal data and AI, pseudonymization, and GDPR rights.

A big focus is on fixing today’s consent experience. The Commission knows that constantly clicking through cookie banners on every new site is quite tedious. The Omnibus proposal tries to ease that pain while keeping a robust privacy framework in place.

What practical changes should marketers expect?

The main changes you should be aware of concern cookie banners and consent, as well as how preferences are expressed.

1. Central consent mechanisms and signals

To reduce being prompted with the banner repeatedly, the proposal looks at “central cookie management mechanisms”, such as browser or OS-level privacy settings. Think of a simple switch like:

• “Reject tracking”
• “Only essential cookies”

Users could set this once, and websites would then read and respect that choice automatically via machine-readable signals.

2. Cookie rules moving into the GDPR and clarifying consent exceptions

The rules on storing or accessing information on a user’s device (cookies and similar tech) are expected to be moved into the GDPR and paired with clearer exceptions where no consent is needed. Key examples:

• Strictly necessary cookies, for the transmission of a communication or to provide a service the user explicitly requested.
• First-party, aggregated audience measurement, when you measure your own audience for your own use only, without sharing or selling the data, and without using it for other unrelated purposes.

3. Updated banner rules to reduce consent fatigue

Here’s what The Omnibus suggests:

• When a banner is needed, a single-click “Reject” option must be as visible and easy as “Accept” (this requirement was already commonly enforced at a member-state level).
• You can’t re-ask for consent while it remains valid.
• If a user refuses, you can’t re-prompt them for the same purpose for at least 6 months.

Will cookie banners disappear?

No. The European Commission wants to avoid users being prompted with banners again and again, not to remove consent or banners altogether.

In practice:

• Banners will still be the main way most users give consent, especially those who never touch browser/OS privacy settings. Some users will set global preferences; in those cases, your CMP can read the signal and skip the banner.
• You will still need a Consent Management Platform or equivalent system to enforce whether tracking can run, keep proof of consent, and let users review and update their choices.

What should marketers do now?

No action is needed now. The Digital Omnibus is still a proposal, not a final law. Until it’s adopted and the application dates arrive:

• Your current obligations under the GDPR and ePrivacy remain unchanged.
• You do not need to change your setup because of the Omnibus.

When will the proposal take effect?

The proposal was published on 19 November 2025, but it is not yet law. The text can change substantially at any stage during European Parliament and Council negotiations.

If and when it is adopted, it will apply in stages. Each requirement will apply months after entry into force (from 6 to 48 months).

The Omnibus is intended to be an EU Regulation, meaning it will apply directly and uniformly across all Member States.

So this is a multi-year transition, not an overnight change. You’ll have time to adapt, and your digital compliance tool, including iubenda, will guide you through the practical steps.

The post Your questions answered: what the EU Omnibus proposal means for marketers appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

We’ve compiled the latest in Data Protection and Privacy news for your convenience below.

1) Newly Published Documentation

Germany – BfDI Updates GDPR and BDSG Guidance Brochure
The Federal Commissioner for Data Protection updated comprehensive guidance (in German) covering GDPR-BDSG relationships, lawful processing bases, data protection principles, DPO requirements, and data subject rights with practical implementation examples.

Luxembourg – CNPD Publishes AI Literacy Guidance Under EU AI Act
The authority provided a framework for Article 4 AI literacy requirements, emphasizing tailored employee training based on experience levels, risk assessment for AI-affected individuals, and development of appropriate oversight mechanisms.

Norway – NSM Releases National Cyber Incident Response Framework
The National Security Authority established a collaborative approach between businesses and National Cyber Security Center (in Norwegian), requiring compliance with ICT security principles, third-party supplier reviews, and systematic incident handling processes.

Canada – OPC Launches Children’s Privacy Code Consultation
Privacy Commissioner initiated stakeholder consultation to clarify PIPEDA obligations for children’s data until August 19, 2025. The consultation covers privacy by default and privacy rights, transparency requirements and deceptive practice avoidance.

2) Notable Case Law

USA – FTC Fines Companies $145 Million for Telemarketing Violations
Assurance IQ fined $100 million and MediaAlpha $45 million for deceptive healthcare plan marketing. In addition, MediaAlpha also carried out unauthorized robocalls to Do Not Call Registry numbers, and misled consumers about coverage benefits.

3) New and Upcoming Legislation

Greece – ADAE Issues Electronic Communications Privacy Regulations
Decision 304/2025 requires providers to establish security policies, conduct risk assessments, implement incident reporting procedures to ADAE, and maintain employee training and encryption standards for network protection (in Greek).

USA (Federal) – Senate Introduces Trustworthy AI Validation Act
Legislation mandates NIST Director develop voluntary AI assurance guidelines within one year, addressing harm mitigation, consumer privacy, governance controls, and dataset quality with biennial reviews.

4) Strong Impact Tech

USA – State Attorneys General Challenge Instagram Location-Sharing Feature
Multiple AGs expressed concerns about Meta’s Instagram location feature risks to vulnerable populations, recommending minor access restrictions, adult user risk alerts, and simplified disable controls for enhanced safety.

United Kingdom – Law Commission Examines AI Legal Personality Framework
Discussion paper explores AI autonomy, adaptiveness, and potential legal personality grants, emphasizing need for legal evolution amid rapid AI advancement while considering implications of non-personality scenarios.

Other key information from the past weeks

France/Netherlands – Air France and KLM Third-Party Data Breach
Forbes reported that a breach in a third-party customer support tool exposed passenger names, contact details, and loyalty numbers, linked to a phishing campaign targeting Salesforce platforms. Authorities have been notified.

Switzerland – PostFinance Voice Recognition Violation
The Swiss Federal Data Protection and Information Commissioner (FDPIC)  ruled against PostFinance AG for unlawful biometric voice recognition collection in violation of proportionality principles. The bank used opt-out rather than express consent and was ordered to obtain proper consent and delete existing voiceprints. However, it has appealed the FDPIC’s decision to the Federal Administrative Court.

USA – GameStop Settles Facebook Data Sharing Case for $4.5 Million
Settlement covers unauthorized customer data sharing via Facebook tracking pixels between August 2020-April 2025 without proper consent. Claims deadline was August 15, 2025.

About us

Attorney-level solutions to make your websites and apps compliant with the law across multiple countries and legislations.

www.iubenda.com

The post DPO Newsletter: Global Data Protection & Privacy News (issue #146) appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

What’s the true cost of ignoring email marketing compliance?

For noicompriamoauto.it, one of Italy’s well-known online car dealers, it was €45,000.

That’s the amount the Garante (the Italian data protection authority) fined a business for failing to comply with key privacy rules around email marketing.

The case serves as a cautionary tale for any organization using email to promote products (especially if your opt-in flows aren’t airtight).

But here’s the good news: this kind of penalty is completely avoidable.

Let’s take a closer look at what went wrong, what the Garante expects, and how iubenda can help you stay on the right side of compliance.

Firstly, what happened?

The Garante’s investigation was triggered by a user complaint.

They said they’d received unsolicited promotional emails from multiple unknown third-party senders – all partners of noicompriamoauto.it. Worse still, when the user submitted a data subject rights request, it was ignored.

The Garante’s recommendation: Double opt-in is a minimum safeguard

Although Italian law doesn’t explicitly require double opt-in for promotional emails (DEM), the Garante made its stance clear in this case:

Double opt-in is a best-practice safeguard that protects both users and businesses.

Here’s why double opt-in matters:

• It asks users to confirm their subscription via a second step, usually an email link
• It provides strong evidence that consent was freely and clearly given
• It reduces the risk of spam complaints and misuse

That makes it one of the most effective tools for compliant email marketing.

How iubenda keeps your email marketing legally covered

Our Newsletter Opt-in Booster has double opt-in built in by default – so you don’t have to think twice.

With it, you can:

• Embed GDPR-compliant opt-in forms with pre-configured legal language
• Automatically log consent for full audit readiness
• Seamlessly integrate with your favorite email marketing platforms – from Mailchimp to HubSpot

It’s ideal for marketers, developers, and compliance professionals who want to grow their email list while staying compliant.

What about user rights?

The Garante case wasn’t just about consent – it also involved a delayed data subject request.

Under GDPR, users have the right to:

• Request access to their personal data
• Ask for that data to be deleted
• Object to how their data is being used

And companies are required to respond within strict deadlines.

The Data Subject Requests Management Tool from iubenda helps you:

• Receive and process user rights requests easily
• Track all actions taken for compliance logs
• Automate responses and task assignments within your team

The takeaway: Prevention is better than a €45,000 fine

This fine wasn’t the result of malicious intent. It was a lack of process, oversight, and the right tools.

About us

GDPR compliance for your site, app and organization

www.iubenda.com

The post Why the Garante’s €45K fine should be a wake-up call for marketers appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

We’ve compiled the latest in Data Protection and Privacy news for your convenience below.

1) Newly Published Documentation

• France’s CNIL established comprehensive standards for analytics providers seeking consent exemptions under GDPR. The framework mandates exclusive use for anonymous traffic measurement without cross-domain tracking or profile matching. Key requirements include transparent user notifications, 13-month tracking limits, 25-month data retention periods, and regular assessment cycles. Third-party vendors may conduct comparative studies when maintaining isolated data collection systems per publisher client. Read the guidance here (in French) →
• The UK’s Information Commissioner’s Office has launched two public consultations on digital privacy. The first covers revised storage and access technology guidance incorporating Data (Use and Access) Act 2025 amendments, specifying five consent exceptions under PECR including transmission facilitation and essential services. Organizations must align activities with specified purposes and obtain consent for expanded usage. Access the storage guidance here → The second consultation reviews online advertising enforcement, examining when low privacy-risk advertising might proceed without consent, though behavioral profiling will still require explicit consent. Consultation periods end August 29 and September 26, 2025 respectively. Learn more about advertising enforcement here →
• The European Data Protection Board and European Data Protection Supervisor released a joint opinion on the Commission’s GDPR amendment proposal within the fourth simplification Omnibus package. The proposal extends small-medium enterprise provisions to small mid-cap enterprises while introducing additional administrative burden reductions. Notably, the amendment would modify Article 30(5) GDPR record-keeping obligations, providing expanded derogations for processing documentation requirements. View the opinion here →
• Germany’s Federal Network Agency established an AI service desk providing practical implementation guidance for EU Artificial Intelligence Act compliance. The platform features an interactive assessment tool helping organizations determine AI Act applicability, transparency requirements, and risk categorization for their systems. The service includes comprehensive FAQ resources supporting the Agency’s enforcement responsibilities under the new regulation. Check it out (in German) →

2) Notable Case Law

• Italy’s Garante imposed a €45,000 penalty on Noi Compriamo Auto.it S.r.l. for unlawful marketing and data processing following a consumer complaint regarding unwanted communications and delayed rights response. The investigation identified several GDPR violations including insufficient technical safeguards, absent legal basis for processing, and inadequate data subject rights facilitation. The Garante also referred to the acquisition of consent in double opt-in mode for direct email marketing, to better confirm the subscriber’s intention of the receipt of same. Get the details (in Italian) →
• Connecticut’s Attorney General secured USD 85,000 (approximately €78,000) settlement with TicketNetwork, Inc. for alleged Connecticut Data Privacy Act violations. The enforcement action followed the company’s failure to remedy deficient privacy notices featuring unreadable content and malfunctioning data subject rights mechanisms despite receiving November 2023 cure notice. The settlement mandates CTDPA compliance including data subject request metrics maintenance and regular reporting to the Attorney General. Read the details here →

3) New and Upcoming Legislation

• California’s Assembly reintroduced Assembly Bill 566 (formerly AB 3048) mandating mobile operating systems integrate opt-out preference signal settings for consumer privacy protection. The legislation defines browser, mobile operating system, and opt-out preference signal parameters under California Consumer Privacy Act amendments. The bill advanced through Privacy and Consumer Protection, Appropriations, and Judiciary committee stages, receiving Senate Judiciary recommendation for passage. Track the Bill →
• Pennsylvania introduced House Bill 1559 requiring employers provide advance written notification for electronic employee monitoring activities, excluding security surveillance in shared spaces. The legislation defines electronic monitoring as information collection through non-direct observation methods, with exceptions for suspected legal violations or hostile workplace situations. Violations carry USD 500-5,000 (approximately €460-4,600) penalties alongside private enforcement options, effective 60 days post-enactment. Follow the Bill here →

4) Strong Impact Tech

• Missouri Attorney General Andrew Bailey initiated investigation into AI chatbot bias and misinformation by Google, Microsoft, OpenAI, and Meta platforms. The inquiry examines ChatGPT, Meta AI, Microsoft Copilot, and Gemini for alleged historical inaccuracies and misleading responses under Missouri Merchandising Practices Act provisions. Companies must explain algorithmic bias mechanisms, provide internal input selection records, and clarify founding-era inaccuracies while ensuring accurate, unbiased information delivery. Read more →
• European corporate leaders from 40+ companies including ASML, Philips, Siemens, and Mistral petitioned Commission President von der Leyen for two-year AI Act implementation delay. The executives requested postponement of August 2026 high-risk AI system obligations and August 2025 general-purpose AI model requirements, citing implementation complexity and rule simplification needs. However, Commission spokesperson Thomas Regnier confirmed no grace period extensions, maintaining August 2026 deadlines while discussing voluntary code initiatives and administrative burden reductions. View the report here →

Other key information from the past weeks

• European privacy advocacy group noyb filed a complaint against dating platform Bumble with Austria’s Data Protection Authority regarding AI-powered conversation features. The challenge targets Bumble’s “Opening Moves” functionality for processing user profiles, photographs, and personal information through artificial intelligence without adequate GDPR legal basis. The complaint alleges transparency violations and inadequate user consent mechanisms for automated decision-making processes. See the full story →
• CNIL has opened a public consultation on draft guidelines for email tracking pixels, highlighting that the GDPR requires recipient consent for purposes like marketing and personalization. The draft clarifies that senders act as data controllers, while email service providers function as processors or sub-processors. CNIL recommends the use of clear, purpose-specific consent that can be withdrawn anytime, and stresses the importance of retaining proof of consent. Consultation period ends July 24, 2025. Read the guidance here (in French) →
• Denmark implemented facial copyright protections enabling individuals to claim copyright over their likeness as deepfake countermeasure. The legislation grants people legal ownership of their facial features for protection against unauthorized artificial intelligence manipulation and synthetic media creation. The framework establishes precedent for personal biometric data ownership within European privacy law contexts. Explore more →

About us

Attorney-level solutions to make your websites and apps compliant with the law across multiple countries and legislations.

www.iubenda.com

The post DPO Newsletter: Global Data Protection & Privacy News (issue #145) appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

We’ve compiled the latest in Data Protection and Privacy news for your convenience below.

1) Newly Published Documentation

• France’s data protection authority, CNIL, has released new guidance addressing the relationships between data controllers, processors, and joint processing arrangements. The documentation provides clarity on how entities can determine their respective roles when processing personal data. Joint arrangements require formal agreements detailing shared obligations including data subject requests and security management. Learn more here (in French) →
• The European Data Protection Board published guidance on cross-border data transfers to foreign government authorities under GDPR Article 48. The framework establishes that foreign court decisions lack automatic recognition within European jurisdictions. Where formal agreements are absent, organizations must evaluate alternative legal grounds on an individual basis. Access it here →
• The European Data Protection Board announced dual expert initiatives focusing on artificial intelligence and data protection compliance. One initiative targets legal practitioners with analysis of regulatory frameworks including GDPR and AI Act compliance. The companion initiative addresses technical specialists with guidance on secure AI development and privacy-preserving audit procedures.
• Poland’s EU Council leadership proposed a regulatory harmonization initiative to address fragmentation across digital governance frameworks. The proposal targets overlapping requirements and inconsistent terminology across AI, data protection, and cybersecurity domains. Recommendations include establishing unified terminology resources and implementing consolidated reporting mechanisms. Access it here →

2) Notable Case Law

• German privacy regulators issued penalties totaling €45 million against telecommunications provider Vodafone GmbH for GDPR compliance failures. The enforcement action addressed inadequate oversight of third-party partnerships and authentication security vulnerabilities. The company has implemented remedial measures including enhanced partner auditing and separation from fraudulent partners. Access the press release here →
• Swedish appellate courts upheld financial penalties against streaming platform Spotify, imposing SEK 58 million (approximately €5.2 million) in fines for data subject rights violations. The ruling followed regulatory findings that the platform failed to provide adequate transparency regarding individual rights and data retention policies. The court highlighted the platform’s shortcomings in handling data subject rights and GDPR compliance. Learn more here (in Swedish) →

3) New and Upcoming Legislation

• Oregon: Recent legislative developments strengthened consumer privacy protections through amendments to state privacy law. The framework restricts targeted advertising and data sales involving individuals under 16 years of age and establishes location-based privacy protections within 1,750-foot proximity zones. The legislation emphasizes enhanced safeguards for minors and location tracking. Follow the Bill here →
• California: New workplace transparency requirements mandate annual reporting of employee surveillance technologies to state labor authorities. The legislation requires detailed disclosures about technology providers, capabilities, and data handling practices. Regulatory authorities must publish submitted reports within 30 days. Access the Bill here →
• Nebraska: Child safety legislation established age-appropriate design requirements for major online platforms operating within the state. Services with annual revenues exceeding $25 million must implement protective mechanisms for users under 13. The framework mandates opt-out capabilities for engagement features, taking effect January 1, 2026. Follow the Bill here →
  

4) Strong Impact Tech

• UK cybersecurity authorities published cultural guidance for organizations seeking to strengthen security behaviors across their operations. The framework emphasizes positioning security as a business enabler and promoting psychological safety for incident reporting. Implementation strategies address various organizational contexts with practical scenarios and visual assessment tools. Access it here →
• British telecommunications regulator Ofcom outlined its strategic vision for artificial intelligence oversight spanning multiple sectors through 2025-26. The approach encompasses innovation support through technical sandboxes and specialized risk management across telecommunications and broadcasting. The strategy emphasizes balancing technological advancement with consumer protection. Learn more here →

Other key information from the past weeks

• Texas lawmakers overwhelmingly passed the Texas Responsible Artificial Intelligence Governance Act (TRAIGA), establishing AI guardrails including discrimination prohibitions and biometric data protections starting January 1, 2026. More details →
• Reddit filed lawsuit against Anthropic alleging unauthorized scraping of user-generated content to train Claude AI chatbot without proper licensing agreements. Learn more here →
• AI researchers suspect Chinese company DeepSeek may have used Google’s Gemini model outputs to train its latest R1 reasoning model, highlighting ongoing concerns about unauthorized model distillation practices. Learn more →

About us

Attorney-level solutions to make your websites and apps compliant with the law across multiple countries and legislations.

www.iubenda.com

The post DPO Newsletter: Global Data Protection & Privacy News (issue #144) appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

We’ve compiled the latest in Data Protection and Privacy news for your convenience below.

1) Newly Published Documentation

• The Garante has launched a public consultation to assess the legality of the “pay or consent” model. The consultation will assess whether consent under this model can be considered free, while avoiding any drastic measures that could disrupt the current market. Stakeholders can submit feedback until June 28, 2025. Learn more here (in Italian) →
• The Spanish AEPD has launched its virtual assistant – Ayuda – that answers the most frequently asked questions regarding data protection and privacy. Access it here (in Spanish) →
• The European Data Protection Board (EDPB) and European Data Protection Supervisor (EDPS) have endorsed the European Commission’s proposal to simplify record-keeping obligations. The proposal extends exceptions to small and mid-sized companies, as well as non-profits with fewer than 500 employees. Learn more here →
• The European Data Protection Board issued an opinion on the European Commission’s proposal to extend the validity of the UK’s adequacy decisions under the GDPR and the Law Enforcement Directive (LED), which are set to expire on June 27, 2025. The opinion focuses only on the proposed 6-month extension and does not assess the level of protection for personal data in the UK. Access it here →

2) Notable Case Law

• The California Privacy Protection Agency fined Todd Snyder, Inc. $345,178 for violating the California Consumer Privacy Act by mishandling consumer opt-out requests and requiring excessive verification. The company used third-party tracking software and sold personal data without allowing consumers to opt out properly. Access the press release here →
• Italy’s Garante fined Acea Energia S.p.A. together with other companies €3.85 million for GDPR violations linked to illegal telemarketing practices. The investigation uncovered the use of illegally obtained contact lists leading to unauthorized promotional calls and insufficient data protection measures. Learn more here (in Italian) →

3) New and Upcoming Legislation

• United Kingdom: The Data (Use and Access) Bill passed its third reading in the House of Commons, outlining legitimate reasons for data processing, such as national security and crime prevention. Follow the progress of the Bill here →
• Montana: Montana’s recently signed Senate Bill 297, revises privacy laws by adding definitions for ‘adult’ and ‘minor’ and introducing the concept of ‘heightened risk of harm to minors.’ The bill requires controllers to disclose data processing for targeted advertising and provide opt-out options. Follow the Bill here →
• Virginia: Virginia’s recently signed Senate Bill 854, regulates minors’ use of social media by banning addictive feeds and limiting usage to one hour per day, starting January 1, 2026. The bill defines a minor as anyone under 16 and outlines requirements for controllers and processors, including age verification and parental control over time limits. Access the Bill here →
  

4) Strong Impact Tech

• The National Cyber Security Centre and the Department for Science, Innovation and Technology of the UK have published the Software Security Code of Practice to reduce software supply chain attacks and improve software resilience. Access it here →
• The Verbraucherzentrale North Rhine-Westphalia (Consumer Advice Centre) has formally requested that Meta halt its plans to use personal data for AI training in the EU and is considering legal action if the company does not comply. Learn more here (in German) →

Other key information from the past weeks

• The European Commission fined Apple €500 million and Meta €200 million for breaching the Digital Markets Act. Learn more →
• Following an inquiry into transfers of EEA user data to China, the Irish Data Protection Commission fined TikTok €530 million and ordered corrective measures within 6 months. More details →
• Meta plans to restart AI training using publicly available data from EEA Facebook and Instagram users, including historical and future posts, photos, and comments from users over 18 years old. Learn more →

About us

Attorney-level solutions to make your websites and apps compliant with the law across multiple countries and legislations.

www.iubenda.com

The post DPO Newsletter: Global Data Protection & Privacy News (issue #143) appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

We’ve compiled the latest in Data Protection and Privacy news for your convenience below.

1) Newly Published Documentation

• The French CNIL published an updated version of its recommendations for mobile apps. The recommendations aim to help app publishers, developers and providers to comply with the GDPR. Access it here (in French) →
• The CNIL also published the results of its sandbox on AI and public services. The results highlight that AI tools are not prohibited under the GDPR, as long as they don’t result in significant legal effects. Read more here (in French) →
• The Norwegian Datatilsynet launched an audit of a number of selected websites that use tracking tools. These websites were selected based on their activities, such as services for children, health services, associations for disadvantaged groups, and public businesses. The aim of the audit is to determine whether these websites share sensitive personal information with Big Tech companies. Learn more here (in Norwegian) →
• A joint letter was submitted to the House Committee on Energy & Commerce’s Privacy Working Group by the California Privacy Protection Agency and the New Jersey Attorney General. In the letter, they advocate for a federal data privacy law that sets the bar and would also allow states to implement stronger individual measures. Access the letter here →

2) Notable Case Law

• Aylo Freesites Ltd received a €58,400 fine by the Commissioner for Personal Data Protection in Cyprus following an inspection that revealed GDPR violations. The company was using cookies unlawfully and did not comply with the principles of accountability and transparency. Access the Authority’s decision here (in Greek) →
• The Dutch data protection authority investigated five organizations for non-compliant cookie banners. The organizations were hiding the “Reject” button, pre-checking consent options, and placing cookies without consent or despite refusal. Read more here (in Dutch) →
• The Dutch Data Protection Authority also sent a letter to 50 organizations, requesting them to fix their cookie banner and to stop the intrusive tracking of visitors. These organizations have 3 months to fix the issue, or they risk a fine. More details here (in Dutch) →

3) New and Upcoming Legislation

• Texas: House Bill 5495 has passed its first reading and has since been referred to the House Trade, Workforce, and Economic Development Committee. It mandates the use of global privacy controls to protect consumer data. The Bill requires browsers to comply with these controls, with penalties for violations. Access the Bill here →
• Utah: The Utah App Store Accountability Act has been signed. The Act requires app store providers to verify users’ ages and obtain parental consent for minors under 18 before allowing account creation, app downloads, and purchases. Follow the progress of the law here →
• Oklahoma: Senate Bill No. 546 has passed its first reading in the House. The Bill aims to establish a comprehensive data privacy framework and, if it goes through, should take effect on January 1, 2026. Access it here →

4) Strong Impact Tech

• The European Data Protection Board published a report on AI privacy risks and mitigations for Large Language Models (LLMs). The report provides a risk management methodology for identifying, assessing, and mitigating privacy risks. It also underlines the importance of monitoring the AI life cycle. Access the report here →
• The UK Department for Science, Innovation and Technology published the Cyber Governance Code of Practice, to help companies manage cyber risks. The code also includes a training program and toolkit for practical guidance. Read more here →

Other key information from the past weeks

• The French Competition Authority fined Apple €150 million for the implementation of App Tracking Transparency (ATT) systems. Read more →
• The Italian Garante fined Energia Pulita S.r.l. €300,000 for GDPR violations, after receiving more than 80 complaints related to unwanted marketing calls. More details →
• The Norwegian Data Protection Authority released a guide on how businesses can obtain cookie consent in line with the GDPR. Access it here →

About us

Attorney-level solutions to make your websites and apps compliant with the law across multiple countries and legislations.

www.iubenda.com

The post DPO Newsletter: Global Data Protection & Privacy News (issue #142) appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

We’ve compiled the latest in Data Protection and Privacy news for your convenience below.

1) Newly Published Documentation

• The Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI) issued recommendations for organizations to review their data retention practices and comply with statutory periods effective from 2025. The HmbBfDI specified that different retention periods may apply depending on data type and industry. Access the recommendations here (in German) →
• The French CNIL has announced its priorities for 2025: data collection through mobile apps, the right to erasure, cybersecurity of local authorities and data processed in prison administration. Read more here (in French) →
• The European Commission proposed to extend the UK’s adequacy decision for six months, until December 27th, 2025. This will give time to the new UK Data (Use and Access) Bill to complete its legislative motions. The EU Commission will then assess the adequacy of the new bill. Read more here →
• The Dutch data protection authority (AP) issued its 2024 annual report. A number of regulatory actions on AI, Big Tech and other areas were taken, including six considerable fines and seven reprimands. Learn more here (in Dutch) →

2) Notable Case Law

• The Italian Garante fined Energia Pulita S.r.l. €300,000 for GDPR violations, after receiving more than 80 complaints related to unwanted marketing calls. The Garante found out that Energia Pulita wasn’t collecting consent properly, which led to the extensive spreading of personal data to various controllers. Read the Garante’s decision here (in Italian) →
• A statement on the O’Carroll vs Meta case was issued by the UK Information Commissioner’s Office which highlighted that individuals have the right to object to personal data use in direct marketing, as per Articles 21(2) and 21(3) of the UK GDPR. Read the statement here →

3) New and Upcoming Legislation

• United Kingdom: On March 17th, 2025, the UK’s Online Safety Act’s illegal content obligations came into effect. The Act requires platforms to remove illegal material and prevent criminal content. Learn more here →
• California: Assembly Bill 264 was amended to require businesses to obtain explicit consent from consumers before storing their personal information outside the United States. More details here →
• Washington: Senate Bill 5708 and House Bill 1834 set new obligations for businesses providing online services to minors. These include estimating minors’ ages, not collecting or selling their data, configuring high privacy settings by default, and restricting profiling and addictive feeds.
  

4) Strong Impact Tech

• The Swiss Federal Data Protection and Information Commissioner (FDPIC) finalised its preliminary investigation into X/Twitter‘s AI system, Grok. Grok processed data from X users and the investigation focused on the transparency of this processing. The FDPIC concluded that X/Twitter was aligned with the FADP requirements. Read more here →
• OpenAI has allegedly violated the GDPR‘s data accuracy principle when ChatGPT generated a false criminal story about a Norwegian user, negatively impacting their private life. noyb has filed a complaint with Norway’s data protection authority, Datatilsynet seeking both a fine and the deletion of the story. More details here →

Other key information from the past weeks

• The California Privacy Protection Agency fined American Honda Motor $632,000 for CCPA violations. Read more →
• A new analysis of the Swiss privacy company Proton has concluded that Big Tech companies hand over the personal data of millions of their users to US authorities. More details →
• The Irish Data Protection Commission has submitted a draft decision on an inquiry into TikTok, focusing on the transfer of EU user data to China. Read more →

About us

Attorney-level solutions to make your websites and apps compliant with the law across multiple countries and legislations.

www.iubenda.com

The post DPO Newsletter: Global Data Protection & Privacy News (issue #141) appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Note: This page reflects the FDPIC cookie guidelines v1.1 (January 22, 2025; clarifications added October 6, 2025) and the February 3, 2025 publication announcement.

On February 3rd, 2025, the Swiss Federal Data Protection and Information Commissioner (FDPIC) released new guidance on cookie usage in Switzerland. While this is not legally binding, it provides insight into the authority’s intended direction and the future of cookie consent practices in the country. 

Legal Foundations

Swiss cookie regulations are primarily governed by two laws:

These laws form the basis for the authority’s stance on cookies and their implementation on websites.

Consent and Legal Bases

The FDPIC clarified that while consent is one legal basis for cookie processing, companies can also rely on overriding private interests in certain situations. This approach differs from the strict consent requirements of the EU’s GDPR.

Cookie Categories 

The guidance classifies cookies based on their necessity:

Here’s a breakdown of key points:

Consent vs. Other Legal Bases

The authority clarified that while consent is one legal basis for cookie processing, companies can also rely on overriding private interests in certain situations. This is a significant difference from the strict consent requirement seen in the EU’s GDPR and might affect how CMPs are implemented in Switzerland.

Prior Blocking Not Always Required

Functional enhancements and analytics are non-essential unless strictly necessary to provide the requested service. In Switzerland, non-essential cookies require justification via overriding interests with a clear, immediate opt-out, or express consent in higher-risk scenarios (e.g., high-risk profiling, sensitive data, unexpected uses).

Before users can see information and exercise opt-out via a control, use must be limited to necessary cookies only. Non-essential cookies (including analytics) should not run until the control is available; where consent is required, implement a two-click pattern and block until users opt in.

If you rely on research or statistics to justify analytics, anonymize data as soon as the purpose permits (usually immediately). If you use external tools, make sure they act exclusively as processors and do not reuse data for their own purposes.

Opt-Out and Withdrawal Mechanism

The guidance clearly states that companies must provide users with an easy way to withdraw consent or opt out. Under Swiss law, the opt-out principle is fundamental, meaning that prior opt-in does not override the right to opt out. This distinguishes Swiss regulations from those in the EU and ensures ongoing compliance with privacy requirements.

Dark Patterns Prohibited

The Swiss authority follows EU guidelines by prohibiting dark patterns, which are manipulative designs that trick users into consenting to data processing. CMPs must be designed with transparency and simplicity, avoiding confusing or coercive tactics.

When express consent (opt-in) is required

Express consent (opt-in) is required when non-essential cookies are used in high-risk profiling, for sensitive data, or in unexpected contexts (e.g., political, union, or religious content). Federal bodies must obtain consent even for “normal” profiling.

Embedded third-party services

When embedding third-party services (e.g., social plugins or videos), the third party collects data for its own purposes. The website operator and third party can be jointly responsible for this collection. Provide prominent information, consider a two-click activation, and obtain consent if the use is qualified or high-intrusion.

CMP UI Considerations

The guidance does not delve deeply into the specifics of CMP user interface design but highlights that any solution must align with these principles. Companies have some flexibility in how they implement CMPs, but they must ensure compliance with the general principles of transparency, simplicity, and user control.

What Should Companies Do Next? 

While the Swiss authority’s guidance provides more flexibility in CMP implementation, it’s crucial to remember that the guidance is not binding. With the guidelines now available, it’s the right time for companies to consider implementing a CMP.

Companies retain autonomy in their approach to cookie consent management and should stay informed of evolving regulations to ensure compliance and maintain user trust.

The post Swiss Authority’s New Cookie Guidelines: What You Need to Know appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

We’ve compiled the latest in Data Protection and Privacy news for your convenience below.

1) Newly Published Documentation

• The French CNIL issued recommendations to align AI practices with GDPR. It emphasized the need for transparency by ensuring individuals are informed about AI data processing and encouraged best practices for notification and transparency. It also addressed the challenge of upholding individuals’ rights in AI systems with large training databases, suggesting solutions such as pseudonymization and data minimization. Access the recommendations here → (in French)
• The CNIL also reminded QWANT about its GDPR duties after a complaint in 2019, claiming QWANT’s ad data wasn’t anonymous. CNIL found the data was pseudonymous and noted QWANT’s efforts to protect privacy. QWANT updated its privacy policy to clarify the data use and its legal basis, making sure the updates were in multiple languages. Learn more here → (in French)
• The UK Information Commissioner’s Office (ICO) launched a direct marketing advice generator to help organizations comply with UK privacy laws, such as PECR and GDPR. The tool offers tailored compliance advice for small organizations on direct marketing channels such as email, SMS, and social media. Read more here →
• The Nebraska Attorney General’s office updated its website to include a Data Privacy Homepage with FAQs about the Nebraska Data Privacy Act (NDPA). The FAQs explain what data controllers and processors must do, detail consumer rights, and describe the process for filing a complaint. Read more here →

2) Notable Case Law

• The Italian Garante fined E.ON Energia S.p.A. €890,000 for GDPR violations regarding unlawful telemarketing practices. Individuals complained about receiving unwanted calls and a lack of response to their GDPR rights. Access the decision here → (in Italian)
• The Administrative Court in Sweden confirmed a SEK 13 million fine (around €1.1 million) against Bonnier News. Bonnier News improperly collected and processed personal data from customers and web visitors for both marketing purposes as well as creating profiles without proper consent. Read more here → (in Swedish)
• The Spanish Data Protection Authority fined Generali España €5 million for violating the GDPR. The company experienced a data breach that affected over 1.5 million individuals. The breach was due to a technical issue with the company’s CMS and a lack of transaction logs. Read about the decision here → (in Spanish)
  

3) New and Upcoming Legislation

• United Kingdom: The Data (Use and Access) Bill passed its second reading in the House of Commons and is now moving to the Committee Stage. The bill suggests various changes to the UK’s data protection rules, including the creation of a list of ‘recognized legitimate interests’ for data processing. Track the Bill’s progress here →
• Oklahoma: The Oklahoma Computer Data Privacy Act has passed the first and second readings in the House of Representatives. It applies to for-profit businesses operating in Oklahoma that handle consumers’ personal information and meet certain thresholds. Here is the progress of the Act →
• Oklahoma: Senate Bill No. 546 also passed the first two readings in the Senate. It aims to establish a comprehensive data privacy framework in the state. Progress of the Act →
• Tennessee: Senate Bill 663 and House Bill 630 were introduced to amend the Tennessee Code Title 47, Chapter 18. These amendments allow consumers to opt-out of the processing of personal data and mandate clear opt-out methods. Read the text here →
• California: Assembly Bill 566, which deals with opt-out preference signals, has been reintroduced. The bill would require businesses to make sure their browsers include a setting that lets users easily opt out of tracking by businesses. Access it here →

4) Strong Impact Tech

• The Office of the Australian Information Commissioner, along with data protection authorities from Korea, Ireland, France, and the UK, signed a joint declaration to create a data governance framework for AI. Read more here →
• The Dutch Data Protection Authority (AP) released guidance for enhancing AI literacy in line with the EU Artificial Intelligence Act. Access the guidance here → (in Dutch)

Other key information from the past weeks

• The Italian Data Protection Authority has ordered a ban on the processing of Italian users’ data by the AI tool DeepSeek. Learn more → (in Italian)
• LinkedIn has been accused of sharing the private messages of LinkedIn Premium users with other companies to train artificial intelligence models. Read more →

About us

Attorney-level solutions to make your websites and apps compliant with the law across multiple countries and legislations.

www.iubenda.com

The post DPO Newsletter: Global Data Protection & Privacy News (issue #140) appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

What was the ODR Platform?

Established under Regulation (EU) No 524/2013, the ODR Platform was an EU-level initiative designed to help consumers and traders resolve disputes related to online sales or service contracts outside of court. It served as a single access point where consumers could request that traders agree to use an Alternative Dispute Resolution (ADR) entity listed on the platform.

Online traders and marketplaces were required to provide an easily accessible link to the ODR Platform. Over the years, the platform had attracted 2 to 3 million visitors annually. However, data showed that only a small fraction of users proceeded with a complaint, and just 2% of those complaints received a positive response from traders, amounting to approximately 200 cases per year across the EU.

Due to these inefficiencies, the EU has decided to discontinue the platform.

If you use our Terms & Conditions generator, we have specified in the ”Online dispute resolution for Consumers” clause that the Online Dispute Resolution platform, previously available for alternative dispute resolutions that facilitated an out-of-court method for solving disputes related to and stemming from online sale and service contracts, has been officially discontinued as of 20 July 2025, following the adoption of EU Regulation 2024/3228.

Note that for already existing projects, the clause is available and will be fixed as soon as a change is made or the document is updated. It is also possible to deselect the clause, as the ODR platform is no longer available, and therefore the presence of the clause is not necessary. 

If, instead, an entirely new project is generated, the clause is no longer listed among the options to be selected.

The post Discontinuation of the European Online Dispute Resolution (ODR) Platform appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

We’ve compiled the latest in Data Protection and Privacy news for your convenience below.

1) Newly Published Documentation

• The Italian Garante published FAQs on accessing personal data in medical records. In particular, the Garante stated that healthcare facilities must provide data subjects with a copy of their data, and the first copy should be free of charge. Access the FAQs here (in Italian) →
• The Danish Data Protection Authority, Datatilsynet, has published a press release including its supervisory focus areas for 2025. These areas include, among other things, children’s data, the regulation of digital tracking via shopping apps, and the use of AI and generative AI in healthcare. Access the full list here (in Danish) →
• Ireland’s Data Protection Commission (DPC) welcomed the European Data Protection Board’s opinion on the use of personal data in AI development and deployment. The DPC asked for this guidance in September 2024 to ensure consistent rules across the EU. Read the press release here →
• The New Jersey Division of Consumer Affairs Cyber Fraud Unit released FAQs on the New Jersey Data Privacy Law (NJDPL), concerning key definitions and scope of the law. The law affects businesses and controllers targeting New Jersey residents. Learn more here →

2) Notable Case Law

• The Italian Garante fined Illumia S.p.A. €678,900 for GDPR violations. The company was making unsolicited telemarketing calls, lacked a proper legal basis for the calls, and did not ensure compliance with the law. Read about the decision here (in Italian) →
• The Court of Justice of the European Union (CJEU) ruled that access requests under GDPR cannot be deemed ‘excessive’ solely based on their number. The case involved an Austrian individual whose complaints were limited by the Austrian Data Protection Authority to two per month. This decision was overturned, and the CJEU clarified that authorities must prove abusive intent to label requests as excessive and may only impose fees or refuse requests if disproportionate. Access the ruling here →

3) New and Upcoming Legislation

• New Hampshire: House Bill 195, introduced on January 8, 2025, proposes amendments to the New Hampshire Privacy Act by clarifying the definition of ‘personal information’ and setting conditions for its disclosure. It requires explicit, informed consent for most disclosures but allows exceptions for emergencies, criminal activity, or legal obligations. Access here →
• Texas: Senate Bill 726, introduced on January 1, 2025, requires smart device operators in Texas to inform users about personal data collection. Text of the bill →
• Virginia: Senate Bill 769 amends §59.1-578 of the Code of Virginia, requiring privacy notices with opt-out options for cookies and consumer consent for non-essential cookies. Read more here →
• Washington: House Bill 1170 requires entities with generative AI systems used by over 1 million people in Washington to offer free AI detection tools, user feedback systems, and AI-generated content disclosures. It also prohibits collecting personal data through the detection tool, except under specific conditions. Access here →
  

4) Strong Impact Tech

• The Texas Attorney General has filed a lawsuit against TikTok for violations of the Deceptive Trade Practices Act. The lawsuit accuses TikTok of false advertising and for marketing its apps as safe for minors, not disclosing the nature of the content and its addictiveness. Read more here →
• Apple has agreed to pay $95 million to settle a 5-year-long lawsuit. Allegedly, the voice assistant Siri recorded private conversations that were shared with third parties and used for targeted ads. Learn more →

Other key information from the past weeks

• The Dutch Data Protection Authority fined Coolblue B.V. €40,000 for GDPR violations related to improper cookie consent practices. Learn more →
• France’s Law No. 2024-449 transposes the European Digital Services Act and Digital Markets Act into national law. Access here (in French) →
• The French CNIL fined the telecommunications operator ORANGE 50 million euros for showing advertising to users of its email service without their consent. Read more →

About us

Attorney-level solutions to make your websites and apps compliant with the law across multiple countries and legislations.

www.iubenda.com

The post DPO Newsletter: Global Data Protection & Privacy News (issue #139) appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

When visitors land on a website, to perhaps shop for the latest gadgets, read about breaking news, or simply scroll through content, cookies are quietly collecting personal data. 

But in order to do this, they need the visitors’ consent. 

That’s how e-commerce giant Coolblue recently found itself in the spotlight, facing a €40,000 fine from the Dutch Data Protection Authority (DPA). 

This case now serves as a brisk wake-up call for businesses across Europe, emphasizing that cookie compliance isn’t just a box to tick – it’s a legal necessity that can land companies in hot water, no matter their size. 

What is GDPR?

The General Data Protection Regulation (GDPR) is Europe’s flagship privacy law. It’s designed to protect people’s personal data and give them better control over how it’s collected, used, and stored. 

For businesses, these regulations set strict requirements around things like transparency, consent, and data processing practices. 

If a company fails to comply with GDPR, it can face significant fines. 

So, what went wrong? 

Coolblue’s cookie practices failed to meet GDPR standards. Instead of requiring active consent, the company made the error of assuming their visitors agreed to cookies by default. 

Worse still, its consent banners featured pre-ticked boxes – both of which are clear violations of the GDPR. 

Despite being alerted to these issues back in 2019, Coolblue didn’t fully address them until mid-2020 – by which time the DPA had already begun its investigation, which ultimately led to the fine. 

Why does this matter?

For any business that operates under GDPR, this ruling shines a bright light on the importance of obtaining valid consent. 

Regulators like the Dutch DPA are intensifying their enforcement of data protection rights, with a particular focus on clear cookie consent practices. Companies that fail to respect user privacy face penalties.

The consequences of noncompliance can go beyond just fines. It can also erode the trust of a company’s customer base and damage brand reputation – which arguably can cost far more than the monetary penalty. 

How you can avoid similar mistakes

If navigating cookie compliance can feel daunting, you’re not alone. 

But the solution doesn’t have to be complicated.

With iubenda’s Privacy Controls and Cookie Solution, businesses of all sizes can get on the road to compliance while maintaining user trust. 

Our solution’s features include:

• Customizable cookie banners: Get active consent with clear, GDPR-compliant designs. 
• Automatic cookie scanning: Keep track of every cookie on your site. 
• Detailed consent logs: Have a ready-made record for audits or investigations. 

Whether you’re operating in the Netherlands, Germany, Belgium, or beyond, iubenda gives you the tools to aid your business on its journey to compliance. 

Take action today

Don’t wait until the regulators come knocking. Equip your website with iubenda’s Privacy Controls and Cookie Solution to obtain valid cookie consent from your users and a record of such consents for your business. 

About us

Attorney-level solutions to make your websites and apps compliant with the law across multiple countries and legislations.

www.iubenda.com

The post Fined €40,000: A GDPR wake-up call for cookie compliance appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

We’ve compiled the latest in Data Protection and Privacy news for your convenience below.

1) Newly Published Documentation

• The Italian Garante approved a code of conduct for management software developers, to ensure compliance with data protection principles. The code applies to organizations that use management software for their administrative and financial tasks. Read here → (in Italian)
• The French CNIL issued a formal notice to several companies for using dark patterns on their cookie banners. In particular, notices were sent where it wasn’t as easy to reject consent as it was to accept it. Read more here →
• The California Privacy Protection Agency published the meeting materials for public consultation on CCPA updates, cybersecurity audits, risk assessments, automated decision-making technology and insurance companies. The consultation closes on January 14, 2025. More details here →
• The Brazilian Data Protection Authority (ANPD) published Resolution No. 23, which contains the agenda for 2025-2026. According to the Resolution, the ANPD will prioritize – among other things – data subject rights, data sharing by public administration entities, minors’ data processing, artificial intelligence. Access the Resolution here → (in Portuguese)

2) Notable Case Law

• The French CNIL fined the telecommunications operator ORANGE 50 million euros for showing advertising to users of its email service without their consent. The company was showing advertising messages, disguising them as regular emails. Read about the decision here →
• The Italian Garante fined the Istituto Nazionale di Previdenza Sociale (INPS) €50,000 for GDPR violations. The INPS published names, dates of birth, and scores of more than 5,000 participants in a public competition. The Garante found that this data could remain online indefinitely and be misused. Read more here → (in Italian)
• The Irish Data Protection Commissioner (DPC) fined Maynooth University €40,000 for GDPR violations. After a data breach which caused the unauthorized access to employee email accounts, the DPC found that the university didn’t have proper security measures in place and failed to notify the Authority about the breach. Read about the decision here →

3) New and Upcoming Legislation

• European Union – On December 8, the Product Liability Directive became effective. It addresses liability for defective products, including software and AI systems. Learn more here →
• Colorado – The Colorado Attorney General approved amendments to the Colorado Privacy Act Rule. The amendments include new requirements for biometric identifiers, which now need a ‘biometric identifier notice’ at the time of collection. Access here →
  

4) Strong Impact Tech

• The UK’s Information Commissioner’s Office published a response to the generative AI consultation series, addressing topics such as lawful web scraping, individual rights, and controllership in AI models. Read here →
• The Norwegian Datatilsynet provided information about X’s processing of EU users’ personal data on its platform to train AI models, including the Grok chatbot. Although users can opt out of the processing, Datatilsynet is still uncertain about the use of public posts for AI training. More details here (in Norwegian) →

Other key information from the past weeks

• The House for Whistleblowers in the Netherlands released guidelines for conducting internal investigations in compliance with the Whistleblowers Protection Act. Read here (in Dutch) →
• The Norwegian DPA announced that Meta will introduce a new alternative to the “consent or pay” model. More here (in Norwegian) →

About us

Attorney-level solutions to make your websites and apps compliant with the law across multiple countries and legislations.

www.iubenda.com

The post DPO Newsletter: Global Data Protection & Privacy News (issue #138) appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Now more than ever, people care about their privacy and often act to protect their data from misuse. As a business, avoiding data privacy issues can ensure you have a better relationship with your users, who will be more likely to trust you.

In this guide, we take a look at the top 3 data privacy issues for businesses and how to avoid them.

What Is Data Privacy?

Data privacy concerns protecting individuals’ rights to control their personal information and decide whether it can be collected, used, and shared by companies.

Data privacy laws allow individuals to get control over how their data is used and impose to businesses specific requirements to minimize the amount of data that they collect.

Data Privacy Issues: Cyberattacks

One of the first privacy concerns is cyberattacks. Did you know that someone falls victim to a cyberattack once every 11 seconds?

With the widespread digitalization of processes, cyberattacks and data breaches are becoming more and more common, and knowing how to prevent them is key to avoiding data privacy risks.

When we talk about cyberattacks, we refer to any deliberate attempt to compromise the security, integrity, availability, or confidentiality of a digital system, network, or data.

Some of the most common examples of cyber attacks include:

• Phishing: tricking into revealing sensitive information by pretending to be a trustworthy entity.
• Malware: deploying malicious software like viruses, worms, trojans, or ransomware to disrupt or compromise systems.
• DDoS (Distributed Denial of Service): overwhelming a server or network with excessive traffic, causing it to crash.
• Password attacks: stealing passwords to gain unauthorized access.
• SQL Injection: exploiting vulnerabilities in database-driven applications to access or manipulate data.

How to avoid cyberattacks?

Avoiding cyberattacks requires special attention to your security measures. Having robust security measures in place can help you prevent cyberattacks, or at least make it harder for hackers to access your data.

But because cyberattacks can happen even with the most robust measures in place, it’s also a good idea to have a data breach response plan in place. In the event of an incident, you will know what to do immediately and be able to mitigate the effects of the attack.

Data Privacy Issues: Lack of Transparency

Another popular data privacy issue is the lack of transparency with your users. Companies often forget how important trust is in a business relationship: it can really make a difference in how your business is perceived and thus impact your revenue.

Being transparent about your data practices helps users understand how you will use their data and make a more conscious choice about sharing it with you.

How to avoid lack of transparency?

Being upfront about how data is used not only avoids misunderstandings but also demonstrates respect for customer privacy.

Legal documents made easy with iubenda!

---

iubenda helps you with being transparent with your users, thanks to our simplified view of legal documents.

Users will understand at a glance what data you’re processing and why, without having to read a complicated legal document.

Try it now

Data Privacy Issues: Non-compliance with Privacy Laws

Lastly, another common data privacy concern is non-compliance with privacy laws.

Failing to comply with data privacy laws is a costly mistake that many businesses cannot afford. Not only non-compliance can result in damage to your reputation, but it can also lead to hefty fines.

For example, certain fines for non-compliance with the EU GDPR can reach €20 million or 4% of a business’s annual worldwide turnover.

How to avoid non-compliance with privacy laws?

Compliance can be tricky, especially when you don’t know where to start. Moreover, it’s an ongoing process that you should monitor periodically.

Data Privacy Concerns: Conclusion

As you can see, privacy is more than a legal requirement; it’s a critical factor in your business success. By addressing privacy issues, you can create a safe environment for your users and build lasting relationships rooted in trust and accountability.

About us

Attorney-level solutions to make your websites and apps compliant with the law across multiple countries and legislations.

www.iubenda.com

The post Top 3 Data Privacy Issues and How To Avoid Them appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

We’ve compiled the latest in Data Protection and Privacy news for your convenience below.

1) Newly Published Documentation

• The Norwegian Data Protection Authority (Datatilsynet) announced that Meta will introduce a new alternative to the “consent or pay” model. Users will be able to access Instagram and Facebook without paying a fee and will see ads based on the collection of less personal data. Read here → (in Norwegian)
• The Hamburg Commissioner for Data Protection and Freedom of Information highlighted key rulings on the right to be forgotten under GDPR. These include a 20-year limit on public register entries, requirements for legitimate interest in third-party access after this period, and specific notice for search engines to remove content. Access here → (in German)
• The Danish Digital Agency published a white paper on “Responsible use of AI assistants in the public and private sector“. The paper provides a framework for the development, implementation and use of AI in Denmark, in line with the EU AI Act and the GDPR. Access the paper here →
• The Dutch Data Protection Authority (AP) and the UK Information Commissioner’s Office (ICO) signed a Memorandum of Understanding, to strengthen collaboration on personal data protection laws. Read more here →

2) Notable Case Law

• The Spanish Data Protection Authority (AEPD) fined SEAT SA €12,000 for installing non-technical cookies without users’ consent. The company’s website placed cookies on the users’ devices even after they withdrew their consent. Access the Authority’s decision here (in Spanish) →
• The Polish Supreme Administrative Court upheld the fine of PLN 201,599.50 (approximately €46,000) imposed on ClickOuickNow by the Data Protection Authority, UODO. The company made it difficult to withdraw consent for processing personal data by using complicated technical solutions. Read the press release here (in Polish) →

3) New and Upcoming Legislation

• California – The California Privacy Protection Agency adopted new regulations for Data Broker Registration. The regulations also update the California Consumer Privacy Act and establish new requirements for businesses – such as cybersecurity audits and risk assessments – and enhance consumer rights to access and opt out of the use of automated decision-making technologies. Read the press release here →

4) Strong Impact Tech

• The UK Information Commissioner’s Office (ICO) issued recommendations for developers and providers of AI recruitment tools following an audit that identified concerns about fairness, excessive data collection, and indefinite retention of personal data. Access the press release →
• The OECD released a report titled “Assessing potential future artificial intelligence risks, benefits and policy imperatives“, which highlights AI’s potential to improve information flow, transparency, and services in healthcare and education. However, it also warns of risks such as cyber threats, misinformation, safety issues, privacy breaches, and governance challenges. Read it here →

Other key information from the past weeks

• The Spanish DPA fined the bank Santander Consumer Finance €50,000 for not complying with the right to object under the GDPR. Read more → (in Spanish)
• The Italian Garante announced the creation of a task force to ensure the protection of databases. Press release → (in Italian)
• The Irish Data Protection Commissioner fined LinkedIn Ireland Unlimited Company €310 million for GDPR violations. Read here →

About us

Attorney-level solutions to make your websites and apps compliant with the law across multiple countries and legislations.

www.iubenda.com

The post DPO Newsletter: Global Data Protection & Privacy News (issue #137) appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

We’ve compiled the latest in Data Protection and Privacy news for your convenience below.

1) Newly Published Documentation

• The Belgian Data Protection Authority published a report on data protection in smart cities. The report highlights how the Smart Cities project would process citizens’ personal and sensitive data – such as travel patterns and location – and raises questions about the protection of their privacy. Access the press release here →
• The UK Information Commissioner’s Office (ICO) has published a new audit framework to help organizations assess their compliance with key requirements under data protection law.
• The European Data Protection Board (EDPB) adopted Guidelines on the processing of personal data based on legitimate interest. In order to rely on legitimate interest, the controller needs to meet three conditions: the controller (or a third party) must have a legitimate reason for processing the data, the data must be necessary to fulfill this interest and the interest should never take precedence over the rights of individuals.
• The EDPB also chose the topic for the fourth Coordinated Enforcement Action (CEF): the implementation of the right to erasure by controllers. Data Protection Authorities will join the CEF voluntarily, and the action will be launched at the beginning of 2025. Read more here →

2) Notable Case Law

• The Spanish Data Protection Authority (AEPD) has fined the bank Santander Consumer Finance, S.A. €50,000 for not complying with the right to object under the GDPR. The bank failed to fulfill a user’s request, who had previously objected to receiving advertising at his home address. Read about the decision here → (in Spanish)
• After five years, the German Federal Cartel Office (Bundeskartellamt) closed its case against Meta. In 2019, Meta was prohibited from combining user data from different sources without consent. The EU Court of Justice confirmed that the competition authority could enforce GDPR rules, leading Meta to take measures such as separating data from different services and improving consent options. Meta withdrew its legal appeal, making the decision final. Access the press release here →

3) New and Upcoming Legislation

• European Union: The European Council adopted the Cyber Resilience Act. The Act aims to ensure that products with digital elements – like home cameras, TVs, and toys – are safe before being sold on the market. Read more here →
• European Union: On October 9, 2024, the European Commission published the first periodic review of the EU-US Data Privacy Framework (DPF). The review follows the Commission’s request for feedback in August 2024. Download the report here →

4) Strong Impact Tech

• The European Commission held a workshop to gather input on protecting minors under the Digital Services Act (DSA). A group of experts discussed a variety of topics – such as cyberbullying, access to age-inappropriate content, and the proliferation of child sexual abuse material – and identified best practices to mitigate risks. The Commission plans to publish draft guidelines for public consultation in early 2025 and adopt them later in the year. Read more here →
• The G7 released a statement discussing concerns about the impact of artificial intelligence (AI) on competition. To address these concerns, the G7 outlined principles for fair competition in AI, such as ensuring fair access to AI tools and data, supporting open standards, and promoting transparency about how AI is used. Access the Digital Competition Communiqué here →

Other key information from the past weeks

• The Dutch Data Protection Authority published its report on data breaches in 2023. Press release → (in Dutch)
• The Belgian Data Protection Agency fined a company for using dark patterns. Read more → (in French)
• The CNIL has published its recommendations to help professionals design mobile applications that respect privacy. More details →

About us

Attorney-level solutions to make your websites and apps compliant with the law across multiple countries and legislations.

www.iubenda.com

The post DPO Newsletter: Global Data Protection & Privacy News (issue #136) appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

We’ve compiled the latest in Data Protection and Privacy news for your convenience below.

1) Newly Published Documentation

• The Dutch Data Protection Authority (AP) published its report on data breaches in 2023. After investigating 50 of the largest breaches of the year, the AP found that companies did not comply with all requirements regarding the warning messages to be sent to affected individuals. Access the press release here (in Dutch) →
• Ireland’s Data Protection Commission (DPC) has made a request to the European Data Protection Board (EDPB) for an opinion pursuant to Article 64(2) of the General Data Protection Regulation (GDPR) further to successfully concluding legal proceedings against X’s AI tool “Grok”. The request aims to kickstart discussions on AI model training including the extent to which personal data is utilized and to obtain much-needed guidance in this unchartered area. Access the press release here →
• The EDPB and the European Commission have agreed to join forces to provide guidance on the interplay between the GDPR and the Digital Markets Act (DMA). The intention is to produce a set of rules that will provide coherent application of the regulatory framework to better guide digital gatekeepers.
• The California Privacy Protection Agency (CPPA) issued an Enforcement Advisory on dark patterns. The Agency defined dark patterns as “user interfaces that subvert or impair consumers’ autonomy, decision making, or choice when asserting their privacy rights or consenting”. Businesses should avoid dark patterns and instead use symmetrical choices and straightforward language. Read the press release here →

2) Notable Case Law

• The Belgian Data Protection Authority has found that Mediahuis NV uses cookies and dark patterns in an unlawful way, in violation of the General Data Protection Regulation (GDPR). Mediahuis NV now has 45 days to add an option to reject cookies at each level of its cookie banner and to stop using misleading designs. Should they fail to do so, they will receive a fine of €25,000 for each day of non-compliance. Read all the details here (in French) →
• The Swedish Data Protection Agency (IMY) has fined Apoteket AB and Apohem AB for illegally transferring sensitive data to Meta. The companies used Meta’s pixel on their websites to improve their social media marketing strategy. However, the pixel also transferred users’ health data to Meta. Access the press release here (in Swedish) →

3) New and Upcoming Legislation

• Germany – The German Federal Government has adopted the Consent Management Ordinance under the Telecommunications Digital Services Data Protection Act, which sets out requirements relating to the use of cookie banners and the provision of user consent. Consent management services will need to store user consent decisions permanently after users provide them, reducing the need for repeated consent requests. Read more here (in German) →
• European Union – On September 2, 2024, the European Parliament released a Briefing on the EU Artificial Intelligence Act, which expands on the application of the EU AI Act.

4) Strong Impact Tech

• Brazil’s Data Protection Authority (ANPD) has lifted the ban on Meta using personal data to train its artificial intelligence. The company is now allowed to use personal data again, but with some restrictions. Meta is not allowed to use data from children’s and teenagers’ accounts and must improve transparency while making it easier for users to refuse the use of their personal data. Read more here (in Portuguese) →

Other key information from the past weeks

• Certified US companies now offer an adequate level of protection under the Data Privacy Framework between Switzerland and the USA. Press release →
• The EU Al Act entered into force on August 1, 2024. Learn more →
• The Kids Online Safety and Privacy Act (KOSPA) passed in the U.S. Senate. Follow the progress of the law here →

About us

Attorney-level solutions to make your websites and apps compliant with the law across multiple countries and legislations.

www.iubenda.com

The post DPO Newsletter: Global Data Protection & Privacy News (issue #135) appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

And when it comes to responding to data subject requests (DSRs), it’s all the more important. But DSRs are something that many organizations overlook – which can come with significant consequences.

As one Belgian telecommunications company found out the hard way. 

In a moment, you’ll discover where this organization went wrong and how you can protect yourself from the same fate – it’s easier than you think. 

What’s a data subject request? 

A data subject request is a formal request made by an individual to an organization about the personal data that it has collected, processed, or stored about them – ensuring individuals have greater control over their personal data.

It’s a key part of privacy laws like the General Data Protection Regulation (GDPR), making it vital for you to keep in mind to stay compliant.  

Under GDPR, individuals have the right to make eight different requests when it comes to their personal data:  

1. The right to be informed
2. The right of access
3. The right to rectification
4. The right to erasure
5. The right to restrict processing
6. The right to data portability
7. The right to object
8. Rights related to automated decision-making

What happened?

A client of a Belgian telecommunications company noticed there were some changes to their subscription and billing, even though they didn’t ask for anything to be changed. 

To find out why the issue came up in the first place, on January 25th 2022 the client asked the company for access to their personal data – with specific details on which employees accessed their  personal data, when they did so, and why – as per their rights according to GDPR. 

A few weeks passed and the individual concerned hadn’t received the data they requested, despite sending reminders. So they made a formal complaint to the Belgian Data Protection Authority (DPA). 

In fact, the individual concerned didn’t receive the data they requested from the organization until March 28th 2023 – 14 months later.

Where they went wrong

The DPA found that the telecommunications company had violated:

• Article 15 of GDPR – where they were required to respond to the data subject request within a month
• Articles 12(2) and (3) of GDPR – where they had to inform the client of changes to their subscription 

When an organization receives a DSR, they’re required to respond within a month and take appropriate action, depending on the nature of the request. This company responded with the requested data 14 months later. 

The consequence of responding so late?

A fine of €100,000.

How you can avoid the same mistakes

If the prospect of dealing with a DSR seems overwhelming, you don’t have to worry – it’s easy with the right tool. 

iubenda’s Data Subject Rights Management Tool simplifies the whole DSR process for you, allowing you to address all the different types of data subject requests. 

Setup is quick: All you have to do is activate the tool and embed a request form on your website for easy access. 

Then, once someone makes a request you’ll receive a notification – so you can take action, fast. 

You’ll be guided through the process with regular reminders, ensuring you don’t miss a step.

With the Data Subject Rights Management Tool, you’ll have all the help you need to respond to data subject requests quickly, making it easier to comply with legal requirements.

It might just save you €100,000.

About us

Attorney-level solutions to make your websites and apps compliant with the law across multiple countries and legislations.

www.iubenda.com

The post Data subject requests: A 14-month delay cost this company €100,000 appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

We’ve compiled the latest in Data Protection and Privacy news for your convenience below.

1) Newly Published Documentation

• The New Hampshire Attorney General announced the creation of the Data Privacy Unit. The Unit will be responsible for enforcing compliance with the New Hampshire Act, which is expected to enter into force on January 1, 2025. Read more here →
• Certified US companies now offer an adequate level of protection under the Data Privacy Framework between Switzerland and the USA. This means that personal data can be transferred from Switzerland to certified US companies without any additional guarantees. Read the press release here →
• The European Commission is seeking public feedback on its report on the first review of the EU-US Data Privacy Framework (DPF). EU citizens have until September 6th to submit their views on all relevant aspects of the Data Privacy Framework. Access the platform here →
• The Polish Data Protection Authority (UODO) has clarified the interpretation of the Whistleblower Protection Act. According to the Polish DPA, a whistleblower can be identified not only by their name or surname, but also by any indirect data, such as their place of work. Read more here (in Polish) →

2) Notable Case Law

• After randomly selecting 200 websites, the Danish Digital Agency found that all the sites were collecting data without visitors’ consent. Specifically, 42.2% of websites had unclassified cookies, 27.6% lacked information in their cookie banner, and 18.1% were missing a cookie banner. Most sites remedied this situation, however the sites that are still in violation may be subject to a fine. Reported here (in Danish) →
• noyb has filed 9 separate complaints against X/Twitter. The complaints follow the Irish DPC proceedings against the company, which began training its AI models on EU data. X/Twitter has paused the training until September, but noyb is alleging that further GDPR enforcement should take place. Read more here →
• The Brazilian Federal Court issued a preliminary decision against WhatsApp for violating the General Personal Data Protection Law (LGPD). WhatsApp must stop sharing unencrypted user data and it must provide users with an easy way to opt out of sharing their data with companies in the Meta group. WhatsApp has 90 days to comply, or it will face a fine of R$200,000 (approx. $36,460) per day of non-compliance. Read the press release here (in Portuguese) →

3) New and Upcoming Legislation

• European Union – The EU Al Act entered into force on August 1, 2024. The Act will become fully applicable in two years, but certain requirements related to prohibited Al practices will become enforceable in February 2025. Fines for non-compliance with the AI Act can be up to 7% of the total global annual turnover, making the risk of non-compliance almost double if compared with the GDPR. Access the press release here →
• United States – The Kids Online Safety and Privacy Act (KOSPA) passed in the U.S. Senate. The bill requires online platforms to pay attention to the creation of new design features, to mitigate harm to minors. Follow the progress of the law here →

4) Strong Impact Tech

• According to Bleeping Computer, Google is taking a privacy-focused approach to integrating its Gemini AI into Android devices. Google is implementing end-to-end protection to secure data in transit, while storing the most sensitive data on the device. Read more here →
• The European Commission has sent a request for information to Meta under the Digital Services Act (DSA). Since Meta discontinued CrowdTangle, the Commission wants to know how the company will allow researchers to access public data on Facebook and Instagram, among other things. Read more here →

Other key information from the past weeks

• The European Commission has issued preliminary findings to Meta regarding its “Pay or Consent” model, stating it breaches the Digital Markets Act (DMA). Press release here →
• The French CNIL commissioned a study on alternative advertising models and the decline of third-party cookies. Learn more here (in French) →

About us

Attorney-level solutions to make your websites and apps compliant with the law across multiple countries and legislations.

www.iubenda.com

The post DPO Newsletter: Global Data Protection & Privacy News (issue #134) appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

A.S Watson Group, which owns Kruidvat, a Dutch health and beauty brand, has discovered how important it really is. Ignoring GDPR has led to them receiving a significant fine from the Dutch Data Protection Authority (AP). 

Find out where A.S Watson went wrong on the kruidvat.nl website and how you can avoid making the same mistake with one simple platform.

It could save you €600,000.

Where did A.S Watson go wrong?

AP launched investigations into various websites, including kruidvat.nl, in October 2019. It discovered two key areas where A.S Watson was violating GDPR:

Installation of cookies before consent

AP found kruidvat.nl was automatically placing tracking cookies on user devices before consent was given. 

Some of these cookies assigned unique identifiers to website visitors, creating a personal profile of them.

These cookies collected personal data including email addresses, IP addresses, location, products added to shopping carts, purchases, and which recommendations users clicked on.

Considering that users’ sensitive, health-related information is collected on krudivat.nl, the consent requirement is all the more important.

A non-compliant consent process

What’s more, Kruidvat’s cookie banner had boxes that agreed to the placement of tracking and advertising cookies ticked by default. 

And it made it difficult for users to opt out of these cookies. Users would have to navigate a complicated five-step process to protect their privacy.

The cost of ignoring GDPR

AP found that A.S Watson was violating Articles 5(1)(a) and 6 of GDPR which concern the processing of data in a lawful and transparent manner. AP made A.S Watson aware of these issues in November 2019, giving them time to remedy the situation. 

But by June 2020, the company still hadn’t made any changes to their cookie consent practices.

As a result, A.S Watson is now facing a fine of €600,000. The lesson is clear: 

It’s important to take GDPR seriously – or it could come with significant consequences for any organization that ignores it.

How iubenda can help you easily avoid the same mistake 

The great news is that you can easily avoid making the same mistakes that appear on kruidvat.nl.

iubenda’s Privacy Controls and Cookie Solution is a reliable tool you can use to get on the road to compliance with GDPR and other data privacy laws.

With it, you can customize and embed your own cookie notice and generate a cookie policy.

The tool recommends a suitable configuration based on users’ locations, as well as your own, helping you comply with country-specific regulations – whether in the Netherlands or elsewhere. 

The Privacy Controls and Cookie Solution comes with an integrated auto-blocking feature, which automatically blocks scripts that place cookies on user devices before they give their consent. 

This would’ve prevented A.S Watson’s main violation – and saved them €600,000.

Don’t make the same mistake

A.S. Watson’s story serves as a reminder that GDPR and other privacy legislation shouldn’t be taken lightly. It’s important to ensure your website follows proper cookie consent practices.

iubenda commences your journey towards compliance. Take a quick look now – and avoid the same mistake:

About us

GDPR compliance for your site, app and organization

www.iubenda.com

The post The GDPR mistake that could cost you €600,000 appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Here’s a summary of key findings from various national DPAs:

Overview from the French DPA

The CNIL (French data protection authority) increased its enforcement actions, issuing 42 sanctions totalling nearly €90 million. They conducted 340 inspections and processed over 16,000 complaints, resulting in 168 formal notices and 33 reminders of legal obligations. 

Record number of formal notices with 168 decisions

The sanctions covered diverse themes including online advertising, data security, and employee surveillance, targeting both small companies and multinational corporations. A simplified sanction procedure introduced in 2022 also contributed to the rise in enforcement actions.

Overview from the Spanish DPA

The Spanish Data Protection Agency (AEPD) Annual Report highlights a significant increase in data protection activities. 

Key points include:

• a 43% rise in complaints compared to 2022, totalling 21,590; and 
• notable sanctions against public administrations for non-compliance with data protection measures. 

The report also covers legislative trends, significant enforcement actions, educational initiatives, and advancements in technology and innovation in data protection. 

Overview from the Irish DPA

The Data Protection Commission (DPC) of Ireland imposed significant fines totalling €1.55 billion, with €1.2 billion being placed on Meta Ireland. TikTok was also fined €345 million for non-compliance with GDPR, specifically related to the processing of children’s data. 

Other substantial penalties included €750,000 for the Bank of Ireland and €460,000 for Centric Health, highlighting the severe consequences of data breaches and non-compliance.

The DPC handled a record number of cases in 2023:

• New cases received: 11,200
• Cases concluded: 11,147
• Formal complaints: 2,600

This high volume of complaints indicates a growing awareness and enforcement of data protection laws, emphasizing the need for businesses to have comprehensive compliance frameworks to manage and respond to data protection issues efficiently.

There was a notable 20% increase in valid breach notifications, totaling 6,991 for the year, with 92% of these concluded by year-end. 

DPC concluded 237 investigations related to unsolicited marketing communications, resulting in fines for several companies.

Overview from the German DPA

The Bavarian Data Protection Authority (BayLDA) took substantial enforcement actions to uphold data protection laws. Among the notable cases, significant fines were imposed on organizations failing to comply with GDPR. 

This strict enforcement underlines the necessity for businesses to maintain robust compliance frameworks to avoid hefty penalties and ensure data protection compliance.

Likewise, the Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI) took substantial enforcement actions, reflecting their commitment to upholding data protection laws. The number of data breach notifications reached a new high with 925 reported cases, including 235 hacker attacks. 

This increase underscores the need for businesses to have robust data protection measures and effective breach management systems in place.

Overview from the Italian DPA

The authority investigated several thousand cases, received over 10,000 complaints, issued 221 compliance orders, and adopted 146 sanctions. 

These fines were mainly for:

1. infringements of data subject rights, 
2. unlawful telemarketing practices; and 
3. data breaches affecting both public and private bodies.

High-Profile Cases

• OpenAI (ChatGPT): The Italian DPA temporarily limited the processing of data belonging to Italian users following a data breach involving ChatGPT. The inquiry addressed several concerns, including the lack of information provided to users, unclear legal basis for data processing, risks from inaccurate data, and the absence of effective age verification mechanisms. In response, OpenAI updated its privacy policy and provided opt-out options for users. However, further efforts were required for age verification, leading to the establishment of an ad-hoc task force by the EDPB to address these issues across the EEA.
• Aggressive Telemarketing Practices: The Italian DPA took significant actions against aggressive telemarketing practices.

These actions highlighted the importance of oversight and complying with data protection laws in telemarketing activities.

Adoption of National Code of Conduct

A national Code of Conduct was adopted to regulate telemarketing and teleselling activities. The Code includes specific commitments such as:

• Obtaining explicit consent for each purpose of data processing.
• Providing clear and precise information to individuals regarding the use of their data.
• Guaranteeing the exercise of privacy rights (right to object, right to rectification).
• Including penalties in contracts between operators and service providers for any sales conducted without proper customer consent.

What Can You Do to Avoid Receiving the Next Big Fine?

2023 saw data protection authorities across Europe demonstrating their commitment to enforcing strict regulations through significant fines, rigorous investigations, and proactive regulatory engagements. 

Businesses are facing increasing scrutiny and complex compliance challenges, highlighting the necessity for robust and adaptive compliance solutions. 

But, why choose iubenda…?

1. Mitigate Risks and Avoid Penalties

With authorities cracking down on businesses it’s clear that non-compliance can have severe financial consequences. Thats why, ensuring you stay ahead of regulatory requirements is crucial to mitigate risks and avoid costly penalties.

2. Efficient Complaint and Breach Management

The rise in data breach notifications and complaints underscores the need for efficient management systems. Being able to quickly detect, manage, and report data breaches ensures compliance with GDPR requirements and safeguards your business.

3. Adapt to Evolving Regulations

Data protection regulations are continually evolving, with new guidelines and codes of conduct being adopted regularly. Staying compliant with the latest regulatory changes through continuous updates and guidance is essential for maintaining a proactive approach to data protection.

4. Comprehensive Coverage

Managing data subject rights, ensuring lawful telemarketing and direct email marketing practices, providing clear information, and obtaining explicit consents are all critical aspects of data protection compliance. Effective tools designed to handle multi-jurisdictional requirements make it easier for businesses operating across different regions.

Take Control of Your Data Compliance Today!

Don’t wait for a data breach or regulatory fine to highlight the gaps in your compliance framework. Our solutions can help you avoid making the same mistakes:

• Provide a privacy and cookie policy. You can create one in minutes with our Privacy and Cookie Policy Generator
• Display a cookie banner and block cookies before consent. It’s easy with our Privacy Controls and Cookie Solution
• Make your forms GDPR compliant. You can prove your newsletter consents with our Consent Database

The post Europe’s GDPR Enforcement in 2023: Record Fines and Key Insights appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

We’ve compiled the latest in Data Protection and Privacy news for your convenience below.

1) Newly Published Documentation

• The Garante published its 2023 activity report focusing on digitalisation, AI, aggressive telemarketing, vulnerable subjects, and health data protection. Key actions included the initial block of ChatGPT, suspension of the Replika chatbot, and an investigation into the Sora AI model. Efforts continued on age verification on social media and developing cybersecurity guidelines with the National Cybersecurity Agency. In 2023, 2037 data breaches were reported (37% public, 63% private). The Garante imposed heavy fines for aggressive telemarketing, handled 9,281 complaints, conducted 144 inspections, and issued 394 sanctions totaling €8 million in fines. Press Release → (in Italian)
• Following the EDPB’s cookie banner taskforce report, noyb released a Consent Banner Report comparing the taskforce’s findings with positions from 15 national DPAs. The report highlights the need for clear cookie reject options, the illegality of pre-ticked boxes, and issues with nudging through different colored buttons. Learn more →
• CNIL commissioned a study on alternative advertising models and the decline of third-party cookies. The study examined which models might replace third-party cookies and the associated risks. It identified seven solutions: Google’s Privacy Sandbox, substitution identifiers, contextual targeting, cohort targeting, retail media, user account-driven environments, and paywalls. Press Release → (in French)

2) Notable Case Law

• The Austrian Data Protection Authority (DSB) published the Federal Administrative Court’s (BVwG) judgment in Case BVwG to No. W137 2248575-1/31E, which upheld a fine for an appellant failing to facilitate the exercise of data subject rights by using a mandatory contact form. The fine was reduced to €500,000 considering minor negligence and cooperation during the proceedings. (in German)
• noyb filed a complaint against Microsoft’s Xandr with the Italian Garante for GDPR infringements, alleging violations of transparency, right of access, and holding inaccurate user information. The complaint highlights Xandr’s failure to comply with GDPR access requests. Read more →

3) New and Upcoming Legislation

• Published in the Official Journal, the AI Act will come into force on August 1, 2024, however it will fully apply by August 2, 2026, with phased provisions starting from February 2025. These include bans on certain AI systems, regulations for general-purpose AI, and high-risk AI systems in various sectors. The European AI Office will oversee implementation.

4) Strong Impact Tech

• The European Commission requested information from Amazon under the DSA regarding measures taken to ensure transparency of recommender systems, ad repository maintenance, and risk assessment compliance. Read more →
• The European Commission has issued preliminary findings to Meta regarding its “Pay or Consent” model, stating it breaches the Digital Markets Act (DMA). The Commission found that Meta’s model forces users to consent to the combination of their personal data without offering a less personalized but equivalent alternative. Under Article 5(2) of the DMA, gatekeepers must obtain user consent for combining personal data and provide an equivalent alternative if consent is refused. Gatekeepers cannot condition service use or certain functionalities on user consent. Press Release →

Other key information from the past weeks

• In a significant move to protect consumer privacy, the Federal Trade Commission (FTC) has finalized an order against Avast, a software provider, banning the company from selling or licensing web browsing data for advertising purposes. Follow this news →
• The US Federal Trade Commission (FTC) has escalated a complaint against TikTok and its Chinese parent company, ByteDance, to the Department of Justice over potential breaches of children’s privacy regulations. Full details →

About us

Attorney-level solutions to make your websites and apps compliant with the law across multiple countries and legislations.

www.iubenda.com

The post DPO Newsletter: Global Data Protection & Privacy News (issue #133) appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

This feature allows site visitors to opt out of the sale or sharing of their personal information. Users will see messages specific to their state’s regulations, which need to be activated and managed within the AdSense interface. This update supports compliance with laws like the California Privacy Rights Act (CPRA) and similar regulations in other states.

supports compliance with laws like the California Privacy Rights Act (CPRA) and similar regulations in other states.

Setting Up Google AdSense Privacy Messages

You need to activate and manage the US state regulations messages in your AdSense account. Here’s a step-by-step guide:

For more details, refer to: 

• About Privacy & messaging
• Available user message types
• About US state regulations messages
• Create a US state regulations message

Frequently Asked Questions

Which states have privacy laws that Google’s new AdSense features address?
Google’s new AdSense privacy and messaging features are designed in line with privacy laws in California, Colorado, Connecticut, Virginia, and Utah.

How can users opt out of data sharing through AdSense?
Users can opt out by clicking the “Do Not Sell or Share” link in the AdSense message, which guides them through the process.

Do site owners need to manually activate these features for each state?
Yes, for existing messages. New messages will automatically include all relevant states by default, adjustable in the targeting settings.

What are some best practices for implementing these privacy features?
Ensure messages are clear, visible, and transparent. Regularly update settings and test different implementations to optimize user experience.

What are the consequences of not complying with these privacy laws?
Non-compliance can lead to hefty fines, legal action, and damage to your site’s reputation.

Ensure Your Website’s Compliance with iubenda

With Google AdSense’s new privacy feature now rolling out to comply with various state privacy laws, it’s crucial to ensure your website stays compliant. iubenda is your one-stop solution for global data privacy laws. Our tools help you manage privacy policies, cookie consent, and more, effortlessly.

Stay Ahead of Privacy Regulations

Google’s new feature addresses the requirements of privacy laws in states like California and Virginia. iubenda can help you keep pace with these changes. 

Take Action Today

Don’t wait for compliance issues to arise. Secure your website and protect your users’ privacy with iubenda. Here’s how you can get started:

Google’s new AdSense privacy feature is a step forward in aligning with state-specific privacy laws. Partner with iubenda to ensure your website remains compliant and your users’ data is protected. Embrace the changes and stay ahead in the compliance game.

The post Google AdSense Rolls Out New Privacy and Messaging Feature appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

We’ve compiled the latest in Data Protection and Privacy news for your convenience below.

1) Newly Published Documentation

• The Saxon Data Protection Authority (SächsDSB) reviewed around 30,000 websites for data protection issues, particularly focusing on the use of Google Analytics. They emphasized that Google Analytics tracks user behavior in detail, making user consent essential under data protection laws. The authority discovered that 2,300 websites, including those of companies, associations, and public bodies, failed to meet these consent requirements. The SächsDSB will demand that these entities correct the violations and delete improperly collected data, with potential formal proceedings if they do not comply. Press release in German →
• The Federal Commissioner for Data Protection and Freedom of Information (BfDI) and the UK’s Information Commissioner (ICO) met in Venice and signed a Memorandum of Understanding (MoU) to formalize their cooperation. The MoU outlines the exchange of information between the authorities and confirms their commitment to collaborate on key international data protection issues. Access here →
• The European Commission’s Multistakeholder Expert Group released its report on the application of the General Data Protection Regulation (GDPR). The report noted positive developments in compliance, awareness, and the use of rights to access and erasure. However, it also identified issues such as low awareness of other rights, challenges with automated decision-making, data portability, transparency obligations, and GDPR’s alignment with other regulations. Concerns were also raised about the adoption of Standard Contractual Clauses for data transfers and inadequate coordination between data protection authorities in cross-border cases. Read here →

2) Notable Case Law

• The Spanish Data Protection Authority (AEPD) fined BANCO BILBAO VIZCAYA ARGENTARIA, SA (BBVA) €200,000, later reduced to €120,000. The fine was based on a complaint that BBVA had incorrectly included the complainant’s personal data in a solvency file without proper prior notice, due to an incorrect address. The AEPD found that BBVA violated the GDPR’s accuracy principle, which mandates that personal data must be accurate and up-to-date. By failing to provide the correct address, BBVA caused significant harm to the complainant, who did not receive the notification. BBVA paid the reduced fine of €120,000 voluntarily, acknowledging its responsibility. The Authority’s Decision can be found here in Spanish →
• The Irish Data Protection Commission (DPC) announced that Meta will no longer process EU/EEA user data for “artificial intelligence techniques” following 11 complaints from privacy advocacy group noyb. Although the DPC initially approved Meta’s AI operations in the EU/EEA, recent pressure from other regulators has led to this change. We cover the full story here →

3) New and Upcoming Legislation

US Law Updates:

• Vermont: Vermont’s Governor vetoed House Bill 121, which aimed to enhance consumer privacy. The bill included provisions such as the Vermont Data Privacy Act, public outreach and education, an Attorney General study, protection of personal information including data broker security breach provisions, and an age-appropriate design code. The Governor stated that the bill posed unnecessary risks, particularly due to the private right of action provision, which could impact many businesses and non-profits. He also highlighted concerns about the age-appropriate code, citing potential First Amendment violations, similar to issues seen with legislation in California. Press release →
• Rhode Island: House Bill 7787, the Rhode Island Data Transparency and Privacy Protection Act, was passed by the State Senate and is now at 50% progression. This bill, paired with Senate Bill 2500, aims to improve data transparency and privacy protection. If approved, it will take effect on January 1, 2026.

4) Strong Impact Tech

• LinkedIn has stopped using special category data for targeted advertising. This decision was made after the European Commission requested information to check compliance with the Digital Services Act (DSA) following a complaint from civil society organizations. The complaint alleged that LinkedIn allowed advertisers to target users based on special categories of personal data from users’ participation in LinkedIn Groups. If true, this would violate the DSA’s ban on targeted ads using sensitive personal data. Press release →
• The European Commission has requested information from Pornhub, XVideos, and Stripchat regarding illegal content and the protection of minors under the Digital Services Act (DSA). The Commission seeks detailed information on the measures these companies have implemented to assess and mitigate risks related to minors’ online protection and to prevent the spread of illegal content and gender-based violence. Read more here →

About us

Attorney-level solutions to make your websites and apps compliant with the law across multiple countries and legislations.

www.iubenda.com

The post DPO Newsletter: Global Data Protection & Privacy News (issue #132) appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Keep reading to understand the details of this case below

Legislative Push Against TikTok

President Joe Biden just approved an omnibus foreign aid deal that includes a possibly prohibitive clause against TikTok. The parent business of TikTok, ByteDance, is required by law to sell the platform within nine months. The Protecting Americans’ Data from Foreign Adversaries Act, which tries to prevent data brokers from disclosing private information to foreign enemies, is also included in this package.

Furthermore, a bill mandating ByteDance to sell TikTok within a year or risk a nationwide ban has been expedited by the U.S. House. 

ByteDance would need to locate a buyer who has been authorized by the US government if this measure is adopted. In similar news, it has been claimed that TikTok is thinking about firing General Counsel Erich Andersen.

Fast-Track Court Challenge

The U.S. Justice Department and TikTok have jointly asked an appeals court to expedite the consideration of the new statute, which requires ByteDance to sell its U.S. assets by January 19 or risk a ban, in response to the legislative pressure. If necessary, this swift legal action seeks to get a Supreme Court review prior to the deadline.

Since 170 million Americans use the app, a group of TikTok creators has already launched a lawsuit to prevent the rule, claiming it has a significant impact on American life. In a related lawsuit, TikTok and ByteDance claimed that the law infringed upon their First Amendment rights to free speech.

Both the Justice Department and TikTok emphasize the public’s strong interest in a speedy resolution given the platform’s large user base. They think the legal dispute might be resolved with a quicker timeline without the need for emergency injunctive relief.

For reasons of national security, the White House is in favor of terminating Chinese control of TikTok, but it is not in favor of a complete ban. Discussions have been requested by both sides for September, and the Justice Department may submit classified data to support its allegations of national security.

Reauthorization of Section 702 of FISA

President Biden reauthorized Section 702 of the Foreign Intelligence Surveillance Act (FISA) on April 20, which was another significant development. The Senate approved it with a vote of 60-34. Experts such as Professor Matthew Waxman of Columbia University and Adam Klein of the University of Texas pointed out in a New York Times opinion piece that the reauthorization includes supervision changes that would greatly improve compliance.

Despite opposition from both parties in Congress, the program was given a two-year extension because of worries about civil liberties and possible abuse of American data. The significance of the technology in preventing security threats was emphasized by lawmakers, although several suggested changes to strengthen American privacy laws. Although these changes were not approved, the program’s safeguards against invasions of privacy and intelligence requirements remain in place.

Current Legal Landscape

In light of the changing legal landscape, TikTok is advocating for an accelerated court decision by December 6th to address the proposed ban. This legal move emphasizes the serious and nuanced position TikTok holds in the US market.

The increased emphasis on data privacy and national security is reflected in these legislative and legal actions. Businesses and consumers alike should pay close attention to these changes as they may have significant effects on data governance and global IT operations.

The reauthorization of FISA and the congressional pushback against TikTok show how seriously the U.S. government takes data privacy and national security. All of these moves highlight the growing concern about foreign tech companies and how they might affect security and privacy in the United States.

The post U.S. Legislation Intensifies Scrutiny on TikTok Amid National Security Concerns appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

We’ve compiled the latest in Data Protection and Privacy news for your convenience below.

1) Newly Published Documentation

• Spain’s data protection authority, the Agencia Española de Protección de Datos, has updated its guidance on cookies to tally with the European Data Protection Board’s Opinion 8/2024, which concerns the attainment of valid consent in “pay or okay” models implemented by large online platforms. Press release here → (in Spanish)
• The French Data Protection Authority (CNIL) has issued new guidance on using web scraping tools to collect personal data from public online spaces for direct marketing. Following inspections in 2019, CNIL clarified that publicly accessible data is still personal and cannot be reused without the person’s consent.
• The CNIL has issued guidance for organizations providing public internet access, such as municipalities, hotels, and cafes, outlining legal obligations for retaining traffic data. Key points include:
  • IP addresses and connection times must be retained.
  • Personal data must be limited to what’s necessary for processing.
  • User identity data (name, birth date, etc.) should be kept for five years.
  • Account creation info and technical data (IP address, device ID) must be kept for one year.
  • Communication origin and technical characteristics can be kept for up to three months.
  • Users have rights to access and correct their data, but these rules don’t apply to employees of the organizations.
    
    Press Release → (in French)
• The UK ICO has launched a consultation on data subject rights in generative AI, closing on June 10, 2024. The ICO is concerned that generative AI models often use personal data during training and deployment, and organizations must ensure individuals can exercise their data rights. The ICO seeks evidence on effective methods organizations use to meet these legal obligations, aiming to support innovation and protect personal data in AI development. Read here →

2) Notable Case Law

• The European Commission has begun formal proceedings to investigate whether Facebook and Instagram’s parent Meta, has violated the Digital Services Act (DSA) concerning the protection of minors. The Commission is worried that the algorithms on both platforms may promote addictive behavior in children and create ‘rabbit-hole effects’. Additionally, there are concerns about Meta’s age-assurance and verification methods. Read about the investigation here →
• The Attorneys General of Arkansas, Hawaii, Columbia, and Oregon have announced a $10.25 million settlement with wireless carriers for deceptive advertising practices. The settlement, involving AT&T, Cricket Wireless, T-Mobile, TracFone, and Verizon Wireless, addresses misleading advertising and marketing practices. Key terms of the settlement include, among others, ensuring truthful, accurate advertising & transparently outlining fees and conditions.
  
  Arkansas will receive $104,246.46 from the settlement, with $49,017.04 from T-Mobile, $30,125.14 from Verizon, and $25,104.28 from AT&T. Press release →

3) New and Upcoming Legislation

• The Vatican City State has issued a new decree on personal data protection, effective from April 30, 2024, for a three-year trial period. This regulation applies to data processing within Vatican City, excluding personal use, publicly disclosed, or anonymized data. The regulation is available in Italian here →
• The world’s first Artificial Intelligence (AI) Act has been approved. This risk-based legislation imposes stricter regulations on high-risk AI systems, banning harmful practices like cognitive manipulation and social scoring. It promotes transparency, accountability, and innovation, supported by regulatory sandboxes and a robust governance framework. The Act will be enforced two years after its official publication, aiming to set a global standard for AI regulation. Press release →
  
  US Law Updates:
• Vermont: The Vermont legislature has passed House Bill 121, a robust data privacy bill enhancing consumer privacy and age-appropriate design. If signed, it will be among the strongest privacy laws in the U.S. The bill limits data collection and use, with a private right of action for consumers against large companies handling data of over 100,000 people annually. Smaller Vermont businesses will work with the state’s Attorney General for compliance. Despite bipartisan support, the Governor may veto the bill due to the private right of action. More details →
• Minnesota: The Minnesota Senate has passed the Omnibus Agriculture, Commerce, Energy, Utilities, Environment, and Climate supplemental appropriations bill, which incorporates the Minnesota Consumer Data Privacy Act (Senate Bill 2915) that:
  • Applies to entities processing data of 100,000 consumers or deriving 25% of revenue from selling data of 25,000+ consumers.
  • Exempts small businesses as defined by the U.S. Small Business Administration.
  • Requires a chief privacy officer or equivalent contact information.
  • Allows consumers to request details on profiling decisions and data used.
  • Includes universal opt-out mechanisms, data protection assessments, attorney general enforcement, and a 30-day right to cure (sunsetting in 2026).
    
    If enacted, the law will take effect on July 31, 2025.

4) Strong Impact Tech

• Adobe has threatened legal action against Delta, an indie game emulator, over its logo’s resemblance to Adobe’s “A” logo. Delta received an email from Adobe’s lawyer stating that Delta’s app icon infringed on Adobe’s trademark and needed to be changed within the prescribed period. Following this, Apple informed Delta that Adobe requested the app’s removal from the App Store. Delta clarified that its logo was a stylized Greek letter delta, not an “A,” but agreed to update the logo to resolve the issue. Read more →

About us

Attorney-level solutions to make your websites and apps compliant with the law across multiple countries and legislations.

www.iubenda.com

The post DPO Newsletter: Global Data Protection & Privacy News (issue #131) appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

As of July 31, 2024, Google expanded the application of its EU User Consent Policy. Users in Switzerland are now also subject to this policy.

What This Means for Advertisers:

These adjustments guarantee that user privacy is upheld and that local laws are followed when handling data. We urge advertisers to assess their procedures, update their consent mechanisms, and get ready to comply with these requirements. 

Compliance and Implications:

Make sure these steps are followed in order to prevent any disruptions when using Google’s analytics and advertising tools. Although Google does not yet specifically specify account suspension, they are notifying the extension of the consent requirements. 

Compliance Requirements for Third-Party Properties

It’s important to discuss how personal data is managed when applying Google products that need integration or use on other sites, apps, or properties. It is your duty to make sure that Google’s EU User Consent Policy is followed if end users’ personal information is shared with Google via these third-party properties.

In particular, you have to use commercially reasonable efforts to guarantee that the owners and operators of these third-party properties follow the necessary procedures. This is especially crucial if you, your affiliates, or your clients do not directly operate these third-party properties, and if the operators are not already using a Google product that integrates this policy.

No Impact on Other Google Products

Please be aware that other Google services, including Google Workspace or Cloud Identity, are unaffected by this modification, which is exclusive to Google’s analytics and advertising products.

How to Comply with the EU User Consent Policy

Users are advised to use a Google-certified Consent Management Platform (CMP). 

Luckily for you, our CMP integrated with Google Consent Mode, is designed to automatically transmit the necessary consent signals, simplifying the compliance process for advertisers and publishers.

The post EU User Consent Policy: Expansion to Switzerland appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

We’ve compiled the latest in Data Protection and Privacy news for your convenience below.

1) Newly Published Documentation

• The European Data Protection Board (EDPB) adopted an opinion regarding ‘consent or pay‘ models associated with behavioral advertising typically used by major online platforms. This opinion addresses whether such models genuinely offer users a free choice as mandated by GDPR standards further to a request from the Dutch, Norwegian & Hamburg Data Protection Authorities.
• Spain’s Agencia Española de Protección de Datos (AEPD) has released its annual reports, revealing a significant surge in data protection complaints in 2023. According to the Action Report, the AEPD received a total of 21,590 complaints, marking a 43% increase from 2022 and a 55% increase from 2021. The most frequent complaints involved issues with unwanted advertising, internet services, video surveillance, and the sectors of commerce, transport, hospitality, and financial institutions. Read here → (In Spanish)
• The Danish data protection authority, Datatilsynet, released its 2023 annual report, which underscores a year of heightened activity, complex cases, and extensive international engagements. The report notes the publication of 22 national guidelines and web pages, focusing on areas such as direct marketing and television surveillance, providing targeted guidance to private companies, public authorities, and housing associations. Access the press release here → (In Danish)
• France’s data protection authority, CNIL, has released its first guidelines on using artificial intelligence (AI) while ensuring personal data protection. These guidelines cover legal and technical requirements for AI under the GDPR, including the necessity for a legal basis to process data and conducting tests on reused data, helping organizations comply with data protection standards. Read here → (In French)

2) Notable Case Law

• In a nonbinding opinion, Advocate General Priit Pikamäe of the Court of Justice of the European Union has highlighted a lapse by the Hessian Data Protection and Freedom of Information Commissioner. The criticism came after the Commissioner failed to take corrective action when a local savings bank employee accessed a citizen’s personal data without consent. Advocate General Pikamäe stated that upon notification of such data mishandling, the regulator is obliged to identify and implement appropriate corrective measures to address the infringement. Read the press release here →
• France’s data protection authority, CNIL, has imposed a fine of €525,000 on the technology retail chain Hubside.Store for its unauthorized use of phone calls and text messages for promotions. The company was found to have acquired personal data from data brokers and websites without obtaining proper consent from individuals, in violation of GDPR’s requirements. Specifically, Hubside.Store breached Article 6, lacking a legal basis for commercial prospecting, and Article 14, failing to properly inform individuals about the use of their data. The Authority’s decision can be found here → (in French)

3) New and Upcoming Legislation

• The European Parliament has endorsed new procedural rules to enhance the enforcement of the General Data Protection Regulation (GDPR). Concerned with the inconsistent enforcement across member states, Parliament aims to restore public trust by reducing lengthy legal processes. The proposed adjustments focus on improving cooperation among national data protection authorities, refining dispute resolution mechanisms, and standardizing procedural rules across the EU. Access here →
• Nebraska (US): The omnibus bill (Legislative Bill 1074) passed its final reading on April 11, and includes a proposed comprehensive privacy statute which mirrors Texas’ comprehensive law, including dedicated language for universal opt-out mechanisms and dark patterns, a 30-day cure period as well as particular coverage thresholds. If enacted, the privacy bill would take effect on January 1, 2025.

4) Strong Impact Tech

• DuckDuckGo is set to introduce a new privacy tool that enables consumers to request the deletion of their personal data from people-search websites, according to Wired. Reported here →
• Hackers have found a way to access online accounts without passwords by exploiting stolen third-party cookies. Adrianus Warmenhoven, a member of NordVPN’s Security Advisory Board, warns that if an attacker acquires an active cookie, they can log into accounts bypassing both passwords and multifactor authentication. This vulnerability underscores the need for enhanced security measures concerning cookie management and digital privacy. Read the full story here →

Other key information from the past weeks

• The Information Commissioner’s Office (ICO) is stepping up its efforts to safeguard the online privacy of children. Read here →
• ICO Expands Global Reach in Data Protection with Global CAPE Membership The Information Commissioner’s Office (ICO), the UK’s guardian of data privacy, has taken a significant step in international collaboration by joining the Global Cooperation Arrangement for Privacy Enforcement (Global CAPE). Continue reading →

About us

Attorney-level solutions to make your websites and apps compliant with the law across multiple countries and legislations.

www.iubenda.com

The post DPO Newsletter: Global Data Protection & Privacy News (issue #130) appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

We’ve compiled the latest in Data Protection and Privacy news for your convenience below.

1) Newly Published Documentation

• The Garante has released guidelines for any business or organization that keeps users’ passwords. These guidelines suggest the safest cryptographic methods for storing passwords. They cover topics like password hashing, PBKDF2, and Argon2. Read here →
• Spain’s data protection agency, the AEPD, has updated its advice on reviewing human roles in automated decisions to follow Article 22 of the GDPR. Previously addressed in 2018, the new recommendations propose evaluating how much a person is involved in the decision-making process by looking at factors like their authority, skills, abilities, effort, and autonomy. Access here →
• The U.S. Federal Trade Commission summarized its findings from cases where Avast, X-Mode, and InMarket sold personal data. It highlighted that selling browsing and location data by X-Mode and InMarket reveals detailed aspects of a person’s life. Additionally, the FTC noted that people can’t oppose or manage the collection, storage, and use of their data. Read here →
• The U.K. Information Commissioner’s Office is asking for opinions from businesses and digital advertising parties on “pay or OK” subscription plans and their alignment with third-party cookie rules. The ICO wants to know if these models would work well for users while it updates its cookie guidelines. More here →

2) Notable Case Law

• The Garante has started looking into OpenAI regarding its new AI model, ‘Sora’, and how it might handle personal data in the EU and Italy pursuant to the algorithm learns; the type of data, particularly personal data, used for training; if sensitive data like beliefs, political views, genetic or health information, or sexual life details are gathered; and the sources of this data. Read about the investigation here →
• CNIL fined the telemarketing company FORIOU €310,000 for buying data from brokers and using it without the people’s permission. CNIL found that the forms used by the data brokers to collect information were misleading, so they didn’t get proper consent from the individuals. As a result, FORIOU didn’t have a legal right to use this data for marketing, which violates Article 6 of the GDPR. The Authority’s summary can be found here →

3) New and Upcoming Legislation

US law updates:

• New Hampshire’s Governor has executed Senate Bill 255 relating to consumer privacy legislation. The law will come into effect on January 1, 2025, allowing people to know more about how their data is collected and kept. New Hampshire is now the 14th state in the U.S. with a full privacy law.
• Virginia has updated its privacy laws with two new bills focusing on protecting children’s data. Senate Bill 361 stops the data of anyone under 18 from being collected, used, or sold without permission. House Bill 707 adds extra protections for how children’s data is processed, including restrictions on collecting their location data.
• California has introduced a data broker registry as part of the California Delete Act. This registry allows California residents to easily ask for their personal information to be deleted from records held by data brokers in the state.

4) Strong Impact Tech

• Microsoft plans to use Google’s Privacy Sandbox technology in its advertising services. They aim to adopt Google’s privacy standards to improve and support the digital advertising industry with new privacy-focused technologies. Read more here →
• Tech Policy Press has shared insights from the Future of Privacy Forum on how U.S. states agree or differ on defining sensitive data. It highlights states whose data protection standards have been adopted by others and points out the broad range of protections for biometric data and information about minors.
• The European Commission has asked Meta for details under the Digital Services Act about its subscription service that doesn’t show ads, known as “pay or ok.” This request focuses on how Facebook and Instagram handle advertising, their recommendation systems, and any risk evaluations for this subscription option. Press release →

Other key information from the past weeks

• The European AI Office marks a significant milestone in the EU’s commitment to becoming a global leader in the development and regulation of AI. Read about it on our blog →
• The European Data Protection Board (EDPB) has embarked on a significant initiative aimed at reinforcing the right of access, a fundamental aspect of data protection. Read more here →
• The European Union has initiated a comprehensive investigation into TikTok, the popular social media platform, due to growing concerns over child safety, its advertising practices, and privacy protocols. Full story here →

About us

Attorney-level solutions to make your websites and apps compliant with the law across multiple countries and legislations.

www.iubenda.com

The post DPO Newsletter: Global Data Protection & Privacy News (issue #129) appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

We now have more precise details to share with you, about how Google Consent Mode will impact your digital marketing campaigns.

Two new tags

The previous version of Consent Mode relied on just two tags related to data collection that were passed to Google when a user granted or rejected consent to cookies:

• analytics_storage, refers to cookies installed for analytics purposes;
• ad_storage, refers to cookies installed for ads purposes.

The new version of the Consent Mode adds two new tags, which instead relate to how the data is used or shared:

• ad_user_data, defines whether user data can be sent to Google for advertising purposes;
• ad_personalization, defines whether personalized advertising can be enabled (i.e. remarketing).

Update your first-party user lists

As we said, these four tags are now mandatory in the EEA and UK. In particular, from March 2024, Google will stop accepting first-party lists that do not contain consent choices for EEA and UK users.

If you have first-party lists for Remarketing or Customer Match that weren’t updated with the new tags, the data in these lists will start degrading over time and become less relevant. For an optimal campaign, you should update your lists regularly and make sure they all contain consent data.

Comply with Google’s EU User Consent Policy to preserve measurement features

Google Consent Mode will not impact only personalization, but also measurement features. One of the key features of the framework is conversion modeling, which allows gathering aggregated data even from non-consented users, to improve conversion and analytics.

However, without consent data, you won’t be able to preserve the measurement features either. Google measurement products use data collected via cookies and local storage to support ad measurement, and the EU ePrivacy Directive (Cookie Law) requires consent to store cookies on the user’s device. Of course, Google has aligned its EU User Consent Policy to the EU legislation and requires consent from EEA users for both ad personalization and ad measurement.

Starting this Spring, Google is enforcing its EU User Consent Policy very strictly and non-compliance could even result in the suspension of your lists and conversion tracking features:

From Spring 2024, we are ramping up our existing audit program to ensure compliance with our EU User Consent Policy and Customer data policies. Advertisers without appropriate consent mechanisms in place may be subject to enforcement on their ads personalization and measurement capabilities. Enforcement action can include suspension of remarketing lists and disabling conversion tracking.

Enable the Google Consent Mode with iubenda

Time is up! March 6th was the deadline for the implementation of the new Consent Mode. If you still haven’t enabled it, then we suggest you hurry, to avoid losing access to key features.

The easiest and fastest way to enable the Google Consent Mode is with a Google-certified CMP, like iubenda. This is also the method that Google recommends, as it makes the implementation a lot easier on your side.

At iubenda, we’ve already integrated Consent Mode support as a default feature, and our CMP automatically passes the consent signals you collect to Google. If you’re already using our product, don’t worry, you’re all set!

But if you’re still looking for your CMP, try iubenda! Google Consent Mode is just one click away.

About us

Attorney-level solutions to make your websites and apps compliant with the law across multiple countries and legislations.

www.iubenda.com

The post The latest updates about Google Consent Mode appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

This action underscores the importance of upholding consumer rights in the digital age, particularly concerning the sale and sharing of personal information.

Streaming Services Under Scrutiny for CCPA Compliance

As streaming platforms become integral to family entertainment, from live sports to blockbuster movies, the need to protect personal information has never been greater. California’s pioneering stance on data privacy, offering consumers the legal right to instruct businesses not to sell their data, sets a precedent that Attorney General Bonta is keen to enforce.

This investigative sweep focuses on ensuring streaming services comply with CCPA’s opt-out requirements, a critical measure that has been mandatory since 2020.

Data Privacy Day: Understanding Consumer Privacy Rights

Marking Data Privacy Day, Attorney General Bonta urges consumers to familiarize themselves with their rights under the CCPA:

The law empowers Californians with increased privacy rights, including understanding how businesses collect, share, and disclose their personal information. It mandates businesses to respond to consumer requests to exercise these rights and to provide clear notices about their privacy practices.

The Right to Opt-Out

A cornerstone of the CCPA is the right to opt out of the sale or sharing of personal information for cross-context behavioral advertising. 

This provision ensures consumers can easily exercise their right to privacy with minimal steps, such as enabling a “Do Not Sell My Personal Information” setting on a SmartTV’s streaming service app. Moreover, consumers should expect these preferences to be respected across different devices and easily access the streaming service’s privacy policy detailing their CCPA rights.

Continued Commitment to Data Privacy

The enforcement of the CCPA remains a priority for Attorney General Bonta, as demonstrated by the August 2022 settlement with Sephora over its failure to comply with the CCPA’s requirements. This recent sweep sends a clear message to businesses about the seriousness of adhering to data privacy laws.

For more information on the CCPA or to report a violation, consumers are encouraged to visit www.oag.ca.gov/ccpa, vist their complaint form or check out this new resource. This initiative reinforces California’s leadership in data privacy and serves as a reminder of the ongoing efforts to protect consumer rights in an increasingly digital world.

How to Protect Your Business

Ensuring CCPA compliance is crucial for avoiding fines and building customer trust. iubenda offers tools and services to navigate data privacy laws, helping businesses easily meet CCPA standards with customized privacy policies and user opt-out mechanisms.

Why Choose iubenda?

• Easy to Use: Our intuitive interface makes compliance accessible for businesses of all sizes. Generate a privacy policy, terms and conditions, and more in just a few clicks.
• Up-to-Date with Legislation: With the legal landscape constantly evolving, we ensure your policies remain compliant with the latest regulations, including the CCPA.
• Comprehensive Solutions: Beyond privacy policies, our Consent Database and Register of Data Processing Activities help you manage consents and document compliance efforts efficiently.

Take proactive steps today to ensure your streaming service or app is compliant with the CCPA and other data privacy laws. 

The post California CCPA Cracks Down on Streaming Services appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

The BayLDA has conducted general compliance audits across Bavaria. They can be triggered by complaints, but are also conducted randomly or on specific businesses and industries without notice. The Authority uses a range of methods, from in-person visits to AI-driven online scans. Right now, the Authority is expanding with a new division called the Test Procedures Office. This change is the start of regular, focused audits to improve data protection throughout the region.

And you could be next on their list.

What do you get with iubenda?

Smart Site Scanning: Our AI-powered site scanner and guided setup help simplify the complex privacy regulations BayLDA expects you to meet.

Clearer Consents: Add easy-to-understand ‘Accept’ and ‘Reject’ options in your cookie banners, directly addressing BayLDA’s concerns.

Customizable Cookie Banners: Flexible design options mean you can align your privacy tools with your brand’s style.

Consistent Updates: Our solutions evolve in real time to match the latest laws and regulations so you can stay compliant with almost zero effort.

About us

Cookie consent management for the ePrivacy, GDPR and CCPA

www.iubenda.com

The post Get Ready for Incoming BayLDA Audits appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

The Dutch Data Protection Authority (AP) has announced that they’re ramping up compliance checks in 2024. To start off, they’re focusing on cookie banners that are misleading or difficult to navigate. The agency also released a helpful list of how to make sure your banner is compliant.

Rules of thumb for a compliant cookie banner

According to the AP, good cookie banners:

• say why trackers are being used;
• make consent choices absolutely clear;
• avoid pre-filled checkboxes;
• offer several consent options on a single layer;
• don’t hide certain choices;
• don’t require extra clicks to reject consent;
• make any in-text links obvious;
• are clear about withdrawing consent.

The AP also made a point to call out privacy controls that don’t distinguish between consent and legitimate interest.
Certain cookies don’t require user consent due to the legal basis of legitimate interest, but you still need to tell users about them. Using consent features like sliders or toggles for these cookies can be confusing since they usually can’t be turned off.

What do you get with iubenda?

Smart Site Scanning: Our AI-powered site scanner and guided setup help simplify the complex privacy regulations the AP expects you to meet.

Clearer Consents: iubenda’s expert lawyers know the requirements and make sure your privacy controls are clear and concise.

Customizable Cookie Banners: Flexible design options mean your banner can match your brand’s style.

Consistent Updates: Our solutions evolve in real time to match the latest laws and regulations so you can stay compliant with almost zero effort.

About us

Cookie consent management for the ePrivacy, GDPR and CCPA

www.iubenda.com

The post More Cookie Banner Checks in 2024 Says The AP appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Enforcement of the California Privacy Rights Act (CPRA) was originally delayed by the courts until late March 2024, but that decision has been overturned. This means the law is now in full effect, and businesses that aren’t compliant could face fines immediately.

What’s the risk? Fines are $7,500 per intentional violation, or $2,500 per non-intentional violation.

What do you need to do?

The CPRA is an update to California’s older privacy law, CCPA, both of which may also apply to businesses outside of California. Among many new requirements, this new legislation broadens the scope of CCPA, adds new categories of sensitive personal information and expands consumer rights by adding the right to correct inaccurate information and the right to limit the use and disclosure of sensitive personal information. To be compliant, you’ll need to understand how this new legislation applies to your business. That’s where we come in.

Comply with the CPRA in three easy steps

1. Generate your legal documents

Get your custom legal documents in a flash with iubenda’s Privacy and Cookie Policy Generator. Our guided setup makes it easy to choose from thousands of readymade clauses or to add your own custom legalese.

2. Get your custom privacy controls

Build a privacy controls banner tailor-made for your business, with white-label options and privacy controls that are updated constantly to stay on top of the ever-changing world of privacy laws.

3. Check the right boxes

Before embedding your new policies and privacy tools in your site, make sure you’ve turned on the “US State Laws” setting in your dashboard. This setting is usually activated during guided setup based on your answers to a few simple questions.

About us

Attorney-level solutions to make your websites and apps compliant with the law across multiple countries and legislations.

www.iubenda.com

The post Time’s up on the CPRA delay: California Privacy Law now in full effect appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

We’ve compiled the latest in Data Protection and Privacy news for your convenience below.

1) Newly Published Documentation

• The Italian Garante has released a guidance document for email management and metadata processing in the workplace, targeting both public and private sector employers. This follows investigations revealing that certain email management programs automatically collect and store comprehensive metadata from employee email accounts, including details like sender, recipient, and email size. The findings also highlighted instances where employers did not stop this data collection or reduce storage duration. Read more here → (in Italian)
• IAB Europe has released it’s updated “Guide to Quality” for 2024 which provides guidance on how to improve digital advertising campaigns, by focusing on viewability, brand safety, user experience and privacy. IAB Europe will be holding a webinar on 7 March to discuss the guide and hear from contributors. Access here →
• The Dutch data protection authority, Autoriteit Persoonsgegevens (AP), plans to target misleading cookie banners in 2024, ensuring they clearly request tracking consent. AP’s guidelines include offering clear purpose information, avoiding pre-ticked boxes, using straightforward language, consolidating choices, making all options visible, minimizing extra steps, avoiding hidden links, clarifying consent withdrawal, and not equating consent with legitimate interest. See here for more → (in Dutch)
• France’s CNIL has outlined its regulatory focus areas which include monitoring data collection during the Paris Olympics and Paralympics, online personal data collection from minors, the management of loyalty programs and electronic receipts, and ensuring data subjects’ right of access. The Authority’s summary can be found here → (in French)
• The U.K. Information Commissioner’s Office published a blog wherein app developers were reminded of their obligations to protect users’ privacy whilst also maintaining transparency in how they use personal information, obtain valid consent and establish a lawful basis for processing personal data. Accountability towards users was also highlighted in the blog. Access here →
• Brazil’s data protection authority, the Autoridade Nacional de Proteção de Dados, (ANPD) is seeking input from personal data holders and data processors until 4 March 2024, to draft a regulation concerning data subject access rights. Separately, the ANPD has launched guidance on the interpretation and practical application of the notion of legitimate interest. Press release → (in Portuguese)

2) Notable Case Law

• Italy’s data protection authority, the Garante, has fined Nirvam Srl, the owner and operator of dating site nirvam.it for GDPR violations. A fine of €200,000 was issued due to failing to maintain an adequate data processing register, lacking a clear policy on data retention periods and missing a legal basis for processing activities. The company also failed to obtain explicit consent for the processing of sensitive personal data, such as one’s sexual orientation. Read more here →
• The California Third District Court of Appeal has reversed a prior decision that paused the implementation of new CCPA regulations by the California Privacy Protection Agency (CPPA). Previously set for delay until March 29, 2024, from an initial start of July 1, 2023, the appellate court’s ruling now allows immediate enforcement of these extensive regulations.
• Poland’s Urząd Ochrony Danych Osobowych (UODO) fined the e-commerce site Morele.net PLN3.8 million for GDPR breaches after a data breach impacted 2.2 million users due to insufficient cybersecurity. UODO found that Morele.net failed to encrypt certain data, lacked two-factor authentication, and did not perform a risk analysis for public network access, leading to unauthorized access and data compromise. Access here →

3) New and Upcoming Legislation

US law updates:

• Nebraska: Legislative Bill 308 which concerns an Act to adopt the Genetic Information Privacy Act passed the final reading in the Nebraska State Legislature and was presented to the Governor of Nebraska for signature.
• Virginia: House Bill 707 to amend Consumer Data Protection Act for children’s protections was passed by the Virginia House of Delegates.
• West Virginia: House Bill 5338 which introduced the Consumer Data Protection Act was presented to the House of Representatives.

4) Strong Impact Tech

• The U.K. Competition and Markets Authority has issued a report demanding that Google does “not design, develop or use the Privacy Sandbox proposals in ways that reinforce the existing market position of its advertising products and services, including Google Ad Manager.” Meanwhile, IAB Tech Lab has also published an assessment which analyzes the challenges that the advertising industry may be subjected to upon adopting Google’s Privacy Sandbox.
• A 2023 ransomware activity analysis reported by the Record, revealed that companies paid more than USD1.1 billion to buy back data stolen during breaches. Hackers deployed “zero-day vulnerabilities” and sharpened “their operations and targeting high-profile institutions and critical infrastructure like hospitals, schools, and government agencies” throughout last year. Read the full story here →

Other key information from the past weeks

• Meta is updating its platforms, including Facebook and Instagram, to empower users in the EU, EEA, and Switzerland with greater control over their data usage, in compliance with the EU’s Digital Markets Act (DMA). Read about it here →
• IAB Europe, a key player in digital marketing, advertising, and media, has recently voiced significant concerns about the European Parliament’s draft report on the GDPR procedural regulation. Follow the news here →
• Apple has just rolled out a series of significant updates for iOS, Safari, and the App Store, specifically tailored for the European Union (EU) region. These changes are a response to the new Digital Markets Act (DMA). Full story here →

About us

Attorney-level solutions to make your websites and apps compliant with the law across multiple countries and legislations.

www.iubenda.com

The post DPO Newsletter: Global Data Protection & Privacy News (issue #128) appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

The text of the email

Here below, you can read the text of the email, which was shared on X/Twitter by a Google Ads user:

What is the EU User Consent Policy?

The EU User Consent Policy was first issued in 2015 and then updated in 2018 when the GDPR was enforced. Basically, if the GDPR and the Cookie Law apply to you, you need users’ consent to use Google products, which often rely on technologies such as cookies or local storage.

How to avoid the suspension of your account

The latest update of the EU User Consent Policy was announced on January 18th, 2024. Google is enhancing the enforcement of the policy, making it stricter. In particular, from now on, publishers and advertisers showing ads to consumers in the European Economic Area (EEA) and the UK need to send verifiable consent signals through Google Consent Mode v2.

The best and most efficient way of doing this is through a Google-certified CMP, like iubenda. A CMP with a Google Consent Mode integration will automatically pass the consent signals, without any effort on your behalf.

The post Google is sending emails asking users to comply with the EU User Consent Policy: how to avoid the suspension of your account appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

This fine underscores a crucial lesson for website owners: the importance of clear and compliant communication with customers.

Uncovering HelloFresh’s Compliance Missteps

The company’s opt-in statement for these communications was not specific or informed, lacking clear mention of SMS and being bundled with other aspects. 

This led to customers not being fully aware of what they were opting into, especially regarding the use of their data for marketing up to 24 months post-subscription cancellation. 

The investigation, initiated due to public complaints, revealed that HelloFresh continued to contact some individuals even after opt-out requests. This case reflects the importance of transparent and legally compliant communication strategies.

For more details, please visit the ICO’s website here.

Want to learn more about legal requirements for email marketing?

---

Check out our comprehensive and practical guide here

Don’t risk your business’s reputation and finances

At iubenda, we understand the challenges of navigating complex legal requirements for digital communication. HelloFresh’s oversight demonstrates the risk of unclear consent terms and the consequences of not fully respecting customer choices.
Our suite of services offers a robust solution to these challenges.

In today’s digital landscape, trust and compliance are key to sustaining customer relationships and business growth. Learn from HelloFresh’s mistake. Choose iubenda to safeguard your digital communications and stay compliant.

Visit our website to learn how iubenda can help you stay compliant and build trust with your customers.

The post Learn from HelloFresh’s Costly Mistake: Ensure Compliance with iubenda appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

We’ve compiled the latest in Data Protection and Privacy news for your convenience below.

1) Newly Published Documentation

• The Spanish Data Protection Authority (AEPD) has released a guide detailing conditions under which audience measurement cookies, used for collecting traffic statistics, can be exempt from user consent. These cookies must solely measure site or app audience, produce anonymous data, and not be used for comparative analysis, data transmission to third parties, or tracking across multiple sites and apps. Cookies repurposed for other uses don’t qualify for this consent exemption. (in Spanish)
• The CNIL, France’s data protection agency, has issued a draft guide on transfer impact assessments (TIAs) for data sent outside the European Economic Area. The guide advises data controllers to understand the data being transferred, use documented transfer tools, comprehend the receiving country’s laws, apply additional measures, and continually reassess the needed data protection level. Feedback on the draft is open until 12 February 2024. Access here → (in French)
• The California Consumer Privacy Act (CCPA) has announced an upcoming strategic plan focused on safeguarding consumer privacy, educating businesses and consumers about their rights and responsibilities, and enforcing legal actions against businesses infringing on privacy rights. This plan is set to be published in February 2024 and implemented thereafter. See more here →

2) Notable Case Law

• The French data protection authority, CNIL, fined NS Cards France SAS €105,000 for GDPR and French data law violations. NS Cards France required account creation for online payments, collecting extensive personal information and identity documents. CNIL’s investigation revealed that this data was retained for 10 years without purpose, with no database purge since 2005, affecting 51,735 accounts. Additionally, the NS Cards France website non-consensually installed 13 cookies, including Google Analytics. The company’s privacy policy was also outdated, and featured weak password security protocols. Access the press release here → (in French)
• Noyb has filed another complaint with the Austrian data protection authority (DSB) against Facebook‘s “pay or okay” policy, this time focusing on the challenge users face in withdrawing consent without opting for a paid subscription. Noyb urges the authority to mandate Meta to align its data processing with EU data protection laws, including providing a straightforward method for consent withdrawal without fees. They also recommend imposing a fine to deter GDPR breaches. The case is expected to be transferred to the Irish DPC, Meta’s lead authority in the EU. Reported here →

3) New and Upcoming Legislation

US law updates:

• Colorado: Senate Bill 41 on Privacy Protections for Children’s Online Data was introduced in the Colorado State Senate. The bill would amend the Colorado Privacy Act as it adds data protections for a minor’s online activity.
• Indiana: Senate Bill 17 which would introduce a new chapter in the Indiana Code concerning trade regulation relating to age verification for harmful materials to minors has passed the Judiciary Committee.
• South Carolina: the House Bill 4696 concerning Consumer Privacy and House Bill 4541 for the Child Data Privacy and Protection Act were introduced to the House of Representatives.
• Vermont: House Bill 712 relating to an Act concerning the age-appropriate design code was introduced to the General Assembly.
• Washington: House Bill 1616 which creates a charter of people’s personal data rights was re-introduced to Legislature.
• Missouri: Senate Bill 731 concerning an act which establishes new consumer rights which protect certain data has passed its second reading in the General Assembly.
• New Jersey: Senate Bill 332 which requires notification to consumers of collection and disclosure of personal data by certain entities has passed both the Assembly and Senate.

4) Strong Impact Tech

• Customers in the EU will be able to store and process their Microsoft cloud data within the EU as part of the company’s plan to comply with privacy and security rules. The move helps other businesses that operate in multiple countries more easily comply with EU data storage requirements. Read here →

Other key information from the past weeks

• Google, an Alphabet Inc. subsidiary, recently reached a settlement in a significant lawsuit alleging privacy breaches. The lawsuit, demanding at least $5 billion, charged Google with secretly tracking the online activities of numerous users under the impression of private browsing. Read the news here →
• TikTok is currently facing a lawsuit related to digital privacy concerns. The core issue revolves around TikTok’s use of a ‘pixel’ tool on websites, including Hulu, Etsy, and Build-a-Bear Workshop. This tool is designed to collect advertising data, and it’s alleged that it tracks the activity of individuals who don’t use TikTok. Full story here →
• The Commission introduced a vital component for digital market regulators: a fresh template for disclosing consumer profiling methods. This initiative is a part of the broader Digital Markets Act (DMA), aligning with its Article 15. Learn more here →

About us

Attorney-level solutions to make your websites and apps compliant with the law across multiple countries and legislations.

www.iubenda.com

The post DPO Newsletter: Global Data Protection & Privacy News (issue #127) appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

We’ve compiled the latest in Data Protection and Privacy news for your convenience below.

1) Newly Published Documentation

• The Datatilsynet, Denmark’s data protection authority, has issued a guide on managing access rights. This guide specifically covers the topic of rights management, a concept that involves controlling access to an organization’s IT systems and physical locations, as well as determining the specific information that individual users are allowed to access. Read the press release here → (in Danish)
• The Dutch data protection authority, Autoriteit Persoonsgegevens, has released a Privacy guide advising companies on privacy policies and emphasizing transparency in data protection. The guide stresses the importance of demonstrating GDPR compliance and robust data management for building trust in online businesses. Access here → (in Dutch)

2) Notable Case Law

• The EU Court of Justice (CJEU) ruled in terms of Article 22 of the General Data Protection Regulation (GDPR) against automated decision-making systems like Germany’s SCHUFA, which uses personal data for scoring creditworthiness. The Court declared such practices illegal if they significantly impact individuals’ lives, especially when these scores play a ‘decisive’ role in decisions by entities like banks. Read about the decision here →
• The CJEU determined that administrative fines under the GDPR can only be imposed for wrongful infringements, either intentional or negligent. This ruling, responding to inquiries from Lithuanian and German courts, clarifies that data controllers are may also be liable for fines resultant of their processors’ actions. The press release can be found here →
• The Belgian Data Protection Authority settled with four media websites, L’Avenir, RTBF, Mediafin, and IPM regarding their cookie usage, following noyb’s complaints. While fines were not imposed, the companies must modify their cookie banners to include a ‘refuse all’ button, avoid emphasizing the ‘accept all’ option, and simplify the consent revocation process. Except for Mediafin, all must also clarify the use of essential cookies and the effect of withdrawing consent, within one month to implement these changes. Read more here on our blog →
• The EDPB published its urgent binding decision against Meta for GDPR violations in behavioral advertising. The EDPB identified ongoing breaches in Meta Ireland’s use of contract and legitimate interest for data processing and non-compliance with DPAs’ decisions. Consequently, the EDPB instructed the Irish DPA to enforce a ban on Meta Ireland’s data processing for behavioral advertising based on these legal grounds. Press release here →

3) New and Upcoming Legislation

• The California Privacy Protection Agency has released proposed amendments to the current California Consumer Privacy Act. These updates aim to expand the scope and penalties of the act, and include modifications regarding dark patterns and responsibilities pertaining to the rights of data subjects. Access here →

4) Strong Impact Tech

• Meta, Facebook’s parent company, is facing a €550 million lawsuit from AMI, an association representing 83 Spanish media outlets. The lawsuit accuses Meta of unfairly dominating the advertising market through the extensive and systematic exploitation of user data from Facebook, Instagram, and WhatsApp. They allege it is often collected without explicit consent, violating data protection laws and constituting unfair competition. Reported here →
• The U.S. Federal Trade Commission has urged a federal appellate court to deny Meta’s plea for a temporary suspension of their legal dispute concerning user data monetization. The FTC argues that Meta’s request is an attempt to evade a potential FTC directive that might bar the company from monetizing the data of minors. Read more here →

Other key information from the past weeks

• Italy’s data protection authority, Garante, is conducting an investigation into the data collection methods used for training algorithms. This investigation targets both public and private organizations, aiming to ensure they implement adequate security measures to protect against the webscraping of personal data. There is a 60-day public consultation underway to discuss potential security strategies to prevent data scraping. Read here → (in Italian)
• The UK Information Commissioner’s Office has sent warning letters to the country’s top websites, urging them to enhance their third-party cookie practices within 30 days or face enforcement actions. “Companies must make changes now or face consequences,” stated ICO Executive Director of Regulatory Risk. More here →

About us

Attorney-level solutions to make your websites and apps compliant with the law across multiple countries and legislations.

www.iubenda.com

The post DPO Newsletter: Data Protection & Privacy News (issue #126) appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

In this post

---

Consent Mode Background

Google Consent Mode v2

• Difference between Consent Mode and Consent Mode v2

Using Consent Mode v2 continue maximising your revenue after March 2024

Using a Google Certified CMP with Consent Mode v2

Consent Mode Background

Over the last few years, the impact of privacy laws like the GDPR and ePrivacy Directive on businesses and the public has grown tremendously. Consent and the lawful management of personal data has been central to legal privacy requirements and has led to changes and innovations in the way businesses operate.

One of these major changes was the introduction of Google Consent mode.

Additionally, with the introduction of the new Digital Markets Act (DMA or Regulation 2022/1925), Google, along with a few other huge companies (like Meta) has been named as a gatekeeper. This designation gives certain enhanced responsibilities to Google and other gatekeeper companies, including the direct responsibility of obtaining user consent for their central services. The DMA will be enforced from March 2024.

Google Consent Mode v2

What’s new in Consent Mode v2

Google is now updating from Consent Mode to Consent Mode v2. At least part of this can be attributed to the ongoing development of privacy legislation, including the recent DMA.

With that said, the main difference between Consent mode and Consent Mode v2 is the addition of 2 new parameters – ad_user_data and ad_personalization .

• ad_user_data, indicates whether a user has consented to send their data to Google for advertising purposes
• ad_personalization, whether personalized advertising can be enabled (for things like remarketing). This parameter passes granted or denied values based on the preferences users set on your site’s cookie banner.

If consent is denied for one or more parameters, the relevant tags adjust their behavior or stay entirely blocked.

For some additional context, the initial pre-existing parameter tags (analytics_storage & ad_storage) were related to data collection, and these 2 new v2 tags relate to how data is used and shared.

The addition of these 2 new tags now mean that a total of 4 signals are required for Consent Mode.

“From March 2024, we will require these 4 signals to be passed via Consent Mode in order for personalized advertising within Google to be enabled for new EEA users.”

If you use use audience features for advertising, you’ll need to upgrade or implement this new version of Consent Mode.

Consent Mode Basic Implementation vs Advanced

Consent Mode offers both a Basic and an Advanced implementation – with advanced being recommended.

Under the basic implementation, no information is collected at all, not even consent status. Tags stay blocked until consent has been granted and will not load unless consent is granted. If the user consents, tags load and behave as normal

Under the advanced implementation, Google tags are loaded before the consent dialog appears and tags send cookieless pings when cookie consent declined.

Using Consent Mode v2 continue maximizing your revenue after March 2024

From March 2024 onwards, all 4 signals mentioned above must be passed via Consent Mode for personalised Ads to run.

Advertisers not using Consent Mode may see a potential drop in measured conversions and a resulting lower confidence in bidding and optimization. Without Consent Mode v2, the conversion rates your observe may not accurately reflect reality. When consent isn’t given, Advertisers can lose out on up to 60% of measurement data – making upgrading to Consent Mode v2 vital for businesses.

Easy Consent Mode v2 Implementation Using a Google Certified CMP

The easiest way to keep your revenue and business campaigns running smoothly is to use a Google Certified Consent Management Platform (CMP) with Consent Mode v2.

CMPs handle the consent banners, consent management and signalling with Consent Mode to transmit the necessary parameters to Google as required.

Google has certified a few trusted CMP Partners, and work with them to make Consent Mode adoption as easy as possible.

iubenda’s Consent Mode support is included in all our plans –including the Free plan.

About us

Attorney-level solutions to make your websites and apps compliant with the law across multiple countries and legislations.

www.iubenda.com

The post Google Announces Consent Mode v2 – here’s what it means for your business and advertising appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

We’ve compiled the latest in Data Protection and Privacy news for your convenience below.

1) Newly Published Documentation

• The Office of Communications (Ofcom) released an announcement clarifying its responsibilities after the Online Safety Act came into force. Ofcom highlighted its official duty as the overseer of online safety, with the responsibility to ensure that services under its regulation adopt suitable actions to protect their users. Read here →
• The ICO and the European Data Protection Supervisor (EDPS) have entered into a Memorandum of Understanding, reaffirming their shared commitment to safeguarding individuals’ data protection and privacy rights and collaborating on a global scale to accomplish this objective.
• The Brazilian data protection authority (ANPD) released an activity report in celebration of the three years since the beginning of its operations, in 2020. (in Portuguese)

Data Protection Authorities Scrutinize Meta’s Paid Subscription Model

• Danish Authority Weighs in on Meta’s Ad-Free Options
  • The Danish Data Protection Authority, Datatilsynet, is set to contribute insights to the Irish Data Protection Commission’s (DPC) evaluation of Meta Platforms Ireland Limited’s latest feature.
  • This new option allows Instagram and Facebook users to opt for a paid version that excludes behavioral marketing.
  • The move comes after the European Data Protection Board mandated Meta to adjust its use of personal data for behavioral marketing. More details → (in Danish)
• Hamburg Commissioner Examining Meta’s Subscription Model
  • The Hamburg Commissioner for Data Protection and Freedom of Information is scrutinizing Meta’s proposed ad-free subscription service.
  • The model is being assessed for its alignment with the website subscription standards of the Data Protection Conference.
  • However, there remains uncertainty about whether Meta’s planned implementation will be deemed legally compliant in the future. Learn more → (in German)
• Norway’s Data Authority Joins European Review
  • Norway’s Data Protection Authority, Datatilsynet, is participating in a Europe-wide review of Meta’s ad-free subscription model for EU users.
  • The focus is on addressing potential violations of targeted advertising under the GDPR.
  • The authorities have expressed doubts about Meta’s compliance, especially concerning the necessity to pay for avoiding ‘consent’. Further information → (in Norwegian)

2) Notable Case Law

• Following the initiation of evaluations in 2022, the Danish Agency for Digitalization (Digitaliseringsstyrelsen) has recently directed two separate mandates against Meta and Google. These directives address the companies’ deployment of cookies and analogous technologies on their respective websites and the information given to users prior to making their choice. The service providers have been granted four weeks to correct the alleged deficiencies. Read about the decision here → (in Danish)
• A privacy advocate, has filed a complaint alleging that YouTube’s ad blocker detection mechanism is in violation of the EU ePrivacy Directive. The claim states that prior to deploying the detection technology, YouTube did not obtain consent from users. Read about it on our blog →

3) New and Upcoming Legislation

• The Data Protection and Digital Information Bill (Bill No. 2) was introduced by the UK Parliament and will be reintroduced in the 2023–2024 session. It carries over the previous version of the bill. Read more here →
• On November 9, 2023, the Data Act, which had previously been approved by MEPs and member states, was adopted. Its goal is to remove obstacles to data access in order to promote innovation. More details here →

4) Strong Impact Tech

• Research by the Dutch Broadcasting Foundation revealed that several political parties in The Netherlands had secretly placed tracking cookies on different websites. An official from the Dutch data protection authority stated that the organisation was requesting more information about each political party’s actions from them. Reported here → (in Dutch)

Other key information from the past weeks

• The European Commission has formally sent AliExpress a request for information under the Digital Services Act (DSA) on the measures it has taken to comply with obligations related to risk assessments and mitigation measures to protect consumers online.
• Quebec’s data protection authority, the Commission d’accès a l’information du Québec, adopted guidelines for organisations on the criteria for the attainment of valid consent to process personal data under Law 25.
• The dating application Grindr sued the Norwegian data protection authority, Datatilsynet, after it was fined NOK65 million for sharing user locations and advertiser information with marketing partners, NRK reports.

About us

Attorney-level solutions to make your websites and apps compliant with the law across multiple countries and legislations.

www.iubenda.com

The post DPO Newsletter: Data Protection & Privacy News (issue #125) appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Update on Data Privacy in the EU: IAB Europe Advocates for Public Consultation on ‘Consent or Pay’ Model

Brussels, Belgium, 19 March 2024 – A coalition of digital associations, including IAB Europe, Alliance Digitale, IAB Italia, and IAB Spain, has officially addressed the European Data Protection Board (EDPB). In a joint letter, they articulate crucial points for consideration regarding the EDPB’s forthcoming Opinion and Guidelines on the ‘Consent or Pay’ model. The group calls for a public consultation, stressing the necessity for the EDPB’s stance to reflect current EU and EEA case law and guidelines, and advocating for cooperation with competition and consumer protection bodies to define “reasonable” pricing standards.

The associations underscore public sentiment favoring the choice between paid services and ad-supported content, defending the model against critiques that it equates to “paying” for data protection rights. They assert that compliance with the GDPR is paramount, regardless of the payment or consent given by users.

You might have seen by now: Meta has launched a paid subscription option across its platforms, Facebook and Instagram. This Facebook subscription allows end users to subscribe for a fully ad-free experience. According to Meta, this paywall is a way of complying with European regulations.

Meta’s “Pay or OK” Model Under Scrutiny in Europe

Meta’s “Pay or OK” subscription model, allowing users to opt for an ad-free experience on platforms like Facebook and Instagram in exchange for a fee, has attracted significant attention and concern across Europe. Members of the European Parliament, Paul Tang and Kim Van Sparrentak, have sought clarity from the European Commission on the legality of this model, questioning its compliance with data protection regulations.

European consumer organizations from eight countries, including Czechia, Denmark, Greece, France, Norway, Slovakia, Slovenia, and Spain, have filed complaints against Meta’s subscription model. These complaints, coordinated by the pan-European consumer group BEUC, argue that Meta’s data collection practices through this model violate the EU’s General Data Protection Regulation (GDPR). BEUC’s Deputy Director General, Ursula Pachl, emphasized the need for data protection authorities to address Meta’s “unfair data processing” and its infringement on fundamental rights.

The European Data Protection Board (EDPB) is expected to make a decision regarding the “Pay or OK” model, which could influence global data collection standards. This decision is particularly relevant as it could affect the ongoing reform of Australia’s Privacy Act, highlighting concerns that such models support “surveillance-based business models.”

Moreover, the European Commission has formally requested information from Meta under the Digital Services Act, focusing on the company’s advertising practices, recommendation systems, and risk assessments related to its subscription model. This request indicates the Commission’s proactive stance in ensuring digital services operate within legal frameworks.

In the UK, the Information Commissioner’s Office (ICO) has initiated a “call for views” to explore how “Pay or OK” models can comply with regulations concerning third-party cookies. This move reflects the ICO’s commitment to updating cookie compliance guidelines while considering the practical implications for businesses and digital advertising stakeholders.

As regulatory bodies and consumer organizations continue to scrutinize Meta’s subscription model, the outcome of these inquiries and complaints could have significant implications for privacy standards and digital advertising practices worldwide.

Update: European Commission’s Preliminary Findings on Meta’s Compliance with the Digital Markets Act

The European Commission has issued its preliminary findings regarding Meta’s “Pay or Consent” model, determining it to be in breach of the Digital Markets Act (DMA). According to the Commission, Meta’s advertising model does not comply with the DMA requirements, as it forces users into a binary choice: either consent to the combination of their personal data or lose access to certain services, without offering a less personalized but equivalent version of Meta’s social networks.

Under Article 5(2) of the DMA, gatekeepers like Meta are required to seek users’ consent for combining their personal data across designated core platform services and other services. If a user refuses to give such consent, they must still be provided access to a less personalized but equivalent alternative. The law prohibits gatekeepers from making access to the service or specific functionalities conditional upon the user’s consent.

The Commission’s preliminary view highlights the necessity for Meta to adjust its advertising model to comply with these regulations, ensuring that users have a genuine choice regarding their personal data.

Are paywalls allowed in the EU?

According to the GDPR, consent should always be freely given. That’s why EU Data Protection Authorities are generally against the use of a paywall. However, in the last year, more and more EU DPAs have declared that the paywall system would be acceptable if users are properly informed about what they are consenting to and the paywall system actually provides an equal alternative to consent.

The discussion around this topic is still quite heated. However, Meta isn’t the first company to implement a paywall on its platforms. Many others – mostly publishers – have already introduced a paid option as a way of respecting users’ privacy rights while preserving their ability to be profitable.

Lawful ways to recover consent

If you’re a publisher or a business that monetizes content, then you should know that there are a few effective ways for consent recovery, that can help you optimize your earnings while respecting users’ privacy rights.

For example, iubenda has meticulously crafted several features that bridge the gap for optimal consent rates and a satisfying user journey, to help you boost your revenue:

• Our Consent Recovery feature allows you to display a custom message instead of the pre-blocked scripts and iframes, maximizing your opportunities to obtain users’ consent.
• Our flexible Cookie Paywall strategically limits access to content based on user consent preferences.
• Our Reverse Proxy guarantees uninterrupted cookie consent collection, by navigating around ad-blockers.

About us

Attorney-level solutions to make your websites and apps compliant with the law across multiple countries and legislations.

www.iubenda.com

The post Facebook and Instagram Subscription: Meta adds a paywall appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Background

This landmark decision roots back to 2020 when the Norwegian Consumer Council (NCC) filed a complaint further to the publication of the “Out of Control” report. The report had served as an eye-opener as it detailed how Grindr indiscriminately shared users’ intimate data with a plethora of commercial entities. These third parties had the autonomy to further distribute the information to an expansive network of companies, primarily for tailoring surveillance-driven advertisements. 

The NCC alleged that Grindr breached the General Data Protection Regulation (GDPR) through these practices. 

Invalid Consent

Throughout the proceedings, the Norwegian Data Protection Authority also noted that Grindr had not obtained valid consent to share the personal data in question. 

Personvernnemnda also upheld this and highlighted that: 

“the user was not given a free choice to consent to the disclosure of personal data during registration in the app, and that the relevant information about data sharing was only included in the privacy policy.”

following which, it upheld the Norwegian Data Protection Authority’s decision to fine Grindr.

Welcomed Decision

Finn Myrstad, the Director of Digital Policy at the NCC, emphasized the gravity of the situation in a press release: 

“Surveillance-based advertising, where companies collect and share personal data for commercial purposes, is entirely unchecked. We applaud the Norwegian Data Protection Authority’s determination in addressing our grievance and the subsequent validation by the Norwegian Privacy Appeals Board, underscoring that Grindr’s sharing of sensitive data with third-party entities is indeed unlawful.”

Recognizing the potential implications, the NCC, accompanied by a consortium of consumer and human rights organizations from Europe and the US, has advocated for the outright prohibition of surveillance-oriented advertising.

A Wake-Up Call for Digital Enterprises

The Grindr case is more than just a hefty fine. It serves as a timely reminder of the immense responsibilities companies shoulder in the digital age. With stricter regulations and an increasingly vigilant consumer base, compliance with data protection norms is non-negotiable.

For businesses navigating these complex legal waters, tools, and services that ensure GDPR compliance are indispensable. It’s not merely about avoiding fines but fostering trust with your user base.

Let iubenda Guide Your Compliance Journey

With a vast landscape of data protection regulations and their intricate nuances, ensuring complete compliance can be daunting. 

At iubenda, we offer a suite of solutions designed to simplify this process. From privacy policies to cookie management, our tools are crafted to help you maintain transparency and stay aligned with evolving regulations.

The post Grindr Faces €5.8 Million Fine: A Reminder on the Importance of GDPR Compliance appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

We’ve compiled the latest in Data Protection and Privacy news for your convenience below.

1) Newly Published Documentation

• The French data protection authority, CNIL, has published “a first series of guidelines for the use of AI that respects personal data.” Principles concerning minimization, finality and retention periods are all addressed in the guidelines whilst noting that the GDPR offers an “innovative and protective framework” for AI. Read here (in French) →
• The UK-US Data Bridge entered into effect on October 12, 2023. Businesses in the UK can transfer personal data to US organizations certified under the UK Extension to the EU-US DPF without needing additional safeguards. Access here →
• The European Commission has published a template for the compliance report to be submitted by gatekeepers under the Digital Markets Act. The report must be completed in a detailed and transparent manner and will determine whether gatekeepers are in compliance with the DMA. Read here →
• The European Commission has sent a request for information to X, formerly known as Twitter, under the Digital Services Act (DSA). Learn more here →

2) Notable Case Law

• The European Union General Court has rejected the French Member of the European Parliament Philippe Latombe’s request to suspend the EU-US Data Privacy Framework. The decision follows Latombe’s filing against the transfer agreement and subsequent adequacy decision. Read about the decision here (in French) →
• The UK Court of Appeal has ruled that the UK Information Commissioner’s Office (ICO) had acted lawfully in relation to a subject access request complaint. The case addressed the ICO’s remit within an investigation. The Court of Appeal further confirmed the ICO’s “broad discretion in deciding the extent to which it investigates each complaint.” Access the press release here →

3) New and Upcoming Legislation

• California: Senate Bill 362 which is informally known as the “Delete Act” was signed by the California Governor. Separately, Assembly Bill 947 concerning the California Consumer Privacy Act of 2018: sensitive personal information was signed by the Governor into law. Citizenship and immigration status have been added to the definition of sensitive personal information.

4) Strong Impact Tech

• The Norwegian data protection authority (Datatilsynet) has confirmed that “advertising on Facebook has not been banned in Norway” but precaution is being encouraged. Moreover, it was also confirmed that provided that users’ valid consent is given, personalized marketing on Facebook is also not banned. Read more here (in Norwegian) →
• The Wall Street Journal has carried out an investigation into data brokers’ purchasing of information generated from advertisements on mobile phones and the consequent sale of such information to government contractors for surveillance purposes. It is alleged that the cloud-based data intelligence platform Near Intelligence did not have the relevant authority to resell its data. Reported here →

Other key information from the past weeks

• Meta is considering a model where EU users might have to pay up if they wish to maintain their privacy rights. What you need to know →
• Consumer Reports, a non-profit advocate for consumer rights, launched a new app to restore control over personal data in a few simple taps. Learn more here →
• The five-year privacy controversy involving DAZN has finally come to an end. Read here →

About us

Attorney-level solutions to make your websites and apps compliant with the law across multiple countries and legislations.

www.iubenda.com

The post DPO Newsletter: Data Protection & Privacy News (issue #124) appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

TikTok is facing a €345 million (about $368 million) fine in Ireland. The Irish Data Protection Commission (DPC) found that the shortform video-sharing service failed to protect children who used the app. The DPC, the chief European data privacy regulator for most tech companies, has been investigating TikTok since 2021.

Child Safety and Data Transfers Under the Lens

The commission looked into how TikTok processes children’s data alongside concerns with how the company transfers data to China, where their owner is based. TikTok took in $9.8 billion in 2022, meaning this fine could represent a whopping 3.8% of the company’s revenue.

Prior to the investigation, TikTok showed off steps to prioritize child safety, but the DPC called those efforts too little, too late. The nine-figure fine stems from violations in the latter half of 2020, during which time they say TikTok’s signup process pushed users toward more “privacy-intrusive” settings and led to teens’ profiles being set to publicly visible by default.

On top of these issues, the “family pairing” feature designed to help parents manage their kids’ accounts actually enabled other adults to remotely turn on direct messaging for 16 and 17-year-olds.

Compliance and Ongoing Controversies

The Irish regulator also examined how the app verifies that users are age 13 or older and found TikTok compliant in that case. The DPC gave TikTok three months to fully comply, but the company claims the bulk of the practices for which they were reprimanded have been resolved for years.

This isn’t the first time TikTok has come under fire for how children interact with their platform or even the first time the company’s been fined for violating children’s rights in this part of the world.

Most European countries fall under the General Data Protection Regulation (GDPR), a strict set of privacy rules that gives individuals extensive control over their personal data. The same regulators hit Meta with the largest GDPR fine ever—$1.2 billion—earlier this year.

Worried About GDPR Fines?

About us

Attorney-level solutions to make your websites and apps compliant with the law across multiple countries and legislations.

www.iubenda.com

The post Irish Regulator Slaps $368M Fine on TikTok appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

We’ve compiled the latest in Data Protection and Privacy news for your convenience below.

1) Newly Published Documentation

• The European Commission has designated the six “most impactful online companies” as gatekeepers under the Digital Market’s Act (DMA): Alphabet, Amazon, Apple, ByteDance, Meta, and Microsoft. These companies will now have six months to comply with the DMA’s provisions, including the appointment of a compliance officer that will report to their board and inform the European Commission of any plans for mergers or acquisition. The commission will become the enforcer of the DMA as of 6 March 2024. Read here →
• Politico has reported that a French Member of the European Parliament has submitted challenges to the European Union General Court against the EU-U.S. Data Privacy Framework. The European Parliament had formally voted against the DPF last April. The challenges request the immediate suspension of the trans-Atlantic agreement for data transfers whilst also questioning the legality of the DPF’s text which was notified to EU countries only in English and not published in the EU’s Official Journal. The MEP has informed the French government and the data protection authority CNIL of his challenge. Access here →
• Further to the entry into force of the Swiss Federal Data Protection Act, the Swiss Federal Data Protection and Information Commissioner has published an information sheet on the carrying out of data protection impact assessments. The document instructs federal bodies and citizens to “prepare a data protection impact assessment if the planned data processing entails a high risk for the (personal data) or the fundamental rights of the persons concerned.” Access here →

2) Notable Case Law

• The Belgian Market Court has given an interim ruling and “suspended its assessment of the validation decision” with regard to IAB Europe’s action plan. It agreed that a decision from the Court of Justice of the European Union is required before any further assessment can be made. Read about the decision here →
• The Norwegian Data Protection Authority’s emergency decision which resulted in a temporary ban of behaviour-based marketing on Facebook and Instagram has been upheld by the Oslo District Court. Meta sought to obtain a temporary injunction against the ban, however this was to no avail. The Court held that “the Norwegian Data Protection Authority’s decision is valid, and that there is no reason to stop it.” Datatilsynet is now considering bringing the decision before the European Privacy Council to extend the ban’s application to the entire EU/EEA. The press release can be found here → (in Norwegian)
• Reuters has reported that OpenAI and Microsoft Corp. are facing a lawsuit before the Northern District Court of California for “allegedly breaking several privacy laws in developing OpenAI’s chatbot ChatGPT and other generative artificial intelligence systems.” The complaint, which was filed on behalf of two unnamed software engineers who used ChatGPT, accuses the companies of “using stolen personal information from hundreds of millions of internet users” to train their AI technology. Reported here →

3) New and Upcoming Legislation

• Switzerland has ratified the Protocol of Amendment of Convention 108 and becomes “the 28^th State Party to join the modernized Convention 108 (Convention 108+).” Access here →
• The New Zealand Privacy Commissioner’s Office has revealed that an amendment to the Privacy Act has been tabled in Parliament. This proposed law mandates that entities subject to its provisions must divulge the rationale behind their data collection practices, as well as identify the first and third parties who will be privy to the collected data. Advocating for a more expansive transparency framework, the Privacy Commissioner stated that the legislative changes are designed to align with international best practices. Read more here →

4) Strong Impact Tech

• Tests conducted by the nonprofit Mozilla Foundation revealed potential issues with car manufacturers’ data practices. The survey considered 25 major automotive manufacturers and concluded that a majority are “potentially selling off consumers’ personal data and would fulfill law enforcement requests for data without a warrant.” What you need to know →
• The Verge has revealed that Google has made the APIs for its Privacy Sandbox broadly accessible to users by default. This move is part of Google’s strategy to provide a privacy-focused alternative to third-party cookies, enabling Chrome developers to substitute cookies with these APIs. Google also noted that a small fraction (3%) of Chrome users will continue to operate a browser containing embedded cookies for the purpose of conducting A/B tests. Reported here →

Other key information from the past weeks

• Google’s plea for a summary judgment in a case where it was alleged to have intruded upon the privacy of millions, has been rejected. Read the full story here →
• YouTube and its parent company, Google, find themselves at the center of a heated debate concerning children’s online privacy. Access here →
• Privacy organization noyb has filed complaints against Fitbit in Austria, the Netherlands, and Italy, alleging some serious GDPR violations. Find out more here →

About us

Attorney-level solutions to make your websites and apps compliant with the law across multiple countries and legislations.

www.iubenda.com

The post DPO Newsletter: Data Protection & Privacy News (issue #123) appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Are Your Cars Spying on You? Vehicle Data Collection, what you need to know

If you think your privacy is only compromised when you’re online, think again. A new study by the nonprofit Mozilla Foundation reveals that modern cars have become “wiretaps on wheels,” collecting an alarming amount of personal information without your explicit consent.

The Concern of vehicle data collection

• Vague Policies: Major car manufacturers are increasingly vague about who gets access to your personal data, and half of them willingly share it with government or law enforcement agencies without a court order.
• Data Overload: With sophisticated sensors, telematics, and digital consoles, modern cars are gathering more data than ever before.
• Weak Security: Given the industry’s track record of being susceptible to hacking, the vague security standards are a growing concern.
• Little Control: Car owners have little to no control over the data their vehicles collect, since they are not even aware of some data collection. 

So, Who Gets This Vehicle Data Collection?

• Government: Half of the 19 automakers surveyed may share your data with the government upon “request” — no court order needed.
• Data Brokers and Marketers: Though vague, it’s likely that your data is being sold to data brokers and marketers.
• Third-party Services: Partners like SiriusXM, Google Maps, and Onstar are also collecting data.

Failing to Meet Minimum Privacy Standards

Not one of the 25 most popular car brands in Europe and North America met Mozilla’s minimum privacy standards.

The point is particularly glaring given that many of these popular brands operate globally and are subject to various privacy regulations, such as the GDPR in Europe. 

The alarming findings highlight a significant gap in the automotive industry when it comes to data privacy and protection. For car brands and related businesses, this is a wake-up call. If your organization falls into this category, the public’s concern regarding data privacy offers you an opportunity to differentiate your brand by taking responsible action. This is where iubenda comes in.

How iubenda Can Help You Turn the Tide

Navigating the complex web of privacy laws like GDPR, CCPA as amended by the CPRA, and others can be a daunting task. iubenda provides solutions to make your compliance journey simpler and stress-free.

Why Act Now?

Consumer Trust: In an industry that’s losing consumer trust, your commitment to privacy could be a strong selling point.
Regulatory Actions: Government investigations into privacy practices in the automotive industry are a clear sign that regulatory actions are coming. It’s better to be prepared than caught off guard.
Competitive Advantage: As Mozilla’s survey indicates, no major car brand meets the minimum privacy standards currently. Be the first to turn this around and gain a competitive edge.

The post The Privacy Pitfalls of Vehicle Data Collection: What You Need to Know appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

The new policy also reveals X will collect everything from biometrics to school and work history. All of that data is on the table for xAI’s machines. It’s likely that info like user posts, search preferences and video content will be the main course.

Other businesses are dealing with Terms and Conditions (T&C) troubles too. After some uproar, Zoom had to reassure customers it won’t do the very thing X is doing, while tech giants like Microsoft and Amazon have come under fire for their unclear or unkind policies.

About us

The solution to draft, update and maintain your Terms and Conditions. Optimised for eCommerce, marketplace, SaaS, apps & more.

www.iubenda.com

The post Twitter customer’s data on the menu for xAI models appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Help your network stay compliant and give them 10% off

Earn a 30% cash commission by copying + sharing this update in your newsletter and on social media.

Step 1: Download your image

Download

Step 2: Copy the text below into your post

Feel free to change it up, or use it as is.

Switzerland just completely revised its data privacy laws, but iubenda helped me comply with a single click. Do you have that kind of protection? You can click my affiliate link [insert your link here] to get a 10% discount.

Copy!

Step 3: Insert your affiliate link and share

Don’t forget to replace the text with your affiliate link so we can send you that sweet commission.

Get your affiliate link here →

Share it in all of your posts and newsletters to maximize your cash rewards.

The post Update: Revised Swiss Privacy Law Takes Effect appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Read on! We’ll explain the new changes and how iubenda and Google are working together to help and support you. Let’s get you updated!

New Google Adsense requirements, AdMob and more

So, what are the requirements for Google Adsense?

Google announced they’re rolling out some changes later this year. If you run ads using Google’s publisher products — AdSense, Ad Manager, or AdMob — in the UK or European Economic Area, you’ll need to use a Google-certified Consent Management Platform (or CMP for short). But not just any CMP, it must be a Google certified CMP and one that integrates with the IAB Europe’s Transparency and Consent Framework (TCF).

Why is Google requiring partners to use a Google certified CMP?

By making sure businesses use a compliant certified CMP, Google aims to give users a safer, privacy-first experience.

This move is inspired by the latest IAB Europe’s Transparency and Control Framework (TCF) version 2.2 (This version has major updates and improvements compared to the previous IAB TCF 2.0). Here’s a quick peek at what it entails:

• No more using “legitimate interest” as an excuse for any form of personalization (like ads or content).
• Third-party groups now have to follow certain data holding timeframes.
• Users should easily find and use the CMP if they want to change or drop their consent.

Here’s what Google had to say:

---

“Later this year, we will require all partners using our publisher products to use a Google certified CMP that integrates with the TCF when serving ads to users in the European Economic Area or the UK.”

Read the full announcement →

What does this mean for you and your business?

If you don’t use a Google-certified CMP, your ads may not display for a big chunk of your users. This can likely result in fewer clicks, views, and revenue.

→ To avoid potential revenue loss, ensure that you use a Google certified CMP like iubenda on your site.

Already with iubenda?

If you’re already on board with iubenda, you’re ahead of the curve! No extra actions are needed on your end. As a Google CMP Partner, iubenda is Certified to give you all the help and support you need.

Not using a Google-certified CMP or unsure about yours?

For publishers who haven’t adopted a Consent Management Platform (CMP) or are with a provider that’s not aiming for Google’s certification, this is a pivotal moment. Partnering with a Google-certified CMP like iubenda can give your business a competitive edge.

iubenda has got you covered!

We’re an IAB TCF validated Consent Management Platform (CMP), and a Google CMP Partner. This means our system is already checked and certified by Google. So, with us, you’re always safe and in line with the new requirements.

Choosing to implement or migrate to our CMP is a strategic move. Here’s the competitive edge you gain:

• Google-Ready: We’re fully compliant with Google’s Consent Mode, making us a preferred partner in the Google CMP program.
• Global Compliance Coverage: Stay ahead with compliance for major regulations like GDPR, US State Laws, LGPD, and others.
• Dedicated Support: Our professional team ensures a seamless transition and ongoing support.
• Customizable User Experience: Craft consent banners that resonate with your brand and audience.

Our Consent Management Platform is not only certified by Google but also designed to foster stronger ties between publishers and the tech giant. As your business landscape evolves, we’re here to guide and support.

About us

The solution to draft, update and maintain your Terms and Conditions. Optimised for eCommerce, marketplace, SaaS, apps & more.

www.iubenda.com

The post Google AdSense Requirements: Here’s What You Need to Know appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

The background

The Department of Justice filed a complaint on behalf of the FTC, where it was noted that users who created an account on Experian Consumer Services (ECS) to manage their Experian credit report information started receiving marketing offers disguised as emails about their accounts. Moreover, these marketing emails did not provide a clear mechanism for opting out, thus violating the CAN-SPAM Act.

“Signing up for a membership doesn’t mean you’re signing up for unwanted email,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “You always have the right to unsubscribe from marketing messages, and the FTC takes enforcing that right seriously.”

As a result, the FTC fined the company $650,000 and prohibited them from further sending marketing emails without an opt-out mechanism.

What is the CAN-SPAM Act?

The CAN-SPAM Act (Controlling the Assault of Non-Solicited Pornography And Marketing) is the US email marketing regulation enacted in 2003, and it applies to any person or business that sends commercial emails for the primary purpose of “commercial advertisement or promotion of a commercial product or service”.

The CAN-SPAM Act has an opt-out approach, meaning that it does not require users to give their prior consent before receiving commercial emails, but it does require providing a clear mechanism for opting out of further contact.

How do you allow users to opt-out?

Opting out can be easily achieved by including a visible and valid unsubscribe link in your marketing emails or newsletters. Users should also have the ability to manage their mail preferences from within their accounts.

About us

Attorney-level solutions to make your websites and apps compliant with the law across multiple countries and legislations.

www.iubenda.com

The post Users can’t opt out from marketing emails: FTC fines Experian $650,000 appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

To respect your inbox and ensure that you receive only essential updates, we are shifting from a weekly to a monthly publication.

Rest assured, our commitment to keeping you informed on vital data protection and privacy matters remains steadfast. For time-sensitive news, we will still reach out sporadically.

1) Newly Published Documentation

• The U.K. Information Commissioner’s Office (ICO) and the Competition and Markets Authority have jointly issued a position paper which highlights harmful designs in the digital market. These practices include lack of equal prominence of “accept” and “reject” buttons and granular choices, among others. The ICO intends to clamp down on these practices and take “enforcement action where necessary to protect people’s data protection rights”. Read here →
• Finland’s Office of the Data Protection Ombudsman has issued a temporary order and Norway’s data protection authority, Datatilsynet, has issued a decision against Yango taxi service banning the transfer of customer data to Russia. Finland’s temporary suspension and Norway’s decision preempt the coming into force of “a new Russian law that will allow security services to obtain passenger data” as from September 1, 2023.
• Further to the amendments to the California Consumer Privacy Act pursuant to the California Privacy Rights Act (CCPA as amended by the CPRA), the California Privacy Protection Agency has been granted an adequacy decision by the Dubai International Financial Centre (DIFC). Press release here →

2) Notable Case Law

• The Spanish data protection authority (AEPD) imposed a fine of €90,000 on Masluz Energy Power SL for carrying out data processing activities without a legal basis to do so, further to telemarketing promoting better electricity rates. The AEPD also noted that the complainant’s consent to carry out the changes to the electrical provision was not proven. Read about the decision here → (in Spanish)
• The Provincial Administrative Court in Warsaw upheld the Polish data protection authority‘s (UODO) decision to impose a fine of PLN 16,000 (approximately €3,600) on Esselmann Technika Pojazdowa for failure to report a data breach concerning the loss of an employee’s personal data. The court highlighted that on discovering a data breach, the controller has the obligation to immediately (within a maximum of 72 hours) notify UODO. Press release here → (in Polish)

3) New and Upcoming Legislation

• The Presidency of the European Council has released a document which outlines the progress of the negotiations between the European Commission, the Council and the European Parliament in relation to the draft AI Act.
• The Hill has reported that the US State of Georgia is keen to raise a bill concerning children’s online safety. Inspiration is drawn from the bill passed in Louisiana earlier this year and aims to address both age verification concerns and the requirement for parental consent when accessing social media platforms. Full story here →

4) Strong Impact Tech

• Zoom, the globally renowned video conferencing platform, recently updated its terms of service. The modifications, at first glance, hinted that Zoom could use AI to analyze audio, facial movements, and even private conversations without any restraints. Read more here on iubenda →
• A potential US$5 billion lawsuit may be heard before the U.S. District Court for the Northern District of California in relation to alleged user tracking in Google’s private mode. The lawsuit relates to 2020 claims where despite the use of incognito settings, it was discovered that “Google’s cookies, analytics, and tools continued tracking users.” Full story on our blog →

Other key information from the past weeks

• France’s CNIL has issued an opinion regarding two decrees concerning parental control standards for internet access.
• The Guardian has reported that Google plans to update its policies and launch privacy tools which remove explicit personal images from web search engines.
• The Irish DPC started an inquiry into TikTok’s data processing for users aged 13-17 and children under 13.

About us

Attorney-level solutions to make your websites and apps compliant with the law across multiple countries and legislations.

www.iubenda.com

The post DPO Newsletter: Data Protection & Privacy News (issue #122) appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Zoom, the globally renowned video conferencing platform, recently updated its terms of service, raising concerns and discussion among users and privacy experts alike. 

The modifications, at first glance, hinted at an unsettling prospect: that Zoom could use AI to analyze audio, facial movements, and even private conversations without any restraints.

Initial Backlash and Clarification

The alterations to Zoom’s terms of service immediately triggered a wave of backlash, particularly because it initially seemed that opting out of this data usage wasn’t a possibility. 

The outcry was so significant that Zoom felt compelled to respond. In a blog post, the company clarified that it wouldn’t employ audio, video, or chat content for AI model training without obtaining explicit customer consent.

Understanding the Data Types

Zoom can collect two distinct categories of data:

User Consent and Potential Privacy Issues

Zoom has made it clear that they can use video calls and chat transcripts for AI training, but only if user consent is obtained. 

If a meeting host agrees to share data, it is understood that all participants would also be required to share their data if they remain in the call, potentially posing significant privacy issues.

Privacy Advocates’ Concerns

For privacy advocates, the broadness of Zoom’s terms of service raises eyebrows. They fear that the company might have intentions for various AI projects beyond the publicly stated goals of meeting summaries. As the world becomes increasingly reliant on virtual communication, the clarity, and transparency of such terms become critical.

Changes to Zooms T&Cs

In March 2023, Zoom changed its terms of service to provide clarity about content ownership across the platform. Here’s a breakdown:

Lingering Concerns Among Privacy Experts

Even with Zoom’s clarification, privacy experts continue to warn that the updated terms don’t necessarily prevent the company from utilizing customer data for AI training. The vagueness of the terms is still alarming, prompting questions about the extent of data usage and privacy protection during virtual meetings.

Zoom’s recent changes to its terms of service have opened up a Pandora’s box of privacy concerns, questions, and ongoing debates. 

While the company has attempted to provide clarification, ambiguities remain, highlighting the ever-present tension between technological advancement and user privacy. 

The situation underscores the importance of clear communication and robust privacy protections, particularly in an age where our virtual lives are becoming as essential as our physical ones. It remains to be seen how Zoom will continue to navigate this complex landscape, but one thing is clear: the conversation around privacy, consent, and AI training is far from over.

The post Zoom’s New Terms of Service: A Closer Look at Privacy Concerns and AI Training appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

We’ve compiled the latest in Data Protection and Privacy news for your convenience below.

1) Newly Published Documentation

• France’s CNIL has issued an opinion regarding two decrees concerning parental control standards for internet access. Read here → (in French)
• The European Commission (EC) is requesting the public for feedback “on the template for the description of consumer profiling techniques and audit of such reports that designated gatekeepers will have to submit annually under Article 15 of the Digital Markets Act (DMA).” Access here →
• The Executive Director of Regulatory Risk at the UK’s ICO seems to have caught wind of Meta’s intention to offer inferior rights to UK citizens versus their EU counterparts where behavioural advertising is concerned. More here →

2) Notable Case Law

• The Restricted Committee of France’s data protection authority, CNIL, has closed the injunction issued against both Google LLC and Google Ireland Limited on December 31, 2021, after Google added a “refuse all” cookies button for google.fr and YouTube. Read about the decision here → (in French)
• The Irish DPC started an inquiry into TikTok‘s data processing for users aged 13-17 and children under 13. The EDPB intervened after complaints from other DPAs, adopting a resolution under Article 65 of the GDPR. The resolution will be published once the Irish DPC finalizes its decision. The Press Release can be found here →
• The Norwegian data protection authority, Datatilsynet, imposed a daily fine of NOK one million per day (approximately €88K) on Meta, further to the issuance of a ban last month in relation to behavioral advertising on Facebook and Instagram. The fine will become effective on 14 August 2023 unless Meta is successful in obtaining an injunction against it. Read the story on our blog →
• The California Privacy Protection Agency (CPPA) and the California Attorney General have filed a petition with California’s Third District Court of Appeal to overturn the Superior Court’s decision, which imposed a year-long delay in the enforcement of the Consumer Privacy Regulations. Read the announcement here →

3) New and Upcoming Legislation

• US law updates:
  • Maine: House Bill 1977 which seeks to create Maine’s Data Privacy and Protection Act was carried over to the next session by the House of Representatives and Senate Bill 1973 which aims to establish the Consumer Privacy Act was carried over to subsequent session by Senate.
  • New Jersey: Assembly Bill 4919 concerning social media privacy, data management for children and the establishment of the New Jersey Children’s Data Protection Commission was reported out of the Assembly’s Committee with amendments and read for the second time.
• The Argentinian data protection authority (AAIP) has announced its project to update the Personal Data Protection Law before the Deputies’ Chamber. Reported here → (in Spanish)

4) Strong Impact Tech

• The Digital Advertising Alliance has launched a new consent mechanism which involves the opt-out from behavioral advertising practices on the basis of encrypted mobile phone numbers: “The DAA is adding capabilities to its existing opt-out tool for encrypted email that uses a token-based mechanism to prevent ad targeting.” Press release →
• The Guardian has reported that Google plans to update its policies and launch privacy tools which remove explicit personal images from web search engines. Furthermore, together with the policy update, Google also simplified the submission form where individuals can request that their personal images are taken down from web searches. Read the full story here →

Other key information from the past weeks

• The Guardian has reported that the proposed surveillance changes in the U.K.’s Investigatory Powers Act of 2016, may prompt Apple to withdraw its iMessage and FaceTime services from the U.K.
• Italy’s Garante fined Ew Business Machines S.p.A. (Ew) €20,000 for unlawful remote monitoring of employees further to a complaint filed by an individual.
• The European Commission has announced the formation of a new alliance designated as “EU-LAC Digital Alliance” which it has entered into with the Caribbean and Latin American nations.

About us

Attorney-level solutions to make your websites and apps compliant with the law across multiple countries and legislations.

www.iubenda.com

The post DPO Newsletter: Data Protection & Privacy News (issue #121) appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Specifically, the Garante asked MG Freesites to shed light on several aspects of its online activity:

• Does Pornhub track users? If so, in what ways and for what purposes?
• What is the legal basis for their use of cookies and what data is collected? What information is given prior to the attainment of consent?
• Is the data collected shared with third parties? If yes, are users informed through a privacy policy?
• What measures are taken to verify the age of users?

The Garante’s investigation began after a complaint filed by #StopDataPorn, a European initiative that aims to address the exploitative practices of porn platforms, like Pornhub.

According to #StopDataPorn, these platforms have access to an incredible amount of sensitive data (such as users’ sexual preferences) but do not comply with the principle of transparency of the GDPR.

The Garante had given MG Freesites Ltd 20 days to respond to its requests. To date, MG Freesites’ response or otherwise is not official. However, two new banners have appeared on Pornhub: one to collect cookie consent, the other for age verification.

What are cookie consent requirements in Europe?

One of the main problems with Pornhub was the lack of a button that allowed users to accept or reject all cookies. In fact, the platform merely informed users of its use of cookies but did not allow them to opt out of the tracking.

According to the Cookie Law and the GDPR, a website that is accessible to European users must comply with specific requirements. We’ve summarized them below:

How to comply with cookie consent requirements

The easiest way to comply with all these requirements is to use a solution that allows you to align your site with the most stringent regulations automatically.

iubenda’s Privacy Controls and Cookie Solution does just that: you only need to provide your location and the location of your users, and your cookie banner will be automatically configured in minutes.

In addition, our solution allows you to manage cookie consent requirements across the board:

• create a cookie policy;
• block cookies before consent;
• collect granular consent;
• store your users’ preferences.

The post The Italian DPA investigates Pornhub: tracking isn’t GDPR-compliant appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

We’ve compiled the latest in Data Protection and Privacy news for your convenience below.

1) Newly Published Documentation

• The Norwegian data protection authority, Datatilsynet, has issued guidance on website analytics and tracking which includes but is not limited to: the maintenance of compliance with the GDPR, minimization of data collection and the avoidance of personal data flow to unsafe third countries.
• The European Commission has announced the formation of a new alliance designated as “EU-LAC Digital Alliance” which it has entered into with the Caribbean and Latin American nations. Read here →
• France’s CNIL has requested the public to provide comments on its draft recommendation on mobile apps until the October 8, 2023, following which the CNIL will examine the public participation and launch the finalized version of the recommendation. Access here → (In French)

2) Notable Case Law

• In response to the case brought against Meta by the Australian Competition and Consumer Commission (ACCC) regarding deceptive data collection practices, the Australian Federal Court has imposed a collective fine of AUD 20 million on both entities. Read about the decision →
• Norway’s Datatilsynet issued a decision on Google Analytics against the telecommunication company Telenor ASA in relation to its website, telenor.com. Datatilsynet concluded that “when the website used Google Analytics, personal data was transferred to the United States in violation of the rules.” It therefore issued a reprimand to this effect. Press Release → (In Norwegian)
• Italy’s Garante fined Ew Business Machines S.p.A. (Ew) €20,000 for unlawful remote monitoring of employees further to a complaint filed by an individual. The Authority’s summary can be found here → (In Italian)
• Further to the preliminary study into Meta’s new social network, Threads, Brazil’s Autoridade Nacional de Proteção de Dados (ANPD), has now opened an investigation. Read here → (In Portuguese)

3) New and Upcoming Legislation

US law updates:

• Federal: The U.S. Senate Committee on Commerce, Science, and Transportation has approved Senate Bill 3663 which addresses the Kids Online Safety Act and Senate Bill 1628 concerning Children and Teens’ Online Privacy Protection Act, which would extend protection to minors aged up to 16 years of age. Press Release →
• California: The California Consumer Protection Agency (CPPA) has clarified the steps required in the administrative enforcement process.
• Oregon: House Bill 2052 concerning the registration of entities as data brokers was signed by the Governor.

4) Strong Impact Tech

• France’s competition authority, L’Autorité de la Concurrence, informed Apple Group of an issue concerning its App Tracking Transparency framework. Reported here → (In French)
• The Guardian has reported that the proposed surveillance changes in the U.K.’s Investigatory Powers Act of 2016, may prompt Apple to withdraw its iMessage and FaceTime services from the U.K. Read more on our blog →

Other key information from the past weeks

• WhatsApp has updated its privacy policy by switching to the “legitimate interest” legal basis following the Irish Data Protection Commissioner’s sanction in January, where it was fined €5.5 million.
• NOYB has now started a campaign against several Belgian news outlets, including among others RTL Belgium, the public service broadcaster VRT, newspapers Het Laatste Nieuws and L’Avenir.
• The EDPB has adopted an information note for both individuals and entities carrying out data transfers to the U.S., which clarifies that no supplementary measures are required for transfers based on the adequacy decision.

About us

Attorney-level solutions to make your websites and apps compliant with the law across multiple countries and legislations.

www.iubenda.com

The post DPO Newsletter: Data Protection & Privacy News (issue #120) appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

We’ve compiled the latest in Data Protection and Privacy news for your convenience below.

1) Newly Published Documentation

• The EDPB has adopted an information note for both individuals and entities carrying out data transfers to the U.S., which clarifies that no supplementary measures are required for transfers based on the adequacy decision. Separately the U.S. International Trade Administration has launched an EU-U.S. data privacy framework dedicated website.
• The French data protection authority (CNIL) has launched a new “sandbox” dedicated to artificial intelligence and the personal data issues that arise as a result of such innovation: “The sandbox is therefore aimed at organizations facing new issues related to personal data regulations. By intervening at an early stage in the development of the project, the CNIL teams help the organization identify possible solutions and implement them.” Press release here → (in French)
• The California Privacy Protection Agency introduced the new consumer complaint system which grants both residents and nonresidents the possibility to lodge either sworn or unsworn complaints concerning alleged violations of the California Consumer Privacy Act.
• The Biden administration has announced that seven leading artificial intelligence (AI) companies including Amazon, Anthropic, Google, Inflection, Meta, Microsoft, and OpenAI have committed voluntarily to, among others, carry out internal and external security testing of AI systems before release, share information on managing AI risks, and invest in safeguards. The administration said that in consultation with several allies and partners engaged in the voluntary commitments, it is working “to establish a strong international framework to govern the development and use of AI.”

2) Notable Case Law

• Amazon has reached a settlement with the U.S. Department of Justice and the Federal Trade Commission over alleged children’s privacy violations concerning its Alexa voice assistant. As part of the agreement, Amazon will pay USD 25 million in civil penalties and adhere to a permanent injunction.
• The FTC concluded its actions against BetterHelp with a finalized order amounting to USD 7.8 million. The order was based on allegations of improper data sharing for advertising purposes. Under the order, the online counseling service is banned from sharing consumers’ health data for advertising and using personal data for retargeting.
• NOYB has now started a campaign against several Belgian news outlets, including among others RTL Belgium, the public service broadcaster VRT, newspapers Het Laatste Nieuws and L’Avenir. The NGO is claiming that these companies “have bought themselves free from GDPR compliance”. The full list of websites against which a complaint has been filed can be found here →
• The Italian Garante fined the department store Rinascente SpA 300,000 euros for several violations in relation to the illegal processing of personal data of millions of customers in marketing and profiling activities through the use of loyalty cards. The infringements included but were not limited to the failure to:
  • indicate data retention times for marketing and profiling purposes;
  • indicate processing activity carried out through Facebook-Meta, which included the forwarding of customer’s email addresses to the US company;
  • prepare a data protection impact assessment as envisaged by the GDPR.

3) New and Upcoming Legislation

• The Council of the European Union’s Committee of the Permanent Representatives of the Governments of the Member States to the EU, has approved the draft compromise text of the Data Act. Draft compromise Data Act here →
• California: The California Privacy Protection Agency (CPPA) Board had unanimously voted, to support four California privacy bills. Among these bills are:
  • Assembly Bill 947 which would define sensitive personal information under the CCPA as amended to include personal information that reveals a consumer’s citizenship or immigration status;
  • Senate Bill 362, which would transfer the administration and rule-making authority over the data broker registry from the Department of Justice to the CPPA. This would also be directed to establish a deletion mechanism to allow a consumer to ask that all data brokers delete their personal information in one single request. Press release here.
• Oregon: Senate Bill 619 for an Act relating to protections for the personal data of consumers was signed by the Governor of Oregon. It will enter into force on July 1, 2024 however, certain exceptions apply to non-profit entities and the Act will not apply to them until July 1, 2025.
• Federal: The FTC has published a Federal Register notice seeking public comment on an application from ESRB, Yoti and SuperAwesome. The application proposes using “Privacy-Protective Facial Age Estimation” to obtain parental consent under COPPA. Comments can be submitted until August 21, 2023. Press release →

4) Strong Impact Tech

• WhatsApp has updated its privacy policy by switching to the ‘legitimate interest’ legal basis following the Irish Data Protection Commissioner’s sanction in January, where it was fined €5.5 million. WhatsApp, stated that “under legitimate interest, users will still be able to object to the use of their information.” Read the full story on our blog →
• The Canberra Times has reported that the release of Threads in Australia, Meta’s new social media platform, led to renewed calls for privacy law reforms. Digital Rights Watch Program Lead Samantha Floreani said that “We urgently need the Australian government to take action to pass robust reforms to the Privacy Act to make sure companies are handling our personal information appropriately […. since] All of this data is collected for the benefit of the companies harvesting it.” Reported here →

Other key information from the past weeks

• The Spanish Data Protection Authority (AEPD) has issued an updated version of its guide on the use of cookies to reflect the Guidelines on deceptive design patterns issued by the EDPB in February 2023.
• The Italian Garante has published its 2022 activity report, which indicates that there has been an increase in the number of inspections, totaling to 140 inspections and tripling the 2021 figures.
• The EPDB held their 82nd EDPB meeting, wherein the focus of the EDPB Members was on the EU-U.S. Data Privacy Framework (DPF).

About us

Attorney-level solutions to make your websites and apps compliant with the law across multiple countries and legislations.

www.iubenda.com

The post DPO Newsletter: Data Protection & Privacy News (issue #119) appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

We’ve compiled the latest in Data Protection and Privacy news for your convenience below.

1) Newly Published Documentation

• The Spanish Data Protection Authority (AEPD) has issued an updated version of its guide on the use of cookies to reflect the Guidelines on deceptive design patterns issued by the EDPB in February 2023. Read here → (in Spanish)
• The EPDB held their 82nd EDPB meeting, wherein the focus of the EDPB Members was on the EU-U.S. Data Privacy Framework (DPF). An update on the adequate level of protection of personal data under the EU-U.S. DPF was made, together with an information note on data transfers under the GDPR to the United States after the adoption of the Adequacy Decision. Access here →
• With the aim of offering alternatives to third-party cookie use, Google’s “Privacy Sandbox” has now come under the review of the French data protection authority, CNIL, which has published some recommendations and considerations in particular to publishers. CNIL noted that the basic purpose and use cases for the sandbox will be available to all parties in the third quarter of 2023 once third-party cookies are deprecated. Read here → (in French)
• The Italian Garante has published its 2022 activity report, which indicates that there has been an increase in the number of inspections, totaling to 140 inspections and tripling the 2021 figures. The report noted that 442 collective measures had been adopted and 9,218 complaints had been responded to. 81 opinions on regulatory and administrative acts had been issued, together with 317 corrective actions in terms of article 58(2) of the GDPR. The total amount of collected penalties amounted to approximately €9.5 million. Press release here → (in Italian)
• The Danish data protection authority (Datatilsynet) has expanded its guidance on the right to erasure in terms of Article 17(1) of the GDPR in relation to search engines. The Datatilsynet receives several inquiries on this matter from citizens who are unsure whether they have the right to request the deletion of their information from search engines, and more importantly how such right can be exercised. Press release here → (in Danish)

2) Notable Case Law

• The Norwegian Data Protection Authority, Datatilsynet, has invoked the urgent procedure mechanism and issued a temporary ban effective from August 4, 2023 until October 2023 prohibiting “Meta from adapting advertising based on monitoring and profiling of users in Norway,” unless Norwegian users have validly consented to behavior-based advertising on Facebook and Instagram services. Failure to comply with the ban may subject Meta to a compulsory fine of up to NOK one million per day. Press release here → (in Norwegian)
• The cookie paywall model, which is commonly adopted by news sites, was once again declared unlawful, this time by the Data Protection Authority of Lower Saxony (LfD), unless the consent banner properly informed users prior to granting their consent and also gave easily accessible options to revoke consent. Read about the decision here → (in German)
• Further to a user’s complaint, the Italian data protection authority, Garante, has given the company MG Freesites Ltd. twenty days within which to clarify its tracking systems as well as user profiling. The Authority’s summary can be found here → (in Italian)

3) New and Upcoming Legislation

US law updates:

• Colorado: The Colorado Attorney general has launched the enforcement of the Colorado Privacy Act by notifying businesses that the Colorado Department of Law will begin enforcing the Act, which went into effect on 1 July. The Attorney General directed businesses to educational resources to assist with compliance. Full story here →
• Rhode Island: Senate Bill 5684 which amends the Criminal Offenses – Identity Theft Protection Act of 2015 has entered into effect.

4) Strong Impact Tech

• Further to delay over GDPR compliance issues, Google’s Bard has launched within the EU. The generative artificial intelligence platform will require Google to submit a report to the Irish Data Protection Commission within 3 months from its launch. Google’s Product Director said that “discussions with data protection authorities resulted in a focus on transparency around data use and giving users a choice over Google’s use of their information.” Reported here →
• Pursuant to a Microsoft Outlook flaw, 26 countries have allegedly been hit by the Chinese hacking group Storm-0558. GovInfoSecurity has reported that the Chinese hackers have reportedly accessed and stolen emails from both U.S. government agencies and around 25 European Governments. Read here →

Other key information from the past weeks

• The European Commission adopted its adequacy decision on the EU-US Data Privacy Framework (DPF) on July 10, 2023.
• The European Commission has proposed the introduction of the GDPR Procedural Regulation, which, if adopted, will support the enforcement of the GDPR in cross-border cases.
• Further to release in the US, UK and several other countries, Meta has delayed the release of Threads within the European Union (EU) further to uncertainty over personal data use.

About us

Attorney-level solutions to make your websites and apps compliant with the law across multiple countries and legislations.

www.iubenda.com

The post DPO Newsletter: Data Protection & Privacy News (issue #118) appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

We’ve compiled the latest in Data Protection and Privacy news for your convenience below.

1) Newly Published Documentation

• The European Commission adopted its adequacy decision on the EU-US Data Privacy Framework (DPF) on July 10, 2023. Read about it here →
• The European Commission has proposed the introduction of the GDPR Procedural Regulation, which, if adopted, will support the enforcement of the GDPR in cross-border cases. Read here →
• The Commission nationale de l’informatique et des libertés (CNIL), has published a technical recommendation concerning data sharing through Application Programming Interface (API). Press release here → (in French)
• The Norwegian data protection authority and the Norwegian Accreditation have entered into a cooperation agreement on the accreditation of certification bodies under the GDPR. Read here → (in Norwegian)

2) Notable Case Law

• In the case Meta vs Bundeskartellamt the Court of Justice of the European Union (CJEU) has issued a ruling on Meta’s (formerly Facebook) GDPR approach. Read about the decision here →
• Brazil’s data protection authority, the Autoridade Nacional de Proteção de Dados (ANPD) has issued its first enforcement action against the telemarketing firm Telekall Infoservice for violating the LGPD and failure to cooperate with the ANPD’s investigation. The Authority’s summary can be found here → (in Portuguese)

3) New and Upcoming Legislation

US law updates:

• California: Senate Bill 680 which relates to amendments to the Civil Code and calls for a civil penalty in relation to social media platforms which include features that harm children, has passed Senate and the Assembly Committee.
• Louisiana: Senate Bill 162 which creates the Secure Online Child Interaction and Age Limitation Act was signed by the Governor and enters into force on 1st of July 2024.
• Washington: The Office of the Attorney General of Washington state has published a number of Frequently Asked Questions on the My Health My Data Act, part of which comes into effect on 23 July 2023.

4) Strong Impact Tech

• Further to release in the US, UK and several other countries, Meta has delayed the release of Threads within the European Union (EU) further to uncertainty over personal data use. It has been reported that “Threads imports data from Meta’s Instagram and tells U.S. users that it collects health, financial, location, search and other data.” The Twitter rival faces privacy hurdles within the EU, therefore its impending launch remains to be seen. Reported here on our blog →

Other key information from the past weeks

• Italy’s Data Protection Authority (Garante) fined Benetton Group €240,000 for violating data protection principles and security requirements in terms of Articles 5 and 32 of the GDPR.
• The Swedish Authority for Privacy Protection (IMY) has ordered the companies CDON AB, Coop Sverige, Dagens Industri and Tele2 Sverige to stop using Google Analytics.
• The United Kingdom and Singapore have signed two Memoranda of Understanding, one concerning emerging technologies and the other relating to data cooperation.

About us

Attorney-level solutions to make your websites and apps compliant with the law across multiple countries and legislations.

www.iubenda.com

The post DPO Newsletter: Data Protection & Privacy News (issue #117) appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

In this article, we will explore why this change is important and what you can do with GA4. We will guide you on how to initiate the switch and provide you with the necessary steps to get started on the new platform.

Why the Switch to Google Analytics 4?

Universal Analytics served us well, but the digital landscape is evolving. GA4 brings with it enhancements that better serve our needs in this modern, data-driven world. Improved customer journey insights, advancements in cookie-less tracking, and superior predictive capabilities are just a few of the new features that make Google Analytics 4 stand out.

If you’re looking for a deeper technical understanding, our comprehensive article, “Google Analytics 4: All You Need To Know,” provides detailed information on the subject.

Key Improvements with Google Analytics 4

Customer Journey Understanding

One of the significant enhancements in GA4 is its focus on providing a deeper understanding of the customer journey.

With Universal Analytics, tracking user interactions across multiple devices and touchpoints was challenging. Google Analytics 4 overcomes this limitation by offering a more holistic view of user behavior, allowing businesses to gain insights into how customers engage with their websites or apps from their initial touchpoint to conversion.

Cookieless Measurement

As the digital landscape evolves, privacy concerns have led to the tightening of regulations and restrictions on third-party cookies. Google Analytics 4 addresses this challenge by introducing cookieless measurement.

By leveraging machine learning algorithms and statistical models, it can fill in the gaps caused by the absence of third-party cookies. This advancement ensures that businesses can continue to track and analyze user interactions accurately, even in a future where cookies are less prevalent. With cookieless measurement, GA4 provides a more sustainable solution for obtaining valuable insights.

Predictive Capabilities

Another notable improvement in Google Analytics 4 is its predictive capabilities. By harnessing the power of machine learning, it can analyze historical data and patterns to make predictions about user behavior.

These predictive insights help businesses anticipate customer needs, identify potential opportunities, and optimize marketing campaigns accordingly.

Enhanced Privacy and Control

Privacy has become a paramount concern for businesses and users alike. GA4 places a strong emphasis on privacy and provides enhanced features for data protection and control.

In the previous version of Google Analytics (Universal Analytics), users had to manually activate the IP anonymization feature to protect privacy. This was an issue because IP addresses are considered “online identifiers” under the GDPR and could potentially reveal personally identifiable information.

However, in GA4, the IP anonymization feature is automatically enabled and cannot be modified by users. This means that GA4 does not store the IP addresses of users by default.

From a privacy standpoint, this is the most significant feature in GA4 as it strongly promotes data privacy and assists users in complying with the GDPR, especially in the context of EU regulations.

Simplified Reporting Structure

GA4 introduces a simplified and streamlined reporting structure compared to Universal Analytics. It offers pre-built reports and templates tailored to specific business objectives, making it easier to extract valuable insights without the need for complex configuration.

The new reporting structure provides users with a more intuitive and user-friendly interface, facilitating the analysis of key metrics and performance indicators.

How to Switch from Universal Analytics to Google Analytics 4?

To get started with Google Analytics 4, you have three options:

1. Set up Analytics data collection for the first time

If you’re new to Analytics and want to start collecting data for your website or app, choose this option. It allows you to begin the data collection process.

2. Add Google Analytics 4 to a site with Universal Analytics (Analytics “classic”)

The GA4 Setup Assistant will add a Google Analytics 4 property alongside your existing Universal Analytics property. You’ll be able to access your previously processed data in your Universal Analytics property until July 1, 2024. However, new data will only flow into Google Analytics 4 properties.

3. Add Google Analytics 4 to a website builder platform or CMS (content management system)

If you use a website builder platform or CMS like Wix, WordPress, Drupal, Squarespace, GoDaddy, WooCommerce, Shopify, Magento, Awesome Motive, HubSpot, or others, select this option. It allows you to integrate Google Analytics 4 into your CMS-hosted website.

Using Google Analytics on your site?

---

Then you must fully disclose this in your privacy policy.

• See how you can do this with a single click here:

Generate a Privacy Policy for Google Analytics

Start Generating

It’s free!

About us

The solution to draft, update and maintain your Terms and Conditions. Optimised for eCommerce, marketplace, SaaS, apps & more.

www.iubenda.com

The post Google Analytics 4: The New Stage in Web Analytics – GA4 appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Implications of the New Decision

For the last three years, the use of Google Analytics and other tools that transfer personal data to the US was not permitted. With no framework in place to regulate these data transfers, users were left facing legal uncertainties and potential data privacy issues.

This decision has finally clarified the ways in which personal data transfers can occur. In practice, before data flows can resume, US-based service providers like Google must self-certify with the EU-US DPF.

What Does This Mean for My Website: Can I Use Google Analytics Again?

EU-US data transfers are now regulated. We now need to wait for the providers affected by this decision to complete their self-certification process. Once they have, site owners would likely be able to resume using these tools.

As always, we’ll continue to monitor the situation. Check your account email preferences to be notified once major providers complete the self-certification process.

The post New Agreement on EU-US Data Transfers: US services like Google Analytics no longer “illegal”? appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

On July 10, 2023, the European Commission made a significant announcement by adopting its adequacy decision on the EU-US Data Privacy Framework (DPF). 

This decision signifies that the United States is once again recognized as providing an adequate level of protection to its European Union (EU) counterpart. Consequently, personal data can now flow freely from the EU to US self-certified companies without the need for additional safeguards. 

This article will delve into the details of the decision and highlight the key revisions made to the invalidated Privacy Shield framework.

EU-US Data Privacy Framework

The EU-US DPF marks a crucial step towards reinstating trust and confidence in transatlantic data transfers. 

After the Schrems II judgment by the CJEU, the previous Privacy Shield framework was invalidated due to concerns over access to data by US intelligence agencies. 

The newly adopted framework addresses these concerns through several notable revisions:

1. Necessary and Proportionate Access to Data

Under the EU-US DPF, access to data by US intelligence agencies is now limited to what is deemed “necessary and proportionate.”

This provision ensures that data transfer complies with stringent privacy standards while balancing legitimate national security interests.

2. Two-Layer Redress Mechanism

To enhance accountability and protect the rights of EU individuals, a new two-layer redress mechanism has been established.

3. Empowering EU Individuals

The adequacy decision grants EU individuals whose data has been transferred to self-certified US companies several important rights. These rights include the ability to:

4. Wider Applicability and Safeguards

The safeguards provided by the US government within the EU-US DPF extend beyond data transferred through this specific framework. They also apply to data transferred via other mechanisms, such as:

This broader application ensures a consistent level of data protection for EU individuals, regardless of the specific transfer mechanism utilized.

5. Periodic Reviews and Continuous Compliance Monitoring

To ensure ongoing compliance and effectiveness, the EU-US DPF will be subject to periodic reviews. 

The first review is scheduled to take place within a year from the framework’s entry into force. The European Commission will continuously monitor relevant developments in the US to ensure that the established safeguards are maintained.

What do you need to do now? 

Currently, there is no immediate action required. We need to wait for US companies to complete the self-certification process before data flows can begin.

The adoption of the EU-US Data Privacy Framework by the European Commission represents a significant milestone in transatlantic data privacy. With the adequacy decision in place, the flow of personal data from the EU to US companies can resume without additional safeguards, provided they participate in the EU-US DPF. 

The post Green Light for the Data Privacy Framework: EU to USA Personal Data Transfers Now Approved  appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

We’ve compiled the latest in Data Protection and Privacy news for your convenience below.

1) Newly Published Documentation

• The implementation of executive order 14086 concerning the EU-U.S. Data Privacy Framework has been completed as confirmed by the U.S. Department of Justice and the Office of the U.S. National Intelligence Director (ODNI). EU and EEA member states have been designated with the possibility to file for redress under the proposed Data Protection Review court and ODNI has released the policies and procedures that will be applicable to the U.S. intelligence community. Press Release →
• The Swiss Federal Data Protection and Information Commissioner has published it’s 30th Annual Report which covers the period between April 1, 2022, and March 31, 2023, for the section on data protection and 1 January to 31 December 2022 for the section concerning freedom of information. Press Release →
• The United Kingdom and Singapore have signed two Memoranda of Understanding, one concerning emerging technologies and the other relating to data cooperation. Access here →
• Brazil’s data protection authority, the Autoridade Nacional de Proteção de Dados, has published a guidance note on data processing activities in relation to academic purposes. See the guidance here → (In Portuguese)

2) Notable Case Law

• The Swedish Authority for Privacy Protection (IMY) has ordered the companies CDON AB, Coop Sverige, Dagens Industri and Tele2 Sverige to stop using Google Analytics. Two of the companies were slapped with fines of SEK 12 million and SEK 300,000 respectively. Read the full story on our blog →
• IMY fined Bonnier News AB (which now goes by the name Expressen Lifestyle AB) SEK 13 million (approx. €1.1 million) for processing personal data without the correct legal basis in violation of Article 6(1) of the GDPR. Press release → (In Swedish)
• Further to the €1.2 billion fine issued against Meta by the Irish Data Protection Commission (DPC) on May 22, 2023, the Irish Times reported that the Irish High Court has granted Meta a stay to the five-month period to cease all EU data transfers to the US pursuant to the Irish DPC’s order. Read about the decision here →
• Italy’s Data Protection Authority (Garante) fined Benetton Group €240,000 for violating data protection principles and security requirements in terms of Articles 5 and 32 of the GDPR. The Authority’s summary can be found here → (In Italian)
• The U.S. Department of Justice together with the Federal Trade Commission have announced a permanent injunction and a $6 million civil penalty against education technology provider Edmodo who was allegedly collecting information on children aged under 13 years of age without parental consent in violation of COPPA Rules. Read here →