Weekly Privacy News Update – Episode 47


California ratifies Age-Appropriate Design Code Act into law

Assembly Bill 2273, also known as the California Age-Appropriate Design Code Act, was enacted into law after being signed by Gov. Gavin Newsom, D-Calif. The act intends to protect children’s mental and physical health and wellbeing by requiring online platforms to recognize the best interest of child users and to default to privacy and safety settings that protect them. The law will also require online platforms to keep their privacy information, terms of service, policies, and community standards quickly accessible and maintained. Responsive tools that assist children in exercising their privacy rights will also be required. The new law will take effect on Jan. 1, 2024, and forms the Children’s Data Protection Working Group, which is assigned to review and report on the law’s implementation.

Source: Office of Governor Gavin Newsom, IAPP

Ireland’s DPC announced the decision on Instagram investigation

The Irish Data Protection Commission (DPC) formally finalized its EUR 405 million children’s data protection fine against Instagram. The penalty is the second-largest since the EU General Data Protection Regulation (GDPR) was implemented. The total fine includes ten penalties, two violations regarding public-by-default processing, and contact information processing under Article 12(1) of the GDPR that total EUR 170 million. The binding decision of the DPC is recognized by the European Data Protection Board (EDPB) as the first concerning the legality of processing under Article 6 of the GDPR. The final decision also directed Instagram to bring its processing into compliance by taking a range of specified remedial actions.

Source: Data Protection Commission, IAPP

Google and Meta get a $71.8 million fine from South Korea’s PIPC

South Korea’s Personal Information Protection Commission (PIPC) issued fines totaling KRW 100 billion to tech giants Google and Meta for data processing violations related to user consent. The infractions by the two companies arose from a lack of disclosures on data collection and its practices, and from issues with default opt-in settings for user consent. According to South Korea’s data protection authority, Google failed to inform users about the collection and use of other companies’ behavioral information when they signed up for its service. The default option set by Google was “agree,” since the other available choices were covered in the setting screen. Meta allegedly did not indicate the details required by law for consumers to know. It failed to gain users’ consent, since the company gathered and used users’ behavioral information for personalized ads when they signed up. Representatives for Google and Meta expressed their disagreement with the decisions while noting commitments to legal compliance, user control, and transparency.

Source: TechCrunch, IAPP

EDPB and EDPS request funding to prevent EU GDPR enforcement from weakening

Two regulatory bodies, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS), sent a letter to the European Parliament and the Council of the European Union appealing for an increase in funding to make sure the EU General Data Protection Regulation (GDPR) is enforced correctly. The European Commission rejected the 2023 budget proposal of both regulatory bodies; the proposal sought to increase staffing and financial resources.

Source: European Data Protection Board, IAPP


Written by Masha Komnenic CIPP/E, CIPM, CIPT, FIP

Masha is an Information Security and Data Privacy Specialist and a Certified Data Protection Officer. She has been a Data Protection Officer for the past six years, helping small and medium-sized enterprises achieve legal compliance. She has also been a privacy compliance mentor to many international business accelerators. She specializes in implementing, monitoring, and auditing business compliance with privacy regulations (HIPAA, PIPEDA, ePrivacy Directive, GDPR, CCPA, POPIA, LGPD). Masha studied Law at Belgrade University, and she passed the Bar examination in 2016.
