New Privacy Requirements Took Effect October 1 In Three States

Want to receive these privacy recaps that matter to consent management, adtech and martech in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.

UNITED STATES

New Privacy Requirements Took Effect October 1 In Three States

The Montana Consumer Data Privacy Act took effect October 1, the same effective date of The Maryland Age Appropriate Design Code Act (MAADCA) and amendments to Connecticut’s privacy law.

TAKEAWAY

The Montana Consumer Data Privacy Act is a comprehensive privacy law closely resembling that of Connecticut (before the amendments discussed here). The MAADCA applies to products, services and features “reasonably likely to be accessed” by minors under 18 and borrows several elements from California’s Age Appropriate Design Code Act (CAADCA), albeit without the age estimation and assessment of harmful content requirements that are currently pending constitutional challenges. The Connecticut amendments create additional rights and requirements for “consumer health data” (as a new sensitive data category, with its own set of additional protections and restrictions) and data of minors under 18 (also borrowing several elements from the CAADCA, albeit in a largely less restrictive manner than the MAADCA, including, for example, by only applying to controllers who have actual knowledge, or willfully disregard, that they are offering an online service, product or feature to minors).

Trying to keep up with all the US state privacy laws for sensitive data? We’ve got you covered. Check out the Sourcepoint U.S. State Privacy Laws Sensitive Data Comparison Chart to see how sensitive data is being defined differently in U.S. state laws

EUROPE

CJEU Interprets GDPR in Favor of Schrems in Case Against Meta

In response to a request from the Austrian Supreme Court in Max Schrems’ action against Meta, The European Court of Justice made two findings: (1) the GDPR principle of data minimisation precludes a controller, such as a social media platform, from aggregating, analysing and processing for targeted advertising all of the personal data obtained by such controller from a data subject or third parties without restriction as to time or or type of data; and (2) although the fact that a data subject manifestly makes data concerning his or her sexual orientation public allows for such data to be processed in compliance with the GDPR, such fact does not authorise the processing of other personal data relating to that data subject’s sexual orientation. The case will go back to the Austrian Supreme Court to determine, applying the CJEU’s interpretation, whether Facebook’s processing of Schrems’ personal data, including his sexual orientation, in combination with other data obtained on and outside the social network, violated the GDPR.

TAKEAWAY

The CJEU’s opinion points out that the principle of data minimisation “provides that personal data are to be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed,” that “even initially lawful processing of accurate data may over time become incompatible” with the purposes for which they were collected or processed, and that, with respect to type of data processed for such purposes, “the reasonable expectations of data subjects” and “the degree to which various forms of processing interfere with the rights of the data subject” should be taken into account. Ultimately, however, application of these principles is for the court to decide on a case-by-case basis to determine the extent to which the period of retention and type of processing is justified, based on the circumstances of the case, leaving courts (and companies) to make independent assessments without bright-line rules.

Sourcepoint believes that good privacy experiences drive user experience and trust. That’s why Sourcepoint Dialogue CMP was built to deliver highly customized messages to meet GDPR compliance and your monetization needs. Check out how we help with GDPR compliance.

Want more of the privacy highlights that matter for consent management, adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.