Delaware governor signs comprehensive privacy law

Want to receive these weekly privacy recaps in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.

USA

Delaware Governor Signs Comprehensive Privacy Law

Delaware HB 154, implementing the Delaware Personal Data Privacy Act, was signed into law, making Delaware the twelfth state to enact a comprehensive privacy law.

Most of the law will take effect January 1, 2025, with the requirement to respect opt-out preference signals going into effect January 1, 2026. 

TAKEAWAY

The Delaware law largely resembles Connecticut’s and Montana’s privacy laws, including obligations to obtain opt-in consent to process sensitive data, to provide mechanisms for users to revoke consent as easily as providing it, and to respect opt-out preference signals.

Read more: Comparing U.S. State Privacy Laws: Sensitive Data

Amended Version of California Delete Act Passes Assembly/ Senate

California SB 362, which would implement the Delete Act governing data broker registration and deletion obligations, has passed the California Assembly and received final approval from the Senate in amended form.  

TAKEAWAY

“Data brokers” are businesses that knowingly collect and sell to third parties the personal information of a consumer with whom the business does not have a direct relationship.

If signed by the Governor, the Delete Act will require a data broker to register with the California Privacy Protection Agency (current law requires registration with the California Attorney General’s Office) and to disclose certain additional information about its use of personal information to both the Agency and to consumers.

Additionally, starting in 2026, data brokers will be required to listen for and respect deletion requests submitted to a deletion mechanism maintained by the Agency that would transmit a single request to all registered data brokers.   

Read more: The Delete Act: ‘A Fantastically Flawed Attempt At Solving A Critical Problem’ (AdExchanger)

California AG / Google Enter $93MM Settlement Over Location Tracking

California Attorney General Bonta announced a $93 million settlement over allegations that Google used user location data for consumer profiling and advertising purposes without informed consent in violation of California consumer protection laws.

In addition to the monetary settlement, Google will be required to make certain changes to its practices, including providing more transparency to users when they enable location-related account settings and on a “Location Technologies” webpage.

TAKEAWAY

Google has already entered into settlements with most other state attorneys general over similar location-tracking allegations, including a $391.5 million settlement with 40 state attorneys general in November 2022, a $9.5 million settlement with the Washington D.C. Attorney General in January 2023, and a $9 million settlement with the New Hampshire Attorney General in March 2023. 

EUROPE

noyb Files Complaints in France Re App Data Sharing

Non-profit noyb–European Center for Digital Rights–announced its filing with the French data protection authority (CNIL) complaints with respect to three mobile apps: electronics app Fnac, real estate app SeLoger, and fitness app MyFitnessPal.

The complaints allege violations of the ePrivacy Directive, the French Data Protection Act, and GDPR, based on the apps’ alleged access to device local storage and processing of personal data without (or prior to) user consent and failure to exercise data protection by default and design. 

CONTEXT

User tracking by mobile applications was listed by the CNIL in March 2023 as one of its four “priority topics for investigations in 2023“, citing the “systemic” use of identifiers that allow users to be tracked for advertising, statistical or technical purposes and noting that checks had already been, and would continue to be, carried out on applications that access such identifiers in the absence of user consent.

The CNIL included in its announcement a link to its guidance on cookies and other tracers issued in October 2020.   

Dutch Class Actions Filed Against X / MoPub and Google

Two notable class actions were filed in the Netherlands:

Dutch non-profit foundation Stichting Data Bescherming Nederland (SDBN) announced that it is starting a lawsuit against X and its former subsidiary MoPub based on MoPub’s alleged unlawful collection and exchange of user data from over 30,000 free mobile applications in the Netherlands (including personal data about sexual orientation, health and religious beliefs and collected from children) without proper disclosure of the purposes of processing or the third parties with whom the data would be shared. SDBN is demanding compensation for damages and a share of profits on behalf of 11 million Dutch citizens, as well as destruction of the allegedly unlawfully collected data. 

Dutch consumers’ association Consumentenbond announced that it, together with the Foundation for the Protection of Privacy Interests, took Google to court for alleged “large-scale privacy violations” in violation of Dutch and European privacy legislation. The action is based on Google’s alleged collection and sharing of behavior and location data, including “highly sensitive personal data about health, ethnicity and political preference” via its online advertising platform. The lawsuit is demanding €750 in damages for every impacted Dutch consumer, plus an amount based on the value of the data that Google has collected and shared.  

TAKEAWAY

These lawsuits may just be the beginning of a new trend in the Netherlands.

According to a TechCrunch article, “more privacy suits are likely to follow in the Netherlands, especially as litigation funders spot opportunities to cash in.” The article cites a new class action regime brought in by the country as the reason for the uptick. 

Want more of the privacy highlights that matter to adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.