New Privacy Requirements Took Effect October 1 In Three States

Julie Rubash, General Counsel and Chief Privacy Officer
October 7, 2024

UNITED STATES

New Privacy Requirements Took Effect October 1 In Three States

The Montana Consumer Data Privacy Act took effect October 1, the same effective date as the Maryland Age Appropriate Design Code Act (MAADCA) and amendments to Connecticut’s privacy law.

TAKEAWAY

The Montana Consumer Data Privacy Act is a comprehensive privacy law closely resembling that of Connecticut (before the amendments discussed here). The MAADCA applies to products, services and features “reasonably likely to be accessed” by minors under 18 and borrows several elements from California’s Age Appropriate Design Code Act (CAADCA), albeit without the age estimation and assessment of harmful content requirements that are currently pending constitutional challenges. The Connecticut amendments create additional rights and requirements for “consumer health data” (as a new sensitive data category, with its own set of additional protections and restrictions) and data of minors under 18 (also borrowing several elements from the CAADCA, albeit in a largely less restrictive manner than the MAADCA, including, for example, by only applying to controllers who have actual knowledge, or willfully disregard, that they are offering an online service, product or feature to minors).

Trying to keep up with all the US state privacy laws for sensitive data? We’ve got you covered. Check out the Sourcepoint U.S. State Privacy Laws Sensitive Data Comparison Chart to see how sensitive data is being defined differently in U.S. state laws.

EUROPE

CJEU Interprets GDPR in Favor of Schrems in Case Against Meta

In response to a request from the Austrian Supreme Court in Max Schrems’ action against Meta, the European Court of Justice made two findings: (1) the GDPR principle of data minimisation precludes a controller, such as a social media platform, from aggregating, analysing and processing for targeted advertising all of the personal data obtained by such controller from a data subject or third parties without restriction as to time or type of data; and (2) although the fact that a data subject manifestly makes data concerning his or her sexual orientation public allows for such data to be processed in compliance with the GDPR, such fact does not authorise the processing of other personal data relating to that data subject’s sexual orientation. The case will go back to the Austrian Supreme Court to determine, applying the CJEU’s interpretation, whether Facebook’s processing of Schrems’ personal data, including his sexual orientation, in combination with other data obtained on and outside the social network, violated the GDPR.

TAKEAWAY

The CJEU’s opinion points out that the principle of data minimisation “provides that personal data are to be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed,” that “even initially lawful processing of accurate data may over time become incompatible” with the purposes for which they were collected or processed, and that, with respect to type of data processed for such purposes, “the reasonable expectations of data subjects” and “the degree to which various forms of processing interfere with the rights of the data subject” should be taken into account. Ultimately, however, application of these principles is for the court to decide on a case-by-case basis to determine the extent to which the period of retention and type of processing are justified, based on the circumstances of the case, leaving courts (and companies) to make independent assessments without bright-line rules.

Sourcepoint believes that good privacy experiences drive user experience and trust. That’s why Sourcepoint Dialogue CMP was built to deliver highly customized messages to meet GDPR compliance and your monetization needs. Check out how we help with GDPR compliance.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.
