These are the top 10 things you need to know from the world of privacy last month, as compiled by me.

  • Texas means business when it comes to biometrics. The Texas Attorney General recently secured a $1.4 billion settlement from Meta stemming from the state’s “Capture or Use of Biometric Identifier” Act (CUBI). If you are using biometric data (in the workplace or otherwise), you must have things like: a notice, written acknowledgement, DPIA, and a retention plan.
  • State Attorney General Offices are coming after your website tracking, even if their states don’t have a state privacy law. Don’t believe me? Just look at New York.
  • FTC and hash. The FTC recently issued new guidance that hashes aren’t “anonymous.”
  • No one expects the Spanish Inquisition … or a pixel behind a login. It can be a data breach, a HIPAA breach, or an unfair or deceptive practice. The Swedish DPA, Integritetsskyddsmyndigheten, recently fined Avanza bank $1.4 million for it.
  • HHS issues guidance on age-appropriate design measures.
  • KOSPA (which is KOSA + COPPA 2.0) passed the Senate. If signed into law, it would impose several obligations regarding data of under-17s; duty of care in design; parental controls; and privacy tools. There also are new provisions regarding “opaque algorithms.”
  • FTC issues guidance on surveillance pricing.
  • CNIL issued a 7000 Euro fine, plus an injunction, plus a daily fine of 150 EUR/day on a controller for failing to appoint a DPO.
  • Latvia DPA issues guidance on common mistakes of controllers that lead to most of the complaints it receives.
  • Much ado about deepfakes. California Governor Newsom says he will sign a law regulating use of deepfakes. FTC already says that if it’s unfair and deceptive without AI, it’s also unfair and deceptive with AI. FCC issues NPRM requiring an on-air announcement regarding the use of deepfakes in television or radio political ads that use AI-generated content. UK Ofcom issues publication on tackling deepfakes.