Hello all, and happy Thursday!
July’s been a hot month—both on the thermometer and at attorneys general offices across the US.
Coming off of last week’s CCPA enforcement against Healthline, both Connecticut and Nebraska have issued privacy enforcement actions of their own this week.
Connecticut is notable for being the first enforcement under that state’s data privacy law, the CTDPA. The CTDPA offers a pretty generous cure period compared to other state privacy laws (60 days, though the cure period isn’t required and is offered at the AG’s discretion).
The Connecticut AG sent out dozens of notices of violation to different companies, and only one (an online marketplace called TicketNetwork) failed to cure its violations in time. In fact, the violator appears to have pretended like they had addressed their violations without actually doing anything. Everybody knows Attorneys General are really chill people who don’t follow up on their investigations, right?
Nebraska’s enforcement wasn’t made under a data privacy law per se, but it’s all about data privacy nevertheless. The Nebraska AG is suing General Motors for collecting and selling drivers’ data to third parties without drivers’ consent. This, the AG alleges, violates Nebraska's Uniform Deceptive Trade Practices Act and its Consumer Protection Act. The suit serves as a good reminder that even if all consumer data privacy laws disappeared tomorrow, data privacy would still be relevant for businesses.
Best,
Arlo
Blog: Customer Data Privacy: Why It’s Important and How to Protect It
Data subjects, consumers, residents—privacy regulations have a lot of names for the people whose privacy you need to protect. When it comes down to it, what do you need to do for your customers? Our blog lays it all out.
Blog: Privacy Laws 2025: Prepare for the 8 Laws Going into Effect
With the year halfway over, it’s the perfect time to review which new US privacy laws are turning on in the coming days and months. Check out our blog from earlier this year to learn more.
Nebraska is suing General Motors (GM) and its OnStar subsidiary for allegedly collecting and selling drivers’ location and driving behavior data without their knowledge or consent. This lawsuit adds to a wave of legal actions, including an FTC settlement and class action suits, focused on GM’s data-sharing practices with insurance-related third parties.
The first enforcement action under the CTDPA has been leveled against online marketplace TicketNetwork. The CT Attorney General’s Office recently announced an $85k settlement with TicketNetwork for violations associated with its privacy policy, malfunctioning subject rights request workflows, and falsely claiming it had cured the violations after being notified by the Attorney General of its non-compliance.
Montana, Connecticut, Oregon, and Colorado have all recently amended their privacy laws. Amendments include changes to applicability thresholds, so businesses that previously were not subject to these laws may need to review their status.
The Minnesota Consumer Privacy Act (MCPA) takes effect July 31, and unlike most state privacy laws, it also covers nonprofits. Learn more about your potential obligations here.
Qantas Airways recently revealed that more than a million customers had their phone number, birth date or home address accessed in one of the country's biggest cyber breaches in years. Another four million customers had just their name and email address taken during the hack. All told, 5.7 million customers were impacted.
There's more to explore:
We go deeper into additional privacy topics with incredible guests monthly. Available on Spotify or Apple.
The book inspired by this newsletter: Osano CEO, Arlo Gilbert, covers the history of data privacy and how companies can start building a privacy program from the ground up. More details here.