Hello all, and happy Thursday!
2025 is shaping up to be the year of data privacy enforcement in the US, and it'll surprise nobody that California and Texas have been the biggest enforcers.
Regular readers of this newsletter will have marked the recent enforcement action by the Texas AG against Allstate. Not to be outdone, the California Privacy Protection Agency (CPPA) recently issued a $632,500 fine against Honda for CCPA violations.
The CPPA’s press release called out a number of violations, including:
- Collecting excessive personal data from data subjects when they exercised their rights.
- Making it difficult for authorized agents to exercise privacy rights on behalf of data subjects.
- Sharing consumers’ personal information with ad tech companies without the appropriate contractual language.
- “Using an online privacy management tool that failed to offer Californians their privacy choices in a symmetrical or equal way.”
That privacy management tool? OneTrust.
In order to opt out of the use of advertising cookies through Honda’s OneTrust tool, users needed to take two steps; opting in again only requires one. It’s a dark pattern, which the CPPA has cautioned businesses against in the past.
The bottom line: Data privacy compliance is complex, but that isn’t stopping regulators from enforcing the law. Your privacy solution should have your back, and it should be developed and maintained with current best practices baked in.
Best,
Arlo
.png?width=800&height=400&name=Weathering-the-2025-Whirlwind-1024x512%20(1).png)
Highlights from Osano
In Case You Missed It...
Blog: AI Governance and Why It’s Necessary
AI isn’t going away anytime soon, but best practices around AI are still developing. How can privacy, security, and GRC professionals better manage the risks and opportunities associated with AI? A robust AI governance framework is key. Find out what AI governance is, how to develop your own framework, and more in our blog.
Upcoming Webinars and Events...
Weathering the 2025 Whirlwind: How to Keep Calm and Carry On
Privacy is changing fast, are you keeping up? Join Ashley Fowler, Sr Privacy Program Manager at Osano & Olivia Ward, Data Privacy Lawyer at Simmons + Simmons, as they get to the heart of what's important right now.
Save your seat | March 17th
A Blueprint for Efficient SRRs: Mastering Your Subject Rights Workflow
Whether you are swamped by a deluge of subject rights requests or just want more time to spend on strategic work, managing SRRs effectively is a highly sought-after goal—one that's seldom achieved. In this webinar, Osano’s Senior Product Manager Chris Simpson and Lead Implementation Manager Christie Roy will show you the best (and worst) approaches to handling your SRR workflow.
Save your seat | March 27th
The Privacy Pro Survival Summit 2: This Time It’s Personal
In our second Privacy Pro Survival Summit, we’re putting the personal in personal data and showcasing a suite of thought leaders and experts from privacy, security, GRC, and related experts. Learn, connect with your peers, and maybe have a little fun along the way!
Save your seat | April 10th
Top Privacy Stories of the Week
Honda Settles With CPPA Over Privacy Violations
Honda must pay the California Privacy Protection Agency (CPPA) $632,500 to settle multiple California Consumer Privacy Act (CCPA) violations. The violations relate to interfering with data subjects’ ability to exercise their rights, sharing consumers’ personal information with ad tech companies without the appropriate contractual protections in place, and more.
New Guidance from the ICO on Retaining Employee Records
Recently, the UK’s Information Commissioner’s Office (ICO) published updated guidance for employers on what they need to do to comply with the UK GDPR and Data Protection Act when processing their employees’ personal data.
Attorney General Rayfield Releases 6 Month Report on Oregon Consumer Privacy Act
Attorney General Dan Rayfield recently released a report showing results from the first 6 months of Oregon’s Consumer Privacy Act. Notably, the Oregon DOJ received 110 complaints, and the Privacy Unit initiated and closed 21 privacy matters after sending notices of violation and broader information requests to companies. These include failure to disclose processing activities; issuing confusing privacy notices; and absent, burdensome, or misleading subject rights mechanisms.
Final Draft of the General-Purpose AI Code of Practice Published, Written by Independent Experts
The General-Purpose AI Code of Practice is a set of guidelines to help providers of general-purpose AI models to comply with the EU AI Act. Now, the third and final draft of the code has been released for stakeholder review.
Attorney General Bonta Announces Investigative Sweep of Location Data Industry, Compliance with CPPA
In a recent press release, California Attorney General Rob Bonta announced an ongoing investigative sweep into the location data industry, sending letters to advertising networks, mobile app providers, and data brokers that appear to be in violation of the CCPA.
Like what you hear from the Privacy Insider newsletter?
There's more to explore:
🎙️The Privacy Insider Podcast
We go deeper into additional privacy topics with incredible guests monthly. Available on Spotify or Apple.
📖 The Privacy Insider: How to Embrace Data Privacy and Join the Next Wave of Trusted Brands
The book inspired by this newsletter: Osano CEO, Arlo Gilbert, covers the history of data privacy and how companies can start building a privacy program from the ground up. More details here.
If you’re interested in working at Osano, check out our Careers page!