.svg){kind=small}
.svg){kind=small}
.svg){kind=small}
.svg){kind=small}
.svg){kind=small}
.svg){kind=small}
.svg){kind=small}
.svg){kind=small}
.svg){kind=small}
Ch-Ch-Ch-Changes
Hello all, and thanks for reading today.
Read Now
.svg){kind=small}
.svg){kind=small}
.svg){kind=small}
.svg){kind=small}
Hello all, and happy Thursday!
Last week, you may have noticed a story in our newsletter about CIPA-style class action lawsuits coming to Arizona. The California Invasion of Privacy Act (CIPA) is a 60s-era law meant to protect citizens from wiretapping—in recent times, it’s become popular amongst the plaintiff’s bar to bring lawsuits against organizations on the grounds that modern internet marketing technologies count as CIPA violations.
Apparently taking inspiration from California law firms, Arizonan lawyers have been bringing class action lawsuits against organizations on the grounds that these tracking technologies constitute a violation under the Telephone, Utility, and Communication Service Records Act.
This week, yet another apparently unrelated, decades-old law is being used to sue businesses over modern privacy violations. The Song-Beverly Credit Card Act, originally meant to limit the collection of personal information during in-person transactions, is being used as grounds to sue retailers over excessive data collection.
But this shouldn’t come as a surprise; so long as there’s a chance at a legal victory, enterprising law firms will repurpose these old laws to go after organizations that are easy targets. Your best bet is to not be an easy target by adhering to robust data minimization and retention practices.
Best,
Arlo
.png?width=800&height=400&name=Osano-PSR-social-O-mazing-race-1024x512%20(1).png)
Highlights from Osano
New this week
The Big Data Privacy Bundle
50+ free data privacy resources, including templates, trackers, and more!
In case you missed it...
Privacy Insider Podcast, Episode 4: Don’t Be Evil: In the Hot Seat of Data Privacy (Part 1)
Webinar: It's Time to Think About Data Mapping Differently
Upcoming Webinars
A Sneak Peek into Data Mapping: What Implementation Really Looks Like
Today at 1 PM EST! | Save Your Seat
When AI meets PI: Assessing and governing AI from a privacy perspective
Thursday, September 12th | Save Your Seat
Top Privacy Stories of the Week
First PDPA Enforcement in Thailand: A Landmark Case
Recently, an expert committee appointed under the Thai Personal Data Protection Act (PDPA) of 2019 issued an administrative fine to a major private company involved in online sales. The company allowed a significant amount of personal data to leak to call center gangs without implementing adequate security measures as required by the PDPA. The committee imposed the maximum administrative fine of 7 million baht (approximately $205,520).
New Hampshire Attorney General Formella Announces Creation of New Data Privacy Unit
Attorney General John M. Formella announces the creation of a new Data Privacy Unit that will be primarily responsible for enforcing the New Hampshire Data Privacy Act. “Ensuring accountability, transparency, and consumer choice regarding how companies handle and monetize the personal data of their customers is a priority of my office,” said Attorney General Formella in a press release.
Dutch DPA Imposes a Fine Of 290 Million Euro on Uber Because Of Transfers of Drivers' Data to The US
The Dutch Data Protection Authority (DPA) imposes a fine of 290 million euros on Uber. The Dutch DPA found that Uber transferred the personal data of European taxi drivers to the United States and failed to appropriately safeguard the data with regard to these transfers. According to the Dutch DPA, this constitutes a serious violation of the GDPR. In the meantime, Uber has ended the violation.
Retailers Meet Wave of Credit Card Suits Citing Decades-Old Law
A decades-old law protecting personal information during California credit card transactions is fueling a new wave of privacy litigation that could challenge how online retailers do business. The Song-Beverly Credit Card Act, passed in California in 1971, limits retailers’ collection of personal information during in-person transactions unless it's necessary to process the credit card transaction. Much like the wave of pixel-tracking cases over the past two years citing California wiretap laws, the new Song-Beverly disputes ask if companies are strictly acting as service providers without monetizing collected data and if it’s essential to solving business needs.
Illinois Becomes Second State to Enact AI Law For Employers
Recently, Illinois Governor JB Pritzker signed HB 3773, which amends the Illinois Human Rights Act to address employers’ use of artificial intelligence (AI). Illinois employers that use any automated tools to make employment-related decisions are encouraged to prepare for compliance with the new law, which takes effect on January 1, 2026.
Like what you hear from the Privacy Insider newsletter?
There's more to explore:
🎙️The Privacy Insider Podcast
We go deeper into additional privacy topics with incredible guests monthly. Available on Spotify or Apple.
📖 The Privacy Insider: How to Embrace Data Privacy and Join the Next Wave of Trusted Brands
The book inspired by this newsletter: Osano CEO, Arlo Gilbert, covers the history of data privacy and how companies can start building a privacy program from the ground up. More details here.
If you’re interested in working at Osano, check out our Careers page!