Top News – California's Delete Act, Italian DPA fines $90K for GDPR violation, and more

Tennessee enacts state privacy law, FTC penalizes Ed Tech company, Biden administration prioritizes children's online privacy, and healthcare data breach reported.

Delete Act signed into law by California governor

Senate Bill 362, also referred to as the Delete Act, was signed into law this week by Gov. Gavin Newsom, D-Calif. Under this law, properly verified consumers need to be provided with a one-stop-shop mechanism to submit data deletion and data tracking requests. This mechanism needs to be provided by 1st January 2026. Further, starting August 2026, data brokers will be required to process such requests within 45 days of verification. Under this law, data brokers will have to register with the California Privacy Protection Agency, the entity enforcing the law. Currently, users are required to submit requests to each data broker individually.

23andMe suffers data theft

The biotechnology company 23andMe, based in South San Francisco, California, suffered a data breach, leaking over "20 million pieces of data," according to the threat actor. The genetic information has been listed for sale by the attackers on the underground hacking forum BreakForum for around $1000 for 100 profiles. Leaked information includes name, gender, birth year, location, and genetic information.

New Meta AI tool scraped data from public Instagram and Facebook posts

Public posts on Instagram and Facebook were allegedly used to train Meta's recently announced A.I. assistant. This was done without the knowledge or consent of users. In August, Facebook users were provided with a mechanism to opt out of allowing their personal data to be used to train third-party A.I. models. However, this 'Generative AI Data Subjects Rights' form is difficult to locate on the platform. Importantly, the form only lets users disallow the use of their data to train third-party A.I. models, not Meta's A.I. model.

€5.47 million fine imposed for GDPR violation in Croatia

Debt collection agency EOC Matrix was fined €5.47 million by the Croatian Supervisory Authority for processing personal data in a non-transparent way and without a proper legal basis. It was also found that they processed data of individuals who were non-debtors, meaning that there was no legal basis for processing under the GDPR. Further, it was found that telephone conversations were recorded without legal basis.

GDPR violation leads to €90,000 fine in Italy

The Italian Data Protection Authority, Garante, imposed a fine of €90,000 on GFB One for violating the General Data Protection Regulation and the Personal Data Protection Code, as the company activated the complainant's SIM cards without identity verification. Garante found that GFB One violated Articles 5(1), 6, and 13 of the GDPR and Article 157 of the Personal Data Protection Code.
