Welcome to “Last Week in Privacy!” Each week, OneTrust’s in-house privacy experts will give you the top international privacy industry highlights from last week.

Here’s a quick recap of last week’s top privacy industry headlines:

  1. According to a recent report from the Identity Theft Resource Center, nearly 447 million consumer records containing sensitive personal information were stolen as a result of data breaches in 2018—a 126-percent increase from the year before, and setting a new record. These numbers come even with a 23-percent drop in the number of reported U.S. data breaches, which, according to the report, could be a result of organizations collecting and storing more data in single places, making it easier for criminals to steal more records in a single attempt. And across the pond, a study conducted by DLA Piper found that over 59,000 personal data breaches have been reported to European supervisory authorities since the GDPR came into effect on May 25th 2018, with the Netherlands, Germany and the UK topping the list.
  2. President Donald Trump has signed an “Executive Order on Maintaining American Leadership in Artificial Intelligence” that sets out strategy and objectives for the federal government to prioritize the education, development and regulation of AI in the public and private sectors. The order calls the strategy the American AI Initiative, and sets out that the Initiative will be coordinated through the National Science and Technology Council.
  3. Microsoft has backed a facial recognition bill in Washington State that would require detailed notice and allow standardized third-party testing of facial recognition products. The legislation is part of a larger privacy bill under consideration in the state that would cover any organization doing business in Washington State and that either processes the data of 100,000 or more consumers or gets half their revenue from the sale of personal data. According to Microsoft President and Chief Legal Officer, Brad Smith, the bill “takes an important and much needed step to be a regulatory foundation for facial recognition technology and create a model that can be considered by other states and countries.”
  4. A new consumer privacy bill has been introduced in Massachusetts that includes a broad private right of action for consumers. The bill appears to have been modeled after the California Consumer Privacy Act and the Illinois Biometric Information Privacy Act, and would allow consumers to seek damages for any alleged violation of the law without having to show any tangible harm. Like the CCPA, the bill seeks to cover any business that collects the data of Massachusetts consumers and that meets a revenue-related threshold, and includes access and deletion rights. If enacted, the bill would, as of now, not take effect until January 2023.
  5. A group of California lawmakers has introduced a package of bills to supplement the California Consumer Privacy Act. The bills include rules prohibiting the storage of voice data on smart speakers used for marketing, requirements for social media platforms to obtain parental consent for users under the age of 16, a new 72 hour data breach notification rule, a right to erasure for social media users after they close their accounts, and more. The bill is scheduled for committee hearing later this month, and we will be closely monitoring this and other state privacy law developments.

That’s all for this week, be sure to join us next week for Last Week in Privacy.