By Destiny Ginn, Summer Associate
Here’s a snapshot of a few of the privacy developments we followed over the past few weeks. If you missed our last post, you can find it here.
UNITED STATES FEDERAL PRIVACY UPDATES
American Data Privacy and Protection Act
The American Data Privacy and Protection Act (ADPPA), H.R. 8152, a bipartisan comprehensive privacy bill, was introduced in the House, and on June 23 the U.S. House of Representatives Subcommittee on Consumer Protection and Commerce passed the bill by unanimous voice vote.
Apple
Apple issued an App Store Fraud Prevention report stating that it rejected over 343,000 apps for privacy violations.
CFAA: The DOJ Updated Policy for CFAA Prosecution
The DOJ updated its policy regarding prosecution under the Computer Fraud and Abuse Act (CFAA) to reflect developments in technology and business practices. One of the updates is not to criminally prosecute “good faith security research.”
FTC Chair Plans to Work on Improving Kids Data Privacy Online
FTC Chair Khan announced that the FTC is pushing an agenda of actions and policies to help safeguard children’s privacy online. These actions include toughening enforcement of long-standing laws governing children’s privacy and looking at algorithms used by social media platforms targeting children.
FTC: Importance of Effective Breach Disclosures
The FTC released “Security Beyond Prevention: The importance of effective Breach Disclosures”, a blog post that stresses the importance of having good incident responses and breach disclosures as part of their reasonable information security program. A breached entity may violate Section 5 of the FTC Act if they fail to disclose or mitigate reasonably foreseeable harm.
FTC’s Report Warns Congress about Using AI
The FTC issued a report to Congress warning of the harms AI can have when used to combat online problems. The FTC reported concerns about AI harms such as inaccuracy, bias, discrimination, and commercial surveillance.
IAB Releases Intrinsic In-Game Measurement Guidelines for Public Comments
In a joint collaboration between IAB, IAB Tech Lab, and the Media Rating Council (MRC), IAB has released its Intrinsic In-Game (IIG) Measurement Guidelines to establish updated measurement guidelines for ads that appear within gameplay. The release is open for public comment for a 30-day period until July 15, 2022.
IAB Tech Lab Expands Open Measurement SDK to Connected TV
On June 8, 2022, IAB Tech Lab announced that its Open Measurement SDK will soon be available on Connected TV.
IAB Unveils Global Privacy Platform
The IAB announced the launch of the Global Privacy Platform (GPP). The GPP is a single protocol designed to streamline transmitting privacy, consent, and consumer choice signals from sites and apps to ad tech providers. This platform will be used to consolidate domestic and global privacy signals for digital advertising. The specifications for GPP will be in public comments until July 30, 2022.
DAAP guidance from BBB
The Digital Advertising Accountability Program issued a compliance warning that a consumer’s mere continued use of a product or service does not constitute “Consent” as defined by the Digital Advertising Alliance’s Self-Regulatory Principles for Online Interest-Based Advertising.
NIST New Draft Publications
NIST issued the final public draft of the Engineering Trustworthy Secure Systems on June 7, 2022. The public comment period for this draft will be June 7, 2022 to July 8, 2022.
NIST issued a preliminary draft of Implementing a Zero Trust Architecture on June 3, 2022.
NIST issued an internal report on using business impact analysis to inform risk prioritization and response. The public comment period for this draft will be June 9, 2022 to July 18, 2022.
U.S. Court of Appeals Ninth Circuit
In an unpublished decision issued May 31, 2022, the U.S. Court of Appeals Ninth Circuit interpreted the California Invasion of Privacy Act and reversed the district court’s holding that consent under Section 631(a) was valid even if it was given after communication between a website and website user has taken place.
U.S. STATES PRIVACY UPDATES
California: Proposed Regulations for CPRA
The California Privacy Protection Agency published proposed regulations for the California Privacy Rights Act (CPRA) on May 27, 2022. Some of the proposed regulations relate to service providers and vendors, purpose limitation, dark patterns, right to know, opt-out rights and methods, sharing opt-out signals, and financial incentives.
The California Privacy Protection Agency also published a draft of its Initial Statement of Reasons for the proposed regulations ahead of its June 8, 2022 meeting.
Colorado: Limiting Use of Facial Recognition
Colorado SB 113 limits the use of facial recognition by state agencies, including institutions of higher education. The law is effective August 10, 2022, and it also prohibits, with limited exceptions, the use of facial recognition services by any public school, charter school, or institute charter school until January 1, 2025.
Maryland: Amendments to the Student Data Privacy Bill
Maryland’s amendments to the Student Data Privacy bill went into effect on June 1, 2022. The amendments primarily update the definitions, including expanding the covered information to include disciplinary records, online behavior and usage information, persistent unique identifiers (which include pseudonyms and aliases), and confidential information defined by the Department of Information Technology.
Minnesota: Student Privacy Bill Passes
Minnesota HF 2353, which is effective beginning with the 2022-23 school year, in addition to prohibiting the use of educational data for any commercial purpose, including marketing or advertising, also prohibits providers of school issued devices, with limited exceptions, from accessing or monitoring a device’s location-tracking feature, audio or visual recordings, and student interactions with a device including keystrokes and web-browsing activity.
New York: Vaccine Privacy Bill Heads to Governor’s Desk
The New York Legislature passed a vaccine bill that would protect the confidentiality of vaccine information and protect such information from being used to track people’s movements or being used against them in unauthorized ways.
Washington: AG Lawsuit Against Google for Deceptive Practices Around Location Data
The Washington AG’s suit against Google for deceptive practices around location data proceeds after a King County judge rejected Google’s motion to dismiss.
Washington: Telemarketing Law Amendments Now in Effect
House Bill 1479, effective June 9, 2022, amends portions of the state’s existing telemarketing laws. These amendments include broadening the scope of “residential telephone customer” to “person”, setting new requirements for callers requesting a donation or gift, and applying more requirements around callers identifying themselves.
Washington, D.C.: Stop Discrimination by Algorithms Act Scheduled a Public Hearing
Bill B24-0588, the ‘Stop Discrimination by Algorithms Act’, will be discussed at a public hearing scheduled for September 22, 2022.
NORTH AMERICA
Canada: Tim Hortons’ App Violates Privacy Laws
The Office of Privacy Commissioner of Canada has concluded the Tim Hortons’ App violated Canadian privacy laws after finding the app tracked and recorded users every few minutes regardless of the app being opened or closed. Tim Hortons originally planned to use the data for targeted advertisement but continued to collect the location data for a year after the plans were shelved.
EUROPE & UK
Belgium: Belgian DPA Fined Roularta Press Group
The Belgian Data Protection Authority (DPA) fined Roularta Press Group for how it managed cookies on its sites. In particular, the DPA found that two of Roularta’s sites placed 60 cookies before obtaining consent, didn’t provide proper information about the cookie collection, and pre-checked cookie consent boxes.
Denmark: Statement on “Data Exporters”
The Danish data protection authority published (in Danish only) a short informative note about the concept of ‘data exporters.’ A processor may enter into an SCC directly with the sub-processor in third countries in order to provide the necessary transfer requirements under Article 46(2)(c) of the GDPR.
Iceland: Denies Amgen AB to target social media users for scientific research
The Icelandic Data Protection Authority issued a decision (in Icelandic only) denying the application of Amgen AB (an international pharmaceutical company) to target social media users who searched for pages related to migraines and use this information for scientific research. The decision concluded that transmitting an advertisement to someone who may have migraines based on online behavior history would be a use of sensitive data and would require consent.
Italy: Google Analytics Banned by Data Protection Authorities
The Italian SA concluded that a website using Google Analytics without safeguards set out in EU GDPR violates data protection law by transferring user data to the US. The Italian SA stated that an IP address is personal data and, given Google’s ability to enrich such data, would not be considered anonymised even with truncation.
Norway’s Data Protection Authority Issued a Fine of NOK 100,000
The Norwegian data protection authority issued a fine of NOK 100,000 to an unnamed company after an employer automatically forwarded ex-employees’ emails to the general manager for six weeks. The company violated Articles 6(1)(f), 13, 22 and 24 of the GDPR.
Norway’s Data Protection Authority Issues a Reprimand
The Norwegian data protection authority issued (decision in Norwegian only) a reprimand on June 2, 2022 to the Norwegian Labour Inspection Authority for lack of access. The decision states that the company was in violation of Article 15(1) of the GDPR.
ASIA-PACIFIC, MIDDLE EAST & AFRICA PRIVACY UPDATES
China Drafts Specifications for Privacy Notices
China released a consultation draft of the technical specification for privacy notices. Comments on the proposed specification will be accepted until July 25, 2022. Some specifications include: a privacy notice must be included on the company’s website with easy access to it for consumers, and a company must highlight in its privacy notice if any personal information will be transferred abroad.
Hong Kong: Guidance on Recommended SCC for Cross Border Data Transfers
The Privacy Commissioner for Personal Data of Hong Kong issued a “Guidance on Recommended Model Contractual Clauses for Cross Border Transfer of Personal Data” in May 2022. The guideline introduces two sets of Recommended Model Contractual Clauses to address two different scenarios, specifically (i) transfers of data from one data user to another data user and (ii) transfers from one data user to a data processor.
New Zealand: Appointment of the New Privacy Commissioner
New Zealand appointed Michael Webster, a current secretary of the cabinet, as the new privacy commissioner. Webster will transition into his new role on July 5, 2022.