Privacy Report: CPPA Amends Draft CPRA Regulations & Announces Public Comment Dates

Headlines that Matter for Privacy and Data Security.


US News

CPPA Amends Draft CPRA Regulations & Announces Public Comment Dates

The California Privacy Protection Agency (CPPA) has announced amendments to the proposed California Privacy Rights Act (CPRA) regulations; the changes are primarily grammatical. As part of its rulemaking process, the CPPA will also hear public comments on the regulations on August 24 and 25. Written submissions are due by August 23, 2022, at 5 pm PT and can be sent by email to regulations@ccpa.ca.gov or by mail to The California Privacy Protection Agency, Attn: Brian Soublet, 2101 Arena Blvd., Sacramento, CA 95834. Given this timeline, the regulations are unlikely to be finalized before late summer or early fall. A copy of the regulations, the Notice of Proposed Rulemaking, and related materials can be found here.

Maryland Amends Privacy & Data Breach Law

Maryland recently passed House Bill 962 (the Bill), which amends the state's Personal Information Protection Act. The Bill expands the definition of genetic information, which is a category of personal information under the Act. Specifically, genetic information is data that results from a biological sample and includes deoxyribonucleic acids (DNA), ribonucleic acids (RNA), genes, chromosomes, alleles, genomes, and the biological samples themselves. The Bill also shortens the breach notification timeline for service providers: a service provider must now notify the controller on whose behalf it maintains the data within 10 days of discovering a breach, rather than within 45 days.

FTC Takes Fresh Look at Digital Advertising Guidance and Seeks Public Input

The Federal Trade Commission's (FTC) ".com Disclosures: How to Make Effective Disclosures in Digital Advertising," last updated in 2013, provides guidance to businesses on digital advertising and marketing. After almost 10 years, the FTC has decided to update it. As dark patterns receive more attention, some companies are wrongly citing the guidance to justify practices that mislead consumers online. For example, firms have claimed that they can avoid liability under the FTC Act by burying disclosures behind hyperlinks, a practice that can expose consumers to financial fraud, intrusive surveillance, and other harms. FTC staff is seeking public input to ensure the guides help businesses treat consumers fairly. The FTC is soliciting comments on:

  • manipulative user interface designs
  • whether the current guidance adequately addresses advertising on mobile devices
  • hyperlink guidance
  • sponsored and promoted advertising on social media

The comment period will end on August 2, 2022. More information can be found here.

FTC Issues $150 Million Fine for Targeted Ads Based on Users’ Account Security Information

The FTC and the Department of Justice (DOJ) recently ordered Twitter to pay $150 million for violating a 2011 FTC order that prohibited it from misrepresenting its privacy and data security practices. From 2014 to 2019, almost 150 million users provided phone numbers and email addresses under the impression that they were doing so to secure their accounts, for example for two-factor authentication and account recovery. Instead of using the information solely for account security, as disclosed to users, the company allowed advertisers to target "specific ads to specific consumers by matching the information with data they already had or obtained from data brokers." The practical lesson for security teams is that data collected for an authentication or recovery purpose must be kept segregated from marketing systems; once it leaks into ad targeting, the disclosure that justified collecting it becomes a misrepresentation. In addition to the monetary penalty, the proposed order bans the company from profiting from the deceptively collected data. For more information, please see our alert.

Moving Closer to a Federal Data Privacy Act

As more states enact their own privacy laws, members of the privacy community and those subject to privacy legislation continue to push for uniformity. The proposed American Data Privacy and Protection Act (ADPPA) addresses this concern by setting out a uniform national data privacy framework. The ADPPA is the first bipartisan, bicameral comprehensive privacy and data security proposal with support from both House and Senate committee leaders. Its primary purpose is to give consumers foundational data privacy rights, create oversight mechanisms, and establish meaningful enforcement. In a press release, the ADPPA's sponsors described the effort as "years in the making" and "a critical milestone." The most recent version of the ADPPA will soon come before the full committee for a vote, where the bill's preemption of state laws, its right to cure, and the possible negative implications of its private right of action are likely to be front and center. Numerous privacy stakeholders have weighed in on those sections. For example, the Chamber of Commerce released a letter opposing the private right of action and preemption provisions, stating that it will oppose legislation that "fails to provide meaningful preemption or any proposal that creates a blanket private right of action." Given the reach of this legislation, and since key issues remain in flux, the committee's upcoming markup is worth monitoring. For more information, please see our alert.

IAB Tech Lab Releases Platform for Domestic and Global Privacy Digital Advertising Compliance

The Interactive Advertising Bureau (IAB) Tech Lab, IAB's digital advertising technical standards-setting body, announced the launch of its Global Privacy Platform (GPP). Released after two years of consultation with industry experts, the GPP is a single protocol for transmitting privacy, consent, and consumer choice signals from sites and apps to ad tech providers. According to IAB, the GPP provides an efficient way to encode and communicate consumer privacy preferences and lets those preferences be applied globally, across all platforms and channels. IAB claims the GPP "reduces the cost of managing privacy compliance" and simplifies compliance with multiple privacy regimes such as the GDPR, CCPA, and CPRA. Note that a signaling protocol only conveys the user's choice; honoring that choice downstream remains the responsibility of each ad tech provider that receives it. The specifications are open for public comment until July 30, 2022. Comments may be submitted to globalprivacy@iabtechlab.com.

FTC Refiles Advanced Notice of Proposed Rulemaking on Privacy and Artificial Intelligence

The FTC refiled its Advance Notice of Proposed Rulemaking (ANPRM) on privacy and artificial intelligence. This filing is identical to the one the FTC originally filed in December 2021, after which the FTC took no further action until now. Specifically, the ANPRM states that the FTC is considering initiating a rulemaking under Section 18 of the FTC Act to curb lax security practices, limit privacy abuses, and ensure that algorithmic decision-making does not result in unlawful discrimination. Find the filing here.

NAI Releases Voluntary Enhanced Standards for Precise Location Data

The Network Advertising Initiative (NAI) released the Precise Location Information Solution Provider Voluntary Enhanced Standards (Enhanced Standards) for a subset of NAI member companies that collect and use Precise Location Information to provide analytical services to clients (Location Solution Providers). The NAI reasoned that because these companies analyze large amounts of Precise Location Information and serve a variety of clients that rely on them to add context to raw location data, they are well positioned to prevent Precise Location Information from being used for purposes that may be detrimental to consumers, such as bounty hunting and law enforcement access outside of legal due process. The Enhanced Standards restrict the use, sale, and transfer of location data correlating to Sensitive Points of Interest, which include, without limitation, places tied to religious worship, correctional facilities, domestic abuse shelters, dependence or addiction treatment centers, sensitive healthcare services, military bases, and LGBTQ+ identity. Location Solution Providers that choose to make a public commitment to follow the Enhanced Standards will be assessed for compliance by NAI staff. A material violation of the Enhanced Standards will result in enforcement and could ultimately lead to sanctions under the NAI's Sanctions and Enforcement Procedures.

Ready to Test Drive in the Metaverse?

As e-commerce becomes more popular, the days of brick-and-mortar car dealerships may be numbered. Consumers can already select their preferred dealer and reserve, order, finance, and purchase a new or used vehicle in a single seamless transaction, and they may soon be able to rely on the Metaverse for their test-driving needs as well. The Metaverse currently offers a myriad of opportunities for dealers to engage interactively with consumers beyond traditional advertising. Manufacturers are already venturing in, including one Metaverse experience hosted on Roblox that lets users explore the latest racing technologies and motorsports available in the company's newest high-performance car. However, as with all evolving technology, there are legal and regulatory issues to consider. For more information, please see our alert here.

Global News

Sweden’s PTS Publishes Cookie Guide

Sweden's Post and Telecom Authority (PTS) recently published a cookie guide that focuses on notice and consent requirements. Notice should be as clear, complete, and user-friendly as possible and must include the purposes of processing. On consent, the guide states that access to a service may not be made conditional on accepting cookies. Consent must also be an affirmative act; simply not saying "no" cannot be treated as consent. The press release is available here, in Swedish only. The guide is here, in Swedish only.

Czech Republic’s Data Protection Authority Releases Cookie Consent Report

The Czech Republic's data protection authority released a report on cookie consent. The report covers the conditions for granting consent, revocation, the lifespan of consent, and "Accept All" versus "Reject All" buttons. Consent must be freely given, specific, informed, and unambiguous, and data subjects must have a simple option to decline without detriment. Consent may be revoked by the data subject at any time. As to lifespan, 12 months can be considered a reasonable period for which consent to the use of cookies has been granted; where a user has refused consent, however, it should not be requested again for at least six months. Finally, the appearance and color of the "Accept All" and "Reject All" buttons should allow data subjects to decide freely whether or not to give consent, rather than nudging them toward acceptance. The report is available here in Czech only.

Canada Introduces Artificial Intelligence and Data Act

Canada's Minister of Innovation, Science and Industry recently introduced a three-part privacy bill, Bill C-27, that, if passed, would govern consumer privacy, data protection, and artificial intelligence.

Part One:

Part 1 of Bill C-27 would enact the Consumer Privacy Protection Act to govern the protection of individuals' personal information while taking into account the need of organizations to process personal information in the course of commercial activities. It would also replace Part 1 of the Personal Information Protection and Electronic Documents Act, changing that statute's short title to the Electronic Documents Act.

Part Two:

Part 2 of Bill C-27 would enact the Personal Information and Data Protection Tribunal Act, which would establish an administrative tribunal to hear consumer privacy protection appeals.

Part Three:

Most notably, Part 3 of Bill C-27 would enact the Artificial Intelligence and Data Act (AIDA) to regulate international and interprovincial trade and commerce in artificial intelligence systems by requiring private sector organizations that design AI systems to adopt measures to mitigate risks of harm. The AIDA takes a risk-based approach: organizations responsible for "high-impact" systems (a term the bill does not yet define) must monitor and publish their compliance practices, notify the Minister if the system is likely to result in material harm, and comply with record-keeping requirements. Please find Bill C-27 here.

UK Department for Digital, Culture, Media and Sport Publishes New Data Protection Reform Bill Proposal: Will This Result in UK Leaving GDPR Entirely?

The Department for Digital, Culture, Media and Sport (DCMS) recently published its response to its data protection reform consultation, Data: A New Direction, originally launched in September 2021. The proposals in the response are arranged into five chapters: (1) reducing barriers to responsible innovation; (2) reducing burdens on businesses and delivering better outcomes for people; (3) boosting trade and reducing barriers to data flows; (4) delivering better public services; and (5) reform of the Information Commissioner's Office (ICO). They cover topics such as accountability, reuse of data for research, ePrivacy, data transfers, and data subject rights. Many of the proposals focus on extracting greater economic benefit from greater personal data use. Notably, language such as "the reforms proposed in the consultation provide an opportunity for the UK to reshape its approach to regulation outside of the EU" has led to concern that the UK's privacy laws will diverge from the GDPR.

Britain’s ICO Releases Surveillance Camera Guidance to Help Organizations Avoid Common Mistakes

Britain's Information Commissioner's Office (ICO) has released surveillance camera guidance to help organizations avoid common mistakes. Before deploying surveillance systems, organizations are expected to comply with certain UK GDPR and Data Protection Act requirements, and the guidance is designed to assist with this. It outlines considerations for the use of traditional closed-circuit television (CCTV); automatic number plate recognition; body-worn video; unmanned aerial vehicles; facial recognition technology; commercial products such as smart doorbells and in-vehicle surveillance; workplace monitoring; live streaming; and other commercially available surveillance systems that have the potential to process personal data. The guidance also features a checklist for operators of limited CCTV systems that monitor small premises, such as retail stores. The checklist asks these operators to clearly define the problem the surveillance is meant to address; designate an individual responsible for system operation; ensure cameras are appropriately positioned; and give notice to individuals through visible signs.
