Privacy Law Update: August 15, 2022
Stay up to date with this weekly release covering key developments on data privacy laws, technology, and other hot privacy topics!
Federal Data Privacy Legislation: Differences With State Laws Raise Preemption Issues
For over two years now businesses have been dealing with the complexities of compliance with the California Consumer Privacy Act (CCPA); the nation’s first comprehensive consumer privacy law. Compliance became more complex with the enactment of comprehensive consumer privacy laws in Virginia, Colorado, Utah and Connecticut, plus the new California Privacy Rights Act (CPRA), a/k/a CCPA 2.0. As a result, industry has been screaming for one, consistent federal standard. Congress may finally be answering the call with the introduction of the American Data Privacy Protection Act, H.R. 8152, (ADPPA). The ADPPA in its current form would preempt most, but not all, state privacy and data protection laws.
Republican FTC Commissioner Noah Phillips to Step Down
Noah Phillips, one of two Republican commissioners at the Federal Trade Commission, is set to leave the agency in the fall, he told POLITICO. Phillips’ departure comes at an extraordinarily high-profile moment at the agency, one marked by a heightened skepticism toward corporate consolidation and tension between the Republicans and Democrats on the commission under Chair Lina Khan, a progressive antitrust hawk who has targeted the tech giants and corporate concentration across the economy.
FTC Deepens ‘dark Patterns’ Investigation
Business Insider reports the U.S. Federal Trade Commission is moving forward with its investigation into alleged use of “dark patterns” by Amazon in its Prime services promotions. The agency sent subpoena letters to current and former Amazon employees as it seeks details on the potential deceptive and manipulative practices the company used to amass and maintain Prime memberships.
Final Decision on Meta’s EU-US Data Transfers Delayed
Objections to the Irish Data Protection Commission’s order to halt Meta’s EU-U.S. data transfers will delay a final decision, Politico reports. A DPC spokesperson said fellow data protection authorities raised concerns during the mandated four-week consultation under Article 60 of the EU General Data Protection Regulation and it may take months to resolve the discrepancies. If issues go unresolved, the Article 65 dispute resolution mechanism will be triggered.
FTC Privacy Rulemaking: On Thursday, the Federal Trade Commission issued an Advance Notice of Proposed Rulemaking (“ANPRM”) on “Commercial Surveillance and Data Security” by a 3-2 vote. The ANPRM triggers a 60-day public comment period that will constitute a public record that the Agency will consider in determining whether to proceed with rulemaking. On September 8th, the Commission will host a virtual public forum on the proposal.
ADPPA: With legislative attention focused on the Inflation Reduction Act and August recess upon us, we have not seen any major public indications of progress on the American Data Privacy and Protection Act (ADPPA) from key policymakers. The most recent update is an August 4th report from Axios in which a spokesperson said that E&C Chair Pallone “is continuing to build broad bipartisan support and incorporate feedback from members, and is committed to seeing comprehensive national privacy protections signed into law.”
Colorado: The Colorado AG’s comment period for Colorado Privacy Act pre-rulemaking considerations closed on August 5. The AG is posting comments that it received here.
Montana: Sen. Kenneth Bogner (D) has submitted a bill draft request (LC0067) to state legislative services with the short title “Generally revise laws related to privacy and facial recognition technology.” The request is for the 2023 legislative session and it is unclear what scope such legislation may take.
New Jersey: S.332, a narrow privacy bill that would require websites to post privacy notices and honor opt-outs of sales (“monetary consideration”) was amended by Senate Majority Leader Ruiz (D) to clarify that the bill does not create a private right of action. This legislation was introduced in January by Senators Singleton (D) and Cody (D) and was reported from committee on a 3-2 vote in June.
Oregon: The Attorney General’s office submitted a draft comprehensive privacy bill (largely informed by the CO and CT privacy laws and a multi-stakeholder workgroup) to state legislative counsel. The AG’s office intends to move the bill in the 2023 session.