Privacy Law Update: January 18, 2022
Stay up to date with this weekly release covering key developments on data privacy laws, technology, and other hot privacy topics!
Privacy Impact Assessments – Practical Considerations
This is the first of a multi-article series focused on privacy impact assessments. This first article provides an overview of privacy impact assessments, the existing and pending privacy laws which require privacy impact assessments, and how privacy impact assessments are used in practice from a proactive perspective. The second article will focus on data protection impact assessments pursuant to Article 35 of the European Union’s General Data Protection Regulation (GDPR). The third article will focus on similar assessments required under U.S. State laws set to go live in 2023 including the California Privacy Rights Act (CPRA), Virginia’s Consumer Data Protection Act (VCDPA), and the Colorado Privacy Right Act (CPA). The fourth and final article will provide best practices on building a global privacy impact assessment process.
CNIL’s ePrivacy Fines Reveal Potential Enforcement Trend
The new year for EU data protection enforcement has rung in with an early bang courtesy of France’s data protection authority, the Commission nationale de l’informatique et des libertés. The CNIL fined Google and Facebook up to a combined 210 million euros for alleged cookie violations under the ePrivacy Directive. Allegations against the companies focus on French users’ inability to easily decline tracking via cookies. Google’s U.S. and Irish operations received penalties of up to 90 and 60 million euros, respectively, while Facebook Ireland will pay up to 60 million euros. Additional daily penalties of 100,000 euros are possible if users are not given sufficient means to opt out of tracking within three months.
Israel Privacy Protection Bill Includes Steep Sanctions – and a DPO
On January 6, 2022, the Israeli government released a long-anticipated bill amending and updating Israel’s 1981 Privacy Protection Act (PPA) (the Bill). If passed, the Bill would constitute the most comprehensive update of the PPA in more than two decades. Primarily, the Bill greatly enhances the enforcement and investigation powers of the privacy regulator, the Israel Privacy Protection Authority (IPPA). While relaxing certain bureaucratic burdens on Israeli companies, most notably the dated obligation to register databases, it would tighten substantive obligations and impose steep sanctions for violations, including severe criminal penalties. For the first time under Israeli law, it would require certain companies to appoint a data protection officer (DPO).
How to Read Your iOS 15 App Privacy Report
It’s broadly safe to download a mainstream app from the iOS App Store or Android’s Google Play. But thanks to increasingly invasive tracking by Facebook and others, Apple and Google have both recently introduced transparency features into iOS and Android that give you more insight into how often apps access data and sensors, from your camera and microphone to your location and contacts. If you’re an iOS user, the App Privacy Report tool likely hit your phone a few weeks ago. Here’s how to get the most out of it.
India’s Draft Data Protection Bill Moves Closer to Passage
Stephen Mathias from Kochhar & Co. reports that on December 16, 2021, the Indian Joint Parliamentary Committee (the “JPC”) submitted its report on India’s draft Data Protection Bill (the “Bill”). The Bill is now likely to be passed by Parliament in its next session, beginning in February 2022, and likely will enter into force in the first half of 2022. In its report, the JPC recommended a phased approach to implementing the law, beginning with the appointment of various government officers, such as the Data Protection Authority (“DPA”), with full implementation of the law to be completed within 24 months. The JPC’s report also contained a revised draft of the Bill. Certain key aspects of the revised Bill are summarized below.
What to Anticipate for EU Digital Policy in 2022
Digitalization has been a top priority for the European Commission, including an extensive legislative package, which ranges from platform regulation to artificial intelligence, from data sharing to cybersecurity. With the commission’s mandate set to expire in spring 2024, this year is its last chance to present proposals that could complete the legislative process in time. Journalist Luca Bertuzzi looks at what 2022 has in store for digital matters in the EU.
Alaska: The Consumer Data Privacy Act (HB 159 / SB 116), a CCPA-style bill, will roll over into this session. The Act was introduced at the request of Governor Dunleavy. In December 2021 the House Labor and Commerce Committee presented changes to the bill, summarized here.
Furthermore, the “Personal Information Protection Act” (HB 222) was prefiled on January 7 by Representative Rauscher (R). The Act contains CPRA-style “do not sell” and “limit the use of sensitive personal information” rights. The Act creates a private cause of action limited to data breaches and delegates rulemaking authority to the Department of Commerce, Community, and Economic Development.
District of Columbia: Council Chairman Mendelson introduced B24-0451. The bill was introduced at the request of the Uniform Law Commission (ULC) and is based on the Uniform Personal Data Protection Act drafted by the ULC.
Florida: Senator Jennifer Bradley filed the Florida Privacy Protection Act (SB 1864) on January 7, 2022. Senator Bradley sponsored SB 1734 last year. It is expected that Representative McFarland will introduce a bill in the Florida House in the coming days.
Rep. McFarland (R) introduced HB 969 on January 11, which provides a consumer right to opt out of sale or sharing to third parties and a private right of action limited to (1) failures to delete/correct, (2) continuing to sell or share data following an opt out, and (3) selling or sharing information of people under 17 without consent. As a reminder, Rep. McFarland’s 2021 “Consumer Privacy Act” (HB 969) included a broad private right of action and passed the state house by a 118-1 vote.
Indiana: HB 1261 was introduced on January 10 by Rep. Carey Hamilton (D). The bill creates CPRA-style rights to opt out of the sale or sharing of personal information and to restrict the use of sensitive personal information. Enforcement authority is allocated to the Indiana Attorney General’s Consumer Protection Division.
Maryland: The “Maryland Online Consumer Protection and Child Safety Act” (SB 11) was pre-filed on Oct. 15, 2021 by Senator Lee (D). The bill creates a right to opt out of the third-party disclosure of personal information and provides for broad AG rulemaking.
New York: In New York, a platoon of comprehensive data privacy bills originally introduced in 2021 rolled over on January 5. These include the “Online Consumer Protection Act” (A 405); “Consumer Control of Personal Information” (S 557); “New York Data Protection Act” (S 1570); “Digital Fairness Act” (A 6042); and, perhaps most prominently, Senator Thomas’ “New York Privacy Act” (S 6701), which would provide for a “duty of loyalty.”
Ohio: The “Ohio Personal Privacy Act” (HB 376) supported by Lt. Governor Jon Husted will carry over. The bill resembles elements of the CCPA and includes a safe harbor against AG enforcement for adherence to the NIST privacy framework. At a House Government Oversight Committee Hearing on December 9th, sponsors suggested that numerous changes to the bill are under consideration; however, an amended version has not yet been formally released. News reports suggest that sponsors have put the bill on hold, but intend to push it again this year.
Oklahoma: The “Oklahoma Computer Data Privacy Act” (HB 2969) was prefiled by Reps. Walke (D) and West (R) on Sept. 9 201. The Act provides that a business shall collect or share data only if “reasonably necessary to provide a good or service to a consumer who has requested the same or is reasonably necessary for security purposes or fraud detection.” In 2021, an earlier version of the Act passed the Oklahoma State House by a vote of 85-11.
Vermont: H 570, a placeholder bill (no substantive text) relating to enhancing data privacy protections for consumers, was submitted on January 10 by Reps. Marcotte (R) and Kimbell (D).
Virginia: Virginia legislators have started to propose amendments to the “Virginia Consumer Data Protection Act” scheduled to take effect in 2023. HB 381, introduced on Jan. 11 by Del. Davis (R), would allow controllers that collect consumer data indirectly to treat deletion requests as opt-out requests. HB 552, introduced on Jan. 11 by Del. O’Quinn (R), would add 501(c)(4) organizations to the nonprofit exemption. HB 714, introduced on Jan. 11 by original VCDPA sponsor Del. Hayes, would add “political organizations” to the nonprofit exemption; allow an opportunity to cure only where “deemed possible” by the AG; permit the AG to recover “actual damages” sustained by consumers; and replace the “Consumer Privacy Fund” with the existing “Revolving Trust Fund.”
Washington: Representatives Vandana Slatter and April Berg pre-filed the Washington Foundational Data Privacy Act (HB 1850) on January 7, 2022. The bill is similar to the Colorado and Virginia laws, but it contains an annual registration requirement, would create the Washington State Consumer Data Privacy Commission (similar to the California Privacy Protection Agency), and contains a private right of action.
It remains to be seen whether Senator Carlyle will amend his Washington Privacy Act (SB 5062) when the legislature opens on January 10, 2022.
On January 10, Sen. Carlyle introduced a limited-in-scope privacy bill, SB 5813, which would impose broad privacy obligations for children’s and adolescents’ data, regulate data brokers, and provide for the recognition of a “Do Not Track” mechanism. A first hearing is scheduled for January 20th. Sen. Carlyle’s “Washington Privacy Act” has also been carried over.