Privacy Law Update: June 6, 2022
For the first time in years, members of U.S. Congress have found common ground on comprehensive federal privacy legislation and a bipartisan framework may be in reach. Politico reported members of the U.S. Senate and House are circulating a draft bill that includes bipartisan compromise on the two biggest stumbling blocks between parties, federal preemption and the private right of action. The draft from Senate Committee on Commerce, Science, and Transportation Ranking Member Roger Wicker, R-Miss., and House Committee on Energy and Commerce leaders Frank Pallone, D-N.J., and Cathy McMorris Rodgers, R-Wash., speaks to previously reported momentum between chambers and parties, but the proposal also hasn’t yet garnered the support of Senate Commerce Committee Chair Maria Cantwell, D-Wash., arguably the most important legislator working on federal privacy legislation.
IAB Tech Lab Unveils Global Privacy Platform (GPP) To Consolidate Domestic And Global
Following two years of collaboration with the industry, and consultation processes with technical and legal experts across the globe, IAB Tech Lab, the digital advertising technical standards-setting body, is proud to announce the launch of the Global Privacy Platform (GPP). GPP is one of the products of IAB Tech Lab’s Project Rearc initiative. It is a single protocol designed to streamline transmitting privacy, consent, and consumer choice signals from sites and apps to ad tech providers, and integrates with existing privacy signals from Europe’s Transparency & Consent Framework and CCPA in the U.S.
An external auditor reported on a “secret data flow list” that enables the sharing of data with Microsoft for third-party advertising. The audit describes how DuckDuckGo’s web browser did not block data transfers to ad platforms owned by Microsoft—LinkedIn and Bing—when the auditor was on a site that was not a Microsoft property. The audit is nuanced, and I think the auditor’s commentary is the best way to simply relay the findings. One main take-away is this: DuckDuckGo intentionally left certain third-party trackers unimpeded while many users thought the product would be blocking those trackers.
The metaverse is no longer a concept—it’s here. And as it gains more traction from tech companies like Microsoft, Facebook and Nvidia, and retailers like Nike and Ralph Lauren, we need to start talking about the potential privacy implications that occur when our real and virtual lives become increasingly blurred.
California: The California Privacy Protection Agency has released an initial set of draft implementing regulations for the California Privacy Rights Act. The Agency has yet to enter formal rulemaking procedures on this draft and we will be closely watching a June 8 Agency board meeting for potential announcements of next steps in the process. There is plenty to dig into in these proposed regs, so be sure to check out expert analyses from our friends at Frankfurt Kurnit, Hogan Lovells, & Kelley Drye.
Separately, we expect to closely follow Assembly-members Wicks (D) and Cunninghams’ (R) pair of child online privacy, safety and design bills as they move from the California Assembly over to the Senate. AB 2408 the ‘Social Media Platform Duty to Children Act’ has been referred to the Judiciary and Appropriations committees while AB 2273 to establish an ‘Age-Appropriate Design Code’ has yet to formally receive its committee assignments.
Louisiana: The ‘Louisiana Consumer Privacy Act’ (HB 987) was withdrawn from a potential House vote by sponsor Daryl Deshotel (R) on Tuesday, May 31. Deshotel said that he wouldn’t run a bill without 100% business buy-in and that his bill only got 85% of the way there. Nevertheless Deshotel got a final set of amendments adopted to help set the bill up for next year including: (1) replacing the “sexual orientation” sensitive data category with “an individual’s sex,” (2) narrowing the right to portability to only cover information provided by the consumer in the previous 12 months, and (3) narrowing the right to delete to personal data previously provided by the consumer. We are moving HB 987 to the failed bills list.
New York: New York’s legislative session ended on June 2 without passing comprehensive privacy legislation. However, on May 31, S6701, the ‘New York Privacy Act’ from Senator Thomas (D) was significantly amended to bring the bill into greater alignment with the VA-CO legislative model. Core changes include:
- Limiting the definition of “biometric data” to information that “allows or confirms unique identification of a natural person”
- Adding relatively standard definitions of “decisions that produce legal or similarly significant effects”; “precise geolocation”; and “sensitive data” and amending the definitions of “profiling” and “targeted advertising”
- Amending the transparency notice requirement to remove “the identity of each third party” recipient and replacing it with the disclosure of “categories of third party” recipients.
- Narrowing the opt-in consent requirement to “sensitive personal data” rather than just “personal data.”
- Creating a right to opt-out of data sales, targeted advertising, and significant profiling, that may be exercised through user-enabled privacy controls.
- Reducing the restrictions on the use and retention of personal data to clearly permit internal business operations and compliance with legal obligations.