Privacy Law Update: March 20, 2023
Stay up to date with this weekly release covering key developments on data privacy laws, technology, and other hot privacy topics!
Attorney General’s Office files finalized Colorado Privacy Act rules
The Colorado attorney general’s office announced finalization of the Colorado Privacy Act regulations. The office highlighted rules implemented on the topics of universal opt-out mechanisms, data protection impact assessments, user profiling and transparency. The rules were formulated based on feedback from 137 written comments. “Attorneys in my office thoughtfully incorporated feedback throughout the rulemaking to carefully craft rules to both protect consumers and ensure businesses have reasonable direction as they manage Coloradans’ information,” Colorado Attorney General Phil Weiser said.
California legislative wrap-up: CCPA amendments, children’s privacy, and more
Feb. 17 marked the deadline for California legislators to introduce bills for the current legislative session. Among more than 2700 bills introduced by state senators and assembly members, 10 proposed amendments to the California Consumer Privacy Act and the Information Practices Act of 1977, which imposes purpose limitations, consent requirements, and other privacy protections over personal data held by the government. Other bills address topics like updating the Confidentiality of Medical Information Act, platform liability, and student data privacy. While a significant majority of data privacy-related bills were introduced by elected representatives from the Democratic Party, Assemblymen Joe Patterson, Jim Patterson, and Tri Ta offered a few bills from across the aisle.
Iowa set to finalize sixth US comprehensive state privacy law
The next shoe is set to drop in the growing network of U.S. comprehensive state privacy laws. Iowa is poised to become the sixth state to pass comprehensive legislation after both chambers of the Iowa Legislature unanimously voted to approve Senate File 262.
Courts Side With Big Companies Including Amazon and Experian in Privacy Appeals
Big companies are winning appeals to overturn regulatory decisions that allege they violated European privacy rules, potentially carving out a path for more businesses to challenge similar sanctions. Courts in the U.K., Spain, Italy, and Germany sided with companies including Experian PLC, Amazon.com Inc., and Italian energy giant Enel SpA in recent rulings, in some cases striking down multimillion-dollar fines and reaffirming companies’ arguments that their data practices comply with the General Data Protection Regulation.
FTC finalizes $520M COPPA settlement; proposed budget seeks additional privacy resources
The U.S. Federal Trade Commission finalized its $520 million settlement with Epic Games over alleged Children’s Online Privacy Protection Act violations. The settlement covers FTC claims of nonconsensual data collection of users under the age of 13 and unlawful communications that proved harmful to Fortnite video game players.
The FTC’s new Office of Technology published analysis and subsequent guidance on third-party tracking pixels. The office unpacked recent enforcement work by the FTC on tracking in the cases of digital health providers GoodRx and BetterHelp. It explains what pixels are, how they work, and where the concerns lie, and presents five key findings from the analysis.
The FTC requested a 37% budget increase, approximately $160 million, from the U.S. Congress for fiscal year 2024. In a report outlining its needs, the FTC said it wants to hire 310 full-time employees, including 62 dedicated to consumer protection, with an eye toward helping the agency “investigate and litigate more and increasingly complex matters.”