Privacy Law Update: May 16, 2022
• read
Stay up to date with this weekly release covering key developments on data privacy laws, technology, and other hot privacy topics!
Newsworthy Updates
US Senate Confirms Alvaro Bedoya to FTC as Fifth and Final Commissioner
After a series of delays during the confirmation process, the U.S. Senate approved the nomination of Georgetown University law professor Alvaro Bedoya to fill the remaining commissioner vacancy on the Federal Trade Commission. Bedoya’s confirmation now gives Democratic appointees a 3-2 majority on the FTC’s Board of Commissioners.
California Privacy Protection Agency Holds Pre-Rulemaking Stakeholder Sessions
The California Privacy Protection Agency (CPPA) in charge of implementing and enforcing the California Privacy Rights Act (CPRA) and California Consumer Privacy Act (CCPA) held a series of pre-rulemaking stakeholder sessions over three days last week. Executive Director of the Agency, Ashkan Soltani, opened the sessions on Wednesday, May 4, welcoming those in attendance which included Professor Jennifer Urban, Chair of the Agency. Urban was appointed Chair of the five-person CPPA Board by California Governor Gavin Newsom in March 2021.
Potential Roe v. Wade reversal brings ‘urgent need’ for federal privacy law
U.S. Rep. Suzan DelBene, D-Wash., issued a statement explaining how overturning Roe v. Wade further amplifies the need to “swiftly pass a strong” federal privacy law. DelBene said Congress “can’t afford to wait” on a law because “our tech laws are so behind.” She also noted how the impacts on women’s online privacy from the pending Supreme Court decision could be best addressed through a national privacy standard. She said sensitive data risks include “internet searches about reproductive health care including abortions, menstrual tracking and other women’s health apps, and which medical facilities a woman has visited.”
Digital Advertising Alliance Launches Initial Certification Process for Addressable Media Identifiers
The Digital Advertising Alliance (DAA) announced the launch of its initial certification process for providers of Addressable Media Identifiers (AMIs). AMIs are used to enable relevant advertising, optimized outcomes, measurement tools, and other important functionality with new privacy safeguards for the ad-supported digital content and services enjoyed by millions of consumers worldwide. “Over more than a decade, the DAA has built the advertising industry’s leading independent self-regulatory platform for interest-based advertising, and the AMI certification process is the logical next step for our efforts,” said Lou Mastria, CIPP/US, executive director of the DAA. “The DAA has continuously adapted our industry guidelines and consumer tools to keep pace with new technologies and industry changes, and we are proud to continue to evolve our program with important new cross industry privacy safeguards including prohibited data uses.”
UK announces data protection reform
The U.K. government announced in the Queen’s Speech its intentions to reform the country’s data protection regime, Euractiv reports. The speech did not include specific details regarding the extent of the reform, but those are expected in the weeks to come. The changes may affect EU-U.K. adequacy, as Centre for European Reform Senior Research Fellow Zach Meyers said the U.K. “was repeatedly found to have breached” EU data protection standards previously with its national security practices and further divergence may lead the European Commission to a withdrawal.
Privacy Legislation
California: The California Privacy Protection Agency (CPPA) heard public comments from approximately 100 stakeholders in a series of virtual sessions held from May 4-6. A brief summary of FPF’s presentations to the CPPA on the topics of automated-decision making, data minimization, and opt-out preference signals can be found here. The Agency heard from various representatives of industry and civil society, with commentary largely matching responses to the September 2021 request for comments. Alastair Mactaggart, proponent of the CPRA ballot initiative, spoke to reiterate his argument that the plain language of the CPRA requires that businesses recognize opt-out signals like the Global Privacy Control.
Connecticut: On Tuesday, May 10, Governor Lamont signed SB 6, An Act Concerning Personal Data Privacy and Online Monitoring in law. The majority of this comprehensive privacy legislation will take effect on July 1, 2023. FPF’s summary memo on the bill is available in our member portal here.
Florida: Florida’s special session is scheduled to run from May 23 to May 27. While the only formally announced topic for the special session is property insurance, rumors have circulated that data privacy may be added to the agenda. As a reminder, HB 9 passed the state House in early March (CCPA-style + graduated PRA).
Louisiana: The ‘Louisiana Consumer Privacy Act’ (HB 987) introduced by Rep. Daryl Deshotel (R) received a hearing in the House Commerce Committee on Monday, May 9. While initially closely following the Utah Consumer Privacy Law, the Committee adopted amendments offered by Deshotel to add correction rights, expand deletion rights, create risk assessment requirements; remove all carveouts for pseudonymous data, and expand responsibilities for biometric data. The Commerce Committee advanced the bill without objection.
Then, on May 11, HB 987 received an unexpected hearing in the House and Governmental Affairs Committee (the late amendment to include risk assessment requirements included the standard public records exemption, and all Louisiana bills that touch on public records must go through House and Governmental Affairs). Chair Stefanski (R) shared that he had heard concerns about the legislation and that action on HB 987 would be deferred until the Committee’s next hearing, Tuesday, May 17th.
Pennsylvania: HB 2202 originally introduced in December 2021 by Rep Mecuri (R) with 23 Republican and 7 Democratic cosponsors has been scheduled for a hearing in the House Consumer Affairs Committee on May 25. This is a fairly unique bill containing elements of both the CCPA and CPA, it lacks a definition of “sensitive data” and would require recognition of opt-out signals. The Pennsylvania legislative session adjourns on November 30.