Privacy Law Update: May 31, 2022
Have you tried to unsubscribe from a recurring service and given up? Have you opted to “accept all” cookies on a website to access the content without an annoying banner covering half of the page? Nearly all web users have encountered some form of what is commonly known in the data privacy community as a “dark pattern”: an interface designed to nudge users toward choices they might not normally make if the options were presented differently. Although businesses and their web or app designers may feel tempted to explore employing these methods, the increased regulatory focus on dark patterns makes it more important than ever to consider the avoidance of dark patterns as a legal obligation, not just a best practice.
Twitter Agrees with DOJ and FTC to Pay $150 Million Civil Penalty and to Implement Comprehensive Compliance Program to Resolve Alleged Data Privacy Violations
The Department of Justice, together with the Federal Trade Commission (FTC), announced a settlement that, if approved by a federal court, will require Twitter Inc. to pay $150 million in civil penalties and implement robust compliance measures to protect users’ data privacy. The settlement will resolve allegations that Twitter violated the FTC Act and an administrative order issued by the FTC in March 2011 by misrepresenting how it would make use of users’ nonpublic contact information.
The European Commission published a Q&A on standard contractual clauses for data transfers under the EU General Data Protection Regulation. On Dec. 27, a new set of SCCs for international data transfers will replace existing SCCs. The Q&A offers practical guidance on the use of SCCs and assists stakeholders in compliance efforts, the Commission said, adding the document is “intended to be a ‘dynamic’ source of information and will be updated as new questions arise.”
A delegation of several members of the European Parliament’s Civil Liberties Committee will visit Washington, D.C., May 23 to 26. Led by Chairman Juan Fernando Lopez Aguilar, the delegation plans to discuss possibilities for the new EU-U.S. Trans-Atlantic Data Privacy Framework.
Google released updates on its Privacy Sandbox for Android, which is on track for a beta release by the end of 2022. The lead third-party cookie alternative being trialed in the sandbox, “Topics,” was made available for a developer trial in April. Google will preview the “First Locally-Executed Decision over Groups Experiment” and “Attribution Reporting” concepts in May or June. On the beta release, Google said, “key components” of the sandbox “will be distributed as mainline modules” to Android devices in order to allow for improvements “in a seamless way.”
California: The California Privacy Protection Agency (CPPA) held a board meeting on Thursday, May 26. The ‘New Rules Subcommittee’ (board members Le and de la Torre) announced that it is planning to release an initial rulemaking package covering (1) the Agency’s audit authority and (2) administrative enforcement processes. The Subcommittee will continue to work on a separate rulemaking package covering (1) cybersecurity audits, (2) privacy risk assessments, and (3) automated decision-making. Furthermore, Maureen Mahoney, formerly of Consumer Reports, was announced as the CPPA’s new Director of Policy. Separately, video from the CPPA’s May 4-6 public stakeholder sessions is now available online.
We continue to track various privacy-related bills in California. Today is the last day for bills to move out of their chamber of origin. Two significant bills sponsored by Reps Wicks (D) and Cunningham (R) have advanced:
AB 2273 would establish an ‘Age-Appropriate Design Code’ requiring online products and services likely to be accessed by children (under 18 years old) to implement various default limits on data collection & use, profiling, etc. On May 26 the bill passed the State Assembly by a 66-0 vote.
AB 2408, the ‘Social Media Platform Duty to Children Act’, would prohibit social media platforms from ‘addicting’ child users and authorize private lawsuits with civil penalties up to $25,000 per violation ($250,000 per knowing violation). On May 23 the bill passed the State Assembly by a 51-0 vote. Senate amendments are reportedly possible.
Numerous privacy bills are set to fail to pass their chamber of origin, including SB 1189 (biometric data); AB 1651 (workplace privacy); AB 2871, AB 2891, and SB 1454 (extending the CPRA employee data carve-outs); SB 1059 (data brokers); and AB 2486 (establishing a CPPA office for the protection of children).
Louisiana: The ‘Louisiana Consumer Privacy Act’ (HB 987), introduced by Rep. Daryl Deshotel (R), received its second hearing in the House and Governmental Affairs Committee on May 17, advancing on a 9-2 vote. While scheduled for floor time in the House multiple times over the past week, the bill has been deferred to Tuesday, May 31 for a potential chamber vote.
While the bill initially followed the Utah Consumer Privacy Act closely, Deshotel has amended it to add correction rights, expand deletion rights, create risk assessment requirements, remove all carveouts for pseudonymous data, and expand responsibilities for biometric data. Louisiana’s legislative session adjourns on June 6.
Pennsylvania: HB 2202, originally introduced in December 2021 by Rep. Mercuri (R) with 23 Republican and 7 Democratic cosponsors, received an informational hearing in the House Consumer Affairs Committee on Wednesday, May 25. No action was taken and no formal announcement for next steps was made, but the Chair appeared interested in remaining engaged on the bill and considering additional exemptions. This is a fairly unique privacy bill containing elements of both the CCPA and CPA; it lacks a definition of “sensitive data” and would require recognition of opt-out signals. The Pennsylvania legislative session adjourns on November 30.