Privacy Law Update: November 21, 2022
Stay up to date with this weekly release covering key developments on data privacy laws, technology, and other hot privacy topics!
Newsworthy Updates
New Privacy Laws in 2023
There are five states with new comprehensive consumer privacy laws taking effect in 2023 — California, Virginia, Colorado, Utah and Connecticut. While businesses are well-advised to start their compliance efforts early, the lack of final implementing regulations from some states makes complete compliance impossible at this time. California and Colorado recently released draft regulations for comment.
Consumer Reports Innovation Lab Launches App for Data Rights Protocol
The Consumer Reports Innovation Lab is launching a testing application for the Data Rights Protocol, an open standard for exchanging data rights requests to make it easier for companies to comply with consumer privacy laws. The app, OSIRAA v0.5, is available on GitHub and can be used by “both authorized agent and privacy infrastructure provider companies looking to implement the protocol,” Lead Engineer John Szinger said. With OSIRAA, Szinger said companies “can test against the protocol on their own and refine their implementations as needed.”
A View From DC: Lame Ducks and Safe Kids
Most senators who sponsored privacy legislation are instead indicating that they will focus their energy in the lame duck session on youth privacy. The best, or perhaps only, path for this would be to attach a proposed bill to a piece of “must-pass” legislation, like an omnibus spending bill. At the moment, the Kids Online Safety Act represents the clearest candidate for such an endeavor. Axios reports that both sponsors of the bill, Sens. Richard Blumenthal, D-Conn., and Marsha Blackburn, R-Tenn., intend to give this a shot.
India Proposes Digital Personal Data Protection Act 2022
India’s Ministry of Electronics and Information Technology proposed new privacy legislation, the Digital Personal Data Protection Act, 2022. The draft bill aims to enable personal data processing while recognizing individuals’ rights and “the need to process personal data for lawful purposes.” It allows cross-border data transfers with “certain notified countries and territories” and establishes a Data Protection Board to oversee compliance and impose penalties, stated not to exceed 5 billion rupees. The ministry welcomes public feedback on the draft bill until Dec. 17.
Privacy Legislation
DPC 2022: EU-US Data Privacy Framework On Track, Schrems Challenge to Come: Well-known and influential names entrenched in the ongoing discussions around EU-U.S. data flows made their presence felt in back-to-back breakout sessions to cap off the final day of the IAPP Europe Data Protection Congress in Brussels, Belgium. EU and U.S. government officials took the stage focused on further touting and cementing the pending EU-U.S. Data Privacy Framework’s workability. NOYB Honorary Chairman Max Schrems threw cold water on those notions, all but announcing he will attempt to raise a potential “Schrems III” challenge to the Court of Justice of the European Union.
Home Stretch: Finalization of CPRA Regulations Draws Close: The delay on California Privacy Rights Act regulations has proven difficult for everyone involved. Covered entities are in a bind trying to address CPRA compliance ahead of the Jan. 1, 2023, effective date without final rules being promulgated by the California Privacy Protection Agency. On the other hand, the CPPA is trying to work diligently and tactfully in the face of criticism for running well past its initial July 1 deadline to finalize regulations. The pressure on both sides could ease soon, though, with the CPRA rulemaking process entering the final stretch. The CPPA recently approved modifications to the draft regulations and opened a 15-day public consultation that runs through Nov. 21.
Google Pays Nearly $392 Million to Settle Sweeping Location-Tracking Case: Google has agreed to pay nearly $392 million in a settlement with 40 states over allegations that the company tracked people through their devices after location tracking had been turned off, a coalition of state prosecutors announced on Monday. Authorities said, since at least 2014, Google broke consumer protection laws by misleading users about when it secretly recorded their movements. It then offered the surreptitiously harvested data to digital marketers to sell advertisements, the source of nearly all of Google’s revenue.