Privacy Law Update: October 18, 2022
CMOs Are on Their Toes and Not Conducting ‘Business As Usual’ As Data Privacy Regulators Get More Assertive
CMOs are a bundle of nerves these days. Blame data privacy regulators for some of it. Sure, the threat of a global recession keeps marketers awake at night, but being named and shamed in headlines of The New York Times for data privacy breaches is the stuff of nightmares. But until recently, those nightmares never materialized. After all, it was the platforms and ad tech vendors that were in headlines for data snafus, not advertisers.
The White House Office of Science and Technology Policy published “Blueprint for an AI Bill of Rights,” which provides design, development and deployment guidelines for artificial intelligence technologies. Data privacy, algorithmic discrimination protections and user choice principles are among the OSTP’s “five common sense protections to which everyone in America should be entitled.” The OSTP said the blueprint is “a vision for a society” and its AI use focuses on protections from the onset, input from marginalized communities and realizing technological benefits.
The Colorado Department of Law filed a set of proposed rules to implement the Colorado Privacy Act (Draft CO Rules) on Sept. 29, 2022, foreshadowing additional compliance obligations that businesses will have to strive to meet in 2023. The level of detail in the document – which is nearly 40 single-spaced pages in 10-point font – stands in stark contrast to the underlying law, which is high level and largely parrots the Virginia Consumer Data Protection Act (VCDPA). Though the Draft CO Rules are not as proscriptive as the proposed California Consumer Privacy Act (CCPA) rules regarding consumer-facing requirements, the Draft CO Rules focus much more heavily on data governance and management of sensitive data.
Britain will replace the European Union’s data privacy regime known as the General Data Protection Regulation (GDPR) with its own system, culture secretary Michelle Donelan said on Monday. “We will be replacing GDPR with our own business- and consumer-friendly British data protection system,” Donelan said, speaking at the annual conference of Britain’s governing Conservative Party in Birmingham.
IAB Tech Lab finalized the Global Privacy Platform, designed to help communicate and manage user consent signals from various jurisdictions. The GPP supports signals for the Global Privacy Control and the IAB Europe Transparency and Consent Framework as well as consent strings required under comprehensive state privacy laws. More jurisdictions will be added as global regulations come online. For state law compliance, IAB Tech Lab urged companies to transition from its U.S. Privacy Specifications tool to the GPP, which will be “the only platform to accommodate upcoming and future privacy and consent management requirements in the U.S.”
Executive Order on EU-U.S. Privacy Framework: On October 7, President Biden signed a long-awaited executive order (EO) which implements a new EU-U.S. data privacy schema. The EO is intended to address the concerns raised in the 2020 Schrems II decision, in which the Court of Justice of the European Union (CJEU) invalidated the EU-U.S. Privacy Shield, the mechanism that had previously provided the legal basis for data transfers between the EU and the U.S. under the GDPR. In Schrems II, the CJEU ruled that the U.S., in allowing for overly-invasive government surveillance, did not provide sufficient protections for the data of EU citizens.
FTC on Dark Patterns: On September 15, the Federal Trade Commission (FTC) released a staff report on dark patterns, identifying and analyzing four major categories of manipulative design. The report is the outcome of conversations kicked off in the FTC’s virtual ‘Bringing Dark Patterns to Light’ Workshop (Apr. 29, 2021), which convened experts, advocates, and representatives from the business community to discuss the use of manipulative design online and its impact on consumer autonomy.
- The report focuses on economic harm, but is also concerned with the confusion and shame that consumers may experience after being misled by manipulative design.
- There are also fair competition considerations at work in the agency’s contemplation of “dark patterns.”
American Data Privacy and Protection Act (ADPPA): ADPPA’s preemptive effect on state privacy laws, especially those in California, remains one of the most controversial aspects of the bill. In a recent Slate article, Professors Danielle Citron and Alison Gocke suggest that lawmakers could provide California with a waiver to continue to set its own privacy standards, similar to the waiver granted to California for environmental regulations.
Colorado: On September 30, the Colorado Attorney General’s office published a draft of regulations implementing the Colorado Privacy Act. The draft regulations are highly detailed and complex. There are eleven “High Level Takeaways” from the draft rules, including their creation of a new definition of “biometric data,” distinct from the definition used in other state privacy laws; the substantial requirements the draft rules create around unified opt out mechanisms; and the rules’ creation of a new category of sensitive data called “sensitive data inferences,” which must be deleted within 12 hours if collected without consent from children under age 13.
The Colorado Attorney General’s office will hold stakeholder meetings seeking feedback on the draft regulations on November 10, 15, and 17, 2022 and a public hearing on February 1, 2023.