Privacy Law Update: October 11, 2021
It was always going to be interesting to see who would be appointed the inaugural leader of the California Privacy Protection Agency. With the hiring process mostly closed-door and unpublicized, the selection was bound to catch people by surprise and did just that on Monday. The CPPA announced Ashkan Soltani, former chief technologist for the U.S. Federal Trade Commission and senior advisor to the White House, will be its first executive director. Soltani was a key player in the drafting of the California Consumer Privacy Act and the California Privacy Rights Act, and also a leading voice and advocate for the Global Privacy Control initiative.
Last week, we wrote about FTC Chair Khan’s memo describing her plans to transform the FTC’s approach to its work. This week, she followed up with a no-less-ambitious statement laying out her vision for data privacy and security, which she appended to an agency Report to Congress on Privacy and Security (“report”). Together, these documents outline a remarkably far-reaching plan to tackle today’s data privacy and security challenges. As noted in the dissents, however, some of the stated goals may exceed the bounds of the FTC’s current legal authority.
Members of the U.S. Senate Committee on Commerce, Science, and Transportation’s Subcommittee on Consumer Protection, Product Safety, and Data Security used a hearing with Facebook whistleblower Frances Haugen to lament the need for Congress to act on federal privacy legislation, The Wall Street Journal reports. Sen. Amy Klobuchar, D-Minn., explicitly called for the drafting of a comprehensive privacy law during the hearing while characterizing Haugen as “the catalyst for that action.” Haugen added that simply updating existing U.S. privacy laws “will not be sufficient.”
Consumers are more concerned about data privacy than ever. Through data breaches, legislation changes and shifts in technology, consumers have learned the importance of keeping their data safe and they’re short on patience for companies that don’t respect their security. Privacy has become even more important since the onset of the pandemic, which has shifted content consumption to even more digital channels where consumer data can be collected and leveraged for ad revenue.
European Data Protection Board Establishes Cookie Banner Taskforce, Which Will Also Look Into Dark Patterns and Deceptive Designs
The European Data Protection Board (“EDPB”), a body with members from all EEA supervisory authorities (and the European Data Protection Supervisor), has recently established a taskforce to coordinate the response to complaints about cookie banner compliance filed with several European Economic Area (“EEA”) Supervisory Authorities (“SAs”) by the non-profit organisation NOYB. NOYB believes that many cookie banners, including those of ‘major’ companies, engage in “deceptive designs” and “dark patterns”.
Privacy professionals around the world are feverishly working on configuring and implementing the European Union’s new standard contractual clauses. Effective Sept. 27, companies in the European Economic Area entering into new cross-border data transfer arrangements with companies outside the EEA based on SCCs must adopt the new versions. Any recipient that signs the new SCCs promises it has matching agreements in place with its own vendors according to Clauses 8.8 and 9. Myriad businesses are affected because every company has numerous affiliated and unaffiliated vendors and other business partners worldwide. To remain open to businesses from the EEA, all companies need to have the new SCCs in place by Sept. 27.
- Massachusetts Legislature to hold privacy hearing: The Massachusetts Legislature’s Joint Committee on Advanced Information Technology, the Internet and Cybersecurity will hold a virtual hearing Oct. 13 to consider data privacy-related bills. The committee’s agenda features at least seven bills proposed by state lawmakers from both chambers that cover data privacy matters, including frameworks for comprehensive state privacy law, biometric privacy and education privacy. Meanwhile, Northeastern University School of Law and College of Computer and Information Science Professor Woodrow Hartzog wrote an op-ed supporting consideration of Bill S.46, the Massachusetts Information Privacy Act.
- Connecticut Tightens its Data Breach Notification Laws: Effective October 1, 2021, an amendment to the Connecticut General Statute concerning data privacy breaches, Section 36a-701b, will impact notification obligations in several significant ways. The amendment:
  - Expands the definition of “personal information”;
  - Shortens the notification deadline after discovery of a breach from 90 to 60 days;
  - Removes the requirement to consult with law enforcement as part of a risk assessment;
  - Deems compliant any person subject to and in compliance with HIPAA and HITECH; and
  - Provides certain exemptions from public disclosure for materials provided to the state in response to an investigation of a breach of security.