Here’s a round up of a few of the privacy developments we followed from the past couple of months between December 2021 and February 2022. If you missed our last post, you can find it here.

United States Privacy Updates:

Adtech: Companies continue to grapple with cookie-less future

• Google abandoned its plans to replace its third-party marketing cookies with Federated Learning of Cohorts (“FLoC”) following pushback from privacy advocates.  In place of FLoC, Google has announced the “Topics API,” which will assign users interests—or topics—based of their web activity.  Topics will be selected and stored locally and will be reassigned each week.
• The impact of Apple’s privacy changes in iOS14 became clearer following release of Q4 results in early 2022.  Meta estimated that the changes could result in a $10 billion drop in ad sales this year.

Standards: NIST publishes new assessment framework for security and privacy

• NIST released “Assessing Security and Privacy Controls in Information Systems and Organizations,” a new control assessment meant to help organizations develop tailored assessment procedures.

Broadband: FCC approves Nutrition Labels for broadband services

• The FCC voted to move forward on a plan that would require broadband providers to offer labels that disclosed a plan’s price, speed, data allowances, and network management practices.

FDA: Draft Guidance on Use of Real-World Data Released

• The FDA released “Considerations for the Use of Real-World Data and Real-World Evidence to Support Regulatory Decision-Making for Drug and Biological Products.”  The draft guidelines include consideration of privacy issues for access to health care data.

FTC: New Guidance on FTC’s Health Breach Notification Rule

• The FTC released new guidance on its Health Breach Notification rule.  The guidance includes more information on entities covered by the rule, triggers for the notification requirement, and actions to take once a breach occurs.

 FTC: COPPA Enforcement Against OpenX

• The FTC required an online advertising platform OpenX Technologies, Inc. to pay $2 million to settle claims the company violated COPPA by allowing child-directed apps to participate in its ad exchange and collected geolocation data from users who had opted-out of such tracking.

U.S. States Privacy Updates:

Biometric Privacy: More States Introducing BIPA-Like Bills

• Legislators in Kentucky introduced HB32, a BIPA copycat that includes a private right of action.
• Similarly, legislators in Maryland introduced HB0259.  HB0259 would introduce new compliance obligations on companies as it diverges from the BIPA mold.

Comprehensive Data Privacy Bills Filed Across the Country

New state bills have been introduced in:

• New York
• Florida (House Version)
• Indiana (House Version)
• Washington
• Vermont
• Mississippi
• Nebraska
• Hawaii

States File Suit Against Google

• Attorneys general from Texas, Washington, D.C., and others filed suit against Google, claiming that the company obtained location information from users through dark patterns.  The suits are based on state consumer protection laws.

California: AG CCPA Enforcement Actions Continue While CPPA Preliminary Rulemaking Takes Shape

• The California Privacy Protection Agency released comments submitted in response to the Agency’s September 2021 invitation for preliminary comments.
• On Data Privacy Day 2022, California Attorney General Rob Bonta announced a new round of CCPA warning letters.  The sweep was focused on companies operating loyalty programs that implicated CCPA’s financial incentives requirements.
• SB 746, if passed and signed by the Governor, would amend the CCPA and CPRA to require that business disclose to consumers whether personal information was used for political purposes and, if so, disclose how that information was used.

District of Columbia: Stop Discrimination by Algorithm Act Introduced

• Attorney General Karl Racine introduced legislation that would increase transparency around automated decision-making and prohibit use of algorithms that produce discriminatory results in education, employment, housing, and services such as credit, health care, and insurance.

Pennsylvania: Expanded Data Breach Bill

• The Pennsylvania Senate is considering SB696, which would extend breach notification rules to state agencies.

Virginia: Amendments Proposed to VCDPA

• 7 amendments to the VCDPA are being considered in the Virginia Legislature.  The amendments touch on topics ranging from the right to delete to the definition of nonprofit.

Asia Privacy Updates:

China: Personal Information Protection Law Takes Effect

• Following the November 1 implementation date for PIPL, the Ministry of Industry and Information Technology ordered Tencent to pause its roll-out of new apps and updates.

Europe Privacy Updates:

Google Analytics Decision: The Austrian DPA held that international transfers via Google Analytics Violated the GDPR

• In the continuing saga of international transfers, the Austrian DPA held that an Austrian website violated the GDPR by maintaining Google Analytics on its site.  The parties relied on SCCs, but neither the SCCs nor other measures taken by Google overcame the risk posed by potential US government surveillance.  The DPA made clear that additional measures must be taken specifically to thwart US surveillance activities.  If this decision is followed across Europe and no replacement for Privacy Shield is agreed to, international transfers from the EU to the US will be severely hampered.

IAB Releases New Guides to Connected TV and In-App Advertising

• The Guide to CTV Targeting and Measurement expands upon the industry group’s existing guidance on connected TVs, including its general guidance, a focus on programmatic opportunities, and a guide to brand safety.
• The organization also released its new Guide to In-App Advertising, which focuses on an overview of the ecosystem and as well as the key changes taking place.

New Guidelines on Right of Access under GDPR

• The European Data Protection Board released new guidance on the right of access.  The guidance expands upon the right by providing more information on considerations such as scope, information required to be provided, formatting of requests, and responses to manifestly unfounded or excessive requests.

Emerging Policies on Digital Rights and AI

• The European Commission proposed a draft Declaration on European Digital Rights and Principles.  The Declaration aims to keep people at the center of the digital transformation, touching on everything from working conditions to digital public services.
• The European Parliament kicked off work on the proposed Artificial Intelligence Act.  If passed, the Act would be the first law to specifically govern AI in the EU.

New CNIL Guidance on Processor Use of Data

• CNIL, the French data processing authority, released guidance on processors’ use of personal data for their own product development.  Broadly, the authority would permit such re-use only where the processing activity is compatible with the original purpose of the processing and where the processor has received written authorization from the controller.

New UK Model Clauses Submitted to Parliament

• The model international data transfer agreement and addendum, if approved by Parliament, will replace the existing standard contractual clauses for data exports out of the UK.  Assuming Parliament does not object, the documents will come into force on March 21, 2022.

Belgian DPA Issues Fine Against IAB Europe

• The Belgian DPA found that IAB Europe’s Transparency and Consent Framework, commonly used in Europe’s advertising ecosystem, violated the GDPR and issued IAB Europe a 250,000 euro fine.  Citing several violations—including lack of a legal basis for processing and failure to maintain records of processing activities—the DPA ordered IAB Europe to permanently delete all data from the framework currently in its system.

Irish DPC Publishes Final Guidance on Children’s Privacy

• The Data Protection Commission released the final version of “Children Front and Centre: Fundamentals for a Child-Oriented Approach to Data Processing,” a guidance document that provides child-specific interpretations of GDPR principles.  The document, referred to as “Fundamentals,” will form the basis of the DPC’s approach to enforcement in relation to processing children’s data.

Clearview AI Ordered to Stop Processing in France

• CNIL ordered Clearview AI to stop collecting and using data from people within the French territory, citing Clearview AI’s lack of legal basis for its original collection of data.  CNIL also found that Clearview AI had failed to respect individuals’ subject access request rights.

Meta and Google Fined Over Cookie Practices

• Facebook and Google were fined €60M and €150M respectively by CNIL for the companies’ methods for collecting cookie consents.  CNIL, acting under the ePrivacy Directive, said that the companies made accepting cookies easier than rejecting them.

Hintze Law PLLC is a Chambers-ranked, boutique privacy firm that provides counseling exclusively on global data protection. We support technology, ecommerce, advertising, media, retail, healthcare, and mobile companies, organizations, and industry associations in all aspects of privacy & data security.