Week of September 13, 2021

–

Want to receive these weekly privacy recaps in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.

USA

FTC’s PRIVACY REMIT cOMES INTO FOCUS

The biggest news of the week was that President Biden announced his intention to nominate Alvaro Bedoya, a privacy expert and advocate and founding director of the Center on Privacy & Technology at Georgetown Law, as an FTC Commissioner.

Meanwhile, the FTC’s privacy enforcement capabilities should get a major boost: the House Energy and Commerce committee passed the Build Back Better Act, which, among other measures, would extend $1 billion to, as the Chairman noted, “provide the Federal Trade Commission with more resources to better protect consumers from privacy and data abuses.”

Finally, the FTC announced 8 key enforcement areas, including acts or practices affecting children, algorithmic bias, and deceptive and manipulative conduct (expanded to include dark patterns).

OUR TAKE

Taken together, this week’s FTC news demonstrates the executive, legislative and regulatory focus on data protection under the FTC’s authority, but the FTC key areas of enforcement indicates its intent to focus at least its existing data protection resources on narrower subsets of children, algorithmic bias and dark patterns.

EUROPE

CNIL ENFORCEMENT UPDATE

The France DPA, CNIL, announced this week that, of the 40 entities that were notified back in June of non-compliance with the DPA’s Cookie rules, 80% are now in compliance. The remaining companies will either be granted an extension or will be fined up to 2% of their turnover. The CNIL also announced that new control campaigns are being prepared, continuing to focus on the possibility of refusing cookies as easily as accepting them and the effective compliance with that choice.

WHY THIS MATTERS

This was the CNIL’s second round of notices regarding violations of its cookie rules. The first round, sent in May, resulted in a 100% compliance rate within the required cure period, so this will be our first look at financial penalties resulting from violation of CNIL cookie rules.

FInlAND COOKIE GUIDANCE

The Finish Transport and Communications Agency, Traficom, published a revised guide on cookie storage in response to a new interpretive policy on cookies issued by the Helsinki Administrative Court in Spring 2021. The updated guidance clarifies that browser settings cannot be considered sufficient for consent, because browser settings cannot be considered a unique and active expression of intent when it comes to accepting different cookies and collection of data for a variety of uses.

OUR TAKE 

The issue of whether browser-level settings can/should be relied upon as an expression of user privacy preferences is a hot topic not just in Finland, but across the world, with varying viewpoints.

Finland has indicated here that browser settings cannot be relied upon as an active expression of user intent under an opt-in regime, while the California Attorney General’s office has expressed a requirement for businesses covered by the California Consumer Privacy Act to honor the Global Privacy Control, a setting in some browsers, as a valid consumer request to stop the sale of personal information.

Meanwhile, European privacy group noyb published a technical proposal in June to enable users to configure privacy consent preferences at the browser level, while the ICO announced an open consultation earlier this month inviting feedback as to whether, among other questions, leaning on browsers, software applications, device settings, data fiduciaries or trusted third parties is the right approach to manage individual consent preferences

GLOBAL

SAUDI ARABIA PERSONAL DATA PROTECTION LAW

The Saudi Arabia Cabinet reportedly approved the Personal Data Protection Law to be implemented March 13. The new law is designed to protect from unconsented collection and processing of personal data and extends user rights to view, access or restrict processing of personal data and know the purposes of its processing.

OUR TAKE 

General data protection laws are rapidly spanning the globe, with South Africa’s POPIA having gone into effect in July, Brazil implementing the final measure of the LGPD in August, China’s PIPL going into effect November 1 and several other countries with existing or pending legislation for the general protection of personal data.

Want more of the privacy highlights that matter to adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.