California agency issues draft privacy regulations

Want to receive these weekly privacy recaps in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.

USA

California Agency Issues Draft Privacy Regulations

The California Privacy Protection Agency (CPPA) issued draft regulations pursuant to its rulemaking authority under the California Privacy Rights Act (CPRA). The CPPA will discuss and potentially take action on the draft regulations at the next board meeting on June 8. 

WHY IT MATTERS

The draft regulations include multiple changes that would impact the digital advertising industry, including:

a. the regulations would require businesses to obtain explicit consent for use, retention and sharing of personal information for purposes unrelated or incompatible with the context in which the personal information is collected (consistent with what an average consumer would expect);

b. businesses would be required (not given the option) to treat universal opt-out preference signals as a valid request to opt out of sale/sharing of personal information, but would be given the option whether to additionally include “Do Not Sell or Share My Personal Information” and “Limit the Use of My Sensitive Personal Information” links, the decision for which impacts whether the business can charge a fee, alter the consumer’s experience, display content in response to the opt-out preference signal, or limit the application of the preference signal to only online personal information; and

c. companies contracted to provide cross-contextual behavioral advertising would constitute “third parties” (not “service providers” or “contractors”) under the law, giving consumers the right to opt out of the use of personal information for such purposes. 

Twitter Fined $150 Million for Using Account Security Data for Targeted Ads

The Federal Trade Commission (FTC) ordered Twitter to pay $150 Million based on allegations that the company used phone numbers and email addresses for targeted advertising that were originally collected on the pretext of protecting user accounts.

Twitter was under an FTC order from 2011 that specifically prohibited the company from misrepresenting its privacy and security practices.

In addition to paying the fine, Twitter is ordered to cease profiting from deceptively collected data and to make several adjustments to its privacy and security practices. 

WHY IT MATTERS

This case highlights the importance of having a comprehensive privacy program that takes into account all use of data, provides transparency to users regarding such use, and implements and maintains internal controls to ensure that the policy is followed throughout the lifecycle of such data.   

Washington Judge Allows Google Location Tracking Suit to Move Forward

Google’s motion to dismiss a location tracking lawsuit against it was denied, holding that the Attorney General, who brought the case, properly pled a Washington Consumer Protection Act claim against Google.

The Washington AG alleges that Google used a number of deceptive and unfair practices to obtain user consent to be tracked, in violation of the Washington Consumer Protection Act.

Specifically, Google allegedly provided hard-to-find location settings, misleading descriptions of location settings, repeated nudging to enable location settings and incomplete disclosures of Google’s location data collection.

The case will now proceed in King County Superior Court. 

WHY IT MATTERS

This case is one of four cases brought by State Attorneys General in the District of Columbia, Indiana, Texas and Washington regarding Google’s location tracking practices, all of which were filed in January 2022.

While only California (so far) has acomprehensive privacy law in place, it’s important for companies to keep in mind that the FTC and most state Attorneys General have the ability to take action against deceptive and unfair practices, which may result from implementing data collection practices and privacy settings that are misleading or difficult to use. 

Zuckerberg Sued Individually Over Cambridge Analytica Scandal

The District of Columbia Attorney General filed a lawsuit directly against Meta CEO Mark Zuckerberg based on allegations that he was aware or should have been aware of, possessed and/or exercised the authority to control, was responsible for creating and implementing, participated in, and directed, managed, or supervised employees who participated in, Facebook’s deceptive policies and trade practices leading to the Cambridge Analytica Scandal.

The complaint seeks an injunction to prevent Zuckerberg from violating the D.C. Consumer Protection Procedures Act, in addition to payment of restitution, civil penalties and attorneys’ fees. 

WHY IT MATTERS

This case demonstrates an additional layer of risk that executives of a company should consider when assessing privacy and data collection practices.

Although the thresholds to hold an executive directly liable vary by state law, it is not uncommon for company executives, particularly those with direct day-to-day decision-making, to be named as defendants or even sued individually, for decisions that result in harm, or violate the rights of, individual consumers. 

EUROPE

European Commission Publishes Q&A re Standard Contractual Clauses

The European Commission published a set of questions and answers based on stakeholder feedback from the first few months of using the Standard Contractual Clauses (SCCs), with the intent to provide practical guidance and assist in compliance efforts.

The Q&A outlines requirements for signing, modifying, and supplementing the SCCs, changing the parties, and updating from old to new SCCs and explains the scope and application of the SCCs, individual rights and obligations of exporters and importers, and the impact of local laws, judgments such as Schrems II and local authorities.

WHY IT MATTERS

With respect to the transfer of data to third countries, the Commission stresses the importance of conducting a “transfer impact assessment” that takes into account the specific circumstances of each transfer (e.g., the categories and format of the data, the type of recipient, the economic sector in which the transfer occurs, and the length of the processing chain) and points out that the parties may consider different elements as part of an overall assessment, such as application of the country’s laws in practice, the existence or absence of requests in the same sector, and documented practical experience of the data exporter and data importer. 

Want more of the privacy highlights that matter to adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.