Elena Morin, Marketing Director


USA

Bicameral, Bipartisan Discussion Draft of Federal Privacy Bill Announced

Two legislators (the Republican chair of the House Energy and Commerce Committee and the Democratic chair of the Senate Commerce, Science and Transportation Committee) released a discussion draft of the American Privacy Rights Act on April 7. The comprehensive privacy bill, if passed, would preempt most aspects of existing and future U.S. state comprehensive privacy laws and terminate the current FTC “surveillance advertising” rulemaking.

The bill includes requirements for data minimization, transparency, consumer requests, impact assessments, opt-outs (including universal opt-out mechanisms and data broker opt-out mechanisms), sensitive data consent, and a data broker registry. The bill also includes a limited private right of action. The law would take effect 180 days after enactment, unless specified otherwise. 

TAKEAWAY

The bill is still in very early stages, so it would likely go through some modifications before (and if) it passes. The current version contains some potential inconsistencies or ambiguities, particularly as it relates to targeted advertising. For example, the bill includes a specific right to opt out of targeted advertising, but the definition of “sensitive covered data” (the transfer of which requires opt-in consent) includes information revealing an individual’s online activities over time and across websites or online services that do not share common branding or over time on any website or online service operated by a covered high-impact social media company. This definition could encompass most third-party targeted advertising, requiring opt-in consent.

Additionally, there is an outright ban on the collection, processing, retention, or transfer of covered data that is not necessary, proportionate and limited to maintain a specific product or service requested by the individual. Although there is an exception to that ban to process or transfer covered data to provide targeted advertising, that exception doesn’t apply to sensitive covered data (which, as mentioned, is defined to potentially include most targeted advertising).

Yes, my brain hurts too.

Either the intent is for businesses (and consumers) to splice targeted advertising into various narrow circumstances to determine whether opt-out or opt-in rights or an outright ban applies, or some clean-up and clarification is needed. 

FTC Order Bans Another Service’s Sharing of Health Data for Advertising

The FTC announced a proposed $2.5 million Order settling its complaint against Monument based, in part, on allegations the alcohol addiction treatment service engaged in unfair acts or practices by failing to employ reasonable measures to prevent the disclosure, and to obtain consumers’ affirmative express consent before disclosing, consumers’ health information via tracking technologies to third parties for advertising and the third parties’ own purposes. The complaint also included allegations of deceptive practices based on the service’s alleged misrepresentation of its activities and compliance with HIPAA.

In addition to a $2.5 million monetary settlement, the FTC proposes a ban on disclosure of health information for advertising purposes, a requirement to obtain affirmative express consent for any other disclosure of health information, a prohibition against misrepresentations regarding Monument’s activities, a requirement to cause all third parties who previously received health information from Monument to delete such information and a mandated privacy program, among other requirements.

TAKEAWAY

The coupling of monetary settlements with bans on sharing data for advertising seems to be a common tactic for the FTC in cases regarding the sharing of data with third parties via tracking technologies (see, for example, similar approaches in the FTC’s BetterHelp and Avast cases). Although the ban in this case is limited to health information, that term is broadly defined to include, among other categories, “information concerning the consumer’s use of, creation of an account associated with, or response to a question or questionnaire related to, a service or product offered by [Monument] or through one of any of [Monument’s] online properties, services, or mobile applications,” “information concerning medical or health-related purchases” and “information derived or extrapolated from [any of the categories] (e.g., proxy, derivative, inferred, emergent or algorithmic data).”

Nebraska Sends Comprehensive Privacy Bill to Governor’s Desk

The legislature of Nebraska (a single-chamber state) passed LB1074, an omnibus bill containing a comprehensive privacy law referred to as the Data Privacy Act. If signed by the Governor, the Data Privacy Act would take effect January 1, 2025, the same day as the Iowa, Delaware and New Hampshire laws.

TAKEAWAY

The Nebraska Data Privacy Act largely resembles (and is in large part word-for-word copied from) the Texas Data Privacy and Security Act. Interestingly, one aspect of the Texas law that was not adopted by Nebraska was the requirement to include a specific notice (“NOTICE: We may sell your [sensitive/biometric] personal data”) when engaging in such activities.   


A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.
