Want to receive these weekly privacy recaps in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.
USA
FTC Blog Post Says “Browsing and Location Data are Sensitive. Full StoP.”
The Federal Trade Commission posted on its blog a summary of takeaways from its recent proposed settlements with Avast, X-Mode and InMarket.
Gaining attention is a bolded statement in the middle of the post: “Browsing and location data are sensitive. Full stop.”
The post goes on to say that “[w]hat makes the underlying data sensitive springs from the insights they reveal and the ease with which those insights can be attributed to particular people”, noting that “datasets often contain sensitive and personally identifiable information”.
TAKEAWAY
Taken as a whole, it’s not clear whether the FTC’s proposed settlements and blog post are implying that all browsing and location data are sensitive, regardless of whether the datasets contain sensitive insights that can be contributed to particular people, or if removing the sensitive nature of the insights and the ease with which those insights could be contributed to particular people would also remove the data from the “sensitive data” category.
Precise geolocation data has been included in the definition of “sensitive data” in other contexts, including under several state laws.
However, “browsing data”, if considered to be per se sensitive, would be a new entry into the “sensitive data” category.
New Hampshire Governor Signs Comprehensive Privacy Law
New Hampshire officially became the 14th State to enact a comprehensive privacy law when New Hampshire Governor Chris Sununu signed SB 255. The law will take effect January 1, 2025, the same day that Delaware, Iowa and Tennessee laws will take effect.
TAKEAWAY
SB 255 is largely identical to Connecticut’s privacy law, with some differences, including lower consumer data processing thresholds for application of the law to businesses.
Like Connecticut and over half of the comprehensive privacy laws enacted so far, the New Hampshire law would require recognition of universal opt-out preference signals.
Bill Banning TikTok and Other “Foreign Adversary Controlled Applications” Advances
The U.S. House Energy and Commerce Committee approved a bill that, if passed, would prohibit any entity from distributing, maintaining or updating a “foreign adversary controlled application” through an online app store or other marketplace or providing internet hosting services to enable such distribution, maintenance or updating.
A “foreign adversary controlled application” includes any website or desktop, mobile or augmented or immersive technology app operated by ByteDance, TikTok, their foreign-adversary-controller subsidiaries and successors, and entities owned or controlled by those subsidiaries and successors.
The bill also allows the definition to include additional entities posing a significant threat to the national security of the United States, as determined by the President, if they meet certain thresholds and criteria. Exclusions apply for any entity (including TikTok) that is divested, such that it is no longer controlled by a foreign adversary.
TAKEAWAY
The immediate implications of this bill, if passed, primarily focus on TikTok and essentially force a divestiture of the company if it wants to be available through U.S. app stores. However, the bill also opens the door to apply to other qualifying foreign-adversary-controlled entities that the President (now or in the future) deem to be a threat to national security.
EUROPE
CJEU Answers Critical Questions in APD GDPR Case Against IAB Europe
The EU Court of Justice (CJEU) issued answers to questions posed by the Belgian Market Court hearing the IAB Europe’s appeal of the Belgian Data Protection Authority (APD)’s February 2022 decision holding IAB Europe’s Transparency and Consent Framework (TCF) in violation of the GDPR. Specifically, the CJEU found:
(1) the Transparency and Consent (TC) String of the TCF constitutes personal data under the GDPR;
(2) IAB Europe can be considered a “controller” of the TC String; and
(3) IAB Europe should not necessarily be considered a “controller” of other personal data processed by participants using the TCF.
TAKEAWAY
Now that the CJEU judgment has been delivered, the Belgian Market Court can continue its deliberations on the substantive issues raised in IAB Europe’s appeal.
The Market Court will then either uphold or overturn the APD decision, in whole or in part.
Based on the mixed nature of the answers given by the CJEU, the decision by the Belgian Market Court is likely to be a mixture of upholding and overturning various aspects of the decision, so it is likely that we’ll see the case remanded back to the APD for further consideration and modification.
In the meantime, the APD has voluntarily suspended its enforcement of its decision pending a ruling from the Market Court, which means that IAB Europe will not be required to implement the action plan submitted by IAB Europe in response to the APD decision at least until after the Market Court ruling is issued.
Want more of the privacy highlights that matter to adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.
A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.
Keep in touch
Sign up for our newsletter to keep up with privacy news for adtech and martech,
plus occasional company news.