Week of September 6, 2021

Julie Rubash, Chief Privacy Counsel
September 12, 2021

Want to receive these weekly privacy recaps in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.



A bi-partisan bill was filed in the Oklahoma House of Representatives to create the Oklahoma Computer Data Privacy Act of 2022, described by one of its authors as “the most stringent data privacy law in the nation”.


Among other requirements, the law would require covered businesses to limit use of a consumer’s personal information to “that which is reasonably necessary to provide a service or conduct an activity that a consumer has a requested or for a related operational purpose.” “Operational purpose” is defined to include customization of advertising or marketing, but the law would require covered businesses to extend to consumers the right to opt out of personalized advertising.


U.S. House Democrats unveiled a budget proposal that would include $1 billion for FTC enforcement relating to privacy, data security, identity theft, data abuses and related matters.


Earlier this summer, we saw an Executive Order from President Biden encouraging the FTC to establish rules on surveillance and the accumulation of data, introduction of the federal Safe Data Act to (among other things) strengthen the FTC’s rulemaking authority, and a whitepaper from an FTC commissioner discussing how FTC rulemaking could address harmful outcomes from algorithmic decision-making. In combination with this budget proposal, these initiatives indicate strong focus at executive, legislative and regulatory levels to drive data reforms through FTC rulemaking and enforcement.


Following UK Digital Secretary Dowden’s August announcement of plans to develop a “world-leading data policy”, the UK government launched an open consultation to explore various options to resolve issues with existing privacy requirements. The consultation poses several questions and invites responses through November 19.


Among other data reform topics, the consultation cites impact on audience measurement data and the number of cookie pop-ups on websites as issues to resolve and proposes various options to explore, including permitting organizations to use analytics cookies and store and collect information from user devices for limited purposes without user consent, as well as leaning on browsers, software applications, device settings, data fiduciaries or trusted third parties to manage individual consent preferences.

Beyond its own proposals for data reform (see above), the ICO this week announced that it would call on the other G7 data protection and privacy authorities (from Canada, France, Italy, Japan, U.S., and Germany) to “bring practical solutions” to tackle challenges with cookie consent pop-ups.


The ICO consultation and G7 communications make clear an intent not to remove cookie consent altogether but to take a step back, collaboratively assess the practical impact of existing laws on digital data collection, and explore alternative approaches to give consumers more meaningful control where it’s most important.


The data protection authority of France (CNIL) released a self-assessment tool to aid companies in achieving a “maturity model” in data protection management. The model proposes 5 maturity levels and applies them to 8 typical data protection activities in order to “quantify the rigor and formalism with which Data protection management activities are managed” within a company.


Although the maturity model isn’t law, it may be a helpful tool for companies to assess where their data protection policies sit in the spectrum of the CNIL’s expectations and recommendations.



The Hindu reported that the new chairman of India’s Joint Parliamentary Committee on a Personal Data Protection Bill is reopening consultations after the panel finalized a draft report last year. The chairman reportedly made several changes to the bill, including expanding certain provisions to cover both personal and non-personal data, specifically in the context of data breaches. The committee has been asked to submit a report by the Winter session that will be called in the third week of November.


Previous versions of India’s Personal Data Protection Bill contains several concepts similar to GDPR, including requirements to obtain consent to collect personal data (with several exceptions) and to extend certain rights to individuals from whom data is collected. Based on Hindu’s report, it doesn’t appear that such provisions have changed in the most recent version, although the process has been delayed with renewed deliberations.

Want more of the privacy highlights that matter to adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.

Latest Blog Posts

Vermont Data Privacy Bill Is Vetoed

June 17, 2024

Vermont Governor announced his veto of a bill that...

You Are Who You Work With: Cookie Consent and Data Privacy

June 11, 2024

Who you work with for consent management and data...

Texas AG Prepares for “Aggressive Enforcement” of Privacy Laws

June 10, 2024

Texas Attorney General announced a data privacy and security...

Latest White Papers

Benchmark Report: US Privacy Compliance

August 19, 2022

The current state of publisher compliance with CCPA, and...

Ebook: A Publisher’s Guide to Vendor List Curation

December 16, 2021

How to review your vendor list to mitigate compliance...

Keep in touch

Sign up for our newsletter to keep up with privacy news for adtech and martech,
plus occasional company news.

Let's explore what we can do together.

We'll be in touch within 48 hours

[contact-form-7 id="593" title="Schedule a Demo"]