APD approves IAB Europe action plan

Want to receive these weekly privacy recaps in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.

UNITED STATES

Four More States Introduce Comprehensive Privacy Legislation

 Indiana, Iowa, Mississippi and Oregon all introduced comprehensive privacy bills, bringing the total number of states with active comprehensive privacy legislation to 9 (including a roll-over bill from 2022 in New Jersey).

TAKEAWAY

The Indiana, Iowa and Mississippi bills are more business-friendly (less restrictive) versions of existing comprehensive privacy laws in Virginia, Utah and California.

The Oregon bill introduces several new elements, however, including a private right of action and a consumer right to receive a list of specific third parties to whom a controller has disclosed personal data.  

Three States Introduce Kids Privacy Bills

Virginia, West Virginia and Oregon all introduced bills to impose heightened protections for the  personal information of children under the age of 18.

The Virginia bill would amend the Virginia Consumer Data Protection Act to, among other changes, prohibit the knowing processing of children’s personal data for targeted advertising, sale or profiling.

The Oregon bill is closely based on the California Age Appropriate Design Code, applying certain restrictions to online services that a child under 18 is “reasonably likely to access”. 

The West Virginia bill is closer to the existing federal Children’s Online Privacy Protection Act, except that it applies to children under 18, rather than 13. 

TAKEAWAY

 Children’s privacy has increasingly come into focus at both the state and federal level, with no signs of slowing down.

After an end-of-year push by several advocacy groups, the federal bill to implement the Kids Online Safety Act was revised in December 2022 in an attempt to pass the childrens’ privacy bill by end of year.

Although it didn’t pass, President Biden is calling this year for strong protections for young people, including banning targeted advertising altogether for children. 

EUROPE

APD Approves IAB Europe Action Plan

The Belgian Data Protection Authority (APD) announced that it approved IAB Europe’s action plan submitted in response to the APD’s February 2022 decision holding IAB Europe’s Transparency and Consent Framework (TCF) in violation of the GDPR.

The APD’s approval starts a 6-month clock for IAB Europe to implement changes in accordance with its action plan, putting the deadline in July 2023. 

CONTEXT + TAKEAWAY

 IAB Europe submitted its action plan in April 2022, while in parallel appealing the APD’s decision.

The Belgian Market Court hearing the appeal subsequently sent two questions up to the European Court of Justice (CJEU), specifically whether the Transparency and Consent String of the TCF constitutes personal data under the GDPR and whether IAB Europe should be considered a “controller” of either the Transparency and Consent String or other personal data processed by participants using the TCF.

Both of these questions, depending on how they’re decided, could dramatically alter (or even invalidate) the APD decision and IAB Europe’s resulting action plan; however, it’s possible that decisions from the CJEU may not come down for another year or longer, putting IAB Europe in a rough position if they are forced to implement their action plan within 6 months.

IAB Europe made these points in their reaction to the APD’s decision, making clear that they will be looking to take measures that will be sustainable with EU-level (i.e., CJEU) GDPR interpretations, rather than measures that might need to be rolled back at the end of the appeal process.

This reaction is consistent with a statement issued by IAB Europe in October 2022 reserving “the right to engage in any form of available legal action should the APD attempt to enforce its illegal decision and preempt responses from the CJEU on the central issues that have been referred to it.”

Follow our updates on the Belgian DPA and the TCF

CJEU Interprets Access Right to Include Recipient Identities, Unless Exceptions Apply

The Court of Justice of the European Union (CJEU) issued a decision in response to a request from the Supreme Court of Austria asking whether Article 15 of the GDPR grants the data subject the right of access to the specific recipients of data disclosed by the controller, or rather, whether the controller has discretion as to whether to disclose specific recipients or categories of recipients.

The CJEU answered that disclosure of specific recipients is required, unless it is either impossible to provide that information (e.g., if it is not yet known) or where the controller can demonstrate that the request is unfounded or excessive. 

TAKEAWAY

It is not clear from the decision what circumstances, specifically, would warrant applying an exception (e.g., what would rise to the level of an excessive or unfounded request).

The case at issue involved Österreichische Post, a publisher of telephone directories that provided personal data to trading partners for marketing purposes; however, the CJEU remanded back to the referring court the question of whether Österreichische Post had demonstrated that the request for specific identities of its trading partners was manifestly excessive or unfounded, in light of the specific circumstances.

CNIL Announced 5M Euro Fine of TikTok for Insufficient Cookie Consent

The French Data Protection Authority (CNIL) announced that it had fined TikTok 5 million euros for violations of the Data Protection Act, France’s implementation of the ePrivacy Directive and GDPR.

Specifically, the CNIL held that, while TikTok did have a cookie banner allowing acceptance of cookies, there was no equivalent method of refusing cookies, and users were not sufficiently informed of the purposes of the different cookies. 

TAKEAWAY

The CNIL’s requirement for cookie banners to allow rejection as easily as acceptance should not come as a surprise.

They have issued similar decisions against other platforms, including a decision against Facebook in 2021, prompting Facebook to add a refusal button entitled “only allow essential cookies” above an acceptance button entitled “allow essential and optional cookies”, which the CNIL found to be satisfactory.  

Want more of the privacy highlights that matter to adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.