California Agency Opposes Federal ADPPA

Want to receive these weekly privacy recaps in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.

USA

California Agency Opposes Federal ADPPA

The California Privacy Protection Agency (CPPA) unanimously voted to oppose HR 8152, the federal bill implementing the American Data Privacy and Protection Act (ADPPA), citing the bill’s broad preemption language as the reason for its opposition.

Through a separate motion, the CPPA voted that it would support federal legislation that provides a floor for states while allowing states to implement stronger protections.

WHY IT MATTERS

The CPPA is not alone in its opposition to the ADPPA.

The Washington Attorney General expressed in a letter his opposition to various aspects of the ADPPA, including its preemption provision, stating that “Congressional legislation is stronger when it establishes baseline protections and allows states to adopt stronger consumer protections to meet the individual needs of its residents.”

The Electronic Frontier Foundation expressed similar sentiments, calling on Congress not to roll back state privacy protections.

The ADPPA passed out of a House committee earlier this month, but it won’t see anything further action until at least mid September, when the House returns from break. 

Children’s Privacy Bills Advance to Senate Floor

The U.S. Senate Committee on Commerce, Science and Transportation voted to recommend to the Senate bills implementing two children’s privacy privacy.

The Kids Online Safety Act would impose a duty of care and transparency obligations on platforms with respect to minors under 17.

The Children and Teens Online Privacy Protection Act would expand COPPA to cover data from minors under 18, requiring consent from minors ages 13-16 for targeted marketing and prohibiting targeted marketing to children under 13.  

WHY IT MATTERS

While the ADPPA (see first post above) would include some protections for minors, some Senators have reportedly said that children’s privacy should be the focus of privacy legislation, prioritized over a more comprehensive privacy bill.

This focus could distract from efforts to move the ADPPA forward, particularly in light of opposition to the preemption provisions of the ADPPA. 

TikTok to Pay $92 Million Privacy Settlement

A federal judge approved a class-action settlement against TikTok based on claims under a number of data protection laws, including the federal Video Privacy Protection Act (VPPA).

The consolidated class action complaint asserted, among other complaints, that TikTok shared with Google and Facebook TikTok users’ device IDs and advertising IDs in combination with the users’ video viewing history without user consent in alleged violation of the VPPA. 

WHY IT MATTERS

The question of whether a device ID in combination with video viewing history constitutes “personally identifiable information” under the Video Privacy Protection Act (VPPA) has been resolved inconsistently across jurisdictions, leaving video streaming and similar services unsure whether collection and sharing of video viewing history in combination with device IDs or Advertising IDs requires user consent under the VPPA.

The VPPA creates a private right of action against such service providers that disclose “information which identifies an individual as having requested or obtained specific video materials or services”. Although the TikTok settlement is merely a settlement, and therefore not binding precedent, it demonstrates the risk of testing the waters in this unsettled area of law. 

FRANCE

CNIL Closes Injunction After Meta Implements of Cookie Refusal Button

The French Data Protection Authority (CNIL) announced its decision to close its previous injunction against Facebook parent company Meta, issued December 31, 2021, after Facebook complied with the CNIL’s order to allow users of facebook.com to refuse cookies as easily as to accept them.

Facebook.com now includes a refusal button entitled “Only allow essential cookies”, which appears above the acceptance button entitled “Allow essential and optional cookies”, which the CNIL found to be satisfactory to comply with its order.

However, the CNIL reserved the right to control the compliance of facebook.com with other requirements, in particular the requirement to provide clear and complete information and to obtain consent for each purpose. 

WHY IT MATTERS

The CNIL is not alone in its insistence on allowing users to reject as easily as consent to cookies and personal data collection.

Greece issued letters to 30 websites in May 2022 warning that users were not able to reject consent with the same number of actions, and at the same level, as their ability to consent.

The Hamburg DPA issued similar letters to Google and other media houses in April 2022. Several other DPAs, including Ireland, Italy, Finland and Denmark, have issued guidance requiring extending an equal opportunity to accept and reject consent. 

CNIL Calls for Privacy-Friendly Age Control on Websites

The CNIL issued guidance for implementing age control on websites, where necessary, in a manner compatible with the General Data Protection Regulation (GDPR).

Primarily, the CNIL cautions that, by default, websites should be without identity or age checks, reserving such checks only for sites for which it is necessary (e.g., for pornographic websites).

Where age verification is necessary, the CNIL stresses the use of a trusted third party that can receive reliable proof of age and transmit it with triple privacy protection, such that no participant in the process holds all pieces of the puzzle: proof of age, the identity of the user, and the site consulted. 

WHY IT MATTERS

Reservation of age screens only for “adult content” websites may, in some circumstances, be inconsistent with children’s privacy guidance in other jurisdictions. For example, in the United States, the Federal Trade Commission has suggested implementing an age screen on websites that target a mixed audience (children under 13, teens and adults) in order to implement different privacy controls for different users, based on age. 

INDUSTRY

Google Delays Cookie Deprecation to 2H 2024

Google announced that it will once again push back its deprecation of third-party cookies in its Chrome browser, now beginning the phase-out process in the second half of 2024.

Google’s announcement cited the need for more time to evaluate and test the new Privacy Sandbox technologies before deprecating third-party cookies in Chrome.

WHY IT MATTERS

With new comprehensive privacy laws coming into effect in several U.S. states in 2023, this delay means that companies will need to consider a world with and without third-party cookies when designing and implementing privacy compliance processes. 

Want more of the privacy highlights that matter to adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.