CPPA hails bill mandating browser support of opt-out signals

Julie Rubash, General Counsel and Chief Privacy Officer
March 4, 2024

Want to receive these weekly privacy recaps in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.

USA

CPPA Hails Bill Mandating Browser / Device Support of Opt-Out Signals

The California Privacy Protection Agency (CPPA) announced the introduction of California AB 3048, which, if passed, would require all browsers and devices through which consumers interact with businesses to include a setting that enables consumers to send an opt-out preference signal to businesses.

The bill requires the setting to be “easy to locate and use”, but it otherwise grants the CPPA the ability to adopt regulations to address the implementation and administration of the law, including by updating the definitions of “browser” (currently defined as “a software application for accessing internet websites and information on the internet”) and “device” (currently undefined). 

TAKEAWAY

The introduction of AB 3048 follows the CPPA staff’s issuance, and the CPPA board’s subsequent approval, of a memorandum proposing support of legislation requiring browsers, platforms and devices to include an opt-out preference signal feature, so this legislation is not unexpected.

Currently, businesses are required to honor opt-out preference signals enabled via participating browsers and browser plug-ins, but the choice for a browser to offer users the option to enable an opt-out preference signal is entirely voluntary.

The Firefox, DuckDuckGo and Brave browsers currently offer the feature, and it is also available through a number of browser plug-ins.

Mandatory adoption across all browsers and devices may lead to a significant uptick in consumers opting out of the sale and sharing of their personal information across all apps and websites, which could lead more websites and apps to explore alternative revenue models, such as subscription-based offerings.

Meta Denied Dismissal of Case Claiming Unauthorized Use of Voiceprint

A lawsuit alleging that Meta’s Facebook and Messenger apps collected the plaintiff’s “voiceprint” without her knowledge or consent in violation of Illinois’s Biometric Information Privacy Act (BIPA) has overcome, in part, Meta’s motion to dismiss the case (Northern District of California Case No 23-cv-04181-SI).

Meta allegedly used audio input by users into Facebook or Messenger (e.g., to dictate messages or to make audio calls) to create an acoustical model to recognize the user by voice.

Meta argued that the complaint only alleged Meta’s collection of a voice recording, not a “voiceprint” and therefore that the complaint did not sufficiently allege Meta’s collection of a biometric identifier in violation of BIPA. A “Biometric Identifier” is defined under BIPA as a “retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry”, and a “voiceprint” is not specifically defined.

Meta’s argument was dismissed by the court on the basis of two items presented in the complaint:

(1) a series of patent applications filed by Meta describing methods for recording and analyzing a user’s voice “to determine a digital voiceprint for the user”, which the social-networking system may then use to identify or authenticate the user based on audio input; and

(2) an update to Meta’s “United States Regional Privacy Notice” disclosing that Meta may collect “voice recordings which may be used to identify you when you use relevant features”. The court also rejected Meta’s argument that the privacy notice was targeted towards compliance with California’s CCPA, noting that the privacy notice states it “is for people living in the United States”, not simply California, and therefore that it is proper to consider the privacy notice when assessing allegations regarding Meta’s violation of Illinois law.

TAKEAWAY

This case exemplifies the challenges and obstacles companies face when implementing privacy compliance programs across multiple jurisdictions.

There are many benefits to taking a national approach to privacy compliance (applying a single privacy notice and set of privacy rights to all users, regardless of their location or residency), as Meta allegedly did in this case, but doing so could backfire if the national disclosures and processes selected do not comply with the requirements of all applicable jurisdictions. 

EUROPE

Advocacy Group Files GDPR Complaints Over LiveRamp Practices

Open Rights Group filed complaints with the UK ICO and the French CNIL alleging that adtech company LiveRamp’s RampID identity graph system, which facilitates behavioral advertising without the need for third-party cookies, breaches the GDPR and UK GDPR requirements of data minimisation and retention, purpose limitation, security of processing, transparency and fairness, and having a lawful basis for processing.

The complaints urge the DPAs to investigate the lawfulness of LiveRamp’s processing and, if necessary, take further regulatory action. 

TAKEAWAY

The complaints are based on an investigation commissioned by Open Rights Group and carried out by an independent research institute.

The investigation does not make legal conclusions, but rather raises legal questions based on its findings.

For example, the report notes that LiveRamp’s personal data processing activities link and match pseudonymous RampIDs and other digital identifiers maintained in LiveRamp’s databases to identifiers processed by its clients and other companies, which companies use to combine personal data across different sources and databases for digital profiling and personalization, to transmit the data to third-party companies for ad targeting and other purposes, and to buy personal data about consumers from other companies.

Based on these findings, the report raises the question of whether LiveRamp may determine the means and purposes for the personal data processing activities that rely on LiveRamp’s linking and matching of identifiers across companies and whether LiveRamp has a legal basis for such linking and matching. 

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.
