Draft U.S. federal privacy legislation released

Julie Rubash, Chief Privacy Counsel
June 7, 2022

Want to receive these weekly privacy recaps in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.


Draft Federal Privacy Legislation Released

A bipartisan group of U.S. representatives and senators released a discussion draft of comprehensive privacy legislation titled “the American Data Privacy and Protection Act”. 

According to a press release from the House Committee on Energy & Commerce, the draft is “the first comprehensive privacy proposal to gain bipartisan, bicameral support”. 


The draft legislation adopts several concepts from enacted state privacy legislation, including an obligation to provide consumers with the means to opt out of targeted advertising and an obligation to obtain express consent for processing of sensitive data.

The legislation also includes a preemption clause specifying that it would preempt state laws covered by the federal legislation, with several exceptions, including exceptions for state laws covering breach notification, biometric and facial recognition data, employment data, and certain health and financial data, among other exceptions. 


CNIL Reveals 2021 Activity / 2022 Priorities

In a 2021 Activity Report, the French data protection authority (CNIL) revealed that, out of the 135 formal notices issued by the CNIl in 2021, 89 concerned cookies.

According to the report, sanctions were issued in ‘the most serious cases, concerning players who did not allow millions of Internet users to refuse cookies as simply as to accept them”. 

The report also revealed the CNIL’s strategic plan for 2022-2024, including three priorities for a trusted digital society: promoting respect for rights, promoting the GDPR as an asset, and targeting regulation on high stakes subjects.

Under these priorities, the CNIL strategic plan includes (among other strategic plans) increasing the efficiency of its complaint investigations, strengthening legal certainty through practical and clear guidelines, and developing certification and code of conduct tools.

The CNIL also said it would implement a global action plan on three priority themes: augmented cameras and their uses, data transfers in cloud computing, and collection of personal data in smartphone applications. 


The report indicates that the CNIL’s approach to its 2022-2024 priorities will follow a similar path “as it was able to do for cookies”, beginning with a phase of fixing the doctrine, a second phase of providing practical compliance assistance tools, and finally conducting control campaigns and adopting corrective measures if necessary.

As we saw with cookies, companies will be wise to pay close attention to early guidance issued by the CNIL in the stated priority areas to avoid being the subject of corrective measures in later phases.  


Thailand’s Personal Data Protection Act Reaches Compliance Deadline

Thailand’s Personal Data Protection Act (PDPA), which was enacted in May 2019, went into force June 1, 2022, after an extension of the compliance deadline issued in response to COVID-19.


The PDPA includes several similarities to the EU’s GDPR, including an extraterritorial scope, applying the law to any organization processing data of Thailand residents, regardless of whether the organization is located in Thailand.

The PDPA also includes an obligation to have a legal basis for processing that may include consent, legitimate interest, performance of a contract, legal obligation or vital interests. 

Tim Hortons App Tracking in Violation of Canadian Privacy Laws

After an investigation, federal and provincial authorities discovered that the mobile app offered by restaurant chain Tim Hortons was tracking and recording user movements every few minutes, even when the app was not open, in violation of Canadian privacy laws.

Notably, the authorities found the app’s vast data collection was not proportional to the benefits from better targeted promotion and that language in its contract with a third-party location services provider was “so vague and permissive that it would have allowed the company to sell ‘de-identified’ location data for its own purposes.”

Tim Hortons was ordered to delete, and direct third parties to delete, any remaining location data and establish and maintain a privacy management program that includes impact assessments, proportional data collection, and clear and accurate privacy communications.


In its statement about the investigation, the Privacy Commissioner of Canada expressed that it is “unacceptable that private companies think so little of our privacy and freedom that they can initiate these activities without giving it more than a moment’s thought” and that “what happened here once again makes lain the urgent need for stronger privacy laws to protect the rights and values of Canadians”.

This comment is consistent with the Canadian DPA’s push for an overhaul of Canadian data protection laws at the federal level, recently issuing key recommendations for a new federal private sector privacy law. 

Want more of the privacy highlights that matter to adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.

Latest Blog Posts

Revised Version of APRA Advances Out of U.S. House Subcommittee

May 28, 2024

New Version of the American Privacy Rights Act of...

Exciting New Diagnose Features: New Filters and More Vendor Details

May 21, 2024

New features to help you with your vendor governance,...

Minnesota Sends Comprehensive Privacy Law to Governor

May 20, 2024

Minnesota Sends Privacy Law to Governor. One day before the...

Latest White Papers

Benchmark Report: US Privacy Compliance

August 19, 2022

The current state of publisher compliance with CCPA, and...

Ebook: A Publisher’s Guide to Vendor List Curation

December 16, 2021

How to review your vendor list to mitigate compliance...

Keep in touch

Sign up for our newsletter to keep up with privacy news for adtech and martech,
plus occasional company news.

Let's explore what we can do together.

We'll be in touch within 48 hours

[contact-form-7 id="593" title="Schedule a Demo"]