California Privacy Agency rulemaking delay; IAB Europe clarifies Belgian DPA decision for pubs

Want to receive these weekly privacy recaps in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.

USA

California Privacy Agency Announces Delayed Rulemaking Timeline

In a board meeting, the California Privacy Protection Agency (CPPA) announced that formal rulemaking proceedings, originally expected to commence in Q1, would not commence until Q2 and would not conclude until Q3 or Q4 of this year.

WHY IT MATTERS

With the California Privacy Rights Act becoming operative in January 2023, this delayed timeline means that companies could only receive clarity a few months in advance on key open questions, such as the scope of automated decision-making, profiling, sensitive personal information, and dark patterns. 

States Continue to Make Progress on Privacy Legislation

Indiana’s SB 358, which closely resembles Virginia’s VCDPA and passed the Senate earlier this month, received a 12-0 vote in the House Committee on Small Business and Economic Development, with an amendment to create an exception for certain government contractors.

Iowa and Oklahoma also passed bills out of committee this week, and Maine and Utah introduced new bills resembling California and Virginia existing laws, respectively. Virginia also saw a lot of activity this week on bills proposing amendments to the VCDPA.

WHY IT MATTERS

Although certain states were active over the last week, there were also several states where activity on privacy legislation has slowed down or seemingly stopped. Georgia, Hawaii, New Jersey, Pennsylvania and Vermont, for example, all have privacy bills that were introduced in January and have not since seen any activity.  

Facebook Settles Cookie Tracking Lawsuit for $90M

Facebook agreed to settle a 2012 lawsuit regarding user tracking for $90 million. The lawsuit accused Facebook of using cookies to track logged-out user browsing activity on websites containing Facebook “like” buttons without user consent and using or selling resulting information for targeted advertising purposes. As part of the settlement, Facebook has agreed to sequester and delete the data that it allegedly wrongfully collected.

WHY IT MATTERS

The case was filed in U.S. federal court (in the Northern District of California) regarding activity that occurred in 2010-2011. Although comprehensive privacy legislation requiring opt-in consent did not exist in 2010-2011, and still does not exist today, this lawsuit accused Facebook of violating the federal Wiretap Act, which prohibits interception of an electronic communication without prior consent from one of the parties to the communication.

In this case, the plaintiffs alleged that the transmission of data between users and the websites that the users visited constituted “electronic communications” under the Act, that Facebook’s collection of the data constituted “interception” of the data, that the user and the websites were the “parties” to the communication, and that neither the users nor the websites had consented to Facebook’s collection.

The lawsuit also made several claims under California State and common law. 

EUROPE

Grindr Appeals Norway’s Privacy Fine

Grindr reportedly filed an appeal disputing a $7.1 million fine that was imposed by the Norwegian Data Protection Authority. The Norwegian DPA alleged that the Grindr dating service shared sensitive information with third party ad networks in violation of the General Data Protection Regulation (GDPR). Grindr allegedly conditioned access to the free version of the service on user agreement to the use and sharing of information for ad purposes, which, according to the DPA, should have been optional due to the sensitive nature of the data.

Grindr reportedly disputes that the data shared with third parties constitutes “sensitive information” under GDPR, arguing that the DPA’s decision is based on “ill-founded, sweeping, and discriminatory assumptions” regarding users of the service and that use of the service, in and of itself, doesn’t reveal sexual orientation.

OUR TAKE

The question of whether sensitive inferences constitute sensitive information is unclear under the GDPR and most laws that place restrictions on the use of sensitive information. This question is applicable to the advertising industry beyond dating sites, particularly as individuals are grouped into segments based on potentially sensitive inferences (e.g., individuals whose browsing history indicates they might suffer from certain medical conditions or belong to a certain race, gender or religion). 

IAB Europe to Publishers: The Belgian DPA Has Not Prohibited the TCF

In response to various publications (including guidance from DPAs) indicating that publishers should not use IAB Europe’s Transparency and Consent Framework (TCF), IAB Europe issued a statement clarifying that the Belgian DPA has not prohibited the TCF, but has given IAB Europe two months to come up with a plan for correct measures to remedy alleged non-compliance and an additional 6 months to implement such measures. IAB Europe notes in its statement that “the version of the Framework that emerges from this process will be an even stronger standard.”

OUR TAKE

The Belgian APD’s decision ordering IAB Europe to remedy certain alleged areas of non-compliance with the GDPR is an administrative decision, which IAB Europe has announced it will appeal.

The decision is not binding on publishers or other participants of the TCF, and no part of the decision obligates participants to take any certain action. However, certain aspects of the decision indicate that IAB Europe’s action plan should include certain adjustments that will likely impact how participants use the TCF once the action plan is implemented, including the legal basis that participants can rely upon to process personal data using the TCF and the way in which vendor disclosures are presented to users.  

Read our FAQ on the Belgium DPA decision (continuously updated).

INDUSTRY

GOOGLE EXPANDS PRIVACY SANDBOX TO ANDROID

Google announced that it would be expanding its Privacy Sandbox, a collaborative initiative to build internet privacy standards and solutions, beyond Chrome to Android, with a goal of operating without cross-app identifiers. Google plans to continue supporting existing features for at least two years while it designs, builds and tests new features.

WHY IT MATTERS

Google’s deprecation of third-party cookies on Chrome is still scheduled to begin its transition phase in Q4 of 2022. Its Privacy Sandbox efforts on Chrome received scrutiny from regulators, including the UK’s Competition and Markets Authority (CMA).

The CMA recently accepted a set of commitments from Google, including that Google would not give preferential treatment to Google’s ad products or site. In the documentation for Google’s attribution reporting proposal on the Android Sandbox, Google made a point to clarify that all ad tech platforms (even Google’s) would be required to complete an enrollment process to ensure platforms don’t bypass privacy restrictions. 

Want more of the privacy highlights that matter to adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.