FTC rulemaking and CPRA comment periods close

Want to receive these weekly privacy recaps in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.

UNITED STATES

FTC Rulemaking Comment Period Closes

Several organizations submitted last-minute comments to the Federal Trade Commission’s Advance Notice of Proposed Rulemaking in the final days before the November 21 deadline, adding to the previous mix of publicly available comments.

The latest submissions included comments from the Future of Privacy Forum, recommending that the FTC codify long standing privacy and security norms derived from FTC enforcement actions and consent decrees, such as requirements for companies to provide material, clear and prominently accessible data use policies, to implement reasonable security measures, to comply with privacy and security promises, and to respect user preferences.

California Attorney General Bonta submitted comments recommending that the FTC require that businesses minimize the collection of data, be more transparent in their privacy policies, universally recognize a “do not sell signal”, implement appropriate age-verification procedures, and implement reasonable data security standards.

AG Bonta also recommended prohibition of the collection of certain sensitive information and use of certain algorithmic decision making.

Comments from the News/Media Alliance requested that any FTC rules be consistent with existing laws and regulations, that obligations be apportioned based on company size and risk, that enforcement and remedies be restricted to instances of direct and proximate harm to consumers, and that the FTC consider a data poaching rule to unwind the ability of dominant tech platforms to poach first-party consumer data from independent digital properties.

NEXT STEPS

Now that the deadline for comment has passed, the FTC will review all submitted comments and, based on its review, may then issue a Notice of Proposed Rulemaking, which would include the text of the proposed rules and the FTC’s reasoning behind the rules.

This would trigger another public hearing and comment period, followed by issuance of Final Rules, which could (and likely would) be challenged in the D.C. Court of Appeals. 

CPRA Comment Period Closes

In parallel with the FTC comment deadline, the last day to submit comments in response to updated California Privacy Rights Act regulations was also November 21, in this case after a brief 15-day comment period.

Responses included comments from the Network Advertising Initiative (NAI) requesting deletion of the requirement to extend application of opt-out preference signals to “pseudonymous profiles” and the section on the reasonable expectations of consumers and enhancing future rulemaking processes to allow for more robust participation by stakeholders.

A coalition of consumer advocacy groups, including ACLU California Action, Electronic Frontier Foundation, and Privacy Rights Clearinghouse, among others, submitted comments requesting further guidance on the calculation of, and reinstatement of illustrative examples for, financial incentives that can be offered to consumers, reintroduction of “manipulative language” from the concept of dark patterns, and removal of business intent as a factor in assessing dark patterns, among other requests.

NEXT STEPS

Now that the 15-day comment period is closed, the California Privacy Protection Agency (CPPA) staff will either make additional changes in response to the comments (which may or may not involve additional comment periods, depending on the substance of the changes) or submit the rules to the CPPA board as-is.

Once a final package is submitted, the updated regulations must be formally approved by the CPPA and the Office of Administrative Law before they become final.

The OAL will have 30 business days to review the final rules, so it will likely be at least late January or February before the regulations are final. 

EUROPE

Anti-Big-Tech Group Announces UK “Surveillance Ad” Suit Against Meta

Non-profit Foxglove announced that its senior fellow, Tanya O’Carroll, filed a lawsuit in the High Court of England and Wales against Meta, claiming violations of the UK GDPR based on practices labeled by the non-profit as “surveillance advertising”.

Specifically, the lawsuit alleges that Meta continued to process known or inferred characteristics about the claimant for direct marketing purposes after the Claimant exercised her right to object under the UK GDPR.

WHY IT MATTERS

O’Carroll is seeking relief in the form of a declaration that Meta breaches the UK GDPR and an order for Meta to cease processing O’Carroll’s personal data for direct marketing purposes; she is not seeking monetary damages.

According to the complaint, Meta stated in a response to letters from O’Carroll’s attorneys that Meta relies on the performance of a contract as its legal basis for personalised Ads and therefore that the right to object under the UK GDPR does not apply.

Luminate, a funding source for the case, said in a blog post that “the case we are funding challenges Facebook’s demand that users accept personalised advertising as a condition for using the service.”

They are looking to “set a precedent for millions of users of search engines and social media”.    

Want more of the privacy highlights that matter to adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.