FTC says “Browsing and location data are sensitive. Full stop.”

Julie Rubash, General Counsel and Chief Privacy Officer
March 11, 2024

Want to receive these weekly privacy recaps in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.


FTC Blog Post Says “Browsing and Location Data are Sensitive. Full StoP.”

The Federal Trade Commission posted on its blog a summary of takeaways from its recent proposed settlements with Avast, X-Mode and InMarket.

Gaining attention is a bolded statement in the middle of the post: “Browsing and location data are sensitive. Full stop.” 

The post goes on to say that “[w]hat makes the underlying data sensitive springs from the insights they reveal and the ease with which those insights can be attributed to particular people”, noting that “datasets often contain sensitive and personally identifiable information”. 


Taken as a whole, it’s not clear whether the FTC’s proposed settlements and blog post are implying that all browsing and location data are sensitive, regardless of whether the datasets contain sensitive insights that can be contributed to particular people, or if removing the sensitive nature of the insights and the ease with which those insights could be contributed to particular people would also remove the data from the “sensitive data” category.

Precise geolocation data has been included in the definition of “sensitive data” in other contexts, including under several state laws.

However, “browsing data”, if considered to be per se sensitive, would be a new entry into the “sensitive data” category.

New Hampshire Governor Signs Comprehensive Privacy Law

New Hampshire officially became the 14th State to enact a comprehensive privacy law when New Hampshire Governor Chris Sununu signed SB 255. The law will take effect January 1, 2025, the same day that Delaware, Iowa and Tennessee laws will take effect. 


SB 255 is largely identical to Connecticut’s privacy law, with some differences, including lower consumer data processing thresholds for application of the law to businesses.

Like Connecticut and over half of the comprehensive privacy laws enacted so far, the New Hampshire law would require recognition of universal opt-out preference signals. 

Bill Banning TikTok and Other “Foreign Adversary Controlled Applications” Advances

The U.S. House Energy and Commerce Committee approved a bill that, if passed, would prohibit any entity from distributing, maintaining or updating a “foreign adversary controlled application” through an online app store or other marketplace or providing internet hosting services to enable such distribution, maintenance or updating.

A “foreign adversary controlled application” includes any website or desktop, mobile or augmented or immersive technology app operated by ByteDance, TikTok, their foreign-adversary-controller subsidiaries and successors, and entities owned or controlled by those subsidiaries and successors.

The bill also allows the definition to include additional entities posing a significant threat to the national security of the United States, as determined by the President, if they meet certain thresholds and criteria. Exclusions apply for any entity (including TikTok) that is divested, such that it is no longer controlled by a foreign adversary. 


The immediate implications of this bill, if passed, primarily focus on TikTok and essentially force a divestiture of the company if it wants to be available through U.S. app stores. However, the bill also opens the door to apply to other qualifying foreign-adversary-controlled entities that the President (now or in the future) deem to be a threat to national security. 


CJEU Answers Critical Questions in APD GDPR Case Against IAB Europe

The EU Court of Justice (CJEU) issued answers to questions posed by the Belgian Market Court hearing the IAB Europe’s appeal of the Belgian Data Protection Authority (APD)’s February 2022 decision holding IAB Europe’s Transparency and Consent Framework (TCF) in violation of the GDPR. Specifically, the CJEU found:

(1) the Transparency and Consent (TC) String of the TCF constitutes personal data under the GDPR;

(2) IAB Europe can be considered a “controller” of the TC String; and

(3) IAB Europe should not necessarily be considered a “controller” of other personal data processed by participants using the TCF. 


Now that the CJEU judgment has been delivered, the Belgian Market Court can continue its deliberations on the substantive issues raised in IAB Europe’s appeal.

The Market Court will then either uphold or overturn the APD decision, in whole or in part.

Based on the mixed nature of the answers given by the CJEU, the decision by the Belgian Market Court is likely to be a mixture of upholding and overturning various aspects of the decision, so it is likely that we’ll see the case remanded back to the APD for further consideration and modification.

In the meantime, the APD has voluntarily suspended its enforcement of its decision pending a ruling from the Market Court, which means that IAB Europe will not be required to implement the action plan submitted by IAB Europe in response to the APD decision at least until after the Market Court ruling is issued. 

Want more of the privacy highlights that matter to adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.

Latest Blog Posts

Unlimited Data Export for Easier Privacy Audits and CMP Disclosures

July 12, 2024

Keeping track of all your tracking technology partners to...

What is Global Privacy Control? Frequently Asked Questions

July 9, 2024

How does Global Privacy Control work? How is it...

Comprehensive Privacy Laws Take Effect in Texas and Oregon

July 9, 2024

Now in effect: privacy laws in Texas, Oregon, and...

Latest White Papers

E-book: Enterprise Guide To Cookie management & Tracker List Curation

July 1, 2024

How to review the tracking tech on your websites...

Benchmark Report: US Privacy Compliance

August 19, 2022

The current state of publisher compliance with CCPA, and...

Keep in touch

Sign up for our newsletter to keep up with privacy news for adtech and martech,
plus occasional company news.

Let's explore what we can do together.

We'll be in touch within 48 hours

[contact-form-7 id="593" title="Schedule a Demo"]