Google settles in multi-state location tracking suit

Want to receive these weekly privacy recaps in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.

UNITED STATES

Google Enters $391.5M Settlement with AGs Over Location Tracking

 Google settled a multistate privacy lawsuit with 40 state Attorneys General based on allegations Google violated various state consumer protection laws by deceptively tracking user location even when location tracking had been turned off.

In addition to the payment, the settlement requires Google to improve its location-tracking disclosures and privacy settings.

NEXT STEPS

Although most of the states entering the settlement do not have comprehensive privacy laws, it is common for states to have laws prohibiting deceptive or unfair acts and practices, which was the basis for this settlement.

The plethora of recent cases from state Attorneys General and privacy plaintiffs under these laws is a strong reminder to companies to ensure that, beyond (and perhaps more important) than complying with the specifics of comprehensive privacy laws, companies must take a step back and ensure that their privacy practices in general are transparent and not misleading to users. 

FTC Rulemaking Comments Pour In

Industry groups and other stakeholders weighed in over the past three months in response to the Federal Trade Commission (FTC) Advanced Notice of Proposed Rulemaking (ANPR) regarding “commercial surveillance and lax data security practices”, the comment period for which ends November 21.

Among other comments, the Interactive Advertising Bureau asked the FTC to reconsider the ANPR, suggesting that, “if privacy will be federally regulated, such efforts should start with Congress”, pointing out several potential violations of the FTC Act by the ANPR, and asserting that “there is not evidence to suggest that data-driven advertising…could reasonably meet the definition of either an unfair or deceptive Act or practice under Section 5 of the FTC Act”, which the FTC would have to demonstrate in order to issue rules prohibiting or restricting such practices.

Tech trade association NetChoice also advocated for the FTC to abandon the ANPR, suggesting that the FTC “would certainly face legal challenges” if it proceeds, citing the recent case West Virginia v. EPA, in which the U.S. Supreme Court held that the Environmental Protection Agency exceeded its congressional authority under the Clean Air Act in its attempt to regulate carbon dioxide emissions.

NetChoice suggested that the FTC focus on enforcement against consumer harms within its existing authority.

Conversely, a group of state attorneys general submitted comments commending the FTC’s efforts in preparing the ANPR. Such comments focused on specific consumer harms, however, highlighting harms from the collection of location data, biometric data, and medical data and mass collection by data brokers, and suggested that data minimization requirements may mitigate such harms. 

NEXT STEPS

The question of whether the FTC is exceeding its authority with the ANPR is debated and yet to be determined.

The FTC Act grants the FTC authority to prescribe rules which defined with specificity acts or practices which are unfair or deceptive acts or practices in or affecting commerce” within the meaning of Section 5(a)(1) of the FTC Act, but before commencing the rulemaking proceeding, the FTC is required to have reason to believe that the practices to be addressed by the rulemaking are “prevalent’.

Many stakeholders, such as the IAB and NetChoice, believe the FTC has exceeded such authority.

In the meantime, the ANPR and resulting comments are creating a public dialogue weighing the potential harms and benefits of data collection in the digital marketing industry that could influence action from interested legislators and regulators at any level. 

EUROPE

DSA Enters Into Force

The EU Digital Services Act (DSA) entered into force November 16, 2022 after being published in the EU Official Journal October 27, 2022.

This kicks off a 3-month clock for covered digital services to report the number of monthly active users on their platforms (starting February 17, 2023) and a 15-month clock (until February 17, 2024) for digital services to comply with the remainder of the Act’s obligations.

In the meantime, the European Commission will be tasked with adopting rules and technical conditions under the Act. 

WHY IT MATTERS

The DSA is the second pillar (with the Digital Markets Act, which went into force on November 1, 2022) of a digital services framework designed to balance user protection and innovation in the digital economy.

The obligations under the DSA apply differently to different types and sizes of companies, with the most stringent obligations imposed on online platforms and search engines with over 45 million monthly active users in the EU, including an obligation to carry out an annual risk reduction analysis and offer users a content recommendation system without profiling.

Smaller online platforms providing services in the EU will still be subject to other provisions, however, including prohibitions on use of minors’ personal data for targeted advertising and use of dark patterns. 

APD Lays Out 2023 Priorities

The Belgium Data Protection Authority (APD) issued a statement listing the main priorities for 2023, specifically:

• further explaining its point of view on cookies with an aim to furthering a harmonized point of view at the European level;
• better supporting the DPO function; and
• developing prevention actions and dialogue with actors in the “Smart Cities” field. 

WHY IT MATTERS

The APD’s list was coupled with a request for additional means to carry out its legal missions and urgent challenges, such as cooperation in international enforcement actions, proactive support for data controllers, and the digitization of its services.

This sentiment is consistent with the APD’s plea in May 2022, after launching a survey concerning the use of cookies on the most popular Belgian press sites.

The Inspector General made clear at the time that “comprehensive investigations of this type can only take place in the future if the parliament provides us with sufficient means and personnel.” 

Want more of the privacy highlights that matter to adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.