Indiana privacy law signed; Florida sent to governor

Want to receive these weekly privacy recaps in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.

United States

Indiana Privacy Law Signed; Florida Sent to Governor

Indiana’s Governor signed SB 5, enacting a Virginia-style comprehensive privacy law that will take effect January 1, 2026.

Meanwhile, an amended version of Florida SB 262 was fast-tracked through the legislature, passing the House and Senate on the same day.

If signed by the Governor, the Florida law will go into effect December 31, 2023.

TAKEAWAY

The Indiana law is largely modeled after Virginia’s VCDPA, which is a common model for proposed privacy bills across several states.

The Florida bill, on the other hand, contains several notable departures from existing privacy laws.

For example, controllers that engage in the sale of sensitive data or biometric data are required to include in their privacy notices the following specific language: “NOTICE: This website may sell your [sensitive][biometric] personal data”.

Additionally, the bill creates certain exceptions for pseudonymous data or aggregate consumer information but requires that controllers disclosing such information exercise reasonable oversight to monitor compliance with any contractual commitments to which the data is subject.

COPPA 2.0 Reintroduced

A bipartisan team of Senators reintroduced the Children and Teens’ Online Privacy Protection Act, which they refer to as COPPA 2.0.

Among other changes, the bill would require consent to process personal information from teens age 13-16, ban targeted advertising to children and teens, and change COPPA’s actual knowledge standard to a reasonably likely to be used standard.

COPPA 2.0 was previously introduced, but failed to pass, in 2022. 

TAKEAWAY

This bill would bring federal children’s privacy requirements much closer to the “California Age Appropriate Design Code“, which will go into effect in California in 2024.  

FTC Aims to Ban Meta From Monetizing Youth Data

In response to alleged repeated violations by Facebook of a 2020 FTC Order, the FTC has threatened to modify the Order to, among other restrictions and requirements, prohibit Meta from monetizing data of children under 18 or from collecting or using such data for any purpose other than to provide the services or for security purposes.

Meta would also be required pause new programs and features until it can demonstrate full compliance with the Order and broaden other requirements, such as those around notice and consent and third-party monitoring. 

Among other alleged violations, the FTC claims that Facebook has failed to undertake third-party compliance monitoring measures required by the 2020 Order and has failed to enforce its policies against third parties who fail to comply. 

NEXT STEPS

Meta will have 30 days to respond to the FTC’s allegations and proposals.

The FTC will then determine whether to modify the 2020 order based on Meta’s response and consideration modification is in the public interest or justified by changed conditions of fact or law. 

Federal Judge Sends FTC Back to the Drawing Board in Kochava Case

In response to FTC allegations (filed in August 2022) that Kochava, a digital marketing and analytics company, engaged in unfair practices by selling precise geolocation data collected from consumer mobile devices, a federal judge has found that the FTC failed to make sufficient allegations for an unfairness claim under the FTC Act but has allowed the FTC to amend the complaint to bolster its allegations.

Specifically, the judge found that the FTC has not sufficiently alleged a likelihood of substantial consumer injury, because it only alleged harms (stigma, discrimination, physical violence, and emotional distress based on the tracking of movements to and from sensitive locations) that are theoretically possible, not that consumers are suffering or likely to suffer such harms.

The judge also found that the FTC failed to allege the severity of harms sufficient to make a claim for invasion of privacy.

The FTC has 30 days to file an amended complaint to fix these insufficiencies. 

TAKEAWAY

Although it is yet to be determined whether the FTC will be able to proceed with a lawsuit against Kochava specifically, the federal judge’s ruling in this case included some notable findings.

First, the judge found that a claim under Section 5(a) of the FTC Act need not be based on a violation of another law or public policy or allege that practices are immoral, unethical, oppressive, or unscrupulous.

It must only allege that the practices cause, or are likely to cause, substantial injury to consumers that are unavoidable by consumers and that are not outweighed by countervailing benefits to consumers.

Second, an invasion of privacy may constitute substantial injury under the FTC Act.

Third, the FTC’s allegations that consumers have no insight into how Kochava uses their data and are specifically unaware that their data will be aggregated, linked to MAIDs, and sold to the public were found to be sufficient to claim that the purported injury is unavoidable to consumers.

Fourth, the purported injury to consumers was found not to be outweighed by the benefits of disclosing coordinates near certain sensitive locations.

Finally, the court found that Kochava could have reasonably foreseen that selling substantial quantities of precise geolocation data without restrictions near sensitive locations could be construed as injurious–and therefore unfair–to consumers under the FTC Act. 

Want more of the privacy highlights that matter to adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.