Even more US state privacy bills, plus European Parliament approves Digital Services Act
January 24, 2022
USA
State Privacy Bills Continue to Roll In
New privacy bills were introduced in Mississippi, Nebraska, and Pennsylvania, bringing the total number of U.S. states with active privacy bills as of January 21 to 21 (many of which have multiple pending bills).
The Nebraska bill is a copy of the Uniform Law Commission’s Uniform Personal Data Protection Act, which would require that controllers obtain consent to process personal data, unless the processing is for “compatible data practices” consistent with the ordinary expectations of data subjects or likely to benefit data subjects substantially. The Mississippi and Pennsylvania bills borrow heavily from California and Virginia laws, respectively.
OUR TAKE
One notable element of these bills is that, for the most part, they don’t provide the lengthy lead time that we’re experiencing with the California, Virginia and Colorado laws. Most of the bills (with a few exceptions), if enacted in their current form, would go into effect on either January 1 or July 1, 2023, coinciding with the state privacy laws that have already passed.
New Federal Bill Would Prohibit Some Targeted Ads
The Banning Surveillance Advertising Act was introduced, proposing to prohibit “advertising facilitators” (persons that receive monetary consideration for, and collect personal information with respect to, the dissemination of advertisements) from targeting, or knowingly enabling an advertiser or third party to target advertisements to, an individual, connected device or group of individuals or connected devices based on personal information of such individuals or connected devices, unless the targeting is contextual, based on a recognized place associated with the individual or device, or based on data provided by an advertiser with an attestation that the data wasn’t obtained from a third party and doesn’t identify or act as a proxy to identify an individual as a member of a protected class.
The Act also prohibits advertisers from targeting or knowingly enabling a third party to target advertisements based on personal information other than as permitted above. Personal Information is broadly defined to include data inferred or derived about an individual or device from other data (if linked or linkable to the individual or connected device), contents of communication, internet browsing history and online activity, and unique identifiers.
WHY IT MATTERS
Many participants in and representatives of the advertising industry, including the Interactive Advertising Bureau (IAB), have come out in opposition to this bill.
IAB CEO David Cohen predicted that the bill “would disenfranchise businesses that advertise on the Internet, and hundreds of millions of Americans who use it every day to find exactly what they need, quickly.” He pointed out that “reasonable and responsible data use provides tremendous benefits to consumers, the economy, and society”.
This bill, in combination with Cohen’s statements, is a good reminder to all participants in the advertising industry to insist upon reasonable and responsible data use throughout the industry in order to protect the benefits that Cohen references.
EUROPE
EDPB Adopts Access Right Guidelines / Consent Letter
The European Data Protection Board announced that, during its January plenary session, it adopted guidelines on the right of access and a letter in reply to calls for consistent interpretation of cookie consent. The guidelines, which have not yet been publicly released, will provide clarifications on the scope of the right of access, the main modalities for providing access, and the notion of manifestly unfounded or excessive requests, among others.
The letter reiterates that the EDPB is committed to ensuring the harmonized application of data protection rules throughout the European Economic Area and reminds inquiring authorities of the recently created taskforce on cookie banners and its guidelines on consent, but it does not provide any new clarification.
WHY IT MATTERS
The EDPB guidance regarding the right of access is timely, coming shortly after a Brussels Court of Appeal held that a supervisory authority should consider whether an access request constitutes “abuse” and that a supervisory authority in the instant case violated its duty of due care by not considering the complainant’s intention behind the exercise of a right of access.
The GDPR does allow a controller to refuse a data subject’s access request if it is unjustified or excessive, but the scope of an unjustified or excessive request has not been made clear. The EDPB’s coming guidance, which will be subject to a public consultation period, may shed some light for businesses and supervisory authorities in drawing that line.
European Parliament Approves Digital Services Act
A draft of the Digital Services Act was approved after a 530-78 vote in the European Parliament, moving the bill to negotiations with the European Council. The legislation, in its current form, would (among other things) give users the ability to opt out of certain tracking via browser settings, ban use of “dark patterns” to cause users to sign up or pay for a product or service, and allow users to ask about their characteristics used to target advertisements.
WHY IT MATTERS
These restrictions, although impactful, are far less aggressive toward digital advertising than some earlier proposals, which went as far as to suggest banning digital advertising altogether. There will likely be several months of debate between the European Parliament and the European Council before we know the contents of a final version.
GLOBAL
Australia Information Commissioner Submits Privacy Proposals
In response to a discussion paper presented by the Attorney General’s Department, the Australia Information Commissioner (OAIC) made several recommendations for how potential privacy reform would operate in practice, including through new rights and enhanced transparency requirements, strategic enforcement, and global interoperability.
WHY IT MATTERS
Of note to the digital advertising industry, the OAIC recommended placing restrictions on targeted advertising generally and prohibiting profiling, online personalisation and behavioral advertising using children’s personal information.
INDUSTRY
IAB Canada Announces Q1 Transparency and Consent String Release Date
In a press release, IAB Canada announced an estimated release date of March 2022 for the IAB’s Global Privacy Project, V.1 of which would include a Canadian-specific Transparency and Consent string. According to the press release, the IAB global framework will continue to evolve to serve additional markets and channels.
A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.