Even more US state privacy bills, plus European Parliament approves Digital Services Act

Julie Rubash, Chief Privacy Counsel
January 24, 2022



State Privacy Bills Continue to Roll In

New privacy bills were introduced in Mississippi, Nebraska, and Pennsylvania, bringing the total number of U.S. states with active privacy bills as of January 21 to 21 (many of which have multiple pending bills).

The Nebraska bill is a copy of the Uniform Law Commission’s Uniform Personal Data Protection Act, which would require that controllers obtain consent to process personal data, unless the processing is for “compatible data practices” consistent with the ordinary expectations of data subjects or likely to benefit data subjects substantially. The Mississippi and Pennsylvania bills borrow heavily from California and Virginia laws, respectively.


One notable element of these bills is that, for the most part, they don’t provide the lengthy lead time that we’re experiencing with the California, Virginia and Colorado laws. Most of the bills (with a few exceptions), if enacted in their current form, would go into effect on either January 1 or July 1, 2023, coinciding with the state privacy laws that have already passed. 

New Federal Bill Would Prohibit Some Targeted Ads

The Banning Surveillance Advertising Act was introduced, proposing to prohibit “advertising facilitators” (persons that receive monetary consideration for, and collect personal information with respect to, the dissemination of advertisements) from targeting, or knowingly enabling an advertiser or third party to target advertisements to, an individual, connected device or group of individuals or connected devices based on personal information of such individuals or connected devices, unless the targeting is contextual, based on a recognized place associated with the individual or device, or based on data provided by an advertiser with an attestation that the data wasn’t obtained from a third party and doesn’t identify or act as a proxy to identify an individual as a member of a protected class.

The Act also prohibits advertisers from targeting or knowingly enabling a third party to target advertisements based on personal information other than as permitted above. Personal Information is broadly defined to include data inferred or derived about an individual or device from other data (if linked or linkable to the individual or connected device), contents of communication, internet browsing history and online activity, and unique identifiers. 


Many participants in and representatives of the advertising industry, including the Interactive Advertising Bureau (IAB), have come out in opposition to this bill.

IAB CEO David Cohen predicted that the bill “would disenfranchise businesses that advertise on the Internet, and hundreds of millions of Americans who use it every day to find exactly what they need, quickly.” He pointed out that “reasonable and responsible data use provides tremendous benefits to consumers, the economy, and society”. 

This bill, in combination with Cohen’s statements, is a good reminder to all participants in the advertising industry to insist upon reasonable and responsible data use throughout the industry in order to protect the benefits that Cohen references.


The European Data Protection Board announced that, during its January plenary session, it adopted guidelines on the right of access and a letter in reply to calls for consistent interpretation of cookie consent. The guidelines, which have not yet been publicly released, will provide clarifications on the scope of the right of access, the main modalities for providing access, and the notion of manifestly unfounded or excessive requests, among others.

The letter reiterates that the EDPB is committed to ensuring the harmonized application of data protection rules throughout the European Economic Area and reminds inquiring authorities of the recently created taskforce on cookie banners and its guidelines on consent, but it does not provide any new clarification.


The EDPB guidance regarding the right of access is timely, coming shortly after a Brussels Court of Appeal held that a supervisory authority should consider whether an access request constitutes “abuse” and that a supervisory authority in the instant case violated its duty of due care by not considering the complainant’s intention behind the exercise of a right of access.

The GDPR does allow a controller to refuse a data subject’s right-of-access request if it is unjustified or excessive, but the scope of an unjustified or excessive request has not been made clear. The EDPB’s coming guidance, which will be subject to a public consultation period, may shed some light for businesses and supervisory authorities in drawing that line.

European Parliament Approves Digital Services Act

A draft of the Digital Services Act was approved after a 530-78 vote in the European Parliament, moving the bill to negotiations with the European Council. The legislation, in its current form, would (among other things) give users the ability to opt out of certain tracking via browser settings, ban use of “dark patterns” to cause users to sign up or pay for a product or service, and allow users to ask about their characteristics used to target advertisements.


These restrictions, although impactful, are far less aggressive toward digital advertising than some earlier proposals, which went as far as to suggest banning digital advertising altogether. There will likely be several months of debate between the European Parliament and the European Council before we know the contents of a final version. 


Australia Information Commissioner Submits Privacy Proposals

In response to a discussion paper presented by the Attorney General’s Department, the Australia Information Commissioner (OAIC) made several recommendations for how potential privacy reform would operate in practice, including through new rights and enhanced transparency requirements, strategic enforcement, and global interoperability.


Of note to the digital advertising industry, the OAIC recommended placing restrictions on targeted advertising generally and prohibiting profiling, online personalisation and behavioral advertising using children’s personal information. 


In a press release, IAB Canada announced an estimated release date of March 2022 for the IAB’s Global Privacy Project, V.1 of which would include a Canadian-specific Transparency and Consent string. According to the press release, the IAB global framework will continue to evolve to serve additional markets and channels.




A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.
