Tentative transatlantic data flow agreement reached

Julie Rubash, Chief Privacy Counsel
March 28, 2022

Want to receive these weekly privacy recaps in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.


Advocates Urge Congress to Enact Safeguards for Children

A group of 60 organizations led by children’s advocacy group Fairplay sent a letter to federal lawmakers pushing for legislation to expand privacy legislation to covers all minors (not just those under 13) on all platforms (not just those that are child directed).

The letter also urged Congress to ban targeted advertising and algorithmic discrimination for children and teens, establish a duty of care to protect children, require the most protective settings applied to minors by default, and provide greater enforcement resources to the Federal Trade Commission.


This letter comes on the heels of President Biden’s State of the Union address earlier this month, in which Biden commented that “it’s time to strengthen privacy protections, ban targeted advertising to children, demand tech companies stop collecting personal data on our children”.

This sentiment is consistent with a statement earlier this month from the European Data Protection Supervisor suggesting additional safeguards to prevent use of data for targeted advertising that can exploit children, as well privacy proposals from the Australia Information Commissioner earlier this year recommending prohibiting profiling, online personalisation and behavioral advertising using children’s personal information. 

Utah Becomes Fourth State to Enact a Comprehensive Privacy Law

The Governor of Utah signed into law a bill enacting the Utah Consumer Privacy Act (UCPA), making Utah the fourth state after California, Virginia and Colorado to enact a comprehensive consumer privacy law. The law will go into effect December 31, 2023, 6 months after the effective date of the Colorado Privacy Act and one year after the effective date of the Virginia Consumer Data Protection Act.


The UCPA is the least restrictive of the four state laws, most closely resembling Virginia’s VCDPA. Notably, enforcement under the Utah law requires overcoming a number of procedural hurdles not present in the other laws.

The Utah law also expressly allows businesses to apply different prices, rates, levels, quality or selection of goods or services if a consumer opts out of targeted advertising.

Consumer rights are also more limited, with no right to correct inaccuracies or to opt out of profiling. 

Oklahoma House Passes Bill Requiring “Opt-In” Consent

bill that would enact the Oklahoma Computer Data Privacy Act passed the State House, moving the bill forward for consideration by the Senate. 

The Act would, among other things, prohibit businesses from collecting consumer personal information without first notifying the consumer of the categories of personal information to be collected and the purposes for which it will be used and obtaining the consumer’s consent.


If passed, the Oklahoma law would be the first U.S. state law to require sweeping opt-in consent for collection of personal information. Unlike the GDPR in Europe, the Oklahoma law would not provide other possible legal basis for processing, such as legitimate interest. 


EDPB Publishes Guidelines re Dark Patterns in Social Media

The European Data Protection Board published “Guidelines 3/2022 on Dark patterns in social media platform interfaces: How to recognise and avoid them“. Comments to the guidelines can be submitted through 2 May, 2022.


As examples of dark patterns, the guidelines include “dead end” dark patterns, where the user is provided with a data protection related action or option (such as withdrawing consent to processing) at the sign-up process that they cannot find later, “misleading information” such as presenting users with a link to withdraw consent to targeting advertising, which directs to a page with general explanations of how to manage consent, rather than a page that allows them to directly withdraw their consent, “hindering”, such as not providing a direct opt-out from a targeted advertisement processing even though the consent (opt in) only requires one click, “overloading” such as making the user follow a privacy maze to find the link to withdraw consent deep in their account settings, and “continuous prompting”, such as regularly prompting users to consent to personalised advertising if the user initially does not consent.

Although these guidelines are specific to social media, they provide insights that can likely be applied across other platforms and contexts. 

U.S. / Europe Reach Tentative Transatlantic Data Flow Agreement

In a press conference from U.S. President Biden and European Commission President Ursula von der Leyen, Biden announced that their countries had “reached a major breakthrough in transatlantic data flows” with a “new agreement [that] will enhance the Privacy Shield Framework; promote growth and innovation in Europe and the United States; and help companies, both small and large, compete in the digital economy”, which “will allow the European Commission to once again authorize transatlantic data flows”. 

Von der Leyen referred to the agreement as an “agreement in principle”, indicating that specifics of the deal have yet to be determined


The previous version of the Privacy Shield Framework was invalidated by the Court of Justice of the European Union based on a finding that U.S. surveillance laws are not sufficiently limited to what is strictly necessary and do not extend effective remedies to data subjects, as required by the EU Charter on Fundamental Rights.

It is unclear from the press conference what impact this new agreement will have on U.S. surveillance laws, but it appears that it will provide a path forward for EU companies to transfer personal data to the United States. 


Saudi Arabia Postpones Enforcement of Privacy Law

The Saudi Data & AI Authority posted a Tweet announcing that it would postpone the full enforcement of the Saudi Personal Data Protection Law (PDPL) until 17 March 2023.

The decision was made based on feedback from stakeholders.


The PDPL was approved in September 2021 and was previously scheduled to go into effect March 13, 2022, giving covered entities only 6 months to prepare.

The law is designed to protect from unconsented collection and processing of personal data and extends user rights to view, access or restrict processing of personal data and know the purposes of its processing.     

Want more of the privacy highlights that matter to adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.

Latest Blog Posts

Bicameral, bipartisan discussion draft of federal privacy bill announced

April 15, 2024

If passed, the American Privacy Rights Act, a comprehensive...

CPPA issues an enforcement advisory on data minimization

April 9, 2024

Their first "enforcement advisory", reminds companies of their data...

Kentucky sends comprehensive privacy bill to governor

April 1, 2024

Kentucky's privacy bill mirrors Virginia's, is set for 2026....

Latest White Papers

Benchmark Report: US Privacy Compliance

August 19, 2022

The current state of publisher compliance with CCPA, and...

Ebook: A Publisher’s Guide to Vendor List Curation

December 16, 2021

How to review your vendor list to mitigate compliance...

Keep in touch

Sign up for our newsletter to keep up with privacy news for adtech and martech,
plus occasional company news.

Let's explore what we can do together.

We'll be in touch within 48 hours

[contact-form-7 id="593" title="Schedule a Demo"]