Nebraska Becomes 16th State to Enact Comprehensive Privacy Law

Julie Rubash, General Counsel and Chief Privacy Officer
April 22, 2024

USA

Nebraska Becomes 16th State to Enact Comprehensive Privacy Law

Nebraska’s Governor signed LB 1074, making Nebraska the 16th state to enact a comprehensive US state privacy law (not counting Florida).

TAKEAWAY

The Nebraska Data Privacy Act, which largely mirrors the Texas Data Privacy and Security Act, will take effect January 1, 2025, the same day as the privacy laws in Iowa, Delaware and New Hampshire.

Cerebral Agrees to $7MM FTC Order Over Sensitive Data Sharing Practices

A proposed FTC Order, if approved by the court, would require online mental health service Cerebral to pay a $7.1 million settlement and abide by a list of requirements and restrictions, including a permanent ban on the disclosure of consumer personal data to third parties for marketing and advertising purposes and a requirement to obtain consumer consent before disclosing personal data to third parties for most other purposes. The Order is based on an FTC complaint alleging violations of the FTC Act arising, in part, from Cerebral’s use and disclosure to third parties of consumer protected health information (including through the use of third-party tracking tools) without obtaining consumer affirmative express consent.

TAKEAWAY

This is the second proposed FTC Order in less than 2 weeks based on a service’s sharing of health data for advertising, reflecting a potential uptick in the frequency of such cases. The first was against Monument, an alcohol addiction treatment service, proposing a $2.5 million settlement in addition to a ban on disclosure of health information for advertising purposes and a requirement to obtain affirmative express consent for any other disclosure of health information, among other requirements and restrictions.

EUROPE

EDPB Details Requirements for Large Online Platform “Pay or Ok” Models

The European Data Protection Board (EDPB) issued an opinion on the GDPR compliance of “pay or ok” consent models by large online platforms in response to inquiries from the Dutch, Norwegian and German supervisory authorities. The 42-page opinion concludes that “pay or consent” models relating to behavioral advertising by large online platforms may be valid if the consent is freely given, informed, and an unambiguous indication of wishes, and the platform complies with all other rules and principles provided by the GDPR. To assess each element of the requirements, the opinion lays out factors for large online platforms to consider, including whether an equivalent alternative (different only to the extent necessary as a consequence of the controller not being able to process personal data for behavioral advertising purposes) is offered for an appropriate fee to those who do not consent (a concept built on the CJEU’s Bundeskartellamt judgment), whether any fee imposed inhibits data subjects from making a genuine choice or nudges them toward consent, whether data subjects are provided, prior to making a choice, with clear information about the processing activities linked to each of the options, and whether separate (not bundled) consents are required and defined for the processing activities that allow the service to be accessed for free and the processing of personal data for different purposes.

TAKEAWAY

It is important to highlight that the EDPB’s opinion does not apply to all services or all circumstances. The EDPB makes a point of clarifying at the start of the opinion that the scope of the opinion is limited to the implementation by large online platforms of “consent or pay” models where users are asked to consent to processing for the purposes of behavioral advertising. The opinion therefore dedicates a significant portion to discussing the need for such large online platforms to assess the potential imbalance of power between the data subject and the platform, including the position of the large online platform in the market, the existence of lock-in or network effects, the extent to which the data subject relies on the service and the main audience of the service, as part of the analysis in determining whether its “pay or ok” model is compliant. The opinion does not provide an exact definition of a “large online platform” but says that it may cover certain controllers of “very large online platforms” as defined under the DSA and “gatekeepers” as defined under the DMA, and provides elements to be assessed, on a case-by-case basis, to determine whether a controller is to be considered a “large online platform” for purposes of the opinion, including the number of data subjects the service attracts, the position of the company in the market, and the scale of its processing.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.
