UK ICO issues Privacy by Design guidance
February 27, 2023
Illinois / Rhode Island Introduce Comprehensive Privacy Legislation
Two new states, Illinois and Rhode Island, joined the list of states with active comprehensive privacy legislation, bringing the total number to 19.
Rhode Island HB 5745 contains familiar elements from existing privacy laws (most closely resembling Connecticut).
Illinois HB 3385, on the other hand, borrows heavily from the American Data Privacy and Protection Act (ADPPA), a federal bill that was introduced and failed to pass in 2022.
HB 3385, like the ADPPA, includes strong limitations on the use of sensitive covered data, which is defined broadly to include information identifying an individual’s online activities over time and across third party websites or online services.
Danish DPA Allows Cookie Walls, Within Limits
The Danish Data Protection Authority announced two recent decisions, as well as general guidelines, that collectively allow websites to condition access to content on consent to the processing of personal data, as long as certain criteria are met. Specifically:
(a) users must be given a reasonable alternative to the processing of their personal data (e.g., access to the content for a reasonable monetary fee);
(b) any data processed after a user provides consent (as an alternative to payment) must be a necessary part of the non-monetary alternative, or else separate consent must be obtained (e.g., if the non-monetary alternative is processing of personal data for marketing purposes, the company must obtain separate consent for any other purposes); and
(c) if the user chooses to make monetary payment, no personal data should be processed other than as necessary to provide the service requested, unless separate consent is provided.
The Danish DPA’s guidance closely resembles the Cookie Wall Evaluation Criteria issued by the French DPA (the CNIL) in May 2022, which advised that websites conditioning access to a service on the acceptance of cookies or other tracers on the user’s terminal device should provide a fair alternative at a reasonable price, that the cookie walls should be limited to the purposes that allow for fair remuneration, and that the selection of the paid alternative should result in appropriate limitation of unnecessary tracers.
ICO Issues Privacy By Design Guidance
The UK Information Commissioner’s Office (ICO) issued new guidance titled “Privacy in the product design lifecycle” that reminds companies of recommended data protection practices when designing products, communicating privacy information, obtaining consent and extending user rights.
Some notable guidance includes:
providing privacy information at relevant moments, which may, as appropriate, include multiple points in the data collection process (e.g., at account sign up and again at the time of data collection);
offering consent options with clear affirmative actions and a way to reopen consent interfaces later on, making consent as easy to withdraw as to give;
and, where appropriate, giving the option to exercise user rights directly through a product (through the same medium used to collect the data).
Canadian Authorities to Investigate TikTok Compliance with Privacy Laws
The Office of the Privacy Commissioner of Canada (the OPC) announced that it will, in conjunction with privacy commissioners in Quebec, British Columbia and Alberta, conduct an investigation to determine whether TikTok’s privacy practices are in compliance with Canadian privacy law. In particular, the authorities will investigate whether valid and meaningful consent is being obtained for the collection, use and disclosure of personal information and whether the company is meeting its transparency obligations.
Although Canada’s federal law, PIPEDA, allows for the form of consent for the processing of personal information to vary based on the type of information and reasonable expectations of the individual, the OPC seems to be cracking down on circumstances where consent may not be reaching the appropriate threshold.
Last month, the OPC revealed an investigation finding that Home Depot’s practices of making privacy disclosures on its website and upon request at retail locations were “insufficient to support meaningful consent” for the sharing of customer email addresses collected at checkout with Meta for ad measurement purposes.
The OPC found that Home Depot should have obtained express consent because customers would not reasonably expect, or have reason to suspect, that their e-mail address and offline purchase details would be shared with Meta for measuring the impact of ad campaigns.
It has not been made clear what other specific circumstances may rise to this level of requiring express consent. In the case of TikTok, the OPC noted that an important proportion of TikTok users are younger users and that, given the importance of protecting children’s privacy, the investigation will have a particular focus on TikTok’s privacy practices as they relate to younger users, including whether the company obtained meaningful consent from such users.
A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.