U.S. State Signal specs released for comment as part of Global Privacy Platform 

Want to receive these weekly privacy recaps in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.

UNITED STATES

California Privacy Protection Agency Receives New Board Member

California Attorney General Bonta appointed Alastair Mactaggart to the California Privacy Protection Agency Board, replacing Board Member Angela Sierra, who will be moving to California’s Racial and Identity Profiling Advisory Board. Mactaggart will begin his duties immediately. 

CONTEXT

Mactaggart co-founded Californians for Consumer Privacy, the consumer rights advocacy group that sponsored the ballot referendum that led the California Legislature to pass the California Consumer Privacy Act (CCPA), as well as Proposition 24 implementing the California Privacy Rights Act (CPRA).

He is a strong advocate of giving consumers and parents control over their and their families’ personal information. 

Colorado Formal Rulemaking Begins

The Colorado Attorney General’s office released draft rules onto the secretary of state’s website for public comment, officially kicking off the formal rulemaking process under the Colorado Privacy Act.

Official public comments will be accepted through the CPA rulemaking comment portal as well as at stakeholder meetings to be held November 10, November 15 and November 17.

A hearing on the proposed rules will then be held February 1.

TAKEAWAY

The notice of proposed rulemaking invites public comment generally, as well as in response to several specific questions.

Particularly notable to the advertising industry, the notice poses several questions around recognition of Universal Opt-Out Mechanisms, including:

• what would be required to a controller to display to a consumer that it has processed the signal
• ways in which a controller can authenticate residents of Colorado when receiving the universal opt-out signal in a manner that won’t frustrate the efficiency or purpose of the signal
• whether additional technical specifications would help further clarify the requirements of the mechanism. 

FTC Extends Comment Deadline on Commercial Surveillance Rulemaking

The Federal Trade Commission (FTC) announced a one-month extension (until November 21, 2022) for public comments in response to the agency’s Advance Notice of Proposed Rulemaking (ANPR) on commercial surveillance and lax data security practices, which was launched in early August. 

TAKEAWAY

The ANPR sought feedback about harms from “commercial surveillance” practices and whether rules are needed to protect people’s privacy and information, including, in particular, with respect to harms to consumers, children and teenagers.

The FTC sought feedback on how to balance the costs and benefits of current practices and whether regulations should address data security, use of biometric information, automated decision-making, algorithmic discrimination, and methods for consent, notice, transparency and disclosure.

The ANPR has resulted in strong statements from advertising industry associations, including from the NAI, calling “surveillance” a loaded term to describe tailored advertising, and from the IAB, warning of the impact severe restrictions on digital advertising could have on the “data-driven economy and ad-supported internet”. 

EUROPE

EDPB Sends “Wish List” of GDPR Enforcement Procedures to European Commission

In an effort to “promote effective cooperation in view of strong and swift enforcement of the GDPR”, the European Data Protection Board sent for consideration by the European Commission a “wish list” of procedural aspects that it wishes to see harmonised at the EU level.

The list includes harmonising procedural rights of parties to a procedure, procedural deadlines, complaint admissibility requirements, complaint rejection and dismissal processes, investigatory, monitoring and enforcement powers of supervisory authorities, and cooperation requirements across Member States.

CONTEXT & TAKEAWAY

The EDPB is tasked with ensuring the consistent application of the GDPR pursuant to various cooperation and consistency mechanisms intended to harmonise the level of protection offered by the GDPR across Member States.

The EDPB announced in April 2022 that, going forward, it would implement certain new measures to foster cooperation among DPAS in their application of the GDPR, including yearly identifying cross-border cases of strategic importance, applying an action plan and a fixed timeline for cooperation to such cases, identifying annual enforcement priorities and identifying a list of administrative procedural aspects that could be further harmonised.

This “wish list” is issued in response to that April statement.

The EDPB stated in its letter to the European Commission that this harmisation is “necessary to iron out the differences in administrative procedure and practices which may have a detrimental impact on cross-border cooperation.” 

INDUSTRY

IAB Tech Lab Releases U.S. State Signal Specs for Public Comment

IAB Tech Lab, a non-profit consortium that develops technology and standards for the digital media ecosystem, has released for public comment a set of specifications for companies to pass to one another privacy signals communicating user preferences and requests under privacy laws in five states: California, Virginia, Colorado, Utah and Connecticut.

The specifications are intended to be used in conjunction with the IAB Tech Lab’s Global Privacy Platform (GPP), a platform intended to support privacy compliance frameworks across multiple jurisdictions worldwide.

The specifications are also designed to be used in combination with the Interactive Advertising Bureau (IAB)’s Multi-State Privacy Agreement, an agreement among all parties who sign it governing the use of the US State Signals.

Public comments on the specifications can be submitted until October 27, 2022. 

TAKEAWAY

IAB Tech Lab previously developed the US Privacy Framework, a separate set of specifications specifically designed to pass signals regarding user preferences in California pursuant to the California Consumer Privacy Act.

The new US State Signals will supersede the US Privacy Framework and will likely continue to evolve as more comprehensive state privacy laws are enacted across the United States.

The US State Signals and the Multi-State Privacy Agreement address particular challenges posed by pending state laws, such as new user rights to opt out of the “sharing” of personal data in California and “targeted advertising” in Virginia, Colorado, Utah and Connecticut. 

Want more of the privacy highlights that matter to adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.