Federal online privacy act reintroduced

Julie Rubash, Chief Privacy Counsel
November 22, 2021

Want to receive these weekly privacy recaps in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.


Bedoya testifies in Nomination Hearing

Alvaro Bedoya, an FTC Commissioner nominee, testified before the Senate Commerce, Science and Transportation Committee at a Confirmation Hearing. In response to questions from the Committee, Bedoya expressed his admiration for introducing the concept of a duty of loyalty in privacy legislation. In the context of facial recognition, he also emphasized the importance of applying greater scrutiny to situations where collection and use is opaque, where there is broader dragnet data collection, where people aren’t allowed to consent, and where data is free flowing, without restriction.

In the context of children’s data, Bedoya said he supports updates to the law to give 13, 14 or 15 year olds control over their data, to ban targeted ads and create an erase button so that parents can insist that children’s data is erased from data records forever. However, when asked about FTC rule making authority, he clarified that he thought it preferable for Congress to pass a law, rather than the FTC opening a rule making for privacy.

The question and answer period will continue until November 29, after which the committee will vote on Bedoya’s confirmation. If approved, the nominations will proceed to the full Senate.


Bedoya’s nomination has been celebrated by consumer and civil rights advocates, several of which sent a letter to the Senate Committee last month stressing the importance of confirming him as soon as possible to fill the vacant seat left by Rohit Chopra, who was confirmed as Director of the Consumer Financial Bureau.

If confirmed, Bedoya is expected to be a key third vote in favor of Democratic-leaning FTC decision-making, breaking the existing 2-2 split. The FTC has rule making authority under Section 5 of the FTC Act, prohibiting unfair and deceptive acts and practices, and consumer advocates have been putting pressure on the FTC to use that authority for privacy rule making.  

Federal Online Privacy Act Reintroduced

U.S. Representatives Eshoo and Lofgren reintroduced privacy legislation that would extend user rights, establish a Digital Privacy Agency, require consent for processing, and allow for enforcement through state attorneys generals and private class actions. The legislation would not preempt state privacy laws. It was previously introduced in 2019, but the bill never made it out of committee. 


Multiple comprehensive privacy bills have been introduced in the House and Senate, including the Digital Accountability and Transparency to Advance (DATA) Privacy Act and the Control Our Data Act introduced earlier this month, neither of which contain a private right of action. The bills differ in various respects, but the private right of action, opt in consent (vs. opt out), and state preemption continue to be dividing issues.     


ICO Undertakes “Systemic Approach” to Children’s Code Enforcement

In a letter to the 5Rights Foundation in response to the charity’s research into breach of the Age Appropriate Design Code, Elizabeth Denham, the UK Information Commissioner, explained that the ICO is conducting an evidence gathering process to assess compliance with the Code. According to Denham, the ICO is focusing on three “high risk” sectors: social media and messaging; gaming; and video content and music streaming. She said the ICO has written to 40 organizations across the three sectors and plans to write to a further nine companies mentioned in the 5Rights research.


The transition period for the Age Appropriate Design Code ended in September, giving the ICO to start enforcing the Code against non-compliant companies.

One concern 5Rights raised to the ICO based on their research was that there is a great disparity in approaches to compliance across companies and that a clear opinion from the ICO is needed to establish what is adequate and what is best practice. Based on the ICO’s response, it appears that the ICO is in an initial exploratory phase that will need to be completed before any more formal enforcement, guidance or regulatory action may take place. 


Brazil Issues Annual LGPD Report

Brazil’s National Data Protection Authority released a report summarizing its activity in the first year after implementation of the country’s General Data Protection Law (LGPD), including publication of various guidelines and technical cooperation agreements.


Although the LGPD has been in effect for over a year, the enforcement provisions have only been in place since August 2021, and Brazil’s DPA pledged to take a responsive approach to organizations failing to comply. Accordingly, enforcement is notably missing from the report. 


Artificial Intelligence is raising concerns among industry and advocacy groups

Two updates this week:

Advocacy Groups Urge Facebook to End Use of AI for Children’s Advertising

A group of 48 consumer advocacy groups signed a letter urging Facebook to “immediately end all surveillance advertising to children and adolescents, including the use of artificial intelligence to optimize the delivery of specific ads to the young people most vulnerable to them”. The letter accuses Facebook of making misleading statements regarding the company’s plans to limit ad targeting to children, citing that Facebook is using data about children’s online behavior to feed their machine learning enabled Delivery System to optimize targeting in children’s feeds. The letter invites Facebook to reveal the full detail of how teens receive optimized, targeted ads and to commit to end the practice altogether. 

IAB Issues Report Re Bias in AI for Marketing

The IAB released a report focused on AI bias that it describes as a “must read and a starting point for companies to develop frameworks for better AI solutions” as “AI champions and arbiters of bias”. The guide encourages companies to consider data volume, data quality, computing power, data privacy and security risks, legal and regulatory risks, and public trust and reputational risk when developing AI, and provides a checklist and list of questions for each phase of an AI system’s lifecycle. 


AI was identified as an area of policy focus by the Global Privacy Assembly last month, and we’re starting to see proposals, guidance, and white papers around AI from the UK, Hong Kong, the U.S. and other countries. It’s likely only a matter of time before proposals, guidance and advocacy letters turn to laws and regulations in this area, so companies taking a trust-first approach to AI development may be better positioning themselves for future compliance obligations.

Want more of the privacy highlights that matter to adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.

Latest Blog Posts

Vermont Data Privacy Bill Is Vetoed

June 17, 2024

Vermont Governor announced his veto of a bill that...

You Are Who You Work With: Cookie Consent and Data Privacy

June 11, 2024

Who you work with for consent management and data...

Texas AG Prepares for “Aggressive Enforcement” of Privacy Laws

June 10, 2024

Texas Attorney General announced a data privacy and security...

Latest White Papers

Benchmark Report: US Privacy Compliance

August 19, 2022

The current state of publisher compliance with CCPA, and...

Ebook: A Publisher’s Guide to Vendor List Curation

December 16, 2021

How to review your vendor list to mitigate compliance...

Keep in touch

Sign up for our newsletter to keep up with privacy news for adtech and martech,
plus occasional company news.

Let's explore what we can do together.

We'll be in touch within 48 hours

[contact-form-7 id="593" title="Schedule a Demo"]