Norwegian DPA criticizes consent through browser settings

–

Want to receive these weekly privacy recaps in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.

EUROPE

Amazon Appeals Luxembourg Fine

Amazon reportedly filed an appeal challenging the Luxembourg DPA’s July decision regarding Amazon’s reliance on its contract terms of service for ad targeting. According to a letter from the CNIL published by the French complainant, Amazon would receive a 746 million euro fine per day of delay under the decision if Amazon doesn’t establish a proper legal basis for its ad targeting practices by January.

WHY IT MATTERS

Amazon reportedly expressed its intention to appeal at the time the decision was issued, communicating at that time that “there has been no data breach, and no customer data has been exposed to any third party” and that it strongly disagreed with the DPA’s findings, so this news shouldn’t come as a surprise.

However, depending on the basis of the appeal, the ultimate decision may shed further light on the meaning of “distinguishable, clear and freely given” consent and the requirements to consider data processing “necessary for the performance of a contract”, which insight may become more of a gray area as companies explore identity solutions relying on first-party data.

ICO Releases Draft Chapter on ANONYMISATION

The UK data protection authority (ICO) published the second chapter of its draft anonymisation, pseudonymisation and privacy enhancing technologies guidance.

The first chapter, released in May, provided an “Introduction to Anonymisation”, defining anonymisation, pseudonymisation and their respective benefits. This more detailed second chapter goes further to pose the question “How do we ensure anonymisation is effective?”, exploring the key indicators of identifiability, factors to assess identifiability risk, and the decision-making process companies should use to determine when and how to review and release data models.

Both chapters are part of a consultation accepting feedback on the guidance until November 28.

WHY IT MATTERS

Understanding DPA perspective on anonymisation and pseudonymisation may be particularly important for companies looking to create or rely upon alternative identity solutions for advertising.

As expressed in the ICO’s draft guidance “identifiability exists on a spectrum, where the status of information can change depending on the circumstances of its processing”, so companies will need to have an intricate understanding of the specifics of processing, the data environment(s), and the risk management process for each data model to understand where it falls on the spectrum and whether it truly meets the definitions of anonymisation and pseudonymisation from the DPA’s perspective.  

Norwegian DPA Criticizes Consent Through Browser Settings; Requests Supervisory Authority Over Cookies

In response to the Ministry of Local Government and Modernization proposal for a new Electronic Communications Act issued in July, the Norwegian DPA and Consumer Agency submitted a joint response expressing support of the proposal’s efforts to bring Norway’s cookie consent requirements more in line with the rest of the EU and the EEA, but criticizing the proposal’s acceptance of a technical setting in the browser or equivalent as meeting the requirement for consent when technically possible.

The DPA’s response expressed that previous regulations allowing for consent through pre-settings in the browser “led to an extensive collection of personal data with very limited control and choice for users” and that, with respect to the new proposal, “in today’s market, in our view, there are no technical solutions for consent through browser settings that meet the Privacy Ordinance’s consent requirements”. Finally, the response asked that the DPA be given supervisory authority going forward over the use of cookies.

OUR TAKE

Perspectives on whether browsers or other technical settings may be sufficient or appropriate for cookie consent are inconsistent across the globe.

Finland published revised cookie guidelines last month clarifying that browser settings cannot be considered sufficient for consistent, while the ICO has expressed support for exploration of consent through browsers, software applications and device settings, and the California Attorney General’s office has expressed a requirement for businesses covered by the California Consumer Protection Act to honor GPC browser settings as a valid request to stop the sale of personal information. 

USA

Massachusetts Holds Hearing on Privacy Legislation

The Massachusetts Joint Committee on Advanced Information Technology, The Internet and Cybersecurity held a virtual hearing on bills related to data privacy, the Internet and broadband access, including the Massachusetts Information Privacy Act (MIPA), which has been introduced in both the Senate and House.

The Committee heard testimony from TechNet, State Privacy & Security Coalition, Retailers Association of Massachusetts, and Internet Association, among others, in opposition to MIPA, and from Consumer Federation of American, Electronic Privacy Information center, ACLU, and Electronic Frontier Foundation, among others, in support of MIPA.

Testimony in opposition included criticism of MIPA’s departure from other state privacy laws, its subjectivity (leading to confusion and cost for businesses), its private right of action (leading to unnecessary risk exposure to businesses), and its requirements to obtain double opt-in consent and to respond to access requests with a specific list of third parties (causing consent fatigue for consumers and technical challenges for businesses). Opposition testimony also encouraged alternative legislation that is clearly written, seeks uniformity across state lines, provides for narrowly tailored regulation with sufficient lead time, follows a notice and opt-out structure, and provides for exclusive AG enforcement with a right to cure.

Supporting testimony included assertion of the importance of the legislation’s two-pronged enforcement measures, notice and consent requirements, imposition of fiduciary duties of care, loyalty, and confidentiality, protections against discrimination, and heightened restrictions on selling sensitive personal information.

WHY IT MATTERS

Whether in support or opposition, those testifying seemed to be in agreement that MIPA, in its current form, is a significant departure from state privacy laws in other states.

One particularly interesting departure for the advertising industry is the legislation’s broad definition of “Sensitive Information” to include IP Address, coupled with extensive restrictions and requirements for processing Sensitive Information, including specific notice and consent requirements for processing the information and heightened restrictions and requirements for disclosing or monetizing from the information.

CPPA HOLDS Public Board Meeting

The California Privacy Protection Agency released the agenda and materials for a board meeting held October 18. Among other topics, the agency discussed updates to CCPA rules (including submission and compliance with opt-out requests, creation of a uniform opt-out logo or button, definition of the requirements and technical specifications for opt-out preference signals, including requirements for a signal indicating that the consumer is a minor), creation of new CPRA rules, as well as introduction of the new Executive Director Ashkan Soltani.

WHY IT MATTERS

The comment period in response to the CPPA’s recently released Invitation for Preliminary Comments is still open until November 8, so it will be interesting to see whether the CPPA takes a more reserved approached until after close of the comment period.   

glOBAL

India to Consider Non-Personal Data Under Personal Data Protection Bill

The Joint Parliamentary Committee on India’s Personal Data Protection Bill is reportedly expected to meet October 20 to formally adopt a resolution to include non-personal (anonymized) data in the scope of the bill and change the name to “Data Protection Bill”. According to The Indian Express, a panel convened on the topic of non-personal data issued a report in 2020 expressing that data can still be dangerous, even in anonymous form, in certain circumstances.

WHY IT MATTERS

India’s Personal Data Protection Bill, at least in previous versions, has looked in many respects similar to GDPR, with similar consent requirements and extension of user rights. The Hindu reported last month that the chairman of the Joint Parliamentary Committee had made changes to include non-personal data in the context of data breaches. It’s unclear whether the proposal to be adopted October 20 will include non-personal information beyond that context. 

Want more of the privacy highlights that matter to adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.