Week of September 13, 2021

Julie Rubash, Chief Privacy Counsel
September 20, 2021

Want to receive these weekly privacy recaps in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.



The biggest news of the week was that President Biden announced his intention to nominate Alvaro Bedoya, a privacy expert and advocate and founding director of the Center on Privacy & Technology at Georgetown Law, as an FTC Commissioner.

Meanwhile, the FTC’s privacy enforcement capabilities should get a major boost: the House Energy and Commerce committee passed the Build Back Better Act, which, among other measures, would extend $1 billion to, as the Chairman noted, “provide the Federal Trade Commission with more resources to better protect consumers from privacy and data abuses.”

Finally, the FTC announced 8 key enforcement areas, including acts or practices affecting children, algorithmic bias, and deceptive and manipulative conduct (expanded to include dark patterns).


Taken together, this week’s FTC news demonstrates the executive, legislative and regulatory focus on data protection under the FTC’s authority, but the FTC key areas of enforcement indicates its intent to focus at least its existing data protection resources on narrower subsets of children, algorithmic bias and dark patterns.



The France DPA, CNIL, announced this week that, of the 40 entities that were notified back in June of non-compliance with the DPA’s Cookie rules, 80% are now in compliance. The remaining companies will either be granted an extension or will be fined up to 2% of their turnover. The CNIL also announced that new control campaigns are being prepared, continuing to focus on the possibility of refusing cookies as easily as accepting them and the effective compliance with that choice.


This was the CNIL’s second round of notices regarding violations of its cookie rules. The first round, sent in May, resulted in a 100% compliance rate within the required cure period, so this will be our first look at financial penalties resulting from violation of CNIL cookie rules.


The Finish Transport and Communications Agency, Traficom, published a revised guide on cookie storage in response to a new interpretive policy on cookies issued by the Helsinki Administrative Court in Spring 2021. The updated guidance clarifies that browser settings cannot be considered sufficient for consent, because browser settings cannot be considered a unique and active expression of intent when it comes to accepting different cookies and collection of data for a variety of uses.


The issue of whether browser-level settings can/should be relied upon as an expression of user privacy preferences is a hot topic not just in Finland, but across the world, with varying viewpoints.

Finland has indicated here that browser settings cannot be relied upon as an active expression of user intent under an opt-in regime, while the California Attorney General’s office has expressed a requirement for businesses covered by the California Consumer Privacy Act to honor the Global Privacy Control, a setting in some browsers, as a valid consumer request to stop the sale of personal information.

Meanwhile, European privacy group noyb published a technical proposal in June to enable users to configure privacy consent preferences at the browser level, while the ICO announced an open consultation earlier this month inviting feedback as to whether, among other questions, leaning on browsers, software applications, device settings, data fiduciaries or trusted third parties is the right approach to manage individual consent preferences



The Saudi Arabia Cabinet reportedly approved the Personal Data Protection Law to be implemented March 13. The new law is designed to protect from unconsented collection and processing of personal data and extends user rights to view, access or restrict processing of personal data and know the purposes of its processing.


General data protection laws are rapidly spanning the globe, with South Africa’s POPIA having gone into effect in July, Brazil implementing the final measure of the LGPD in August, China’s PIPL going into effect November 1 and several other countries with existing or pending legislation for the general protection of personal data.

Want more of the privacy highlights that matter to adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.

Latest Blog Posts

You Are Who You Work With: Cookie Consent and Data Privacy

June 11, 2024

Who you work with for consent management and data...

Texas AG Prepares for “Aggressive Enforcement” of Privacy Laws

June 10, 2024

Texas Attorney General announced a data privacy and security...

What are the privacy laws in Canada?

June 6, 2024

Everything you need to know about PIPEDA and Quebec’s...

Latest White Papers

Benchmark Report: US Privacy Compliance

August 19, 2022

The current state of publisher compliance with CCPA, and...

Ebook: A Publisher’s Guide to Vendor List Curation

December 16, 2021

How to review your vendor list to mitigate compliance...

Keep in touch

Sign up for our newsletter to keep up with privacy news for adtech and martech,
plus occasional company news.

Let's explore what we can do together.

We'll be in touch within 48 hours

[contact-form-7 id="593" title="Schedule a Demo"]