Privacy & Data Security Law Alerts

June 2nd, 2022

Privacy News for Q2 2022

Privacy News for Q2 2022

Upcoming Event: Platform Advertising in a Shifting Multi-Jurisdiction Legal Environment. Join Frankfurt Kurnit Privacy & Data Security Group Chair Daniel M. Goldberg and privacy lawyers from ByteDance, LinkedIn, and Nextdoor during the virtual IAB Public Policy and Legal Summit on June 8th. The panel will discuss compliance for platform advertising in light of shifting multi-jurisdiction privacy requirements in the US and abroad. Topics include the use of first-party data for on-platform advertising, new challenges for “combining” data for measurement and optimization purposes, and new consumer choices around targeted advertising and the use of sensitive data categories. Registration is free. If you would like to attend, please register here.

Chambers USA Guide 2022

Chambers and Partners ranks our Privacy and Data Security practice as "Band 1" Nationwide. Practice Group Chair Daniel is ranked individually as "Band 4" for his broad-based privacy expertise. Read the full review here.

Here is a summary of privacy news and trends we have seen in the first half of 2022:

California

California’s new privacy regulatory agency, the California Privacy Protection Agency (“CCPA”), has been actively engaged in the draft rulemaking process with respect to the California Privacy Rights Act (“CPRA”). Last Friday, the CPPA released an initial draft of its proposed regulations to CPRA. This draft is only the first part of the proposed regulations, and a second part (not yet released) will cover obligations relating to cybersecurity audits, privacy risk assessments, and automated decision making. The CPPA will hold a public meeting on June 8th to discuss the proposed regulations and other topics, after which there will be a 45 day window for the public to submit comments. CPRA, and any accompanying regulations, take effect January 1, 2023. If you are interested in submitting public comments, please contact us.

Our initial analysis of the proposed regulations is available here.

New State Privacy Laws

Utah: Utah’s new privacy law takes effect December 1, 2023. The law shares much in common with Virginia’s privacy law, but is considered more business friendly. The law notably departs from the general standard followed by other states by implementing a two-step enforcement process and permitting companies to charge differing rates to consumers based on their privacy preferences. Data subject rights are also more limited; consumers will not have the right to correct inaccuracies in their data or opt-out of profiling. Read more.

Connecticut: Connecticut’s new privacy law takes effect July 1, 2023. The law shares much in common with Colorado’s privacy law. The law requires opt-in consent for the processing of sensitive and adolescent data and, similar to Colorado, explicitly requires companies to honor opt-out preference signals for certain types of data processing. We expect preference signals to be a hot topic moving forward. Read more.

Children

In a new policy statement, the FTC made clear that companies that provide educational software and online services to students must comply with the Children’s Online Privacy Protection Act (“COPPA”). Under COPPA, companies cannot deny children access to educational technologies when their parents or school refuse to sign up for commercial surveillance. The FTC policy statement notes that data collection has become more extensive and ad targeting more sophisticated, while education technology has become more prominent in the COVID era. That combination could make children vulnerable to data privacy violations if ed tech companies try to skirt COPPA. Read more. 

Biometric Information

The collection and processing of biometric information has continued to be a hot topic in 2022. Many states and municipalities, including Illinois, Texas, Washington, and New York City, have laws expressly limiting the processing biometric information, Some jurisdictions, like Portland, outright ban the processing of biometric information. 

New comprehensive state privacy laws that take effect in 2023 will have a dramatic impact on the processing of biometric information. CPRA defines biometric information as “sensitive personal information” and will require companies to give consumers the right to opt-out of the use or disclosure of their sensitive personal information. Virginia and other comprehensive state privacy laws will require companies to obtain opt-in consent before processing sensitive data (which includes biometric information). 

It appears that the risks associated with biometric information may spur future legislation as well. During public hearings for Connecticut’s new privacy law, lawmakers highlighted the collection of biometric information as a particular concern prompting the need for the law. In California, SB 1189, a bill recently filed by Senator Wieckowski, would also impose requirements similar to Illinois’s privacy law.

We will continue to track these and other changes to the privacy landscape and update as we learn more.

Please visit Advertising Law Updates for additional blogs and alerts, and contact Daniel M. Goldberg at (310) 579-9616 or dgoldberg@fkks.com, Maria Nava at (310) 579-9626 or mnava@fkks.com, Elliott Siebers at (212) 705-4821 or esiebers@fkks.com or any other member of the firm’s Privacy & Data Security Group.