A Little Privacy: week of July 16

USA

GLOBAL PRIVACY CONTROL BACKED BY CA ATTORNEY GENERAL

The California Office of the Attorney General made an update to its California Consumer Privacy Act (CCPA) FAQs to clarify that the GPC, a user-enabled global privacy control available on certain browsers “must be honored by covered businesses as a valid consumer request to stop the sale of personal information”.   

OHIO INTRODUCES PRIVACY BILL

The Ohio House of Representatives introduced legislation to enact the Ohio Personal Privacy Act. The Act would impose certain notice requirements and grant user rights to access, delete, and opt out of the sale of personal data collected about them, would require businesses to pass opt-out requests to downstream processors and third parties, and would impose certain contractual requirements between businesses and their processors. The Act would be strictly enforced by the Ohio Attorney General and would create an affirmative defense if businesses comply with a written privacy program reasonably conforming to the National Institute of Standards and Technology (NIST) privacy framework. 

Europe

italian dpa publishes new cookie guidelines

The Italian Data Protection Authority published new guidelines for cookies and other tracking tools, giving companies until January 10, 2022 to comply. Among other requirements, the new guidelines require that the cookie consent banner include both “accept” and “reject” buttons, granular choices, and the ability for users to edit their tracking preferences at any time. The guidelines prohibit requesting consent again for 6 months after the initial request. They also allow placing first-party analytics cookies without consent but only allow third-party analytics cookies without consent in certain circumstances.  

EU ADDS TO DIGITAL SERVICES ACT

The EU Parliament Committee on Civil Liberties, Justice and Home Affairs (LIBE) adopted proposals to add certain digital privacy rights to the Digital Services Act (DSA), pending legislation previously focused on illegal content such as hate speech. The new proposals, as reported by Reuters, would, among other things, create a right to use and pay for digital services anonymously, whenever reasonably feasible, and phase out behavioral and personalized advertising for non-commercial and political advertising. The proposals would need to be agreed to by two additional committees and would likely come into force next year. 

EDPB ADOPTED BINDING DECISION ON HAMBURG DPA’S REQUEST FOR WHATSAPP DATA PROCESSING BY FACEBOoK

The EDPB adopted an urgent binding decision rejecting the Hamburg DPA‘s request to ban processing of WhatsApp user data by Facebook IE for their own purposes. Instead, the EDPB requested that the Ireland Supervisory Authority carry out a statutory investigation to determine whether the processing activities are taking place, whether there is a proper legal basis under GDPR to do so, and whether Facebook IE is acting as a processor or joint controller with respect to that processing.

UK CENTRE FOR DATA ETHICS AND INNOVATION PUBLISHES GUIDE TO USE OF PRIVACY ENHANCING TECHNOLOGIES

The UK Centre for Data Ethics and Innovation (CDEI) published a PETs Adoption Guide, an interactive tool designed to aid decision-making around the use of privacy enhancing technologies in data-driven projects. The guide poses a series of questions in a flowchart format to help companies enable safe, private and trustworthy use of data that is appropriate for their use case. 

–