IAB Europe submits action plan to Belgium DPA

Want to receive these weekly privacy recaps in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.

USA

Bedoya Nomination Moves One Step Closer to Confirmation

The Senate voted 51-50 (with Vice President Harris casting the tie-breaking vote) to discharge Alvaro Bedoya’s FTC nomination from the Senate Commerce Committee after a 14-14 tie vote in the committee last year.

This latest decision means that the nomination will advance to the full Senate floor for debate and confirmation.

WHY IT MATTERS

Assuming Bedoya is ultimately confirmed, he will take the 5th FTC seat and join Chair Lina Kahn and Commissioner Rebecca Kelly Slaughter in a 3-2 democratic majority, allowing for more progressive movement on FTC regulation and enforcement.

Consumer advocacy groups have been encouraging Bedoya’s swift nomination, with expectation that he will support measures addressing big tech and algorithmic bias.  

Connecticut / Oklahoma Privacy Bills Progress

Connecticut SB 6 was reported out of the Legislative Commissioner’s Office and added to the full Senate calendar, while Oklahoma HB 2969, which passed out of the House last month, was referred to the Judiciary and Appropriations committees in the Senate.

WHY IT MATTERS

If HB 2969 passes, Oklahoma would become the first U.S. state to enact a comprehensive privacy law requiring general explicit opt-in consent for the collection of personal information.

The bill must be voted out of committee before April 14 and receive a third reading in the Senate before April 28 to survive procedural thresholds designed to narrow the number of bills for consideration before the Legislature’s May 27 adjournment.

Connecticut SB 6 resembles Colorado’s CPA, with some elements pulled from Virginia’s VCDPA.     

EUROPE

IAB Europe Submits Action Plan to the Belgium DPA

IAB Europe announced its submission to the Belgium DPA (the APD) an action plan to address areas of non-compliance by IAB Europe’s Transparency and Consent Framework (TCF) identified in an Order issued by the APD in February.

The submission was made ahead of the April 2 deadline imposed by the APD.

WHY IT MATTERS

If the APD approves the action plan, IAB Europe will have 6 months from the date of such approval to implement the plan.

However, IAB Europe has also appealed the decision, including a request to suspend the Order pending the appeal, which may impact the timeline, if granted.

A hearing on IAB Europe’s request to suspend the Order is scheduled for April 6.    

Digital Services Act Negotiations Continue in Fourth Trilogue

The European Parliament, the European Commission and the European Council held a fourth trilogue to negotiate the terms of the Digital Services Act.

Targeted advertising to minors and using sensitive data are reportedly hot remaining issues, along with dark patterns.

The next trilogue likely won’t occur until late April.

WHY IT MATTERS

Provisional political agreement has been reached on the Digital Markets Act (DMA), which, with the Digital Services Act, make up the two pillars of a digital services framework designed to protect the fundamental rights of users of digital services.

Completion of DMA negotiations will likely put pressure on finalizing the DSA. Consumer advocates such People vs Big Tech Coalition are weighing in to encourage a ban on targeted advertising to minors and use of sensitive information for ad targeting, but the degree of such restrictions on targeted advertising appears to be the subject of continued debate. 

Danish DPA Cautions re Reliance on EU / US Transatlantic Agreement

The Danish Data Protection Authority (Datatilsynet) posted on its website that the agreement in principle signed by the European Commission and US authorities re transatlantic data flows “can not yet be used in practice by Danish companies.”

The DPA advised that, because there is not yet a transfer basis and adequacy decision with the United States, companies that want to transfer personal data to the United States must continue to establish a possible transfer basis.

Particularly with respect to transfers to cloud services, the Datatilsynet recommended consulting its recently published guidelines on cloud, which suggests that, for transfers to cloud providers in the United States, an assessment should be made as to whether certain U.S. laws, such as FISA 702, will be applied in practice to the information being transferred. 

WHY IT MATTERS

We may soon have a replacement for Privacy Shield, based on a recent announcement from U.S. President Biden and European Commission President Ursula von der Leyen that they had reached a transatlantic data flow agreement “in principle”.

Until an official agreement is reached, however, companies transferring data to the United States will need to continue to conduct transfer assessments, consistent with the Europe Court of Justice’s Schrems II ruling invalidating the previous Privacy Shield, before transferring data to the United States. 

INDUSTRY

Google Expands Privacy Sandbox Testing

Google announced that developers can now begin testing globally the Topics, FLEDGE and Attribution Reporting APIs in the Canary version of Chrome.

The company will also begin testing updated Privacy Sandbox settings that will allow users to manage the interests associated with them or turn off trials entirely. 

WHY IT MATTERS

According to its timeline, testing is expected to continue through Q3 of 2022, after which Google’s deprecation of third-party cookies will begin its transition phase. 

Want more of the privacy highlights that matter to adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.