Blog

Draft U.S. federal privacy legislation released

Julie Rubash, Chief Privacy Counsel
June 7, 2022

Want to receive these weekly privacy recaps in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.

USA

Draft Federal Privacy Legislation Released

A bipartisan group of U.S. representatives and senators released a discussion draft of comprehensive privacy legislation titled “the American Data Privacy and Protection Act”. 

According to a press release from the House Committee on Energy & Commerce, the draft is “the first comprehensive privacy proposal to gain bipartisan, bicameral support”. 

WHY IT MATTERS

The draft legislation adopts several concepts from enacted state privacy legislation, including an obligation to provide consumers with the means to opt out of targeted advertising and an obligation to obtain express consent for processing of sensitive data.

The legislation also includes a preemption clause specifying that it would preempt state laws covered by the federal legislation, with several exceptions, including exceptions for state laws covering breach notification, biometric and facial recognition data, employment data, and certain health and financial data, among other exceptions. 

EUROPE

CNIL Reveals 2021 Activity / 2022 Priorities

In a 2021 Activity Report, the French data protection authority (CNIL) revealed that, out of the 135 formal notices issued by the CNIl in 2021, 89 concerned cookies.

According to the report, sanctions were issued in ‘the most serious cases, concerning players who did not allow millions of Internet users to refuse cookies as simply as to accept them”. 

The report also revealed the CNIL’s strategic plan for 2022-2024, including three priorities for a trusted digital society: promoting respect for rights, promoting the GDPR as an asset, and targeting regulation on high stakes subjects.

Under these priorities, the CNIL strategic plan includes (among other strategic plans) increasing the efficiency of its complaint investigations, strengthening legal certainty through practical and clear guidelines, and developing certification and code of conduct tools.

The CNIL also said it would implement a global action plan on three priority themes: augmented cameras and their uses, data transfers in cloud computing, and collection of personal data in smartphone applications. 

WHY IT MATTERS

The report indicates that the CNIL’s approach to its 2022-2024 priorities will follow a similar path “as it was able to do for cookies”, beginning with a phase of fixing the doctrine, a second phase of providing practical compliance assistance tools, and finally conducting control campaigns and adopting corrective measures if necessary.

As we saw with cookies, companies will be wise to pay close attention to early guidance issued by the CNIL in the stated priority areas to avoid being the subject of corrective measures in later phases.  

GLOBAL

Thailand’s Personal Data Protection Act Reaches Compliance Deadline

Thailand’s Personal Data Protection Act (PDPA), which was enacted in May 2019, went into force June 1, 2022, after an extension of the compliance deadline issued in response to COVID-19.

WHY IT MATTERS

The PDPA includes several similarities to the EU’s GDPR, including an extraterritorial scope, applying the law to any organization processing data of Thailand residents, regardless of whether the organization is located in Thailand.

The PDPA also includes an obligation to have a legal basis for processing that may include consent, legitimate interest, performance of a contract, legal obligation or vital interests. 

Tim Hortons App Tracking in Violation of Canadian Privacy Laws

After an investigation, federal and provincial authorities discovered that the mobile app offered by restaurant chain Tim Hortons was tracking and recording user movements every few minutes, even when the app was not open, in violation of Canadian privacy laws.

Notably, the authorities found the app’s vast data collection was not proportional to the benefits from better targeted promotion and that language in its contract with a third-party location services provider was “so vague and permissive that it would have allowed the company to sell ‘de-identified’ location data for its own purposes.”

Tim Hortons was ordered to delete, and direct third parties to delete, any remaining location data and establish and maintain a privacy management program that includes impact assessments, proportional data collection, and clear and accurate privacy communications.

WHY IT MATTERS

In its statement about the investigation, the Privacy Commissioner of Canada expressed that it is “unacceptable that private companies think so little of our privacy and freedom that they can initiate these activities without giving it more than a moment’s thought” and that “what happened here once again makes lain the urgent need for stronger privacy laws to protect the rights and values of Canadians”.

This comment is consistent with the Canadian DPA’s push for an overhaul of Canadian data protection laws at the federal level, recently issuing key recommendations for a new federal private sector privacy law. 

Want more of the privacy highlights that matter to adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.

Latest Blog Posts

Meta settles with DOJ in housing ads discrimination case

June 27, 2022

The U.S. Department of Justice announced a $115,054 settlement...

UK government responds to data reform consultation

June 19, 2022

The consultation, which ran for 10 weeks ending in...

Ad industry says draft federal privacy legislation falls short

June 13, 2022

Privacy for America, a coalition that includes several ad...

Latest White Papers

Ebook: A Publisher’s Guide to Vendor List Curation

December 16, 2021

How to review your vendor list to mitigate compliance...

Keep in touch

Sign up for our newsletter to keep up with privacy news for adtech and martech,
plus occasional company news.

Let's explore what we can do together.

We'll be in touch within 48 hours

    First name *

    Last name *

    Email address *

    Company *

    Message *

    * indicates required fields