More US state privacy bills and new CNIL guidance on subcontractors
January 17, 2022
Want to receive these weekly privacy recaps in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.
With 2022 state legislative sessions either starting or about to start, we saw a flurry of introductions and re-introductions of comprehensive privacy legislation in the last week. Bills were filed or pre-filed in Alaska, Florida, Indiana, Vermont, Virginia (amending the previously passed VCDPA), and Washington. This is in addition to previous filings and pre-filings in Maryland, New York and Oklahoma for this session.
Although the bills contain nuanced differences, they largely borrow concepts from the three comprehensive privacy laws already passed in California, Virginia and Colorado.
A bill implementing the Terms-of-service Labeling, Design and Readability (TLDR) Act was introduced in the U.S. House and Senate, requiring websites and mobile apps to provide, at the top of its terms of service page, a short-form terms of service summary statement and graphic data flow diagram, and to tag portions of the terms of service according to an interactive data format.
The summary statement would be required to contain (among other disclosures) information about sensitive information that the entity processes, including the categories of sensitive information processed, a distinction between sensitive information required for the basic functioning of the service vs. additional features and future feature development, directions for deleting or discontinuing use of sensitive information (if available), and a list of data breaches from the previous 3 years reported to consumers. The graphic display would be required to show how sensitive information of a user is shared with subsidiaries, corporate affiliates, and third parties.
WHY IT MATTERS
Sensitive information is defined to include health, biometric, and precise geolocation information, social security numbers, and information concerning the race, color, religion, national origin, sex, age, or disability of an individual, so the bill (on its face) would not require a summary of personal information processing practices that don’t fall into those categories.
A sample infographic posted by Congresswoman Lori Trahan, a sponsor of the bill, though, indicates a much broader interpretation of the bill, including disclosure of general browser history and purchase history, without mention of categories of sensitive information. The bill would defer to the FTC rulemaking process to dictate specific requirements for disclosures and infographics.
A coalition of 97 organizations, including the Interactive Advertising Bureau (IAB) and the Association of National Advertisers (ANA), sent a letter urging Congress to pass comprehensive privacy legislation. The letter stressed that a patchwork of state laws would make compliance difficult for small businesses, that FTC rulemaking would only add further complexity to such a patchwork, and that a national privacy law that is clear and fair to business and empowering to consumers would foster the digital ecosystem necessary for America to compete.
WHY IT MATTERS
26 states and the District of Columbia considered (but failed to pass) privacy legislation last year, in addition to the two states that passed privacy legislation. As noted above, several states have already introduced bills in 2022 to implement comprehensive privacy laws, so it is likely that we will see some of those states pass privacy legislation this year. The FTC also recently disclosed in a public filing that the commission is considering initiating a privacy rulemaking.
The impact this may have on businesses will likely depend on the diversity and complexity of legislation and rulemaking we see, but it is undeniable that we haven’t seen the end of privacy law and regulation in the United States.
The France DPA (CNIL) issued guidance laying out the conditions under which a subcontractor may reuse data processed on behalf of a data controller. Specifically, in order for a subcontractor to reuse personal data processed on behalf of a controller for its own account, the initial controller must inform data subjects of the transfer and provide written authorization for each specific processing authorization.
Such authorization can only be granted if the further processing is compatible with the purpose for which the data was initially collected, taking into account the purposes of processing, the context in which the personal data was collected, the nature of the personal data, the consequences of further processing, and the existence of appropriate safeguards.
The subcontractor then becomes responsible for the subsequent processing’s compliance with GDPR.
WHY IT MATTERS
This scenario may arise when a subcontractor processes personal data on behalf of a controller but then wishes to reuse the data for improving or assessing its services. Controllers should be careful to ensure that the reuse meets the CNIL’s compatibility test and that data subjects are informed before granting this right to subcontractors.
In advance of a vote on the Digital Services Act (DSA) in the European Parliament, expected January 20, over a hundred amendments have reportedly been proposed, including two amendments addressing targeted advertising. The amendments would prohibit platforms from disabling functionality for users who don’t provide consent and require that refusing consent not be more complicated than giving it, respectively.
WHY IT MATTERS
These amendments are milder than some had been pushing for. In October, Christel Schaldemose, a Danish politician and Member of the European Parliament expressed in an interview with Reuters that she wanted to include in the Digital Services Act an outright ban on certain targeted advertising, such as advertising based on a user’s behavior on Facebook.
More recently, a coalition of 31 privacy rights organizations and CEOs reportedly published a letter urging lawmakers to ban the use of ads that target people based on their search histories, social median activity and online purchases.
The Turkey Personal Data Protection Authority published a draft guide for website operators who process personal data through cookies. The DPA will accept feedback from the public through February 10 before issuing final guidelines. Notably, the guidelines specify that cookies used for behavioral advertising require express consent.
WHY IT MATTERS
Although the EU’s General Data Protection Regulation is not applicable in Turkey (since Turkey is not an EU Member State), Turkey’s Law on Personal Data Protection (LPDP) is based loosely on the EU’s data protection laws, and further alignment with European privacy standards is a stated goal of the current Turkish government. The LPDP does not specifically address cookies, and the country does not currently have other legislation similar to the EU’s ePrivacy Directive.
Want more of the privacy highlights that matter to adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.
A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.
Latest Blog Posts
The U.S. Department of Justice announced a $115,054 settlement...
The consultation, which ran for 10 weeks ending in...
Privacy for America, a coalition that includes several ad...
Latest White Papers
How to review your vendor list to mitigate compliance...
Keep in touch
Sign up for our newsletter to keep up with privacy news for adtech and martech,
plus occasional company news.