UK government responds to data reform consultation

Want to receive these weekly privacy recaps in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.

USA

House Subcommittee Holds Hearing on Federal Privacy Legislation

In response to the release of draft federal privacy legislation earlier this month, the House Subcommittee on Consumer Protection and Commerce held a hybrid legislative hearing to gather stakeholder feedback.

The hearing included testimony from representatives of the Electronic Privacy Information Center, the Digital Justice Initiative, the Future of Privacy Forum, Common Sense Media, the Information Technology Industry Council, the App Association, the National Association of Convenience Stores, and the 21st Century Privacy Coalition.

WHY IT MATTERS

Although testimony varied regarding recommended improvements for the legislation (some requesting more robust requirements, stronger protections, and broader enforcement, while others suggesting changes to bring the legislation more in line with existing state laws), one theme was common to all stakeholders: comprehensive privacy legislation at the federal level is encouraged and long overdue.  

Lawsuit Advances Re Google Sale of Personal Data in Ad Auctions

A federal judge denied Google’s motions to dismiss for 7 of 8 claims based on Google’s alleged sale of personal information through its Real-time Bidding (RTB) process.

Specifically, plaintiffs will be permitted to proceed on claims of breach of contract, violation of the California constitution, intrusion upon seclusion, publication of private information, breach of confidence, and violation of the California Invasion of Privacy Act.

WHY IT MATTERS

One fact alleged by the plaintiffs is that Google’s Terms of Service and Privacy Policy contained or incorporated the language “We don’t sell your personal information to anyone” and other similar statements, despite sharing Google IDs, IP addresses, device identifiers, and information about account holder interests relating to race, religion, health and sexual orientation with advertisers through Google’s RTB process.

The court held these facts to be sufficient to allege a claim for breach of contract. California law requires either disclosure of the categories of personal information sold to third parties or the fact that a company does not sell personal information to third parties, so companies are forced to either admit to a sale of personal information (and extend to users a right to opt out of such sale) or risk a breach of contract claim by stating that they do not sell user personal information.

To mitigate such risks, companies are wise to have a thorough understanding of what data is collected from users on their digital properties, from whom, and for what purposes.     

EUROPE

UK Government Publishes Response to Data Reform Consultation

As expected, the UK Government has published its response to the data protection consultation conducted last autumn.

The consultation, which ran for 10 weeks ending in November 2021, involved collection of feedback from stakeholders in response to a consultation paper outlining a range of data reform proposals.

The UK government’s response highlighted three themes that emerged from stakeholder feedback:

1. the importance of maintaining data subject rights;

2. the benefits from the effective use of personal data to drive innovation and boost the economy, while continuing to protect people’s safety and privacy; and

3. the importance of data flows with the EU and the UK’s EU data adequacy decision.

The response provides a detailed analysis of each proposal, based on stakeholder feedback, and ends with a list of next steps for each proposal.

WHY IT MATTERS

Several of the consultation’s proposals involved removing consent requirements under the UK GDPR and PECR.

But, with respect to cookies, the “vast majority” of stakeholder feedback disagreed with removing the consent requirement for all types of cookies, particularly “more intrusive varieties which collect personal data for the purposes of real-time bidding and the micro-targeting of advertisements”.

In response to this feedback, the UK government suggested a phased approach to its consent proposals.

In the immediate term, the UK government plans to legislate to remove the cookie consent requirement for a small number of non-intrusive purposes.

With respect to other, more intrusive, cookies, the UK government plans to hold off on removing the consent requirement until automated technology is widely available to help users manage online preferences. 

At such time, the UK government will assess moving to an opt-out model of consent for cookies, requiring websites to respect browser-based and similar opt-out preferences and clearly communicate how users can opt out. Consent will still be required for websites likely to be accessed by children. 

CANADA

Federal Privacy Legislation Introduced in Canada

A bill to implement the Digital Charter Implementation Act, 2022 was introduced and completed its first reading in the Canada House of Commons.

The package would include three pieces of legislation

1. the Consumer Privacy Protection Act (CPPA), which would amend the existing Personal Information Protection and Electronic Documents Act (PIPEDA) with respect to the collection and use of personal information for commercial activities;

2. the Personal Information and Data Protection Tribunal Act, which would establish an administrative tribunal and impose certain penalties for violations of the CPPA; and

3. the Artificial Intelligence and Data Act, which would impose certain obligations to mitigate harm and biased output from artificial intelligence systems. 

WHY IT MATTERS

The CPPA would only permit collection of a personal information “in a manner and for purposes that a reasonable person would consider appropriate in the circumstances, whether or not consent is required” and would require consent except in the event of certain limited activities, such as for security or safety, to provide a product or service or in the event of legitimate interest, which cannot apply if the data is collected to influence the individual’s behavior or decisions, or if a reasonable person would not expect the collection. 

Dufresne Endorsed as Canada’s New Privacy Commissioner

The Parliament of Canada Standing Committee on Access to Information, Privacy and Ethics considered and unanimously voted to recommend the confirmation of Philippe Dufresne to the Position of Privacy Commissioner.

Dufresne was nominated last week by the Prime Minister. 

WHY IT MATTERS

In his June 14 testimony before the Senate, Dufresne emphasized the values of “recognizing privacy rights as fundamental rights, but also understanding the public interest and need for laws that are practical, realistic and that can build public confidence.” 

INDUSTRY

Mozilla Firefox Adds Default Function to Restrict Third-Party Cookies

Mozilla rolled out a new default function, “Total Cookie Protection“, to all users of the Firefox desktop browser. The function confines cookies to the site where they were created and prevents the ability to track cross-site user browsing using third-party cookies.

WHY IT MATTERS

Firefox labels itself “the most private and secure major browser available” and claims that it “has proudly been leading the fight to build a more private internet”. In October 2021, Firefox announced that it was testing implementation of Global Privacy Control, a browser setting that enables users to communicate privacy preferences to websites.   

Want more of the privacy highlights that matter to adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.