Federal online privacy act reintroduced
November 22, 2021
Want to receive these weekly privacy recaps in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.
Alvaro Bedoya, an FTC Commissioner nominee, testified before the Senate Commerce, Science and Transportation Committee at a Confirmation Hearing. In response to questions from the Committee, Bedoya expressed his admiration for introducing the concept of a duty of loyalty in privacy legislation. In the context of facial recognition, he also emphasized the importance of applying greater scrutiny to situations where collection and use is opaque, where there is broader dragnet data collection, where people aren’t allowed to consent, and where data is free flowing, without restriction.
In the context of children’s data, Bedoya said he supports updates to the law to give 13, 14 or 15 year olds control over their data, to ban targeted ads and create an erase button so that parents can insist that children’s data is erased from data records forever. However, when asked about FTC rule making authority, he clarified that he thought it preferable for Congress to pass a law, rather than the FTC opening a rule making for privacy.
The question and answer period will continue until November 29, after which the committee will vote on Bedoya’s confirmation. If approved, the nominations will proceed to the full Senate.
WHY IT MATTERS
Bedoya’s nomination has been celebrated by consumer and civil rights advocates, several of which sent a letter to the Senate Committee last month stressing the importance of confirming him as soon as possible to fill the vacant seat left by Rohit Chopra, who was confirmed as Director of the Consumer Financial Bureau.
If confirmed, Bedoya is expected to be a key third vote in favor of Democratic-leaning FTC decision-making, breaking the existing 2-2 split. The FTC has rule making authority under Section 5 of the FTC Act, prohibiting unfair and deceptive acts and practices, and consumer advocates have been putting pressure on the FTC to use that authority for privacy rule making.
U.S. Representatives Eshoo and Lofgren reintroduced privacy legislation that would extend user rights, establish a Digital Privacy Agency, require consent for processing, and allow for enforcement through state attorneys generals and private class actions. The legislation would not preempt state privacy laws. It was previously introduced in 2019, but the bill never made it out of committee.
WHY IT MATTERS
Multiple comprehensive privacy bills have been introduced in the House and Senate, including the Digital Accountability and Transparency to Advance (DATA) Privacy Act and the Control Our Data Act introduced earlier this month, neither of which contain a private right of action. The bills differ in various respects, but the private right of action, opt in consent (vs. opt out), and state preemption continue to be dividing issues.
In a letter to the 5Rights Foundation in response to the charity’s research into breach of the Age Appropriate Design Code, Elizabeth Denham, the UK Information Commissioner, explained that the ICO is conducting an evidence gathering process to assess compliance with the Code. According to Denham, the ICO is focusing on three “high risk” sectors: social media and messaging; gaming; and video content and music streaming. She said the ICO has written to 40 organizations across the three sectors and plans to write to a further nine companies mentioned in the 5Rights research.
WHY IT MATTERS
The transition period for the Age Appropriate Design Code ended in September, giving the ICO to start enforcing the Code against non-compliant companies.
One concern 5Rights raised to the ICO based on their research was that there is a great disparity in approaches to compliance across companies and that a clear opinion from the ICO is needed to establish what is adequate and what is best practice. Based on the ICO’s response, it appears that the ICO is in an initial exploratory phase that will need to be completed before any more formal enforcement, guidance or regulatory action may take place.
Brazil’s National Data Protection Authority released a report summarizing its activity in the first year after implementation of the country’s General Data Protection Law (LGPD), including publication of various guidelines and technical cooperation agreements.
WHY IT MATTERS
Although the LGPD has been in effect for over a year, the enforcement provisions have only been in place since August 2021, and Brazil’s DPA pledged to take a responsive approach to organizations failing to comply. Accordingly, enforcement is notably missing from the report.
Two updates this week:
Advocacy Groups Urge Facebook to End Use of AI for Children’s Advertising
A group of 48 consumer advocacy groups signed a letter urging Facebook to “immediately end all surveillance advertising to children and adolescents, including the use of artificial intelligence to optimize the delivery of specific ads to the young people most vulnerable to them”. The letter accuses Facebook of making misleading statements regarding the company’s plans to limit ad targeting to children, citing that Facebook is using data about children’s online behavior to feed their machine learning enabled Delivery System to optimize targeting in children’s feeds. The letter invites Facebook to reveal the full detail of how teens receive optimized, targeted ads and to commit to end the practice altogether.
IAB Issues Report Re Bias in AI for Marketing
The IAB released a report focused on AI bias that it describes as a “must read and a starting point for companies to develop frameworks for better AI solutions” as “AI champions and arbiters of bias”. The guide encourages companies to consider data volume, data quality, computing power, data privacy and security risks, legal and regulatory risks, and public trust and reputational risk when developing AI, and provides a checklist and list of questions for each phase of an AI system’s lifecycle.
WHY IT MATTERS
AI was identified as an area of policy focus by the Global Privacy Assembly last month, and we’re starting to see proposals, guidance, and white papers around AI from the UK, Hong Kong, the U.S. and other countries. It’s likely only a matter of time before proposals, guidance and advocacy letters turn to laws and regulations in this area, so companies taking a trust-first approach to AI development may be better positioning themselves for future compliance obligations.
Want more of the privacy highlights that matter to adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.
A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.
Latest Blog Posts
The U.S. Department of Justice announced a $115,054 settlement...
The consultation, which ran for 10 weeks ending in...
Privacy for America, a coalition that includes several ad...
Latest White Papers
How to review your vendor list to mitigate compliance...
Keep in touch
Sign up for our newsletter to keep up with privacy news for adtech and martech,
plus occasional company news.