Week of September 27, 2021

–

Want to receive these weekly privacy recaps in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.

EUROPE

EDPB Creates Cookie Banner Taskforce

The European Data Protection Board announced a taskforce to allow supervisory authorities to exchange views and coordinate responses to GDPR cookie banner complaints.

OUR TAKE

The creation of this taskforce comes after Austrian privacy watchdog None of Your Business (noyb) filed over 400 GDPR complaints across several jurisdictions alleging non-compliant cookie banners. Chapter 7 of the GDPR requires cooperation between supervisory authorities and calls on the Board to ensure the consistent application of the Regulation

IAB Europe Steps Up TCF Policy Enforcement

Digiday reported that the Interactive Advertising Bureau in Europe (IAB Europe) has, in the last six months, temporarily suspended “one or two” consent management platforms from participation in the association’s Transparency and Consent Framework (TCF). Participants are required to comply with certain policies to participate in TCF, and the association has reportedly been issuing warning letters and extending suspensions to non-compliant platforms.

OUR TAKE

Last month, the IAB Europe implemented its new TCF Vendor Compliance Program to start enforcing its policies against non-compliant adtech Vendors registered with the TCF. The Vendor policy, like the CMP policy, also allows for suspension in the event of uncured breach. The recent CMP enforcement in combination with the new Vendor policy sends a strong message to participants to take the policies seriously.

Italy DPA Investigates Microphone Data Collection for Ad Use

The Garante, Italy’s Data Protection Authority, announced that it has launched an investigation into the use of app users’ microphones to collect spoken information about users’ tastes, projects, travels or desires for purposes of serving targeted advertisements. The Authority will be examining a series of the most downloaded apps to ensure information provided to users is clear and transparent and that consent has been correctly acquired.

OUR TAKE

Although cookies have dominated the advertising industry’s privacy compliance focus, the Garante’s investigation highlights the importance of ensuring proper notice and consent is extended for all types of data collection related to an identified or identifiable person

USA

minnesota latest state to consider privacy act

The Minnesota House Commerce Finance and Policy Committee held an informational meeting to discuss HF1492, which would implement the Minnesota Consumer Data Privacy Act. The bill, if passed, would extend basic data privacy rights, such as the right to know, correct, and delete personal data, and the right to restrict “profiling” or usage.

It would also provide the rights to opt out of the processing of personal data for targeted advertising and the sale of personal data or profiling. Opt-in consent would be required for processing of certain sensitive data.

The informational meeting agenda included testimony from representatives of the Future of Privacy Forum, DLA Piper, and the Uniform Law Commission (all authors of the bill) as well the National Association of Advertisers and other interested parties. Informational documentation, including a research summary and written testimony from advertising and marketing trade associations, the Internet Association, and TechNet, among others, were made available leading up to the meeting.

The testimony from the ad trade organizations (IAB, NAI, DAA, ANA, AAF, 4A’s) suggested that the legislature narrow the opt-in requirement to only apply where the processing has significant effects on the consumer and add exclusions from the opt-out requirements for certain essential ad operations, such as ad delivery, reporting and fraud prevention, bringing the Act more in line with Colorado and Virginia privacy laws.

WHY IT MATTERS

The Minnesota House is adjourned until January 2022, so it will be some time until we see any action on this bill; however, this informational session, coupled with a companion bill in the Senate, demonstrates momentum to prioritize privacy legislation for 2022.

Former FTC Officials Encourage Privacy Funding

Former FTC officials testified at a U.S. Senate Commerce, Science and Transportation committee hearing regarding FTC resources for privacy enforcement.

The former officials all supported more resources at the FTC and a new bureau focused on privacy and data protection, with one former official stating that “The FTC is critically under-resourced to oversee the nation’s myriad or privacy and cybersecurity issues”, that “their resources pale in contrast to their counterparts in other countries” and that the proposals are “a strong step forward at providing the commission with new resources it needs desperately to effectively protect consumers in the digital economy.”

OUR TAKE

Several U.S. Senate Democrats have been pushing for FTC rulemaking and funding around privacy, as well as privacy legislation, from various angles in recent months, including through a letter to the FTC last month urging rulemaking around the collection and use of personal data in the digital economy, as well as promotion of the Build Back Better Act, which (among other things) would extend $1 billion to the FTC for privacy rulemaking and enforcement. The Build Back Better Act, a budget reconciliation bill with implications far beyond the FTC, is reportedly caught up in intra-party debate among House Democrats.

Watchdog Proposes Banning Surveillance Advertising

Accountable Tech, a nonprofit watchdog, filed a petition with the FTC encouraging the agency to prohibit “surveillance advertising” as an unfair method of competition.

Accountable Tech defined surveillance advertising as consisting of two elements: (1) an information or communication platform collecting personal data and (2) targeting advertisements at users, based on that personal data, as they traverse the internet, including other digital platforms.

The organization suggested that, under their proposal, search and contextual advertising would be legitimate, while digital information and communication services would be barred from either collecting or (alternatively) sharing personal data for the purpose of determining to whom advertisements would be displayed.

OUR TAKE

Although the FTC has demonstrated some heightened attention to data protection in the digital advertising industry in recent months, it has resolved to focus its rulemaking and enforcement authority on certain core priority areas, such as dark patterns, algorithmic bias, conduct harmful to children, and monopolistic practices, which demonstrates a narrower and more nuanced approach than that proposed by Accountable Tech.

Want more of the privacy highlights that matter to adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.