A Little Privacy: June/July Trends

There’s no summer off for privacy. We’ve seen plenty of major developments in the world of data privacy over the past month or so, particularly in the US.

We think three major trends deserve our attention.

1. Growing scrutiny of Big Tech in the EU and the US

Google working with UK regulators

Google announced their commitment to work in partnership with the UK’s ICO and the CMA to ensure that their Privacy Sandbox initiatives are both respecting user privacy and also not creating anti-competition issues. Google announced shortly afterwards that they would be delaying the deprecation of the third-party cookie in Chrome to late 2023.

President Biden issues call for more federal oversight

Meanwhile, in the US, President Biden signed an executive order on “Promoting Competition in the American Economy.” In it, Biden calls on federal agencies to create rules governing “the dominant Internet platforms” and explicitly calls out the role played by the data collection and the “surveillance” of users in achieving market dominance.

The Order also “encourages” the FTC to address how these practices may damage “consumer autonomy and consumer privacy,” in addition to competition. 

2. Global PRiVaCY controls are coming into focus

Late last year, a consortium of privacy advocates, led by privacy researcher Ashkan Soltani, announced a new “global” browser-level opt-out signal, the Global Privacy Control (GPC) signal. Several browsers, publishers, and CMPs (including Sourcepoint) announced that they would support the signal, though at that point it still wasn’t clear whether it would be a legally enforceable signal in the US. 

That’s all changed now with two big developments regarding the enforceability of a global privacy standard.

Colorado privacy law tackles global privacy controls

The first is that the Colorado Privacy Act was signed into law, and it requires the recognition of “user-selected universal opt-out mechanisms” (i.e.,  global privacy controls).

The Colorado Privacy law is actually quite interesting because it has a provision that states that publishers can override a global privacy opt-out signal by having their own informed opt-in, similar to a GDPR opt-in. This represents a major shift for the industry, however, it’s not mandatory until July 2024. 

California Attorney General affirms that Global Privacy Control is enforceable

The second big development is that the new California Attorney General has come out and explicitly stated in updated FAQs that businesses must honor the GPC. However, CCPA differs from Colorado because it actually has a provision that states that once a user opts out of the sale of their personal information, the business can’t ask them to opt in again for an entire year.

An additional complication for this requirement is that the text of the California Privacy Rights Act (CPRA) suggests that recognition of the Global Privacy Control signal may be optional in California as of 2023. 

3. UNIFORM DATA PROTECTION LAW FOR THE US

Confused by the nuances of Colorado, CCPA, CPRA and Virginia’s CDPA yet? Well, that’s our third big trend for this month: increasing calls for uniform privacy laws in the US. 

Uniform Law Commission releases model privacy law

July saw the release of the Uniform Personal Data Protection Act. This model for state privacy law is quite interesting because it actually requires consent for data processing, with an exception for what they call “compatible data practices,” which includes targeted advertising using pseudonymous data.

The Uniform Law Commission, which has representatives from every state, DC, Puerto Rico and the U.S. Virgin Islands, has the mission to help create uniform laws throughout the US. For example, the Commission has created uniform criminal codes, and the Uniform Commercial Code governing commercial transactions.

These model laws aren’t binding until adopted by each state, and therefore don’t result in every single state doing exactly the same thing. but model laws have created a lot of consistency across states in other areas. We’ll continue to monitor the states’ response in the coming months.

Want more of the privacy highlights that matter to adtech and martech? Sign up for our privacy newsletter, A Little Privacy.