IAB Europe to appeal Belgian DPA decision; ICCL calls on deletion of TCF data

Want to receive these weekly privacy recaps in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.

USA

Four states introduce, and four states advance, privacy legislation

Arizona, Connecticut, Iowa, and Wisconsin all introduced new comprehensive privacy bills, and Florida, New York, Ohio and Virginia advanced privacy bills out of committee.

Virginia’s House also passed two bills (HB381 and SB393) by a 99-0 block vote that would amend the State’s Virginia Consumer Data Protection Act (VCDPA), referring the bills to the State Senate.

WHY IT MATTERS

Although much of the pending legislation closely resembles the California, Virginia and Colorado laws that have previously been enacted, the three bills in Florida, New York and Ohio that recently advanced out of committee all contain some unique elements.

The New York bill would require opt-in consent before processing personal data of consumers and would establish controller obligations of loyalty and care.

The Ohio bill would create a safe harbor from its requirements for companies that comply with the NIST privacy framework.

The Florida bill would require opt-in consent for the sale of data of minors under 18.

DAAP ISSUES FINGERPRINTING COMPLIANCE WARNING

The BBB National Programs’ Digital Advertising Accountability Program (DAAP) issued a compliance warning, highlighting that any combined information used to uniquely identify a device or user for purposes of interest-based advertising would be treated by the DAAP as equivalent to an Advertising ID, requiring compliance with the DAAP’s Self-Regulatory Principles for Online Interest-Based Advertising.

The warning noted that such data could include a combination of IP address, platform, brand, model, carrier, OS version, screen resolution, processor, or language settings, whether collected at once or over multiple settings, when used to tailor ads to a user/device.

The Principles, if applicable, would require notice, enhanced notice or consent, depending on the entity’s relationship to the user and the details of collection.

WHY IT MATTERS

The DAAP is a privacy watchdog that monitors the advertising industry for compliance with its published principles.

Although the DAAP cannot itself bring formal regulatory enforcement action, it brings publicly published inquiries to resolve non-compliance and/or refers non-compliant companies to the appropriate state or federal regulatory agency. 

EUROPE

IAB Europe TO APPEAL APD DECISION

IAB Europe announced its plans to appeal the Belgium Data Protection Authority’s (APD) ruling holding IAB Europe’s Transparency and Consent Framework (TCF) to be in violation of certain aspects of the GDPR. In particular, the IAB Europe announced its disagreement with the APD’s holding that IAB Europe constitutes a joint controller under GDPR of data processed by participants using the TCF Framework in the context of OpenRTB.

OUR TAKE

It is unclear at this stage what impact (if any) the appeal may have on the timeline for IAB Europe’s action plan or implementation of subsequent changes to bring the TCF into compliance with the APD’s requirements.

IAB Europe said in its announcement that it “looks forward to working with the APD and other data protection authorities to ensure the TCF’s continuing utility in the market, and with the ultimate aim of having the TCF approved as a transnational GDPR Code of Conduct.” 

Read our FAQ on the Belgium DPA decision (continuously updated).

Advocates Demand Deletion of Digital Advertising Data

The Irish Council for Civil Liberties (ICCL) and Electronic Privacy Information Center (EPIC) sent letters to the CEOs of P&G, Unilever, Bank of America, Ford, GM, IBM and Mastercard demanding that they delete all data collected through use of IAB Europe’s Transparency and Consent Framework (TCF) in response to the Belgium Data Protection Authority’s (APD) recent decision against IAB Europe (see above). 

The letters claim that the APD’s decision required that data collected through the TCF be no longer processed and removed accordingly. 

The letters also claim that frameworks based on the TCF, such as the IAB’s CCPA Framework and the Partnership for Responsible Addressable Media’s (PRAM’s) Global Privacy Platform, are unlawful in any jurisdiction with laws analogous to the GDPR.

WHY IT MATTERS

In response to news of the letters, IAB Europe stated that the advocates claims are unfounded, pointing out that the APD’s decision was against IAB Europe, not any of these advertisers (or any other participants in the TCF) and that the APD in its decision did not even order IAB Europe to discontinue use of the TCF, but rather gave IAB Europe two months to put together an action plan to fix the alleged GDPR violations, which plan could be implemented over the following six months. 

CMA Accepts Google Privacy Sandbox Commitments

The UK’s Competition and Markets Authority (CMA) announced that it has accepted Google’s commitments addressing the CMA’s previously stated concerns regarding Google’s Privacy Sandbox. 

This round of comments, submitted in November 2021, was the second round of comments submitted by Google to the CMA. 

In this latest round, Google agreed, among other commitments, to clarify internal limits on data Google can use, provide greater certainty to third parties developing alternative technologies, report regularly to the CMA on how Google has taken account of third party views, and maintain its commitments for 6 years from acceptance by the CMA. 

WHY IT MATTERS

The CMA’s acceptance of Google’s commitments will mark the close of the CMA’s investigation of Google on this matter. The commitments will become legally binding on Google, forcing Google to maintain an ongoing 6-year relationship with the CMA. 

GLOBAL

Australia Court Rejects Facebook’s Appeal re Cambridge Analytica

In a case brought by the Australian Information Commissioner against Facebook Inc. arising out of the Cambridge Analytica scandal, an Australian Court rejected Facebook’s application to dismiss orders against it served overseas. 

The Court held that the Information Commissioner established a prima facie case that Australia’s Privacy Act applied to extra-territorial conduct by Facebook, because Facebook collected in Australia the personal information that was the subject of the Commissioner’s case. Specifically, the Court held it to be sufficient to be within the Act’s jurisdiction for Facebook to collect personal information by means of cookies installed on Australian devices. 

WHY IT MATTERS

This is an important case demonstrating the application of Australia’s Privacy Act in the digital advertising context to companies outside Australia targeting Australian consumers. 

Among other requirements, the Privacy Act prohibits organizations that have collected personal information for a particular purpose to use if for another purpose, except in limited circumstances. 

It also requires organizations to take reasonable steps to protect personal information from unauthorized disclosure. 

Want more of the privacy highlights that matter to adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.