23 US states now have active privacy legislation; Belgium fines IAB Europe for GDPR violations

Want to receive these weekly privacy recaps in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.

USA

Indiana, washington, massachuseTts , VIRGINIA PRIVACY bills make progress; WISCONSIN BILL INTRODUCED

Last week was a busy one for US state privacy legislation. Highlights include:

¶ The Indiana Senate passed a bill 49-0 that would closely resemble Virginia’s VCDPA, moving the bill to a House vote. 

¶ The Washington House Civil Rights & Judiciary committee voted to refer to the Appropriations committee a bill that would extend opt out rights over targeted advertising, data sharing and profiling and require recognition of user-enabled privacy controls. 

¶ The Massachusetts Joint Committee on Advanced Information Technology reportedly passed out of committee a bill borrowing elements from California, Colorado and GDPR

¶ Several amendments to Virginia’s VCDPA were passed out of committee, providing further clarity for certain deletion requests and providing certain exemptions under the Act. 

¶ A bill was introduced in Wisconsin that closely resembles Virginia’s VCDPA. 

OUR TAKE

23 states plus D.C. now have active comprehensive privacy legislation, although legislation in certain states (e.g., Alaska and Hawaii) has slowed down. Based on the nature of the bills that are gaining momentum, it is looking likely that we will see additional privacy laws in the United States either closely resembling one of the laws in California, Colorado or Virginia or borrowing elements from all three. 

Bedoya’s FTC Commissioner Vote Further Delayed

The Senate Commerce Committee was slated February 2 to consider Alvaro Bedoya’s nomination to the Federal Trade Commission, but the vote was delayed, reportedly due to the absence of a democratic Senator, who is recovering from a stroke.

WHY IT MATTERS

The Senate Commerce Committee voted on Bedoya’s nomination in 2021, resulting in a 14-14 split down party lines and requiring additional interim procedures before a full Senate vote, which were never completed before the end of the year. President Biden re-nominated Bedoya in 2022, bringing the nomination back to a vote in the Senate Commerce Committee.

The FTC currently consists of four commissioners, often split 2-2 without means to break a tie. Consumer advocacy groups have been pushing for a swift nomination of Bedoya. Most recently, the Leadership Conference on Civil and Human Rights sent a letter to the Commerce Committee on February 1 stressing that a full complement of commissioners would allow the FTC to better enforce existing law against online discrimination and unfair and deceptive practices in the data economy and provide for algorithmic transparency and fairness in automated decisions. 

EUROPE

Belgian DPA Fines IAB Europe for GDPR Violations

The Belgian Data Protection Authority (APD) held IAB Europe’s Transparency and Consent Framework (TCF) to be in violation of several GDPR provisions, fining IAB Europe 250,000 Euros and giving the association two months to present a plan for correction of the violations.

The APD’s ruling found IAB Europe to be a controller of the TCF’s “TC string”, which it found to constitute “personal data” under the GDPR. Accordingly, the APD found that IAB Europe had failed to fulfill its responsibilities as a controller under GDPR, such as establishing a legal basis for processing of the TC string and ensuring effective exercise of data subject rights.

The APD also found that the legal grounds offered by the TCF for the processing of personal data by adtech vendors were inadequate.

The ruling ordered IAB Europe to undertake several measures, including establishing a legal basis for the processing and dissemination of user preferences, prohibiting the user of legitimate interest as a basis for the processing of personal data by organizations participating in the TCF, and undergoing strict vetting of organizations participating in the TCF to ensure GDPR compliance.

WHY IT MATTERS

IAB Europe released a statement in response to the ruling, acknowledging the decision and assuring that the APD considers the violations to be susceptible of remedy within six months, but also rejecting the finding that IAB Europe is a data controller and stating that the association is considering all options with respect to a legal challenge.

The statement also pointed out a positive silver lining: the decision, and the resulting action plan IAB Europe will create, could clear the way to submit the TCF for approval as a GDPR transnational Code of Conduct. If IAB Europe achieves that result, the TCF would be “blessed” by supervisory authorities as a compliant method of obtaining, managing and respecting user preferences in the digital advertising industry. 

Read our FAQ on the Belgium DPA decision (continuously updated).

Brexit Freedoms Bill / UK Policy Document Pave the Way for Reform

UK Prime Minister Boris Johnson announced the coming of a Brexit Freedoms Bill, designed to allow for easier reform, repeal and replacement of outdated EU law, citing “data protection” as one of the areas for reform. In parallel, the government issued a policy document titled “The Benefits of Brexit: How the UK is Taking Advantage of Leaving the EU”, detailing how the UK government will untangle itself from 40 years of EU membership.

With respect to data protection, the policy document identifies plans for a new “pro-growth data regime” that will “help to drive growth, innovation and competition across the country and enhance the UK’s global reputation as a hub for responsible data-driven businesses, trusted by consumers to deliver high standards of data protection.” The document says that the government will be publishing its response this Spring to the data protection consultation conducted last Autumn and that such response will be ahead of introducing legislation on the reforms to the UK’s data protection regime.

WHY IT MATTERS

The policy document doesn’t provide specific detail on data protection reforms, but the consultation launched in September cited impact on audience measurement data and the number of cookie pop-ups on websites as issues to resolve and proposed various options to explore, including permitting organizations to use analytics cookies and store and collect information from user devices for limited purposes without user consent, as well as leaning on browsers, software applications, device settings, data fiduciaries or trusted third parties to manage individual consent preferences.

The Information Commissioner’s Office (under the former Information Commissioner) cautioned in its response to the consultation that delivering some of the government’s proposals (including alternative cookie consent mechanisms) would require international cooperation. 

EDPB Issues First Opinion on Certification CriteriA

The European Data Protection Board (EDPB) adopted an opinion on a national certification schema (GDPR-CARPA) proposed by the Luxembourg Supervisory Authority, a general (not sector-specific) schema that would allow processors to demonstrate compliance with the GDPR. The EDPB held that a number of changes need to be made to the draft certification criteria before it could be added to the register of certification mechanisms and data protection seals under GDPR.

WHY IT MATTERS

The specifics of the opinion have not been publicly released, but the opinion is an important step toward consistency of certification schemas among supervisory authorities in the European Economic Area. 

Want more of the privacy highlights that matter to adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.