Utah privacy bill awaits signature; Google to sunset analytics solution storing IP address

Want to receive these weekly privacy recaps in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.

USA

Utah Privacy Bill Hits Governor’s Desk

A bill enacting the Utah Consumer Privacy Act (UCPA) was officially submitted to the Governor’s office for signature. If signed, the Act would go into effect December 31, 2023.

WHY IT MATTERS

The UCPA most closely resembles Virginia’s VCDPA, although it is narrower in some aspects.

Like the Colorado and Virginia laws, the UCPA does provide a right to opt out of sales and targeted advertising, but it does not provide a right to opt out of profiling. The law adopts Virginia’s narrow definition of a “sale”, which is limited to only the exchange of personal data for monetary consideration, rather than the broader definition seen in California and Colorado laws. 

Unlike Colorado and Virginia laws, opt in for sensitive information is not required under the Utah law.

Iowa / Connecticut Privacy Bills Progress

Iowa HF 2506, which closely resembles the UCPA (see above) passed the House and surpassed an important threshold in the Senate in order to survive a March 18 deadline designed to narrow the number of bills for consideration before the session adjourns on April 19. Connecticut SB 6, which looks more like Colorado’s CPA, passed the General Assembly’s General Law Committee and advanced to the Senate floor.

WHY IT MATTERS

The number of states with comprehensive privacy legislation with potential to progress is becoming narrower, with Maryland replacing its comprehensive bill with a bill for a 1-year workgroup to study use of data, a Tennessee bill getting voted down in committee, Vermont issuing a report calling for further study, and several other states with little to no movement. 

California / Colorado to Gather Input for Rulemaking

Iowa HF 2506, which closely resembles the UCPA (see above) passed the House and surpassed an important threshold in the Senate in order to survive a March 18 deadline designed to narrow the number of bills for consideration before the session adjourns on April 19.

Connecticut SB 6, which looks more like Colorado’s CPA, passed the General Assembly’s General Law Committee and advanced to the The California Privacy Protection Agency (CPPA) and the Colorado Attorney General’s Office both announced plans to gather further input for rulemaking under their respective privacy laws.

The CPPA will hold the first of multiple public informational sessions on March 29 and March 30, during which it will hear from experts regarding such issues as dark patterns, opt-out preference signals, and automated decision-making.

The Colorado Attorney General’s Office made available a comment form to collect informal comments “to better understand the public’s thoughts and concerns about the focus of future rulemaking”; it also announced that it will hold formal public hearings after providing public notice of proposed rules. 

WHY IT MATTERS

With the CPRA and CPA going into effect on January 1, 2023 and July 1, 2023, respectively, impacted companies are in the process of preparing their compliance plans. Until final rules are in place, which aren’t expected for several months, companies won’t have a complete picture of what is required.

However, informational sessions and public hearings can provide valuable insight into the areas of focus and expectations of state agencies, not only for rulemaking, but also for enforcement purposes.    

EUROPE

European Data Protection Supervisor Advocates for Heightened Targeted Advertising Restrictions.

In a blog post, Wojciech Wiewiórowski, the European Data Protection Supervisor, stressed that more than increased transparency is necessary to address the risks associated with targeted advertising.

He suggested further restricting the categories of data that can be processed for targeted advertising to prevent use of data that can be used to exploit vulnerable groups, such as children.

He also suggested regulatory incentives to favour less intrusive forms of advertising that do not require tracking of user interaction with content. 

WHY IT MATTERS

A draft of the proposed Digital Services Act was approved by the European Parliament in late January, and member states have since been preparing for negotiations with the European Council.

The draft passed by the European Parliament would (among other things) give users the ability to opt out of certain tracking via browser settings and allow users to ask about their characteristics used to target advertisements.

These restrictions were far less aggressive toward digital advertising than some earlier proposals though, which went as far as to suggest banning digital advertising altogether.

The European Data Protection Supervisor’s post sends the message that the current proposal for the Digital Services Act, in his opinion, “is not enough”. 

CNIL Publishes 2022-2024 Strategic Plan

The French data protection authority (CNIL) published a strategic plan highlighting three key themes for 2022-2024

1. promote the control and respect of individuals’ rights in the field;
2. promote the GDPR as a trusted asset for organisations;
3. prioritise targeted regulatory actions for high-stake privacy issues. 

WHY IT MATTERS

Notably, under the third theme, the CNIL noted a goal (among others) of making data flows in smartphone applications visible and strengthening the compliance of mobile applications and their ecosystems so as to better protect the privacy of smartphone users.

Accordingly, developers and other participants in the mobile app ecosystem may take a cue from this to button up their compliance, particularly with respect to data flow transparency, in anticipation of heightened scrutiny in this area in the coming years.

The CNIL issued a GDPR guide for developers in late 2021 that provides step-by-step guidance and examples for developer compliance, which may be a good starting point for developers looking to strengthen their compliance. 

INDUSTRY

Google to Sunset Analytics Solution Storing IP Address

Google announced that it will begin sunsetting Universal Analytics, the previous generation of Analytics, next year, to transition businesses to Google Analytics 4, which, among other differences, will no longer store IP addresses.

In its announcement, Google notes that “these solutions and controls are especially necessary in today’s international data privacy landscape, where users are increasingly expecting more privacy protections and control over their data.” 

WHY IT MATTERS

Complaints from privacy advocate None of Your Business (NOYB) resulted in enforcement actions from French and Austrian data protection authorities published in early 2022 holding that use of Google Analytics violated the GDPR due to the transfer of a combination of unique identifiers (including IP address) to Google in the United States without effective supplementary measures.

Notably, the French data protection authorities (CNIL) found that the combination of unique identifiers with other elements (such as browser or device metadata and the IP address) and the possibility to link such information to a Google Account make an individual identifiable and that it wasn’t clear from Google’s response whether its IP anonymization function was effective in preventing potential access to the entire IP address before it was shortened.

Google’s announcement is likely, at least in part, a reaction to such cases. 

Want more of the privacy highlights that matter to adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.