China’s privacy law goes into effect

Want to receive these weekly privacy recaps in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.

GLOBAL

CHINA’S PIPL GOES INTO EFFECT

China’s Personal Information Protection Law (PIPL) went into effect November 1. 

WHY IT MATTERS

PIPL is a comprehensive data protection law, similar to GDPR in many respects, including an extra-territorial reach (applying to businesses outside the People’s Republic of China who provide products or services to, or evaluate the behavior of, natural persons in the territory). 

PIPL requires consent to process personal data with some exceptions. There is no legal basis equivalent to GDPR’s “legitimate interest”, but the law does include a catch-all exception for “other circumstances stipulated by laws and administrative regulations”, so further regulations allowing for expanded legal bases are a possibility.

The law, however, requires “individual consent” to disclose personal information, however, and does not extend the same exceptions for disclosure that it does for processing (including any possibility for administrative regulations).

PIPL was adopted August 20, 2021, leaving companies with just over two months to comply, and no regulations or official guidance has been provided leading up to the effective date. 

UNITED STATES

TWO notably different federal privacy bills announced

Privacy legislation has been introduced and announced in the U.S. Senate and House.

Senate Bill S 3605, which would implement the Digital Accountability and Transparency to Advance (DATA) Privacy Act, was re-introduced by Senator Catherine Cortez Masto (D-Nev). The Act was previously introduced by Sen. Cortez in 2019, but it didn’t reach a committee vote before the end of the 2019-2020 session. The legislation would extend consumer rights to request, dispute, transfer or delete their data and opt out of data collection or sharing. It would also require opt-in consent for sensitive data collection or disclosure or for any disclosure outside the parameters of the businesses’ relationship with the consumer and require that data collection, processing, storage and disclosure be for a legitimate business or operational purpose that is contextual and does not subject an individual to unreasonable privacy risk. Use of data in a discriminatory or deceptive manner would be prohibited.

Meanwhile, House Republicans announced new draft privacy legislation, which would implement the Control Our Data Act. The bill is still in draft form (not yet formally introduced).

WHY IT MATTERS

The two bills have some similarities, for example, both would look to the FTC for enforcement, rather than a private right of action. However, the areas where they differ are significant.

Notably, the House bill would create a national privacy standard that would preempt state law, whereas the Senate bill would allow states to impose more stringent requirements on top of the federal requirements.

Additionally, the definition of “personal information” under the House bill is much narrower, including only information that is linked or linkable to a “specific individual” with several exclusions, including information that is tokenized, encrypted or pseudonymized.

The Senate bill, on the other hand, covers any information collected, processed, stored, or disclosed that is linked or “practicably linkable” to an individual or device associated with an individual, including by combination with separate information, and only has limited exclusions for employment data and publicly available government records. Pseudonymous data is excluded from certain requirements (e.g., access and deletion requests) but not the definition of covered data. This distinction is significant for digital advertising, where data is often exchanged in a pseudonymized form.  

Virginia Privacy Report Issued, Emphasizing Global Opt-Out

A Work Group created pursuant to the Virginia Consumer Data Protection Act (VCDPA) to study findings, best practices and recommendations prior to implementation of the Act issued a final report summarizing six Work Group meetings. The report outlines 17 points of emphasis and specifies that recommendations based on those points will be presented during the upcoming legislative session.

A couple of points of emphasis relevant to the advertising industry are to “authorize consumers to assert and requiring companies to honor a global opt-out setting as a single-step for consumers to opt-out of data collection” and “encourage the development of third-party software and browser extensions to allow users to universally opt out of data collection, rather than individually from each website.”

WHY IT MATTERS

Colorado is the only state with a privacy law that explicitly (on the face of the law) requires companies to honor a global opt-out setting, although the mandate won’t be in place until 2024.

California’s CCPA does not explicitly address global opt-out settings, but the California Attorney General’s Office subsequently (after the law was passed) issued regulations under the law requiring businesses that collect personal information from consumers online to treat browser- or device-level “do not sell” signals as valid requests.

It is yet to be seen how this regulation will be impacted by California’s CPRA, which explicitly gives businesses an option whether to offer opt out options through links on their website or through opt-out preference signals. Like the CCPA, Virginia’s VCDPA does not address global opt-out preference signals, but the Work Group report indicates that they may attempt to retro-fit the law to include a global opt-out mandate. 

EUROPE

Danish DPA Issues Guidance on Supervision of Data Processors

The Danish DPA issued a guide to aid data controllers in overseeing their data processors. The guide provides a point-based model for controllers to use when assessing the risk posed by data processors and the level of supervision required. Points are assigned based on the number of individuals whose data is processed by the processor, the type personal data processed, and the nature of the the processing activities. The document then provides 6 concepts to guide a controller’s supervision efforts.

WHY IT MATTERS

One type of data treatment the guide specifically flags as potentially intrusive, requiring a higher level of supervision, is combining purchase information with online behavior data and using it for targeted marketing. Companies using third-party vendors to assist with such processing activities may need to implement enhanced supervisory efforts beyond contractual commitments and self-attestations to ensure the practice is conducted in a secure and compliant manner, consistent with the controller’s disclosures and consents. 

Belgian DPA To Issue Draft Ruling re IAB TCF

IAB Europe announced that the Belgian DPA has notified them of a draft ruling identifying infringements of the GDPR by IAB Europe.

According to the announcement, the draft ruling is expected to be shared with other DPAs, who will have 30 days to review it, after which the ADP may adopt a final ruling or it may be referred to the European Data Protection Board for a binding decision.

If a final ruling is issued, IAB Europe will have six months to correct the alleged infringements pursuant to an agreed-upon action plan. Notably, the draft ruling is expected to find the “TC Strings” that signal data subject choices to constitute “personal data” and IAB Europe to be a data controller for those TC Strings, despite that, according to IAB Europe,  “IAB Europe does not in any way process, own, or decide on the use of specific TC Strings”.

WHY IT MATTERS

If a final ruling is adopted, IAB Europe will likely be required to implement (and/or take responsibility for ensuring that those processing TC Strings are implementing) certain practices required of controllers under GDPR, such as appropriate technical and organizational measures, data protection policies, records of processing activities, and extension of data subject rights. The GDPR provides for the approval of codes of conduct prepared by associations representing categories of controllers and processors in certain sectors and, as mentioned by IAB Europe in their announcement, this decision may present an opportunity for IAB Europe to work with a DPA to establish approved practices that could serve as the baseline for an official industry code of conduct.  

Want more of the privacy highlights that matter to adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.