Want to receive these weekly privacy recaps in your inbox?
The California Privacy Protection Agency (CPPA) selected Ashkan Soltani to serve as the Agency’s Executive Director. Soltani will carry out the day-to-day operations of the Agency, oversee enforcement, rulemaking, and public awareness and build and lead the Agency staff. Soltani has previously served as a Senior Advisor to the U.S. Chief Technology Officer and the Chief Technologist for the FTC.
One of the tasks of the CPPA is to “issue regulations to govern how a business that has elected to comply with [the Section of the CPRA giving businesses the option to allow consumers to opt out through an opt-out preference signal rather than a “Do Not Sell My Personal Information” link] responds to the opt-out preference signal and provides consumers with the opportunity subsequently to consent to the sale or sharing of their personal information…”
Soltani was one of the original spearheaders of the Global Privacy Control (GPC) and has been outspoken encouraging its legal recognition, including through testimony just last month recommending that the U.S. Senate Committee on Commerce, Science and Transportation direct the Federal Trade Commission “to adopt a Global Privacy Control (GPC) as a legally adequate opt-out mechanism”.
FTC Commissioner Rebecca Kelly Slaughter gave a keynote speech at the BBB National Advertising Division Conference, in which she challenged five “truisms” in digital advertising: (1) privacy is the key issue; (2) transparency is the key solution; (3) the policy options are opt-in or opt-out; (4) surveillance advertising is necessary to support free services; and (5) the FTC is toothless absent new federal legislation.
She stressed the importance of thinking beyond just data privacy to a broader concept of “data abuses” (of which data privacy is a critical, but not the only, element), identifying and addressing unfair, deceptive, and anticompetitive data practices, adopting bright-line purpose and use restrictions that minimize the data that can be collected and how it can be used, and enforcing such principles at the FTC, regulatory level.
Commissioner Slaughter’s comments should not come as a surprise. We’ve seen recent increased focus on a broadened concept of data harms and data ethics, beyond data privacy, previously from Slaughter (see her whitepaper on algorithmic decision-making published last month, specifically addressing potential harms in the use of algorithmic decisioning making in the advertising industry) as well as in the form of executive encouragement (see President Biden’s Executive Order issued in July encouraging the FTC to establish rules on surveillance and the accumulation of data).
California passed AB 694 to clarify a discrepancy in the CPRA regarding the timing of CPPA rulemaking authority. As previously drafted, one section said the Agency would assume rulemaking authority on the earlier of July 1, 2021 and six months after the Agency provides notice to the Attorney General, and another section said it would happen on the later of such dates. The amendment clarifies that the Agency will assume such responsibility on the later of such dates.
The Agency has not yet provided notice to the Attorney General, so they will assume rulemaking authority no earlier than April 2022. However, they have already published an invitation for preliminary comments on proposed rulemaking with comments due by November 8.
The UK Information Commissioner’s Office (ICO) published a response to the Consultation issued last month by the Department for Digital, Culture, Media & Sport (DCMS) on reforms to the UK’s data protection regime. The ICO’s response expressed support for certain proposals (including exploration of alternative (browser and non-browser) consent mechanisms) and concern or discouragement of other proposals (including with respect to some aspects of the Government’s proposals around AI and automated decision-making).
ICO Commissioner Elizabeth Denham, in her forward accompanying the response, also expressed “strong concerns” about proposals for the Secretary of State to approve ICO guidance and appoint the CEO, stressing that the proposals do not sufficiently safeguard the ICO’s independence.
WHY IT MATTERS
The ICO Response cautioned that delivering some of these proposals (including alternative cookie consent mechanisms) would require international cooperation. This sentiment is consistent with the ICO Commissioner’s recent meeting with her G7 counterparts, in which the G7 authorities reportedly committed to find better ways to secure informed and meaningful consent online, including examination of web browsers, software applications and device settings as potential vehicles for privacy preferences.
Christel Schaldemose, a Danish politician and Member of the European Parliament, expressed in an interview with Reuters that she wants to include in the Digital Services Act a ban on some targeted advertising, such as advertising based on a user’s behavior on Facebook. She said she hopes to finalize her draft proposal in the next two months.
WHY IT MATTERS
The Digital Services Act was proposed by the European Commission and currently sits with the European Parliament. Schaldemose is the lead MEP shepherding the DSA through Parliament.
The DSA is a draft law that, in its current form, imposes certain transparency, accountability and safeguarding obligations on intermediary and hosting services and online platforms, including an obligation for online platforms that display advertising to display that the information is an advertisement, the person on whose behalf the advertisement is displayed, and meaningful information about the main parameters used to determine the recipient to whom the advertisement is displayed, as well as more detailed advertising reporting requirements for large platforms.
Google released an updated Privacy Sandbox timeline, showing that the “testing” phase for FLoC and FLEDGE APIs has been pushed from Q4 2021 to Q1 2022. As reported by MediaPost, the update comes shortly after Criteo posted a blog entry identifying certain flaws with FLoC.
The timeline for deprecation of third-party cookies remains set to begin transitioning in Q4 2022, but as reported in Google’s original July announcement, the start of Stage 1 for such transition will only be announced “once testing is complete and APIs are launched in Chrome.”
Want more of the privacy highlights that matter to adtech and martech?
A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.