Blog

Week of September 6, 2021

Julie Rubash, Chief Privacy Counsel
September 12, 2021

Want to receive these weekly privacy recaps in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.

UNITED STATES

STATE OF OKLAHOMA PROPOSES PRIVACY BILL

A bi-partisan bill was filed in the Oklahoma House of Representatives to create the Oklahoma Computer Data Privacy Act of 2022, described by one of its authors as “the most stringent data privacy law in the nation”.

WHY THIS MATTERS

Among other requirements, the law would require covered businesses to limit use of a consumer’s personal information to “that which is reasonably necessary to provide a service or conduct an activity that a consumer has a requested or for a related operational purpose.” “Operational purpose” is defined to include customization of advertising or marketing, but the law would require covered businesses to extend to consumers the right to opt out of personalized advertising.

FTC FUNDING PROPOSAL

U.S. House Democrats unveiled a budget proposal that would include $1 billion for FTC enforcement relating to privacy, data security, identity theft, data abuses and related matters.

OUR TAKE

Earlier this summer, we saw an Executive Order from President Biden encouraging the FTC to establish rules on surveillance and the accumulation of data, introduction of the federal Safe Data Act to (among other things) strengthen the FTC’s rulemaking authority, and a whitepaper from an FTC commissioner discussing how FTC rulemaking could address harmful outcomes from algorithmic decision-making. In combination with this budget proposal, these initiatives indicate strong focus at executive, legislative and regulatory levels to drive data reforms through FTC rulemaking and enforcement.

EUROPE

Following UK Digital Secretary Dowden’s August announcement of plans to develop a “world-leading data policy”, the UK government launched an open consultation to explore various options to resolve issues with existing privacy requirements. The consultation poses several questions and invites responses through November 19.

WHY THIS MATTERS

Among other data reform topics, the consultation cites impact on audience measurement data and the number of cookie pop-ups on websites as issues to resolve and proposes various options to explore, including permitting organizations to use analytics cookies and store and collect information from user devices for limited purposes without user consent, as well as leaning on browsers, software applications, device settings, data fiduciaries or trusted third parties to manage individual consent preferences.

Beyond its own proposals for data reform (see above), the ICO this week announced that it would call on the other G7 data protection and privacy authorities (from Canada, France, Italy, Japan, U.S., and Germany) to “bring practical solutions” to tackle challenges with cookie consent pop-ups.

OUR TAKE 

The ICO consultation and G7 communications make clear an intent not to remove cookie consent altogether but to take a step back, collaboratively assess the practical impact of existing laws on digital data collection, and explore alternative approaches to give consumers more meaningful control where it’s most important.

CNIL MATURITY SELF-ASSESSMENT TOOL

The data protection authority of France (CNIL) released a self-assessment tool to aid companies in achieving a “maturity model” in data protection management. The model proposes 5 maturity levels and applies them to 8 typical data protection activities in order to “quantify the rigor and formalism with which Data protection management activities are managed” within a company.

OUR TAKE

Although the maturity model isn’t law, it may be a helpful tool for companies to assess where their data protection policies sit in the spectrum of the CNIL’s expectations and recommendations.

GLOBAL

INDIA PRIVACY LEGISLATION BACK TO SQUARE ONE

The Hindu reported that the new chairman of India’s Joint Parliamentary Committee on a Personal Data Protection Bill is reopening consultations after the panel finalized a draft report last year. The chairman reportedly made several changes to the bill, including expanding certain provisions to cover both personal and non-personal data, specifically in the context of data breaches. The committee has been asked to submit a report by the Winter session that will be called in the third week of November.

OUR TAKE

Previous versions of India’s Personal Data Protection Bill contains several concepts similar to GDPR, including requirements to obtain consent to collect personal data (with several exceptions) and to extend certain rights to individuals from whom data is collected. Based on Hindu’s report, it doesn’t appear that such provisions have changed in the most recent version, although the process has been delayed with renewed deliberations.

Want more of the privacy highlights that matter to adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.

Latest Blog Posts

Week of November 15, 2021

November 22, 2021

Bedoya testifies in FTC nomination hearing, plus federal online...

Week of November 8, 2021

November 15, 2021

UK denies privacy class action against Google. European commission...

FAQ: Updates on the Belgian DPA’s investigation of the IAB’s TCF

November 11, 2021

The IAB Europe’s Transparency & Consent framework is the...

Latest White Papers

Ebook: A Publisher’s Guide to Vendor List Curation

August 16, 2021

How to review your vendor list to mitigate compliance...

Keep in touch

Sign up for our newsletter to keep up with the latest privacy and media news.

Let's explore what we can do together.

We'll be in touch within 48 hours

    First name *

    Last name *

    Email address *

    Company *

    Message *

    * indicates required fields