Hintze Law Global Privacy Updates

By Alex Schlight and Emeka Egwuatu

Here’s a snapshot of a few of the privacy developments we followed over the past couple of months, from March 22, 2022 to June 6, 2022. If you missed our last post, you can find it here.

The United States Federal Privacy Updates

The American Data Privacy and Protection Act

FTC

  • The FTC fined Twitter for allegedly violating its 2011 order prohibiting deceptive statements relating to the use of account security data for advertising.

CFPB and FTC File Amicus Brief in FCRA Class Action Lawsuit

  • The Consumer Financial Protection Bureau and the Federal Trade Commission filed an amicus brief supporting the plaintiff’s class. They argued the FCRA does not distinguish between “factual” and “legal” accuracy.

CFPB Bolsters Enforcement Efforts by States

  • The Consumer Financial Protection Bureau issued an interpretive rule that allows authorities to pursue companies and individuals that violate the law. The government affirms that: (1) states can enforce the CFPA, including provisions making it unlawful for covered persons or service providers to violate any provision of federal consumer financial protection law; (2) states can pursue claims and actions against a broad range of entities; (3) CFPB enforcement actions do not put a halt to state actions.

Dark Patterns & TransUnion decision

  • The Consumer Financial Protection Bureau filed two complaints against TransUnion for deceptive marketing and the use of “dark patterns” on the TransUnion website.

Global Cross-Border Privacy Rules Forum

  • The United States, together with Canada, Japan, the Republic of Korea, the Philippines, Singapore, and Chinese Taipei, has established a Global Cross-Border Privacy Rules Forum to “promote interoperability and help bridge different regulatory approaches to data protection and privacy.”

FCRA updates

  • Circuit Courts remain split on harms required under FCRA to show standing.

Fifth Circuit: SEC administrative proceedings unconstitutional  

  • The Fifth Circuit issued an opinion vacating a Securities and Exchange Commission Administrative Law Judge’s decision that George Jarkesy, Jr. and his investment adviser Patriot28, L.L.C. committed securities fraud. The basis for the decision was the court’s determination that the SEC’s proceedings, authority, and structure violated the Seventh Amendment, Article I and Article II of the Constitution, respectively. If the decision stands, it could trigger similar challenges to other federal administrative agencies like the FTC.

U.S. State Privacy Updates

California: Age-appropriate design code act

  • California’s AB 2273 introduces an age-appropriate design code requiring companies offering goods or services which are likely to be accessed by children to implement enhanced privacy standards geared towards protecting the best interests of those children.

California: CCPA draft proposed rules

  • The California Privacy Protection Agency has shared a draft of proposed regulations implementing the CCPA. The draft is not comprehensive but does address issues around consumer decision-making regarding privacy and data collection.

California: Data broker bill updates

  • State Senator Josh Becker has introduced California’s SB 1059. The bill would significantly strengthen California’s existing data broker law and give California additional visibility into the practices of businesses operating as data brokers.

California: Mental Health App legislation

  • California's AB 2089 was introduced in the Assembly. The bill would establish privacy obligations for mental health app providers and privacy protections for information related to a consumer's inferred or diagnosed mental health or substance use disorder collected by a mental health app.

Connecticut: Enacts Comprehensive Consumer Data Privacy Law

  • Connecticut has recently become the fifth United States state with data privacy legislation. The comprehensive law will go into effect alongside the Colorado Privacy Act on July 1, 2023, giving organizations some time to comply with the new law.

New Jersey: Employee vehicle tracking law now in effect

  • New Jersey’s AB 3950, requiring private employers to provide employees with written notice before using tracking devices on vehicles operated by employees, took effect on April 18, 2022.

New York: New York requires electronic monitoring notices for employees

  • New York Governor Kathy Hochul amended New York Civil Rights Law to require employers to notify employees of electronic monitoring of telephone, email, and internet access and usage. The law went into effect on May 7, 2022.

Texas: AG's lawsuit against Google’s private browsing amended

  • The Texas Attorney General amended his previous state lawsuit, which relates to Big Tech’s use of geolocation data, to include Google’s Incognito mode. The amendment implies that regardless of incognito status, Google has misled consumers by tracking their personal location without consent.

Texas: Drone law struck down

  • Texas’ drone law (Chapter 423 of the Texas Government Code) was struck down by a U.S. District Court Judge for First Amendment violations, constituting the first time that a state law regulating drone operations has been deemed unconstitutional.

Virginia: VCDPA Amendments

  • Virginia Governor Glenn Youngkin signed three amendments to the Virginia Consumer Data Protection Act. These amendments introduce new exemptions to the VCDPA’s right to delete, amend the VCDPA’s definition of a non-profit organization, and repeal the Consumer Privacy Fund. 

North America Privacy Updates

Mexico: Mexican courts give finance agencies access to private banking information

  • A Mexican Supreme Court ruling gives the country's finance agencies automatic access to citizens' and companies' banking information. 

Ontario: Employee monitoring

  • Bill 88, an employee monitoring bill requiring heightened notice and policy retention practices, was signed into law.

 

Europe & UK Privacy Updates

European Commission: Trans-Atlantic Data Privacy Framework

  • President Joe Biden and European Commission President Ursula von der Leyen announced that a preliminary agreement had been reached to enable trans-Atlantic data flows in the wake of the invalidation of Privacy Shield.

European Commission

  • The EDPB issued Q&As providing guidance regarding the European Commission standard contractual clauses.

Belgium: EDPB expresses concern about the future independence of GBA/APD

  • The European Data Protection Board issued a letter expressing concern about recent Belgian legislative developments aimed at reforming the structure, governance, and staff of the GBA/APD, the Belgian Data Protection Authority.

Netherlands: Enforcement actions

  • The Dutch Data Protection Authority fined tax authorities €3.7 million for violating the GDPR. The fine is the highest that the Dutch Authorities have ever imposed. The fine was based on six violations, including no legal basis for the processing of personal data.  

Spain: Enforcement actions

  • The Spanish Agency for Data Protection (AEPD) has decided to fine Google €10 million. The fine was issued for violations of the GDPR: an infringement of Article 6 (lawfulness of processing) and Article 17 (right to be forgotten).

 

Asia, Middle East & Africa Privacy Updates

Hong Kong: Guidance on Recommended Model Contractual Clauses for Cross-border Transfers of Personal Data

  • The Office of the Privacy Commissioner for Personal Data (PCPD) issued Guidance on Recommended Model Contractual Clauses for Cross-border Transfer of Personal Data. It provided two sets of Recommended Model Contractual Clauses (RMCs) to cater to two different scenarios in cross-border data transfers, namely (i) from one data user to another data user; and (ii) from one data user to a data processor.

Bahrain: PDPA executive decisions published

  • The Personal Data Protection Authority issued several executive decisions that supplement Bahrain’s existing Personal Data Protection Law No. (3) of 2018. The executive decisions cover several critical data privacy topics, including subject data rights, data transfers, sensitive data processing, and security measures. 

Rwanda: Guidance on controller and processor registration published

  • The National Cyber Security Authority published guidance on the requirement for data processors and data controllers to register their processing activities. The guidance includes details on how to register and what information must be provided by the data processor or data controller.

Saudi Arabia: PDPL Enforcement Delayed

  • The Saudi Data & AI Authority announced that full enforcement of Saudi Arabia’s Personal Data Protection Law will be delayed until March 17, 2023.

Singapore

  • Singapore was granted adequacy for cross-border data transfers by the Dubai International Financial Centre Authority (DIFC or DIFCA). The Personal Data Protection Commission of Singapore published guidance for organizations on anonymizing personal data.

About Hintze Law

Hintze Law PLLC is a boutique privacy firm that provides counseling exclusively on global data protection. The firm’s attorneys and privacy analysts support technology, health, biotech, advertising, social networking, media, gaming, ecommerce, and mobile companies, organizations, and industry associations in all aspects of privacy and data security.