Here’s a snapshot of a few privacy developments from the past few weeks. If you missed our last post, you can find it here.
US State Law
Arkansas Files Lawsuits Against TikTok, Meta
The state of Arkansas filed lawsuits on March 28 against social media companies TikTok and Meta. The lawsuits claim that these companies deceived consumers regarding children's safety on their platforms. Specifically, two lawsuits were filed against TikTok and its parent company, ByteDance, while another lawsuit was filed against Meta. The allegations state that the companies violated Arkansas' deceptive trade practices act. One of the complaints against TikTok alleges that it failed to adequately protect minors from being exposed to indecent content. The complaint against Meta alleges that it leveraged Facebook to increase the amount of time young people spend on the platform.
Arkansas Passes Children's Social Media Bill
The Arkansas House of Representatives has given its final approval for Senate Bill 396, also known as the Social Media Safety Act. This bill aligns with Utah's social media legislation, focusing on age verification and parental consent for minors under the age of 18. Pending the governor's signature, the bill is expected to come into effect on September 1, 2023.
Indiana Becomes the Seventh State to Enact a Comprehensive Data Privacy Law
Indiana’s Consumer Data Protection bill (S.B. 5) was signed by Governor Eric Holcomb on May 1, 2023. The bill, which offers similar protections to Virginia’s Consumer Data Protection Act, goes into effect on January 1, 2026. Notable differences from other comprehensive privacy laws:
Unlike most other access rights afforded under state privacy laws, Indiana allows for either a copy or a “representative summary” of personal data to be provided upon request.
Unlike most other correction rights afforded under state privacy laws, Indiana only requires controllers to correct information that the consumer previously provided to the controller rather than all personal data held by the controller.
Like Virginia, the law requires an opt-in consent to the processing of sensitive data, but the definition of mental or physical health diagnoses that are considered sensitive only include diagnoses made by a healthcare provider.
The law offers a unique carveout for facial recognition software used by certain riverboat casinos approved by the Indiana gaming commission.
The law goes into effect on January 1, 2026, offering companies a longer period to prepare to meet the law’s requirements than typical.
The thirty-day right to cure provision does not expire, unlike similar provisions in California, Colorado, and Connecticut.
New Florida Digital Bill of Rights
The Florida legislature voted in favor of sending the Florida Digital Bill of Rights (“FDBR”) and other amendments related to government moderation of social media and protection of children in online spaces (S.B. 262) to Governor DeSantis for signature. He is expected to sign. Unlike the other comprehensive state privacy laws that have been enacted, the FDBR applies only to companies earning over $1 billion in global revenue.
Tennessee Information Protection Act Is Signed into Law
The Tennessee Information Protection Act was signed into law May 11, 2023, and will go into effect July 1, 2025. The law bears many similarities to the Virginia Consumer Data Protection Act, with a couple of notable features:
A low threshold for covered entities: $25MM in revenues (presumably per year) and:
Either control or process information of 25,000 consumers and derive 50% of gross revenue from selling personal information, or
In a calendar year, control or process personal information of at least 175,000 Tennessee consumers.
A covered entity’s voluntary privacy program that (i) adheres to the NIST Privacy Framework “or other documented policies, standards, and procedures designed to safeguard consumer privacy”, (ii) as updated, and (iii) provides consumers with all the substantive rights granted by the law, is an affirmative defense to any enforcement action. There is no private right of action.
Washington: My Health My Data Act
The My Health My Data Act (“MHMD Act”) was signed into law, creating new and unique consumer rights and obligations for business relating to the collection, sharing, and use of “consumer health data.” New protections include prohibiting the sale of consumer health data, requiring disclosure and consent for data collection and sharing, allowing consumers to have their consumer health data deleted, and banning geofences around facilities that provide in-person healthcare services. Read Hintze Law's blog series on the MHMD Act here.
US Federal Law
Apple and Google Creating Industry Specification to Combat Unauthorized Tracking via Bluetooth
Apple and Google are reportedly working together to develop an industry-standard specification to enable unauthorized Bluetooth tracking detection and alerts on iOS and Android platforms. The spec is being created as a best practice guide for device manufacturers (such as Samsung or Tile) to follow as they develop their products.
CFPB Launches Inquiry into Business Practices of Data Brokers
The CFPB has initiated an inquiry into the business practices of data brokers. The primary objectives of this inquiry are to gain a comprehensive understanding of the scope and practices of data brokers, assess their impact on consumers, and determine whether they adhere to the same regulatory standards.
Ovulation Tracking App Will be Barred from Sharing Health Data for Advertising Under Proposed FTC Order
The FTC announced a proposed order against Premom in its second enforcement action under the Health Breach Notification Rule. Consistent with the FTC’s recent activity in the digital health space, the FTC alleged that Premom shared individually identifiable health information with third parties via tracking technologies in violation of the promises it made to its users.
Judge Dismisses FTC. Lawsuit Against Location Data Broker
On May 4, 2023, the United States District Court for the District of Idaho dismissed the FTC's complaint against Kochava, Inc., which alleged that Kochava’s sale of geolocation data and device identifiers was an unfair trade practice under the FTC Act. The court ruled that the FTC’s allegations were insufficient to show a likelihood of substantial injury to consumers, as (1) the FTC only alleged a theoretical risk of potential harm which was not likely to cause substantial injury, and (2) the alleged privacy intrusion was insufficiently severe to constitute a substantial injury to consumers. The Court is permitting the FTC to amend its complaint to include additional allegations.
US Federal Law Enforcement Released Joint Statement on Discrimination and Bias in Automated Systems
Today, the heads of the CFPB, DOJ Civil Rights Division, EEOC, and FTC released a joint statement on enforcement efforts against discrimination and bias in automated systems. The statement reiterates each department’s resolve to address automated systems that contribute to unlawful discrimination and otherwise violate federal law. In particular, officials point to three problem sources:
1. Data and datasets: “Automated system outcomes can be skewed by unrepresentative or imbalanced datasets, datasets that incorporate historical bias, or datasets that contain other types of errors. Automated systems also can correlate data with protected classes, which can lead to discriminatory outcomes.”
2. Model opacity and access: “Many automated systems are ‘black boxes’ whose internal workings are not clear to most people and, in some cases, even the developer of the tool. This lack of transparency often makes it all the more difficult for developers, businesses, and individuals to know whether an automated system is fair.”
3. Design and use: “Developers do not always understand or account for the contexts in which private or public entities will use their automated systems. Developers may design a system on the basis of flawed assumptions about its users, relevant context, or the underlying practices or procedures it may replace.”
US Department of HHS Issued Notice of Proposed Rulemaking Regarding HIPPA
On April 12, 2023, the Office for Civil Rights at the U.S. Department of Health & Human Services (HHS) issued a Notice of Proposed Rulemaking to modify the HIPAA Privacy Rule to strengthen reproductive health care privacy. The proposed rule would prohibit a HIPAA regulated entity from using or disclosing PHI when the use or disclosure is primarily for the purpose of investigating or imposing liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care.
Europe & UK Law
Austrian DPA Decides Newsreaders Can Choose Yes or No at Cookie Paywalls
The Austrian Data Protection Authority (DSB) has reached a verdict concerning the use of 'cookie paywalls' on several Austrian news websites. These paywalls create a dilemma for users: they can either pay for a subscription or allow their data to be shared with tracking companies in exchange for untracked access to content. Under the General Data Protection Regulation (GDPR), user consent must be freely given. However, the DSB found that the choice between paying a subscription fee or effectively "paying" through personal data sharing could present complications for users.
CJEU Announcement on DSARs
On May 4, 2023, the CJEU announced a decision relating to data subject access rights (DSARs), specifically what must be produced as part of an access request. The CJEU held that the “right to obtain a copy of personal data means that the data subject must be given a faithful and intelligible reproduction of all those data.” It further held that the “right entails the right to obtain copies of extracts from documents or even entire documents or extracts from databases which contain those data, if that is essential in order to enable the data subject to exercise effectively the rights conferred on the him or her by that regulation.”
Clearview AI Cannot Process the Biometric Data of Austrian Complainant
According to noyb, an information privacy advocacy organization, the Austrian data protection authority, DSB, has acknowledged that the collection of images of individuals for use in a biometric search engine is not permissible under the GDPR. However, it is noteworthy that the DSB did not impose a fine on Clearview AI for this practice, nor did it impose a blanket ban on such data collection.
Commission Announces First Platforms to Fall Under EU Digital Rulebook’s Stricter Regime
The EU Commission has announced the first 19 platforms that have been identified as qualifying VLOPs/VLOSEs (Very Large Online Platforms/Very Large Online Search Engines) under the Digital Services Act. These platforms will be subject to the new rules starting from August 25, 2023. The platforms identified are as follows: Alibaba AliExpress, Amazon Store, Apple AppStore, Bing, Booking.com, Facebook, Google Play, Google Maps, Google Search, Google Shopping, Instagram, LinkedIn, Pinterest, Snapchat, TikTok, Twitter, Wikipedia, YouTube, and Zalando.
Croatia Sends Out Mandatory DPO Questionnaire
Croatia’s DPA, AZOP, published a notice to data protection officers that they must respond to a mandatory questionnaire concerning their appointment and roles. The questionnaire was sent to data protection officers over email, and responses are due June 1, 2023.
New Guidance from Denmark on GDPR for Small Businesses
Denmark’s DPA, Datatilsynet, published the guidance as a resource designed to be more accessible than existing information on GDPR, featuring example scenarios and an FAQ on legal requirements.
Denmark Determines a Child’s Right to Access is Personal
Denmark’s data protection authority, Datatilsynet, made this finding that in practice means that while a parent may request access on behalf of their child, a controller requiring two parents to jointly request access would unduly impede the child’s personal right.
EDPB Adopts Guidelines on Data Subject Rights
The EDPB has adopted the final version of its Guidelines on Data Subject Rights, providing clear context for employment DSAR procedures and clarity on verification processes, including collection of national ID information. It specifies that subjective comments on an individual’s behavior during job interviews fall within the data collection scope, subject to national law and Article 23 compliance. Furthermore, the Guidelines illuminate complex areas such as telemetry data, inferred data, and pseudonymous data, aiding in a deeper understanding of data subjects’ rights.
EU Ruling on Transfer of Pseudonymized Data
The EU General Court held that a transfer of pseudonymized data is not a transfer of personal data if the recipient does not have legal means to re-identify the data. At issue was data shared with Deloitte by an EU body, the Single Resolution Board, and therefore governed by Regulation (EU) 2018/1725 (the “GDPR for EUIs”), a companion Regulation to GDPR with the same definitions as GDPR for pseudonymization. Note the EU General Court sits below the CJEU; this holding is consistent with draft ICO guidance on anonymization, pseudonymization and privacy enhancing technologies.
EDPB Adopts Guidelines on Article 60 GDPR
The EDPB has recently adopted several important guidelines and a toolbox related to data protection. These include the Guidelines on Article 60 of the GDPR, Guidelines on dark patterns in social media, and a toolbox on essential data protection safeguards for cross-border enforcement cooperation.
Irish Guidance on Records of Processing Activities
The Irish Data Protection Commission recently released guidance on records of processing activities as a result of its 2022 compliance monitoring sweep involving 30 diverse organizations. This guidance aims to assist organizations in meeting the requirements of the GDPR regarding records of processing activities
Spain Publishes Guidance on AI Systems
Spain’s DPA, AEPD, published guidance on implementing AI systems and determining if AI processing is fully automatic or involves human supervision. The guidance emphasizes that the controller is ultimately responsible for whether there is human involvement.
New Guidance from Spain on Federated Learning
Spain’s DPA, AEPD, published guidance on federated learning as a type of privacy-enhancing technology. The guidance provides examples of horizontal and vertical federated learning and how each enhances data privacy.
Portugal new guidelines on GDPR rules
Portugal’s DPA, CNPD, published five new guidelines regarding the application of GDPR rules for public authorities, including guidance around third-party sharing, internet publication of certain personal data, and the conflict of interest between the functions of the data protection officer and the person responsible for access to information.
Spain Amends National GDPR Implementation
Spain amended their national privacy law and GDPR implementation, LOPDGDD. The amendments address multiple topics, notably clarifying that a warning is a non-punitive correctional power of Spain’s data protection authority and extending some deadlines during investigations and disciplinary procedures.
New Guidance from Spain on Encryption
Spain’s DPA, AEPD, published guidance to help an organization assess whether its encryption procedures is adequate. The guidance also provides considerations for designing and validating new encryption systems.
New Guidance from Spain Emphasizes Privacy by Design, DPOs
Spain’s DPA, the AEPD, published guidance to generally address personal data protection regulations with an emphasis on the GDPR. The document is meant to overview existing regulations around “data spaces” with an emphasis on privacy by design and the requirements for data protection officers.
South American Law
Brazilian DPA Enacts Regulation on Administrative Penalties Under Brazilian General Data Protection Law
The Brazilian Data Protection Authority (DPA) has implemented a regulation concerning the setting and application of administrative penalties under the Brazilian General Data Protection Law (LGPD). This regulation specifically outlines the methodology for calculating fines in cases of non-compliance.
Asian Law
Vietnam issues decree on the Protection of Personal Data Law
On February 7, 2023, Vietnam issued Decree No. 13/2023/ND-CP, which focuses on the Protection of Personal Data Law (PDPD). This decree was subsequently published on April 17, 2023. The PDPD incorporates various elements that are similar to the GDPR, including provisions related to data subject rights.