Privacy Report: California Can Enforce Net Neutrality Law After Court Victory

Headlines that Matter for Privacy and Data Security.

US News

California Can Enforce Net Neutrality Law After Court Victory

California’s net neutrality law bars internet service providers from prioritizing, blocking, slowing down, or speeding up internet content. California’s law was created after the Trump-era Federal Communications Commission rolled back the federal net neutrality regulation in 2017. The Justice Department sued to overturn the California law, and several trade associations followed with a request for a preliminary injunction to stop the California law pending the outcome of the lawsuit. Judge John Mendez of the US District Court for the Eastern District of California recently gave California a green light to move forward with the net neutrality law after denying a motion for a preliminary injunction to stop the law from going into effect. California Attorney General Xavier Becerra called the ruling a “critical net neutrality win.”

The First But Not Last Comprehensive US Privacy Bill of 2021

The Information Transparency and Personal Data Control Act became the first piece of comprehensive privacy legislation introduced in the 117th US Congress. Broadly speaking, the proposed federal bill would create protections for the processing of sensitive personal information. For the collection, processing, and sharing of non-sensitive information, companies would be required to allow consumers to opt-out at any time. More specifically, it would provide additional rulemaking authority to the Federal Trade Commission to devise requirements for entities that collect, transmit, store, process, sell, share, or otherwise use the sensitive personal information of members of the public. These requirements would include obtaining “affirmative, express, and opt-in consent” for requests involving the collection, sale, sharing, or other disclosure of sensitive personal information.

CCPA Regulations Update and the Opt-Out Icon Has Arrived

The California Consumer Privacy Act (CCPA) Regulations are updated with clarifications and examples, particularly for requirements surrounding the “sale” of personal information. Businesses, particularly those that sell personal information, should review the latest clarifications to the CCPA. The updates also introduce the long-awaited opt-out icon to accompany the “Do Not Sell My Personal Information” link. While previous versions of the opt-out icon were introduced and then disappeared, this time, the opt-out icon appears here to stay.

CCPA Enforcement Board Elected

The California Privacy Protection Agency will have full administrative power, authority, and jurisdiction to implement and enforce the California Consumer Privacy Act and the California Privacy Rights Act. Members are:

  1. Jennifer M. Urban -  Urban is appointed Chair of the California Privacy Protection Agency Board by Governor Newsom. Urban has been a Clinical Professor of Law and Director of Policy Initiatives for the Samuelson Law, Technology and Public Policy Clinic at the University of California, Berkeley – School of Law since 2009, where she has held multiple positions since 2002, including Fellow, Lecturer, and Visiting Acting Clinical Professor of Law.
  2. John Christopher Thompson - Thompson has been Senior Vice President of Government Relations at LA 2028 since 2020. Thompson is a member of the California Science Center Foundation, Public Media Group of Southern California, and Public Policy Institute of California Statewide Leadership Council.
  3. Angela Sierra - Sierra recently served as Chief Assistant Attorney General of the Public Rights Division, overseeing the work of the Division’s over 400 employees in areas related to safeguarding civil rights, protecting consumers against misleading advertising claims, fraudulent business practices, and privacy violations, maintaining competitive markets, protecting consumers’ health care rights, preserving charitable assets and safeguarding the State’s natural resources and environment.
  4. Lydia de la Torre - Since 2017, de la Torre has been a professor at Santa Clara University Law School, where she has taught privacy law and co-directed the Santa Clara Law Privacy Certificate Program, a cutting-edge program that enables students to graduate ready to practice privacy law. She also has served as of-counsel to Squire Patton Boggs, where she specialized in privacy, data protection, and cybersecurity.
  5. Vinhcent Le - Le currently serves as a Technology Equity attorney at the Greenlining Institute, focusing on consumer privacy, closing the digital divide, and preventing algorithmic bias.

Virginia Consumer Data Protection Act: Here Comes the Next State Privacy Law of the Land

Virginia passes the second state comprehensive consumer privacy law in the US. The Virginia Consumer Data Protection Act (CDPA) applies to entities that conduct business in Virginia or produce products or services that target Virginia residents and meet one of the following thresholds: (i) during a calendar year, control or process personal data of at least 100,000 Virginia consumers or (ii) control or process personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data. The CDPA is scheduled to take effect on January 1, 2023, so businesses have a little less than two years to review and implement requirements. The next stage of the CDPA involves a working group that will submit findings, best practices, and recommendations regarding the implementation of the CDPA to the Chairmen of the Senate Committee on General Laws and Technology and the House Committee on Communications, Technology, and Innovation by November 1, 2021.

EU News

Bidders and Brokers: Investigation into Real-Time Bidding and Data Broker Activities in AdTech

Companies using real-time bidding for advertising should take heed of the investigation developments across the pond. The Information Commissioner's Office (ICO) has resumed its investigation into real-time bidding and the advertising technology (AdTech) industry. The investigation was paused back in May 2020 as ICO focused on prioritizing its response to the COVID-19 pandemic. The investigation has been an ongoing project since February 2019, and ICO partly started its original efforts into the review of real-time bidding due to the risks it poses to the rights and freedoms of individuals.

European Commission Draft Adequacy Decisions for United Kingdom

The European Commission launched the process towards the adoption of two adequacy decisions for transfers of personal data to the United Kingdom, one under the General Data Protection Regulation and the other for the Law Enforcement Directive. The publication of the draft decisions is the beginning of a process towards their adoption. This involves obtaining an opinion from the European Data Protection Board (EDPB) and the green light from a committee composed of representatives of the EU Member States. Once this procedure has been completed, the Commission could proceed to adopt the two adequacy decisions.

European Data Protection Board Adopts Guidelines on Processing Personal Data in the Context of Connected Vehicles and Mobility Related Applications

Not only vehicles, but drivers and passengers are also becoming more and more connected. As a matter of fact, many models launched over the past few years on the market integrate sensors and connected on-board equipment, which may collect and record, among other things, the engine performance, the driving habits, the locations visited, and potentially even the driver’s eye movements, his or her pulse, or biometric data for the purpose of uniquely identifying a natural person. The scope of this document focuses in particular on the personal data processing in relation to the non-professional use of connected vehicles by data subjects: e.g., drivers, passengers, vehicle owners, other road users, etc. More specifically, it deals with the personal data: (i) processed inside the vehicle, (ii) exchanged between the vehicle and personal devices connected to it (e.g., the user’s smartphone), or (iii) collected locally in the vehicle and exported to external entities (e.g., vehicle manufacturers, infrastructure managers, insurance companies, car repairers) for further processing.

EU Justice Commissioner and US Secretary of Commerce Intensify Negotiations for Enhanced Privacy Shield

EU Commissioner for Justice, Didier Reynders, and US Secretary of Commerce, Gina Raimondo, have made the following statement regarding the negotiations on transatlantic data privacy flows: “The U.S. Government and the European Commission have decided to intensify negotiations on an enhanced EU-U.S. Privacy Shield framework to comply with the July 16, 2020 judgment of the Court of Justice of the European Union in the Schrems II case… Our partnership on facilitating trusted data flows will support economic recovery after the global pandemic, to the benefit of citizens and businesses on both sides of the Atlantic.”

Asia News

Successful Conclusion of Adequacy Talks Between European Union and the Republic of Korea

Commissioner for Justice Didier Reynders and Chairperson of the Personal Information Protection Commission Yoon Jong In welcomed the successful conclusion of the adequacy talks between the European Union and the Republic of Korea. The adequacy dialogue confirmed the high degree of convergence between the European Union and the Republic of Korea in the area of data protection, which increased further with the recent entry into force of the new Personal Information Protection Act in the Republic of Korea and the strengthening of the powers of the Personal Information Protection Commission. The European Commission will now launch the procedure for the adoption of its adequacy finding.

Singapore’s Personal Data Protection Commission Releases Guidance on Enforcement

Following the amendments to the Personal Data Protection Act 2012 (PDPA) which came into force on February 1, 2021, this guide on Active Enforcement Guide Framework articulates the Personal Data Protection Commission (PDPC) approach in deploying its enforcement powers to act effectively and efficiently on the increasing number of data breach incidents. This guide targets both consumers as well as organizations that handle personal data and outlines how the PDPC handles data protection complaints, investigates incidents, and the types of enforcement actions that the PDPC may undertake in various circumstances. In addition, this guide will explain the general principles for determining the financial penalty amount imposed for cases where the organizations are found to be in breach of the PDPA.


Office of the Australian Information Commission Submits Comments Regarding the DAT Bill

The Data Availability and Transparency Bill 2020 (the DAT Bill) proposes to create the Data Availability and Transparency scheme (DAT scheme) to enable Australian Government agencies to share public sector data with particular entities for particular purposes and under particular conditions. The Office of the Australian Information Commissioner (OAIC) is an independent Commonwealth regulator and submits comments on the DAT Bill noting that robust data protection and privacy safeguards are central to successful data sharing initiatives. The OAIC’s submission recommends the inclusion of several privacy measures to provide further protections for individuals and clarity for data scheme entities about their privacy obligations.

Analysis You Can Use

UN Digital Protection Recommendations

The UN Committee on the Rights of the Child has laid out the ways that young people and children should be treated in the digital world, and how their rights should be protected. The document, adopted at the 86th session of the Committee, emphasizes that the rights of every child must be respected, protected, and fulfilled in the digital environment and that children should have access to age-appropriate and empowering digital content, and information from a wide diversity of trusted sources. The recommendations of the Committee were published in the form of a “general comment,” following two years of consultations with a wide range of groups, involving the Member States, inter-governmental organizations, civil society, and national human rights institutions. In addition, over 700 children and young people, aged between nine and 22 years old, in 27 countries, were consulted during the process, during which they were asked how digital technology impacts their rights, and what actions they want to see taken to protect them.

Smart In Your World

Arent Fox’s Privacy, Cybersecurity, & Data Protection attorneys help clients navigate Big Data issues in spaces as diverse as health care, nonprofits and trade associations, telecommunications, retail, consumer products, gaming and entertainment, and media.


Continue Reading