Privacy Report: FTC Publishes Advance Notice of Proposed Rulemaking on Commercial Surveillance and Data Security

Headlines that Matter for Privacy and Data Security.

US News

FTC Publishes Advance Notice of Proposed Rulemaking on Commercial Surveillance and Data Security

Concerned that companies use secret surveillance practices to collect “vast troves” of consumer information, the Federal Trade Commission (FTC) just published an Advance Notice of Proposed Rulemaking (ANPRM) to request public comment on the prevalence of commercial surveillance and data security practices that harm consumers. The FTC is particularly concerned about inadequate data security practices, harm to minors, forced consent, the use of unrepresentative datasets, and bias and discrimination. It is seeking comment on whether it should implement new trade regulation rules or other alternatives to regulate how companies: (1) collect, analyze, and retain; as well as (2) deceptively share, sell, or monetize data related to commercial surveillance. It invites public input on the nature and prevalence of harmful surveillance practices, the balance of costs versus the benefits of surveillance practices, and proposals for protecting consumers from harmful surveillance practices. The FTC is hosting a virtual public forum on Thursday, September 8, 2022, from 2-7:30pm. Find the fact sheet here.

California Privacy Protection Agency Opposes the American Data Privacy and Protection Act

The California Privacy Protection Agency (Agency) recently held a special meeting to discuss the American Data Privacy Protection Act (ADPPA) and held that the Agency opposes any bill that seeks to preempt the California Consumer Privacy Act, as amended by the California Privacy Rights Act) or provides substantially weaker protections. Notably, as the ADPPA is currently drafted, it would preempt nearly all provisions of the California Consumer Privacy Act. 

Are You Ready for 2023? New Privacy Laws to Take Effect Next Year

The US currently does not have a federal omnibus privacy law, but states are beginning to pass privacy laws to address the processing of personal data. While California is the first state with an omnibus privacy law, it has now updated its law, and four additional states have joined in passing privacy legislation: Colorado, Connecticut, Utah, and Virginia. Notably, while most of the laws apply to for-profit businesses, Colorado’s Privacy Act also applies to non-profits. Organizations that fall under the scope of these new privacy laws should review and prepare their privacy programs. The list of updates may involve: 

  • Making updates to privacy policies,
  • Implementing data subject request procedures, 
  • How your business is handling AdTech, marketing, and cookies,
  • Reviewing and updating data processing agreements,
  • Reviewing data security standards, and 
  • Providing training for employees.  

For more information on the scope of these laws, please see our alert here

Life After Dobbs: FTC Now Plans to “Vigorously Enforce the Law” Against Illegal Use and Sharing of Highly Sensitive Data 

The recent Dobbs decision not only impacted abortion rights, but also included provisions diminishing constitutional privacy protections. Given this impact on privacy, the FTC has moved to ensure that businesses take steps to protect highly sensitive data, which includes precise location and health data. As a first step, the FTC released an announcement that not only reinforces the widespread role of sensitive data in our lives, but also states its plans to fully enforce the law against illegal use and sharing of highly sensitive data. As the FTC prepares to increase its enforcement activity, companies should regularly review their data privacy and security practices. In particular, companies should avoid making false statements about how they handle data and ensure they are clear about data practices when communicating with consumers. For more information, please see our alert here

Timing Is Everything: Ninth Circuit Finds Retroactive Consent for Tracking Technologies Insufficient for CIPA

A recent Ninth Circuit ruling in Javier v. Assurance IQ, LLC holds that the requirement to obtain prior consent of all parties to a communication applies to online recording of website activity, including for recording chatbot activity or collecting information for an online questionnaire as a user is providing it. In this case, the court reviewed Section 631(a) of the California Invasion of Privacy Act. The Ninth Circuit found that though Section 631(a) is written in terms of wiretapping, Section 631(a) applies to Internet communications. With this ruling in mind, businesses should: 

  • Obtain two party consent prior to tracking or recording interactions,
  • Fully inform consumers of their privacy practices,
  • Remain familiar with the privacy practices of affiliated third-party providers, including without limitation storage, recording, and use practices, and
  • Fully understand at which point in user engagement users are notified that their interactivity is monitored and stored.

DOJ Provides Update on Data Access Agreement by Releasing US and UK Joint Statement 

The Department of Justice (DOJ) recently released a joint statement explaining that the US and UK intend to bring into force the Agreement on Access to Electronic Data for the Purpose of Countering Serious Crime (Data Access Agreement) on October 3, 2022. Originally signed in 2019, the Data Access Agreement will allow each country’s investigators to gain better access to crime-related data. Specifically, the DOJ’s announcement states that the Data Access Agreement will allow the prevention, detection, investigation, and prosecution of serious crime to be carried out “more quickly than before,” as it allows the respective governments to directly request data held by telecommunications providers in the other party’s jurisdiction for the exclusive purpose of handling serious crimes. Further, the announcement explains that this new tool will maintain strong oversight and will uphold the “democratic and civil liberties standards” the DOJ values. 

Congressional Officials Put Pressure on the FTC to Address Deceptive Data Practices 

Congressional officials Anna G. Eshoo and Ron Wyden sent a letter to the Federal Trade Commission (FTC), urging it to address deceptive data practices by VPN providers. According to the officials, there are several abusive practices in the consumer VPN industry, including promoting false and misleading claims about services; selling user data and providing user activity logs to law enforcement, despite promises of total anonymity; and a lack of oversight of the industry in general. Describing the VPN industry as “extremely opaque,” and claiming “many VPN providers exploit, mislead, and take advantage of consumers,” the officials advocated for the FTC to take immediate action under Section 5 of the FTC Act to curtail abusive and deceptive data practices in companies providing VPN services. Find the press release here. Find the letter here.

Global News

ICO Simplifies the UK Binding Corporate Rules Approval Process

Referring to the Binding Corporate Rules (BCRs) as the “gold standard” transfer mechanism, the Information Commissioner’s Office (ICO) recently published new guidance on UK BCRs. Because some BCR applicants may desire to seek both EU and UK BCRs, the ICO has simplified the UK BCR approval process. Now, the ICO will only request supporting documents and commitments once during the process. The guidance also addresses the impact of Schrems II and the importance of undertaking a risk assessment. Specifically, though the ICO does not need to see evidence of a transfer risk assessment as part of the UK BCR approval process, the ICO expects entities to undertake transfer risk assessments whenever transfers of personal data from the UK to another country take place. The ICO also expects entities to regularly adjust assessments if reviews reveal that data protection rights are or may be undermined via transfers. The ICO’s BCR-Controller application form is here. The ICO’s BCR-Processor application form is here.

Communications Data Retention Amendment Act Signed into Law in Ireland

Ireland’s president recently signed the Communications (Retention of Data) (Amendment) Act 2022 into law. The Act largely focuses on data retention and access measures that are permitted for the purposes of an effective response by state agencies to issues of national security, crime, and safety. Specifically, the Act explains that retention of traffic and location data is permitted on national security, crime, and safety-related matters with prior approval by a designated judge. The Act also establishes that this data will be retained for 12 months. Find the press release here.

Sensitive Personal Data Includes Data Indirectly Disclosing Sexual Orientation According to CJEU Ruling

The Court of Justice of the European Union (CJEU)’s preliminary ruling in OT v Vyriausioji tarnybinės etikos komisija clarifies that data that indirectly discloses sexual orientation is considered a special category of personal data (sensitive personal data). Although the case concerns national anti-corruption legislation, the relevant issue in the case focuses on whether the name of a spouse or partner amounts to the processing of sensitive personal data because it reveals sexual orientation. According to CJEU, it does. Therefore, entities that process this data—data that indirectly discloses sexual orientation—must identify a lawful basis for processing under Article 6 and a separate condition for processing under Article 9 of the EU GDPR. Find the ruling here.

Kenya’s Data Protection Commission Publishes Guidance on Registration of Data Controllers and Data Processors 

Kenya’s Office of the Data Protection Commission (ODPC) recently published guidance to explain further data processor and controller obligations with respect to mandatory registration on the online registration portal. With the Data Protection Act of 2019 and Data Protection Regulations in mind, the ODPC‘s guidance reiterates that the mandatory registration requirement applies to all entities in the public sector offering government functions and entities within the private sector that: (1) process personal data, defined as “any information relating to an identified or identifiable natural person,” of persons located in Kenya including citizens, residents, and visitors; and (2) have an annual turnover or revenue of five million Kenyan shillings and above ten employees. These entities shall not act as controllers or processors of personal data unless registered with the ODPC. Moreover, the guidance features a data processor checklist and data controller checklist, which assists entities in ascertaining if they are data controllers or data processors. 

Continue Reading