The third quarter saw some major developments across the privacy space. In the U.S., we saw a federal bill for comprehensive privacy achieve more than ever before, children’s privacy proved to remain a top concern, and the Federal Trade Commission formally began its heavily criticized “Magnuson-Moss rulemaking” process. Not to be outdone, the international community saw marked progress as well, with Indonesia passing a data protection law, Ireland expanding its Data Protection Commission to include two additional members, and the European Union showing a commitment to setting the bar when it comes to Artificial Intelligence (AI) legislation.
Privacy in the US
The prospect of a federal privacy law took center stage this quarter. The American Data Privacy and Protection Act (ADPPA) was voted out of the House Energy and Commerce Committee by a vote of 53-2 before the August recess. While the list of proposed federal privacy legislation may now stretch a mile, nothing introduced to date has proved as strong, as bi-partisan, and as substantial as the ADPPA. Despite all this, the bill was met at the Senate with immediate disregard as Speaker Nancy Pelosi issued a statement saying the committee should be “commended on its work,” but that the bill would not be voted on in its current form due to concerns from California leaders that “it does not guarantee the same essential consumer protections as California’s existing privacy laws.” This argument has induced much debate, with many privacy advocates and professionals arguing that the ADPPA offers greater protections for all. By the end of the third quarter, California lawmakers continued to successfully block its advancement.
In addition to its general opposition to the ADPPA, California also made news this quarter as it passed the California Age-Appropriate Design Code Act, a first-of-its-kind state law modeled after the U.K.’s Age-Appropriate Design Code, which restricts the collection and sharing of children’s personal data and takes effect July 1, 2024. The law will require businesses that offer online services, products, or features “likely to be accessed by children” to put in place strong privacy protections, by design and by default. It will require businesses to produce data protection impact assessments for all new products and services “likely to be accessed by children,” and will require that entities comply with age estimation practices. This law likely indicates a coalescing around the U.K. code, and we expect mirror legislation to surface (as NY has recently proven).
Lastly, the Federal Trade Commission initiated its rulemaking process on August 11th, and published its Advance Notice of Proposed Rulemaking (ANPR) to explore potential new rules regarding the prevalence of “commercial surveillance” and “lax data security practices.” The ANPR is sweeping in scope, poses 95 questions on which it seeks public comment, and covers nearly every form of data collection.
The international community rallied this quarter as many countries introduced legislation, opened periods for public comment, and published guidance. Most notably, Indonesia, the world’s fourth most populous country, passed a highly anticipated data protection law. Drafted in 2016 and modeled after the EU General Data Protection Regulation (EU GDPR), the law will provide privacy protections for more than 270 million people, following a two-year adjustment period.
Ireland, which has long been criticized for its lack of enforcement outcomes when it comes to the GDPR, also announced this quarter that it has approved the expansion of its Data Protection Commission to include two more commissioners in hopes of easing the backlog of enforcement cases.
Lastly, the EU pursued legislation on artificial intelligence (AI) this quarter, introducing the AI Liability Directive on September 28th, to complement the EU’s AI Act. With hopes of producing the next global standard — as they did with data protection — the EU is quickly advancing both pieces. The AI Act would establish new requirements for “high risk” uses of AI, while the Liability Directive would extend the ability to sue for damages after being harmed by an AI system.
This quarter proved that advancing children’s privacy continues to be top of mind across the globe as Ireland’s DPC issued the second highest GDPR fine to date against Instagram for violating children’s privacy. The fine of €405 million marked the end of a lengthy process, which included other supervisory authorities, and a dispute resolution procedure at the European Data Protection Board.
California also doled out its first ever fine under the California Consumer Privacy Act. The California Privacy Protection Agency fined Sephora $1.2 million for violations of the law’s “do not sell” provisions, highlighting a broad definition of “sale” that included the sharing of consumer data with third parties that utilize online tracking technologies in exchange for monetary or other valuable consideration, and for failing to process user requests to opt out of sale via user-enabled global privacy controls. The fine was issued despite a 30-day cure period.
Looking ahead to Q4
If the last week of the third quarter and the first week of the fourth quarter give any indication, privacy will stay busy for the remainder of 2022. Here is what we are watching as we approach the end of the year:
- As Colorado begins the rulemaking process around its Colorado Privacy Act, how will this affect implementation and enforcement of other U.S. state privacy laws?
- The global response to President Biden’s Executive Order on the U.S. and EU trans-Atlantic data flow mechanism.
- With the EU and U.S. moving forward with artificial intelligence regulation, who will take the lead and what will the initiatives look like?
About the Authors:
Emily Leach is the privacy director at Blueprint Technologies, overseeing privacy operations, creating content for the company’s privacy program management technology and consulting for businesses from Fortune 500 to SMBs. Emily has been working in data privacy for 15 years and holds CIPP/US and CIPP/E certifications from the IAPP.
Molly Hulefeld is a privacy analyst at Blueprint Technologies, supporting consultants and clients by tracking and reporting on changes in the privacy landscape globally. Molly creates content for the company's privacy program management technology.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.