Hashed & Salted | A Privacy and Data Security Update
Happy new year to our Hashed & Salted readers!
We are coming up on one year of Hashed & Salted. We have had so much fun taking time for deep dives into the critical issues of privacy and security this year—2022 was a wild ride for privacy and there appears to be no slowing down. In addition to the four state laws that will go into effect, 2023 will likely usher in a new wave of state privacy laws as efforts to pass a federal bill, which that failed this year, may face new challenges under the 118th Congress. The Federal Trade Commission (FTC) will continue its long journey of privacy rule-making next year, and we expect it to continue aggressive enforcement of existing privacy rules. Children’s data, AI and automated decision-making, and dark patterns will remain focuses, as will the concerns about the use of health and location information following the Dobbs decision earlier this year. Adtech is pushing toward its new cookieless future, although the pace is slower than expected. Nonetheless, in light of the restrictions coming from current and potential regulation, the use of privacy-enhancing technologies will likely take a bigger role in 2023. Outside the U.S., there are a number of regulations in Europe (including the AI Act, the Data Act, the DMA and the DSA) that will significantly impact how companies do business there. We are keeping an eye on privacy changes in India, Australia, Quebec and several countries in Africa, which have implemented and are now enforcing new regulations. We are also watching privacy stretch into new related areas, including ethics, antitrust, corporate deal-making and AI.
In our last issue, we asked the question: As we head toward the end of the year, will the implementing regulations for the California Privacy Rights Act (CPRA) be finalized in time for the Jan. 1, 2023, implementation?
Now we know—the answer is a definite no.
During its Dec. 16 board meeting, California Privacy Protection Agency (CPPA) Executive Director Ashkan Soltani predicted that the proposed regulations would come before the board for final approval at the end of January and the final rule-making package, which would include the Final Statement of Reasons and responses to all the public comments received by CPPA throughout the rule-making process, would be presented to the California Office of Administrative Law (OAL) in mid-February. Given the 30-day review window with OAL, the regulations could finally take effect—if approved—in early April. Privacy, Security & Data Innovations Chair Jessica Lee and associate Shely Berry take a deeper dive into the CPPA’s process and the proposed regulations in our first article.
On the U.S. privacy front, bolstering privacy protections for children and teens remains a focus for lawmakers. A bi-partisan group of senators, including Sens. Ed Markey (D-Mass.), Cynthia Lummis (R-Wyo.), Bill Cassidy (R-La.) and Richard Blumenthal (D-Conn.) called on Congress enact legislation before the end of the current session focused on four key areas: banning targeted advertising to children; expanding data privacy protections to teens; creating a new division of the FTC, the Youth Marketing and Privacy Division, focusing on specific issues related to children and teens online; and commissioning a study of the safe harbor provisions under the Children’s Online Privacy Protection Act. Efforts to push through two specific pieces of legislation—the Children and Teens’ Online Privacy Protection Act and the Kids Online Safety Act—as part of the federal government’s 2023 budget plan were ultimately unsuccessful, however. Neither bill was included in the text of the final package.
On the international privacy front, associate Ritu Narula offers a deep dive into the European Union’s proposal for the much-anticipated EU Data Act, a key pillar of the EU’s February 2020 Strategy for Data.
And in our Team Member Spotlight, associate Chanda Marlowe talks about how her time with the Future of Privacy Forum (FPF) during and after law school spurred her interest in privacy, what she foresees on the children’s and students’ privacy fronts, and how her pre-law work had her—and others—doing backflips.
In This Issue:
- The CPRA Regulations: A Journey That Will Extend Well Beyond 2023
- EU Data Act
- Team Member Spotlight: Chanda Marlowe
- In Case You Missed It
- Event Spotlight
At the Dec.16 meeting of the CPPA, Executive Director Ashkan Soltani provided an update on the rule-making process, predicting that the proposed regulations would come before the board for final approval at the end of January. Given the rule-making process, the regulations could finally take effect—if approved—in early April 2023.
The European Commission unveiled its proposal of the much-anticipated EU Data Act in February. The Data Act, which is considered a key pillar of the EU’s February 2020 Strategy for Data, is a sweeping proposal intended to “form the cornerstone of a strong, innovative and sovereign European digital economy,” according to the commission’s press release, sitting alongside the EU’s Data Governance Act.
- How did you develop your area of focus?
I worked at the Future of Privacy Forum (FPF) as a summer intern during law school and returned after graduation for two years as the inaugural Christopher Wolf Fellow. My work at FPF centered on location and advertising technologies, which allowed me to take the lead organizing and moderating monthly working group discussions on some of the most pressing issues in privacy with industry leaders, academics and other experts in the field. I also worked closely with FPF’s education team on projects related to child/student privacy. I find this background useful every day in my current practice, where I advise clients on compliance with various state and federal privacy laws, regulations, and best practices. I have incredible mentors to thank for helping me understand and navigate this space.
- What’s exciting you/grabbing your attention right now?
I’m excited to see what’s next for child/student privacy. The legal landscape has been generally limited to COPPA, FERPA and SOPIPA-like student privacy laws for quite some time, but now we’re seeing movement at the state level, with the passage of California’s Age Appropriate Design Code and similar bills being proposed in other states, and at the federal level, which would not only raise the age of children’s privacy protections but also introduce concepts beyond privacy, including what’s in the best interest of the child.
- What’s one thing most people would be surprised to know about you?
Prior to law school, I taught ninth through 11th grade English for five years, and I was a high school cheerleading coach.
- Jessica Lee spoke to the International Association of Privacy Professionals (IAPP) about the anticipated finalization of CPRA regulations, which have recently been pushed back again.
- In other California privacy news, the California Age-Appropriate Design Code Act (ADCA), was signed into law on Sept. 15 and will become effective on July 1, 2024. The ADCA will impose new requirements and prohibitions on a broad range of businesses beyond those that are included in the Children’s Online Privacy and Protection Act (COPPA), with the aim of better protecting children’s privacy and online safety.
Read our full alert here.
- Jessica Lee spoke with Eric Seufert on his Mobile Dev Memo podcast, discussing digital privacy legislation.
You can listen to the podcast and read the transcript here.
- Senior Counsel Robyn Mohr and Jessica Lee joined IAB Executive Vice President of Public Policy Lartease Tiffith and IAB Director of Public Policy Virginia Poe for a virtual briefing on A Look Ahead: What to Expect from a Fully Staffed FTC under President Biden.
You can watch the virtual briefing on the IAB website here.
Sign up for our Hashed & Salted newsletter by creating an account and selecting Privacy, Security & Data Innovation as your area of interest here.