Hashed & Salted | A Privacy and Data Security Update
Welcome to the summer issue of Hashed & Salted
In this issue, we’re reporting on developments in children’s privacy, from self-regulatory initiatives to Federal Trade Commission (FTC) enforcement actions, as well as new and proposed legislation. In our first article, partner Nerissa Coyle McGinn and associate Chanda Marlowe give us a midyear roundup of self-regulatory and Federal Trade Commission efforts around children’s privacy. In the second article, they offer a deeper dive into state efforts to address the privacy, as well as the mental and physical health of children and teens, whether through specific children’s privacy laws or general privacy laws that incorporate special protections for minors.
In our spotlight section for this issue, special guest Dona Fraser, Senior Vice President, Privacy Initiatives, BBB National Programs, tells us what issues she’s watching in the children’s privacy space, how BBB National Programs is helping companies navigate this increasingly complex landscape, how her dedication to protecting children online has shaped her career—and why purple just might be her favorite color.
It also wouldn’t be an issue of Hashed & Salted without an update on what’s happening with the California Privacy Rights Act (CPRA) and the California Privacy Protection Agency (CPPA). As we recently reported, the California Superior Court stayed enforcement of the CPRA regulations until March 29, 2024, as the result of a lawsuit brought by the California Chamber of Commerce arguing that the CPRA mandates that the CPPA have all final regulations published by July 1, 2022, and that businesses should have a one-year grace period between the adoption of regulations and their enforcement. The court ruled that for the current package of regulations, which the CPPA approved on March 29, 2023, enforcement cannot begin until March 29, 2024, and that, going forward, the CPPA will not be able to enforce any new regulation until one year following its final adoption and approval by the Office of Administrative Law. In addition, under the CPRA, the CPPA will not be able to bring enforcement actions for violations occurring before the enforcement date (March 29, 2024). The CPPA has appealed the decision.
The CPPA also discussed enforcement priorities during the July board meeting. Deputy Director of Enforcement Michael Macko reported that the agency expects to take aggressive enforcement action on violations and plans to consider a variety of factors in determining whether to bring an action, including the harm to consumers, the nature and severity of that harm, the good faith efforts of the business to comply, and the business’s size and resources. The agency will prioritize protecting children, the elderly and marginalized groups susceptible to privacy violations or being overlooked. In particular, enforcement will likely focus on a short list of obligations under the CPRA, including privacy notices and policies, the right to delete, and the implementation of consumer requests (for example, when consumers make a request, how businesses are operationalizing the request and what potential barriers they may be implementing to make requests more difficult).
In This Newsletter:
- Self-Regulatory and FTC Efforts Focus on Children’s Privacy
- A Roundup of State Laws Related to Children’s Privacy
- Q&A with Dona Fraser, Senior Vice President, Privacy Initiatives, BBB National Programs
- In Case You Missed It
If you’re waiting for the effective dates of newly enacted state privacy laws related to children to draw nearer before evaluating whether any updates are needed to your privacy program, you may already be behind. There has been a lot of activity in this space, outside of legislation, due in large part to the launch of the United Kingdom’s Age-Appropriate Design Code, which went into force in September 2021. Since then, the United States has kept the ball rolling, as evidenced by self-regulatory initiatives and Federal Trade Commission enforcement actions that incorporate many principles found in the UK AADC and continue to make children’s privacy a priority.
Read more here.
For a wide variety of entities — from the Biden administration and the Federal Trade Commission (FTC) to state attorneys general and advocates — protecting children’s privacy has been a top priority in the past two years. While the issues that arise from children’s online activities aren’t limited to privacy, the potential misuse of children’s personal information has put children’s digital rights in the spotlight. As we look at the legislative landscape, it is evident that the forefront of action lies not at the federal level, but within individual states. While Congress has not yet passed an update to the Children’s Online Privacy Protection Act (COPPA) or any other federal privacy law, a patchwork of state-level initiatives has emerged, each attempting to fill the regulatory void and provide safeguards for children.
Read more here.
How did you develop your area of focus?
I became interested in privacy law when I attended Brooklyn Law School, one of the few schools that offered a curriculum with this area of focus. My intention when pursuing law school was to focus on entertainment law, which is an amalgamation of different areas of law (e.g., contracts, copyright, trademark, corporations, trusts and estates) and had much in common with where I ended up in privacy law, or “internet law” as it was called at the time. I was fortunate to receive an excellent, and diverse, legal education with Paul Schwartz, one of our current leaders in privacy law, teaching the classes.
Following law school, I joined a record label as in-house counsel to pursue my passion for the entertainment industry, but the Children’s Online Privacy Protection Act (COPPA) and other emerging privacy issues were always in the back of my mind. I made the decision to leave the music business and to merge the entertainment industry with the children’s space at the Entertainment Software Ratings Board(ESRB), and since then my career has continued to reflect my dedication to protecting children online, my diverse interests in the privacy space, and my commitment to helping well-intentioned companies choose the right path in privacy.
With respect to kid-tech privacy issues, what’s on your radar? What issues are you watching most closely now?
There is much to keep your eye on in today’s kid-tech and privacy landscape, but there are two questions that are of great interest to me that currently are meeting at a crossroads. How do we define the age of a child? How can technology continue to evolve and innovate while taking into consideration the unique needs of and complex privacy risks for children?
For instance, the ability to verify a user or who a person is. This is a big concern and, in some instances a requirement, for businesses.
The rapidly changing legislative landscape in the United States and around the world regarding children and teens complicates things. If we cannot all agree on the age of a child, we create a patchwork of rules, laws and regulations that are impossible for businesses to navigate, let alone innovate, within. When, and in which states, is verifiable consent required? What should that look like in a mobile app versus on different platforms that have each deployed their own rules? When should children be given autonomy? The list goes on.
As an industry, the one thing we can agree upon are the potential harms and risks that face youth in an online environment, but what we have yet to fully embrace is how technology can be used to assist in navigating or avoiding those harms and risks.
Instead, we are taking a hammer to a needle and thread, meaning that as new legislation emerges trying to “fix things,” we squash possible conversations about finding real answers that could lead to real, achievable solutions.
How is BBB National Programs helping companies navigate this increasingly complex child privacy landscape?
At BBB National Programs, we help companies “get to yes.”
Let me explain what I mean by that. Part of my role is leading the Children’s Advertising Review Unit (CARU), a self-regulatory program that celebrates its 50th year next year. Since 1974, CARU has helped companies comply with laws and guidelines that protect children under age 13 from deceptive or inappropriate advertising. The CARU Advertising Guidelines are widely recognized industry standards to ensure that advertising directed to children is not deceptive, unfair or inappropriate for its intended audience. CARU monitors child-directed media to ensure that advertising is compliant with its self-regulatory guidelines.
When COPPA came on the scene, CARU became the first COPPA Safe Harbor program approved by the Federal Trade Commission, expanding the reach of our mission to include the responsible collection and management of children’s data.
When companies come to CARU, either through CARU’s COPPA Safe Harbor program or some other way, it is because they want to do the right thing. As we have discussed, it isn’t always easy to know what the right thing is, especially as the landscape changes so quickly. We discuss with that company their business goals, listen to their questions, and ultimately help them creatively achieve compliance while still creating engaging content for their users and being true to their brand.
Our COPPA Safe Harbor program helps content creators, publishers and their vendors ensure their products (e.g., website, mobile app, platform, connected device or toy) or services directed to children under age 13 are fully compliant with COPPA and CARU’s Privacy Guidelines. We also have prescreening services, which allow a company to bring us their advertising before the ad or promotional website and assets go live so we can help the business or the agency developing the ad spot problems while there is still time to correct them.
There are many ways to “get to yes.” Through our various services, providing different solutions that require various levels of effort, time, financial resources, etc., while being mindful of where companies are, where they want to be, and how they want to grow is a huge part of our day-to-day work. Many people see us as a watchdog—monitoring the marketplace and holding bad actors accountable for irresponsible practices. And though that is part of our responsibility, we also understand that the good actors outweigh the bad and often education is the key to empowering businesses to identify and take the right path.
What role does/can self-regulation continue to play in the kids privacy space?
Despite a rapidly changing and sometimes overwhelming legislative landscape, self-regulation can spark hope. As an industry, businesses can not only move faster than the legislative process but we are also able to convene industry around agreed-upon best practices and standards that can ultimately demonstrate to legislators and regulators that industry can self-regulate. We can fill the gaps and develop the roadmap for legislators and regulators to follow. And why shouldn’t we? We know this business best.
And we can go beyond developing best practices and standards. In partnership with industry groups, companies can work with independent third-party accountability agents like BBB National Programs to develop certification and verification programs that align to those best practices and standards, resulting in seals that meaningfully help companies demonstrate their compliance efforts and standing as one of the good actors.
What’s one thing most people would be surprised to know about you?
This will not be a surprise for those who know me well, but prior to his very untimely death, I saw Prince live in concert 63 times, both here in the U.S. and abroad. And yes, I realize that many Purple One fans have exceeded that number. One of the best of those 63 was an impromptu show the evening he was inducted into the Rock & Roll Hall of Fame. Standing room only, and I was at the front by the stage and touched his shoe!
Privacy Issues in the Use of Artificial Intelligence
Brian Heidelberger, chair of Loeb’s Advertising, Marketing & Promotions practice, and Jessica Lee, chair of the Privacy, Security & Data Innovations practice, along with partner Caroline Hudson and associate Eric Cook, discuss the privacy issues that accompany the rapid advancement of artificial intelligence and its adoption by businesses, including how personal data is collected and managed, data privacy, intellectual property, and other legal liability issues.
You can watch the webinar here.
The Cookie Conundrum: Navigating the Latest Trends in Privacy Litigation and FTC Enforcement
Jessica Lee and partners Christopher Ott and John Taliaferro discuss the latest trends in data privacy litigation and class actions, FTC enforcement rule developments, and security response strategies.
You can watch the webinar here.
Associate Eric Cook Speaks at Black Tech Week
Associate Eric Cook spoke on the July 18 panel “Health and Data Privacy” during Black Tech Week in Cincinnati, Ohio. Black Tech Week connects Black tech entrepreneurs, investors and professionals to education, resources and opportunities—as well as one another—and features more than 10 speakers and 50 workshops.
For more information, visit the event website.
Loeb Associate Chanda Marlowe Named to Lawyers of Color’s 2023 Hot List
Loeb associate Chanda Marlowe has been named to the Lawyers of Color 2023 Hot List, which recognizes lawyers working in law firms, companies and government agencies across the U.S. who show promise in their careers and demonstrate a strong commitment to advancing diversity in the legal profession. Chanda and her fellow honorees were profiled in the Lawyers of Color Hot List 2023 issue and celebrated at a reception in Washington, D.C., on July 19.
You can view the full list of 2023 Hot List honorees on the Lawyers of Color website.
Loeb Welcomes Partner Harry Valetk to the New York Office
Harry Valetk joined the firm in early July 2023 as a partner in Loeb’s Advanced Media & Technology group. Harry provides counsel to companies and organizations of all sizes on privacy, data protection and requirements related to incident response. He has worked with clients on global privacy and data protection issues in multiple fields, including financial services, retail, pharmaceutical and health care, travel and hospitality, cloud technology, and manufacturing.
Sign up for our Hashed & Salted newsletter by creating an account and selecting Privacy, Security & Data Innovation as your area of interest here.