On August 24, 2022, California Attorney General Rob Bonta announced a settlement with Sephora for violations of the California Consumer Privacy Act (CCPA). The action places online consumer tracking, analytics and advertising squarely in the regulatory crosshairs. “Sephora, like many online retailers, installs third-party companies’ tracking software on its website and in its app so that these third parties can monitor consumers as they shop,” the AG alleged, “. . . [and] when a company like Sephora utilizes third-party tracking technology without alerting consumers and giving them the opportunity to control their data, they deprive consumers of the ability to limit the proliferation of their data on the web.”
NIST Releases New Draft of Artificial Intelligence Risk Management Framework for Comment
The National Institute of Standards and Technology (NIST) has released the second draft of its Artificial Intelligence (AI) Risk Management Framework (RMF) for comment. Comments are due by September 29, 2022.
NIST, part of the U.S. Department of Commerce, helps individuals and businesses of all sizes better understand, manage and reduce their respective “risk footprint.” Although the NIST AI RMF is a voluntary framework, it has the potential to impact legislation. NIST frameworks have previously served as the basis for state and federal regulations, like the 2017 New York State Department of Financial Services Cybersecurity Regulation (23 NYCRR 500).
The AI RMF was designed and is intended for voluntary use to address potential risks in “the design, development, use and evaluation of AI products, services and systems.” NIST envisions the AI RMF to be a “living document” that will be updated regularly as technology and approaches to AI reliability evolve and change over time.
FTC Signals Intention to Move Forward to Adopt New Privacy Rules in the Absence of Federal Legislation
The Federal Trade Commission (FTC), on a split party vote on August 11, approved an Advance Notice of Proposed Rulemaking (the Notice) that focuses on potential new rules and requirements that could apply to entities engaged in targeted advertising or other forms of personal information gathering and sharing. Once this Notice is published in the Federal Register, the public will have 60 days to comment on the merits of the proposed new rules. There is also a public forum on the Notice slated to take place on September 8. The FTC’s action comes on the heels of legislative attempts to codify federal privacy protections that have yet to come to fruition.
UK’s Data Protection Reform Proposals Show Distinct Divergence from EU Rules
The UK government has recently published proposals to amend UK data protection legislation with moves towards divergence from EU rules and regulation following the UK’s decision to leave the EU (“Brexit”). The Data Protection and Digital Information Bill (“DPDI Bill”) proposes to make significant changes to existing UK data protection legislation, including the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018 (“DPA”). The proposals include some measures that will result in a significant divergence, particularly for companies operating on a pan-European basis. While some compliance obligations will be relaxed, most of the changes can best be described as “similar but different” in approach. It remains to be seen what the final text will look like when the bill is passed into law, with some of the more radical proposals already having been dropped from consideration. A crucial point of consideration for UK legislators when the DPDI Bill is making its way through the various stages of the legislative process in the Houses of Parliament will be whether this legislation remains sufficiently similar to the EU’s General Data Protection Regulation (“EU GDPR”) that the UK is able to retain its adequacy status for the purposes of exports of personal data from the EU to the UK by companies operating internationally.
Progress on Federal Privacy Legislation, but Still a Long Way to Go
A bipartisan group of legislators in Washington, D.C., recently released a discussion draft of a federal privacy bill — the American Data Privacy and Protection Act (ADPPA). This draft bill reaches compromise positions on two key issues that have been the largest obstacles to passing such legislation: state preemption and a private right of action. This discussion draft preempts most comprehensive state privacy laws and includes a narrow and limited private right of action. The compromises on these issues in the bill, however, are likely to draw criticism from both Democrats and Republicans, along with industry and privacy advocates.
Faegre Drinker on Law and Technology Podcast: The CCPA, CPRA and the Future of Privacy Laws
The California Consumer Privacy Act of 2018 (CCPA) and the California Privacy Rights Act of 2020 (CPRA) are the most comprehensive privacy rights laws passed in any state — and are widely viewed as potential models for future privacy laws. In this episode of the Faegre Drinker on Law and Technology Podcast, host Jason G. Weiss sits down with former Faegre Drinker associate Michael Jaeger, an authority on the California privacy landscape, to take a deeper look at these sweeping laws, how they are being enforced and the effect they have had on impacted businesses.