California’s privacy regulator says no to the new US federal privacy bill. FTC says “no” to telehealth provider for alleged sharing of user info.


By Robert Bateman and Privado.ai

In this week’s Privacy Corner Newsletter:

  • European data protection authorities say “no” to (some) “consent or pay”.
  • California’s privacy regulator says “no” to the new US federal privacy bill.
  • The Federal Trade Commission (FTC) says “no” to telehealth provider Cerebral's alleged sharing of its users’ sensitive information.
  • What we’re reading: Recommended privacy content for the week.

EDPB gives a qualified ‘no’ to ‘consent or pay’ models

The European Data Protection Board (EDPB) has issued an opinion on “consent or pay” policies among large online platforms.

  • The opinion comes at the request of the Dutch, Hamburg, and Norwegian data protection authorities (DPAs), who are concerned about Meta’s policy of charging users to access Facebook and Instagram without behavioral ads.
  • The EDPB says large online platforms’ pay-or-consent policies are unlikely to meet the GDPR’s consent requirements unless they offer users a free alternative version of their services without behavioral ads.
  • The opinion is not binding on any specific company but indicates how regulators across the European Economic Area (EEA) will likely approach enforcement of this issue.

Has the EDPB settled the ‘consent or pay’ issue?

No, this opinion doesn’t settle this contentious issue of data protection law. The EDPB’s opinion is not binding in the same way as a court judgment would be and only covers “large online platforms.”

The opinion uses a lot of “shoulds,” “is likely to”s, and other conditional language that gives Meta and other large online platforms considerable wriggle room.

How does the EDPB define ‘consent or pay’?

The opinion is about consent-or-pay models where the controller offers data subjects at least two options, including:

  1. Consent to the processing of their personal data for a specified purpose (in this case, behavioral advertising), or
  2. Pay a fee and gain access to the service without the processing

The EDPB states that behavioral advertising is “considered a particularly intrusive form of advertising.”

A “large online platform” appears to be a category that exists only for the purposes of this opinion. Such a controller has a large number of users and a strong market position. It may or may not be an “online platform” under the Digital Services Act (DSA) or a “gatekeeper” under the Digital Markets Act (DMA).

What does the EDPB say about ‘consent or pay’?

In its 42-page opinion, the EDPB assesses consent-or-pay against the GDPR’s requirements for valid consent, occasionally drawing on other laws such as the ePrivacy Directive, the DSA, and the DMA.

The EDPB also references July’s Bundeskartellamt judgment from the CJEU, where the court said (in passing) that if Meta wished to undertake behavioral advertising, it should offer users “an equivalent alternative not accompanied by such data processing operations” but added that this alternative could be offered “if necessary, for an appropriate fee.”

Here are some interesting statements and observations from the EDPB’s opinion:

  • “Personal data cannot be considered as a tradeable commodity”.
  • The imbalance of power between large online platforms and users affects the validity of consent.
  • Whether a fee is “necessary” or “appropriate” should be decided on a case-by-case basis.
  • Consent-or-pay models must meet all the GDPR’s elements of valid consent.
  • If a person loses access to a service that is “part of their daily lives,” this may be a “detriment” per Recital 42 GDPR.
  • Not having access to social media can affect some users’ “emotional and psychological well-being”.

So, is consent-or-pay OK or not?

Here’s the gist: The EDPB thinks that if a large online platform offers a free tier and a paid tier, the free tier should (probably) not involve behavioral advertising.

“In most cases, it will not be possible for large online platforms to comply with the requirements for valid consent if they confront users only with a binary choice between consenting to processing of personal data for behavioural advertising purposes and paying a fee.”

So, for example, the EDPB would likely approve of the following model:

  • Option 1: Paid subscription, no behavioral advertising
  • Option 2: Free service, consent to behavioral advertising
  • Option 3: Free service, contextual ads without behavioral advertising

Option 3 is likely to be popular among users—but it might not fit with Meta’s business model.

California regulator voices opposition to draft federal privacy law

The California Privacy Protection Agency (CPPA) has written to the US House of Representatives expressing firm opposition to the American Privacy Rights Act (APRA).

  • The APRA is a federal privacy bill introduced earlier this month. It would preempt many state privacy laws in an effort to unify privacy standards across the US.
  • The CPPA notes that the APRA would strip the CPPA of its powers to regulate privacy in California while handing supposedly lesser enforcement powers to the Federal Trade Commission (FTC).
  • The letter also highlights several alleged deficiencies in the APRA in areas such as AI, data brokers, and sensitive data.

What is the CPPA’s issue with the APRA’s preemption?

Fundamentally, the CPPA does not like how the APRA preempts state privacy laws like the California Consumer Privacy Act (CCPA). Preemption means that a federal law takes precedence over state laws that have similar effects.

Preemption was essentially the issue that killed the last attempt at a US federal privacy law, the American Data Privacy Protection Act (ADPPA), thanks in large part to California.

APRA’s preemption model means that the law would be a “ceiling” for state privacy protections rather than a “floor” on which states can build.

As a rule, APRA would preempt comprehensive state privacy laws like those passed in California, Virginia, Colorado, and many other states—but not laws covering areas like:

  • Consumer protection
  • Data breach notification
  • Employee and student privacy
  • Provisions of laws addressing issues like financial records, wiretapping, and spam

Entities in compliance with the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), and the Fair Credit Reporting Act (FCRA) would be deemed in compliance with the relevant parts of the APRA.

And crucially—the APRA would strip the CPPA of its enforcement powers. The FTC would get new powers to enforce the APRA, but the CPPA says these would not be enough to preserve Californians’ privacy protections.

What else does the CPPA say about the APRA?

The CPPA claims that the APRA is weaker than the California Consumer Privacy Act (CCPA) and its regulations in several key areas, including:

  • Automated decision-making and AI: The CPPA’s (severely delayed) automated decision-making technology (ADMT) regulations would offer consumers the right to opt out of the use of their personal information for training ADMT, a protection that the APRA lacks.
  • Data brokers: The California Delete Act lets consumers delete personal information held by data brokers via a central portal. The APRA provides the right to make a “Do Not Collect” request to data brokers, which the CPPA says would still allow data brokers to “retain and sell consumers’ information.”
  • Sensitive data: Unlike the CCPA, the APRA does not include sexual orientation, union membership, or immigration status as categories of sensitive data.

Does the CPPA have a point?

The US has a second chance at passing a privacy law that would provide new protections for millions of people.

On the other hand—around one-third of states have now passed comprehensive privacy laws. This trend is not slowing down—this month, Maryland and Nebraska both passed new legislation that is awaiting a governor’s signature.

This patchwork means legal compliance is more complicated than ever. However, it also means that if the APRA is weaker than a given state law, it would weaken many people’s new-found privacy protections.

FTC hits Cerebral with proposed $7m penalty and partial advertising ban

The US Federal Trade Commission (FTC) has issued a proposed order against online therapy provider Cerebral.

  • Cerebral allegedly shared sensitive health information with companies like LinkedIn, Snapchat, and Facebook to target users with ads.
  • The FTC also accuses the company of security failings and violations of retail law.
  • The proposed order imposes a $7 million civil penalty and a ban on using sensitive data for advertising purposes.

What did Cerebral allegedly do wrong?

Many of the FTC’s allegations against Cerebral are similar to those levied against other health-related companies such as GoodRX, BetterHelp, Flo, and, most recently, the New York alcohol addiction clinic Monument.

Among many other allegations, the FTC says Cerebral collected its users’ sensitive health information via pixels and other tracking technology and shared this data with advertisers without appropriate notice or consent.

Cerebral’s privacy notice referred to “non-personal” and “aggregate” information, which the FTC does not consider an accurate description of the data types collected by the pixels and trackers Cerebral deployed.

The complaint is particularly scathing of Cerebral’s CEO, Kyle Robertson, who is characterized as the driving force behind Cerebral’s allegedly unlawful activity. Having refused to settle with the FTC personally, Robertson will face the agency separately in court.

What other issues are addressed in the order?

According to the FTC, Cerebral also allegedly:

  • Sent users marketing postcards that appeared to reveal their health conditions
  • Failed to block former employees from accessing medical records
  • Used insecure access methods that exposed patient data
  • Failed to implement adequate security policies and training

The company’s refund policy also allegedly violated the Restore Online Shoppers’ Confidence Act (ROSCA).

What We’re Reading
