The Data is Out There
"The Data Is Out There" / Alex Krylov via Bing Creator


Lucid folks,

The European Commission has given passing grades to 11 countries whitelisted under the EC’s data transfer adequacy schema. Countries like Canada, Israel, Switzerland and Uruguay are still ‘adequate’ protectors of Europeans’ personal data and can continue to enjoy unimpeded data flows in/out of the EU.

Our eyes are now on the UK, whose post-GDPR status remains in question; and the US, whose Data Privacy Framework could hang on the actions of the next President.

Speaking of data flows…

In this issue:

  • FTC x Location data brokers
  • Marketers x NJ ‘Daniel’s Law’
  • CNIL x Transfer Impact Assessments

From our bullpen to your screens,

Colin O'Malley & Lucid Privacy Group Team


If this is the first time seeing our Privacy Bulletin in your feed, give it a read and let us know what you think. If you enjoy what we're doing, please subscribe. For more unvarnished insights, visit our Blog. Comments and discussions are welcome!


Correction: Last week we crossed our wires and stated that New Jersey’s Privacy Act offers a private right of action. It does not. Rather, it is NJ’s Daniel’s Law that carries the PRA.


FTC Dings Another Location Data Broker

The Federal Trade Commission has barred mobile data broker X-Mode (now Outlogic) from selling “sensitive location data”: precise GPS coordinates and closely triangulated Bluetooth and Wi-Fi signals that can be used to profile individuals’ movements over time.

Core issues: The FTC alleges that the broker’s datasets pinpoint health facilities, places of worship and domestic abuse shelters. As in its case against Kochava, the watchdog accused X-Mode of recklessly selling raw location data on the open market while doing nothing to prevent that data from being tied to unique mobile users. The FTC considers this an unfair and harmful business practice deserving the enforcer’s special attention.

Compliance order: The FTC requires X-Mode to keep track of and blocklist sensitive locations, and to expunge such previously collected data unless mobile users consent to its sale. Notably, the FTC brings LGBTQ+ support centers and spaces where political protesters congregate into the scope of its restrictions.

Lessons and implications: Mobile devs and marketers are on notice as much as data brokers.

  • Devs must exercise oversight over the third-party SDKs they use in apps, and take steps to collect users’ affirmative consent for sharing location data with third parties.
  • In turn, data aggregators must vet their data source providers, scrub sensitive locations from sold/licensed datasets, and enforce data use and re-identification restrictions.
  • For their part, mobile marketers are tasked with introspection and restraint. (The NAI’s Health Advertising Best Practices can help.)

Zooming out: In a post-Dobbs America where a visit to an abortion clinic can be readily correlated with public records and purchased mobile data, singled-out patients and their associates (e.g. an Uber driver) can face a range of legal and social consequences. Although the FTC is serious about curbing unscrupulous brokering practices, the enforcer’s limited authority means it must play enforcement whack-a-mole. It will take Congressional bans such as those proposed by Senators Wyden and Warren to force durable reforms.


NJ Daniel's Law: Anti-Doxxing DSRs on the Rise

Automated data subject requests are on the rise, and from a rather uncommon source -- public servants. The latest spike is attributed to 'Do Not Disclose' requests under a New Jersey law few have heard of.

What it is: Daniel’s Law (NJDL) was enacted in 2020 to protect active or retired judges, prosecutors and law enforcement personnel and their immediate families from doxxing, stalking, physical and other harms by disgruntled individuals.

What it does: The law enables "covered persons" to request that individuals and businesses stop disclosing their names, home addresses or unpublished telephone numbers on the Internet. Businesses must honor requests within 72 hours.

Business recipients: Typically, people search companies like Spokeo and Intelius. But increasingly, a broader set of marketing data and tech companies, the majority of whom do not process public record data or any real-world data at all, have been receiving thousands of NJDL requests.

How it’s enforced: Private right of action (PRA). Private plaintiffs can seek injunctive relief or damages of up to $1000 per violation in the NJ Superior Court.

How DSRs are delivered: Templated emails through a privtech app that allows its users to select some or all companies from a curated list.

List sources: California’s data broker registry and similar public databases.

Why this matters: Compliance is a two-way street. When sent under an expansive law like the CCPA, the volume and velocity of DSRs becomes a fathomable test of a marketer's operational readiness. But when sent under a niche law like NJDL, the phenomenon becomes a matter for Mulder and Scully. Is this spam? Why us? Why now? Respond when? The truth (and data) is out there.


Other Happenings

  1. CNIL Drafts Practical Guide to Transfer Impact Assessments. The "Schrems II" ruling by the CJEU highlighted the responsibility of data exporters and importers during and after data transfers. Transfer Impact Assessments can be an onerous task for businesses, so CNIL is now seeking public input to help draw up guidelines that help businesses evaluate the level of protection in the destination country and implement additional safeguards.
  2. EDPB Considers Creating 'Pay or OK' Guidelines. Although this guidance will focus primarily on Meta's use case, many publishers across Europe will be waiting on tenterhooks for any guidance from Europe's parliament of data protection authorities. Reminder: German and Austrian DPAs have grudgingly permitted only some flavors of PUR by news publishers. Since Meta has been designated an Internet Gatekeeper, we expect market regulators and perhaps the CJEU to weigh in too. #consumerprotection #notjustprivacy
  3. CA's 'Age-Appropriate Design Code' Law Clones on the Way? AADC aims to shield minors on social media from inappropriate content and strangers. While well-intentioned, critics fear enforcement challenges and unintended consequences, along with infringement on free speech and privacy rights. The law has been blocked in court, but an appeal is pending in the 9th Circuit. Minnesota, Maryland and New Mexico are considering similar bills while the debate on its broad and unworkable nature continues.
  4. Not Identifiable? Estee Lauder BIPA Suit Dismissed. Last year, cosmetics giant Estee Lauder faced a class action lawsuit for allegedly violating a bankruptcy-inducing Illinois biometric privacy law. The issue? Plaintiffs alleged Estee failed to notify cosmetics “try on” tool users about its biometric data practices. On Jan 10, the IL Northern District Court dismissed plaintiffs’ claims as failing to establish that Estee linked facial scans to customer profiles. Estee maintained it did not create unique biometric IDs or tie them to users.


Lucid Resources


Austin Smith

Data Privacy Lawyer (CIPP/US, CIPP/E)

1 yr

I always love an X-Files reference!
