?? Looking ahead

Lucid folks,

The new year is officially upon us, and as we re-aquaint ourselves with our alarms and struggle with our resolutions (we made those commitments under duress!), we tap back into a privacy world about to change completely here in the States.

Or maybe not. ?Privacy remains a largely bi-partisan issue and government institutions are more stubborn than either party would care to admit, and California remains … an undimmed poppy, and member of a growing club of states that won’t wait around for the Feds to take the lead.

Come with us on another year of careful observation and parse the nuance with us.

In this issue:

• A new FTC chair with a new attitude … but also, manning the same ‘ole aircraft carrier
• A banner year for the ICO, with big changes in store
• California new data broker opt-out mechanism seeks Do Not Call status

…and more.

Colin O'Malley & Lucid Privacy Group Team

With Alex Krylov (Editor/Lead Writer), Ross Webster (Writer, EU & UK), Raashee Gupta Erry (Writer, US & World), McKenzie Thomsen, CIPP/US (Writer, Law & Policy)

?? If this is the first time seeing our Privacy Bulletin in your feed, give it a read and let us know what you think. For more unvarnished insights, visit our Blog.

Your comments and subscriptions are welcome!

For FTC Enforcement, Let it Go, Let it Go? (??)

Under Andrew Ferguson’s Chairmanship, the FTC is expected to shift from aggressive privacy enforcement and sweeping rulemaking efforts to more targeted actions grounded in fraud and tangible consumer harms.??

Why it matters: ?Fundamentally, Ferguson views the current FTC as overstepping its authority in seeking to use its limited deceptive business practices powers as a substitute for a comprehensive privacy law. Like other Republican Commissioners who resigned over the agency’s direction (1, 2), Ferguson believes Congress alone should handle the “difficult choices and expensive tradeoffs” such a law requires.

• These particular views are neither radical nor partisan. The outgoing Chair, Lina Khan, has herself called on Congress to address a post-Dobbs environment where companies are allowed to “collect [and sell personal] data indiscriminately”, including to law enforcement.
• While he concurs that the U.S.’s notice and choice regime is fundamentally broken regarding sensitive data collection, and should be reformed, he would prefer to move away from penalizing businesses simply because the data or inferences they utilize “might be on an indeterminate naughty [sensitive] categories list.”

The key difference between Khan and Ferguson to watch for in 2025 would be the lengths to which Ferguson will go to stay within the boundaries of the agency’s Congressional authority. Khan had been particularly creative in wielding the FTC’s historically dormant powers on privacy and competition grounds, in the process facing criticism from fellow Commissioners, Republicans and Wall Street alike. Against this political backdrop Ferguson is expected to play safer chess.

Zooming out: Ferguson’s views on enforcement are nuanced and shared by many in the privacy community, and it’s unlikely he will sleep on the “data privacy crisis” he sees unfolding in the U.S. But recent reports by Free Press and Tech Dirt raise notable concerns -- the FTC, like the DoJ, risks becoming subordinate to the Oval Office’s reactionary agenda, rewarding companies the President likes (Twitter/X) and punishing those he doesn’t (Google, Meta). Watch this space.?

Auld GDPR Syne, Le Tòiseachadh ùr (??)

In 2024 the UK's Information Commissioner's Office had considerable success in delivering on its core priorities.?

• Protecting children: Enforcing the Children's Code and its restrictions on targeting ads to minors.
• Regulating AI: Launching a Gen AI consultation, as well as action against Meta and Linkedin for violations.
• Fair and transparent adtech: Focussed on publisher transparency driving greater user choice, and the appropriate gatekeeping of ad related “storage and access technologies”. (We’ll cover this further in our next issue.)

Why it matters: Rather than depend on hefty headline-grabbing fines by the Irish DPC, the ICO has been driving internal cultural change while maintaining focus on its operational delivery and internal data literacy. The ICO has engaged with a helpful measured consultative approach to demonstrate how a regulator can engage in a positive way, for example:

• Launching consultations on Generative AI and the “Consent or Pay” model.
• Publishing guidance reports on Biometric data, how fines are calculated, and the lessons from the common security “mistakes of others.”
• Producing useful tools to build bespoke privacy notices and audit frameworks.

Zooming out: There is still substantial unfinished business across all these priorities, and not in small part due to potential changes on the horizon in 2025 -- the Data Use and Access Bill (DUA) and an Adequacy Review. The DUA, expected this spring, will reshape the ICO, expanding its role in tech innovation and privacy enforcement to create a more unified regulatory framework. This move bolsters the UK’s case for Adequacy renewal, a status previously jeopardized by the last Conservative government’s fixation on a “Brexit Dividend.” With the European Commission’s review looming in June 2025, the DUA positions the ICO to meet evolving digital challenges while keeping Brussels satisfied.

IAB to EDPB: Please, No Hammer (??)

The IAB Europe has submitted a response to the EDPB ahead of the regulator's decision on Meta’s "Consent-or-Pay" (CoP) business model. The effort represents a year-long effort to advocate on behalf of news and other other content publishers more-so than the tech giant.

Why it matters: The EDPB siding with Privacy Advocates and ruling against Meta’s use of CoP continues to vex the online advertising community. As an industry trade, the IAB EU has the unenviable task of advocating for a diverse membership, some of whom are particularly vulnerable to revenue losses from less valuable ads. In short, publishers should not be obligated to provide a completely ‘free’ alternative to personalized advertising. Moreover…?

• CoP can represent a valid form of consent, provided it is not inherently coercive or otherwise violates data protection principles.
• Publishers, like other market participants, should have the flexibility to set their own pricing.
• Contextual Advertising is not a cost-effective replacement for Behavioral Advertising.
• Which services are essential and should be ‘free’, like other pan-EU socio-economic issues, lies outside of the scope of the EDPB’s competence.?

Zooming out: If the EDPB rules handicap all Behavioral Advertising, it would have a significant effect in the viability of free online publishing, and we will certainly see the model wither. Like much of the regulatory enforcement around online advertising, this will not be a simple one-time fix. And whichever way the EDPB rules, expect legal challenges coming from the IAB EU, the large online platforms and privacy advocate groups for many years.

Have Yourself A Pricey Little DROP List (??)

The California Privacy Protection Agency (CPPA) is ramping up its efforts to regulate a wider spectrum of ‘data brokers’ in the state. In November, the CPPA Board voted to expand the scope of covered data sellers and to have registrants pay a substantially higher fee to help cover the cost of the Delete Act’s implementation.

Why it matters:

• By law, the Agency must finish its accessible deletion mechanism (DROP) by Jan 1, 2026, making it ready for ‘brokers’ — from humble MAID mongers to people-search barons — to tap into by Aug 1, 2026.?
• The project is non-trivial and requires substantial coordination between the Agency, its vendor and industry stakeholders. Delays are possible, and stakeholders will want plenty of time to test drive the platform through the summer of 2026 in any event (hello, Google Sandbox).
• Given these complexities, the platform may cost the CPPA upwards of $12,000,000, a price tag the Agency aims to cover, at least in part, with a 1,550% increase in annual broker fees.
• Whether the $6,600 price tag becomes a burden on SMBs and a deterrent for startups remains to be seen. But to borrow from Dickens, eating the fee is arguably better than getting “skewered through and through with office-pens”, as was the case with two penalized no-shows.

Zooming out: Dickens may have a point about taxes too. But if you subscribe to Kafka's brand of socio-bureaucratic surrealism, 2025 won’t see DROP delayed or consumers disinterested. The FTC’s Do Not Call Registry was a success and remains popular, after all. Rather, it’s that at the end of the day the Delete Act itself, if left unamended, will turn the well-intentioned bulwark into a costly revolving door.

Little Opt-In Boy… and Teen Girl Too? (??)

The protection of Children’s Privacy in the US is at a tipping point. The damning FTC Behind the Screens report clearly illustrated the widespread evasion of responsibilities by tech platforms towards children’s data.??

Why it matters: Regulators may be keen to take stronger action to protect young users, but nothing is so easy in the current political climate.?

• Congressional efforts with KOSA and KOSPA aim to enable parents to protect their children's exposure and increase the accountability of platforms, But House legislators continue to raise alarms over legislated content moderation impinging on free speech.
• If successful, however, federal upgrades to COPPA will provide a meaningful change in how the US protects children and adolescents online.?

What proponents want: Substantive measures being debated, decried as First Amendment issues, and worth watching from the sidelines this year include…?

• Raising the age of consent for restricted activities to 17 y/o.
• Expanding definitions to broaden the scope of personal information to include biometric data like fingerprints, voiceprints, and facial imagery.
• Introducing a "duty of care" for social and other platforms, requiring them to take reasonable steps to prevent harm to minors.
• Allowing minors opt-out of algorithmic newsfeeds and recommendations, including as a default.
• Limiting or prohibiting the targeting of minors with ads without explicit consent.
• Expanding rights for minors and their parents to enforceably request the deletion of their data.

Zooming Out: Despite familiar hurdles, children’s privacy remains a largely bipartisan issue on Capital Hill, and may well continue to be the kind of populist item even the President could get behind. But progress in Congress will not necessarily be a boon for the FTC -- the agency’s COPPA 2.0?rulemaking project will likely remain on ice well past inauguration.? Watch this space too.

Lucid Resources

• Tracking Technology Privacy Impact Assessment (TTPIA)
• Vendor Security & Privacy Impact Assessment (VSPA)
• Pan-US Data Protection Impact Assessment (US DPIA)
• Pan-US Readiness Record (US RR)
• China PIPL Readiness Record (CHN RR)?
• EU-US DPF Readiness Record (DPF RR)
• Transfer Impact Assessment (TIA)
• California Readiness Record (CCPA)
• Virginia Readiness Record (VCDPA)
• Colorado Readiness Record (CPA)
• Connecticut Readiness Record (CTDPA)
• Utah Readiness Record (UCPA)
• China Personal Information Processing Impact Assessment Template (PIPIA)