Lucid Privacy Bulletin: Working holiday express
"Working Holiday Express" / Alex Krylov / Bing Creator

Lucid folks,

The European data protection freight train does not seem to be slowing down despite a short run to winter holidays. It’s Polar Express for some and Snowpiercer for others.

Meanwhile in the U.S., California’s mini-FTC, the CPPA, published its long-awaited draft rules for automated decision-making technologies. There’s much to unpack there, but at first blush the regulations appear to gel in principle with 2016 guidance by the EU’s then Article 29 Working Party. There is one notable requirement in the proposed ADMT rules, familiar to GDPR practitioners: businesses must proactively provide consumers with “Pre-use Notices” and offer them the opportunity to decline and otherwise object to impactful ADM, with few exceptions.

In this issue:

  • Is ICO the Grinch or Krampus? You decide
  • GDPR gets a deserved pat on the head
  • VPPA class actions slow down

…and more.

From our bullpen to your screens,

Colin O'Malley & Lucid Privacy Group Team


If this is the first time seeing our Privacy Bulletin in your feed, give it a read and let us know what you think. For more unvarnished insights, visit our Blog. Your comments and subscriptions are welcome!


UK ICO Issues Cookies Ultimatum to Top Websites

Have you ever added espresso to your eggnog?

The week before Black Friday, in the run-up to Xmas and holiday code freeze, the UK ad industry was looking forward to a little respite after intricate IAB TCF 2.2 implementations. For some publishers the UK data protection authority, the ICO, has declared R&R a foregone conclusion.

On 21 November 2023 the ICO publicized that it had issued a final warning to some of Britain’s top website publishers. Publishers must come into compliance with UK cookie compliance rules… or else.

The ICO is giving publishers 30 days to ensure their websites comply or face consequences ranging from public embarrassment to fines, and will issue an update in mid-January.

We cover this development in further depth in our new blog. Read it here.


5 Years In, the GDPR Gets a Passing Grade

The EU Council of Ministers (legislative body) has delivered a nice report card to the GDPR’s parents -- themselves. This is while national governments call for “an overarching and comprehensive evaluation” of the five-year old’s scholastic achievements by the European Commission (executive body).

Our notes below.

TL;DR: Good progress, but needs to try harder. Doesn’t always play nice with smaller kids.

Magna cum laude

The GDPR was praised for:

  • Staying technology-neutral… although regulators remain obsessed with cookies.
  • Effectively facilitating data protection rights… but privacy activists point to ineffective enforcement.
  • Increasing private sector compliance efforts… but still cumbersome and costly for Little Tech.

Cum laude

The GDPR has shortcomings in its:

  • Legislative interplay… because policymakers need to reconcile adjacent laws like the DMA against existing GDPR guidelines… and lawmakers are yet to de-mummify the ePrivacy Regulation.
  • Enforcement practices… because administrative procedures vary from Member to Member and are the most difficult to harmonize, and may need changes to national laws.
  • International transfers… because some lawmakers and regulators don’t trust the process by which the EC grants adequacy decisions, like to the EU-US Data Privacy Framework & Program.

Sine laude

The GDPR barely dodged detention over:

  • Public authorities… because the GDPR’s complexities have challenged its parallel role of ensuring the “free flow of personal data throughout the Union” (Recital 3), particularly among European governments.
  • Specific data processing… because arguably unrealistic standards for anonymization and diverging national guidelines concerning sensitive data stymie researchers.
  • Cooperation mechanism… because the ongoing spat over Meta between the Irish DPC and the EDPB threatened to fracture the One-Stop Shop Principle.

Zooming out: If we were to give GDPR a grade based on the CoM’s findings we’d offer a solid B-. Disharmony at the national level continues to be the EU’s greatest challenge. But credit must be given where it is due -- at least the EU government is functional. Meanwhile, in the storied hallways of Congress kidneys get punched.


Other Happenings

  1. Video Privacy Lawsuits Decline in the US, but Pixel Lawsuits Continue. Plaintiffs’ lawyers seem to be running out of ways of forming fresh classes and moving past summary dismissal as businesses button up their terms and video players. Class actions claiming businesses violated state wiretapping (i.e. CIPA) and invasion of privacy laws are finding better traction, with a number of claims surviving motions to dismiss in whole or in part. Check your CMP and tag configurations, folks!
  2. Ripples from the UK Online Safety Act. The UK’s communication regulator Ofcom has published its first guidance for technology companies since the passing of the Online Safety Act (OSA) last month. The OSA is controversial, not only because of the subjectivity of what it aims to regulate -- content, but also because of what some argue it aims to undermine in the pursuit of this goal -- end-to-end encryption.
  3. Europe Passes Data Act to Break Down Data Fiefdoms. The Data Act, a part of Europe’s digital policy package that includes the DSA, DMA and AI Act to name a few, is a win for European users. For consumers, the Act is the GDPR’s Right of Portability on steroids. For Little Tech and other data-driven SMBs, the Act boosts protections against unfair data sharing terms by Very Large market players.
  4. Europe Eyes GDPR 2.0, UK Moves Closer to GDPR -0.5. The EU GDPR faces calls for revision after 12 years, with debates surrounding the need for specific updates. Recent laws like the DMA, DSA and upcoming AI Act challenge GDPR principles. Commissioner Reynders signals a broader 2024 evaluation, focusing on procedural harmonization and potential amendments, seeking stakeholder input to navigate the complex legislative, regulatory, and technological landscape.

