Lucid Privacy Bulletin: New PIPIA Resource, Google Preps for CCPA Enforcement

It’s getting warmer… including under the collar of one lawyer sorry for believing ChatGPT’s plausible but totally bogus case references. July 1st is around the bend, and that means Colorado’s and Connecticut’s consumer privacy laws becoming effective.

The date also means California’s Privacy Protection Agency making house calls…

In this issue:

  • Say hello to PIPIA
  • Google revises its restricted processing positions
  • CNIL reports on the effects of its cookie sweeps

...and more.

Give us a comment or a shout.

From our bullpen to your screens,

Colin O'Malley and the Lucid team

SPOTLIGHT

Lucid Releases China PIPIA Template

On June 1 2023, China’s updated accountability measures for cross-border data transfers will come into effect. The Cyberspace Administration of China (CAC) requires companies who wish to rely on China’s new Standard Contracts (China SCCs) to complete a hybrid privacy impact and data transfer assessment called “PIPIA”.

To help you keep pace with China requirements and to help you understand what such an assessment likely entails, Lucid is releasing our China Personal Information Processing Impact Assessment template as a public reference.

PIPIA Template

Important Note: The template is based on the current but limited guidance from the Cyberspace Administration of China (CAC) and analogous EU guidance informing China’s approach in part. As such it is subject to change pending further guidance.

As with all new regulatory requirements, we are expecting practical aspects to evolve with time and regulatory effort. We’ll plan to update this resource as necessary over time.

Scroll down for more Lucid Privacy resources.

HEADLINES

Google Updates Contracts Ahead of CCPA Enforcement, Other States

With the upcoming enforcement of California's Consumer Privacy Act (CCPA), certain Google services are undergoing a change. Customer Match and Audience Partner API do not meet the CCPA's requirements for service providers. Starting from July 1, 2023, Google will no longer use its "Restricted Data Processing" feature for these services.

Google can still be a limited service provider for Google Analytics, but customers need to disable data sharing with other Google products, which can only be done in GA4. Google also warned that personal information shared with third-party intermediaries for bidding purposes may not be covered under existing California "service provider" terms.

These changes ahead of CCPA 2.0 enforcement are a reminder that, like it or not, most adtech disclosures are “shares”... and all “shares” are “sales”. This also puts pressure on the success of IAB’s Global Privacy Platform efforts. Stay cool, stay nimble and watch this space.


CNIL Reports on Impact of Its Cookie Sweeps

The French privacy watchdog, CNIL, has been conducting enforcement sweeps, sending warning letters, and issuing fines totaling €421M. Common violations include inadequate privacy notices, improper cookie consent, missing refusal mechanisms, and biased UX designs.

CNIL’s observations from the field:

  • 24% → 12%. The number of France’s top 1,000 websites setting 6 or more 3rd party cookies without a user’s express acceptance or refusal was halved.
  • 20% → 29%. The average number of websites not setting any 3rd party cookies increased.
  • 43% → 49%. The number of French users comfortable with rejecting cookies.

While there were improvements in compliance, CNIL intends to continue monitoring popular French websites. Most recently, doctissimo.fr was fined €380K for violating data privacy, including setting advertising cookies without consent. The case emphasizes the importance of checking CMP and tag manager setups.


Costa Rica Seeks a Better Right to Be Forgotten

Costa Rica's National Liberation Party's deputy, Andrea Alvarez, is pushing for the Right to be Forgotten (RtbF) to be included in the Personal Data Protection Law. Unlike the EU's concept of deleting information, Alvarez proposes de-indexing to remove incorrect or harmful online content.

  • Ticos would be able to challenge incorrect, slanderous or otherwise reputationally harmful information about them online and ask for it to be removed.
  • This would impact digital news aggregators, website owners, and search engine operators like Google and Apple.
  • Individuals whose valid requests are ignored can report to CR’s privacy protection agency.
  • Exceptions would include protecting free speech, public health, and the legal rights of third parties, as long as the published information is true.

Since 2001 Costa Rica has been looking to update its privacy framework to bring protections (and trade relations) in closer alignment with Europe and Brazil. Yet, a full-fledged RtbF would require costly adjustments, advantaging wealthy foreign interests operating in the country.

ROUNDUP

  1. Google to Publishers: Adopt IAB TCF. In a demonstration of support towards the embattled IAB EU TCF framework, Google said they will require all publishers using AdSense, Ad Manager or AdMob to adopt TCF when serving ads to users in the European Economic Area or the UK. This announcement follows IAB EU releasing TCF v2.2, which further streamlines options for businesses and choices for consumers.
  2. Apple's Latest Ad Campaign Takes a Humorous Look at Health Data Privacy. Given the health data privacy scrutiny, Apple’s new global ad campaign features Jane Lynch and touts its commitment to protecting user health information through data minimization, on-device processing, transparency and control, and security measures. Its principles include transmitting only necessary data to its servers and requiring user consent for data sharing in its Health app and HealthKit.
  3. TikTok's Lead EU Supervisor Under Political Fire. MEPs in the EU Parliament criticized the Irish DPC over its delay in investigating TikTok's privacy practices, expressing concerns about the enforcement of the GDPR on major digital platforms. The DPC’s two inquiries, dating from September 2021, have yet to conclude. The UK's data protection watchdog has already taken enforcement action against TikTok, which the Irish data protection commissioner used as a defense, stating that its legal analysis is generally accepted by fellow regulators.
  4. Swiss Proton Offers Pro-Privacy Alt to MS, Google. Proton, and Proton Mail in particular, has enjoyed a pro-privacy reputation since the 2010s. Non-enterprise inbox and office productivity products like Google Workplace make up for free subscriptions through personalized ads. Your authenticated Gmail self is valuable to advertisers. Proton is looking to nab some of those users through its limited free-tier, but still end-to-end-encrypted, alternatives.

READINESS TOOLS

Pan-US Readiness Record (US)

Utah Readiness Record (UCPA)

California Readiness Record (CCPA/CPRA)

Virginia Readiness Record (VCDPA)

Colorado Readiness Record (CPA)

Connecticut Readiness Record (CTDPA)

Transfer Impact Assessment Template
