TikTok's Legal Battle Against GDPR Rules, UK ICO's Cookie Banner Crackdown, Colorado's Universal Opt-Out Mechanism

By Robert Bateman and Privado.ai

In this week’s Privacy Corner Newsletter:

  • TikTok seeks to fundamentally undermine cross-border GDPR enforcement at the CJEU.
  • The ICO writes a letter about cookies.
  • Colorado provides details on universal opt-out mechanisms.
  • What we’re reading: Our picks for privacy and privacy-adjacent content this week.

GDPR’s ‘Binding Decision’ Process Illegal Under EU Law, TikTok Argues

The Court of Justice of the European Union (CJEU) has published the arguments in TikTok’s case against the European Data Protection Board (EDPB).

  • Case T-1030/23 is an application by TikTok before the CJEU’s General Court, seeking to overturn the EDPB’s Binding Decision 2/2023, adopted in August.
  • The EDPB’s Binding Decision forced the Irish Data Protection Commission (DPC) to find that TikTok’s account setup process violated the GDPR’s “fairness” principle.
  • In a challenge to an important tool for GDPR enforcement, TikTok alleges that the whole “Binding Decision” process violates the EU’s Charter of Fundamental Rights (“Charter”).

What’s the background?

In August, the Irish DPC fined TikTok €345 million for various GDPR violations, including:

  • Data minimisation and data protection by design and by default (making children’s profiles publicly accessible by default).
  • Implementing GDPR compliance measures (failing to properly assess and mitigate risks).
  • Violating the “fairness” principle (nudging users towards less privacy-protective settings via “dark patterns”).

That last finding was the issue here. The Irish DPC did not want to find that TikTok’s account setup process violated the “fairness” principle, but the EDPB forced it to do so via a Binding Decision.

Why is that such a big deal?

The “fairness” issue was one of six findings by the Irish DPC, and it was the only one that the DPC was forced to adopt via the EDPB’s Binding Decision.

The finding did not contribute to the €345 million fine, and TikTok says it had fixed the issues before the fine was even imposed.

So why is TikTok taking this to court?

The case could be an attempt to undermine the entire “Binding Decision” process.

Many tech firms base their European operations in Ireland for tax purposes. But it has also been alleged that the Irish DPC offers a relatively lenient approach to GDPR enforcement.

Most of the largest GDPR fines have been issued by Ireland, but normally as the end result of a long-winded and resource-intensive round of negotiations between the Irish DPC and its peers on the EDPB.

TikTok alleges that this part of the GDPR violates EU law.

How can EU law violate EU law?

The GDPR is secondary law. The regulation was proposed by the Commission, and amendments were made by the Council and the Parliament.

The Charter is primary law. The Charter applies to all actions of EU institutions. Therefore, all EU legislation must comply with the Charter.

If there’s a conflict between the GDPR and the Charter, the Charter will prevail.

Does the Binding Decision process really violate the Charter?

We don’t have much detail regarding TikTok’s arguments, but the company’s allegations concern Article 65(1) of the GDPR, which allows the EDPB to adopt a Binding Decision when regulators can’t agree on a GDPR issue.

TikTok argues that this GDPR provision violates the following articles of the Charter:

  • Article 41: Right to good administration. Among other things, this ensures “the right of every person to be heard, before any individual measure which would affect him or her adversely is taken.”
  • Article 46: Right to an effective remedy and to a fair trial.
  • Article 47: Presumption of innocence and right of defense.

TikTok can’t challenge the Binding Decision directly because the Binding Decision was directed to the Irish DPC.

But, the Irish DPC was forced to sanction TikTok as a result of the Binding Decision, so TikTok will likely argue that the Binding Decision affects TikTok directly and, therefore, should be open to challenge directly by TikTok.

WhatsApp tried something similar earlier this year and failed. WhatsApp argued, much like TikTok, that the EDPB had violated the Charter by failing to allow a challenge to a Binding Decision.

But unlike TikTok, WhatsApp did not challenge the legality of the GDPR itself.

If TikTok can successfully argue that the Binding Decision process is illegal under EU law, Ireland-based tech firms might be insulated from the more aggressive enforcement posture of stricter EU regulators.

UK Regulator Addresses Cookie Banner Non-Compliance

The UK Information Commissioner’s Office (ICO) has written to the operators of “some of the UK’s top websites” to warn them that they “could face enforcement action” due to their allegedly non-compliant cookie banners.

  • Earlier this year, the ICO stated its position that cookie banners should include a “refuse all” button on the first layer.
  • The ICO has now written to “many of the UK’s most visited websites” requesting changes to their cookie banners within 30 days.
  • The regulator says it will name those companies that have failed to comply with the law in January.

Which companies have received the letter?

We don’t know.

How many companies got the letter?

We don’t know.

What does the letter say?

We don’t know.

It might have been helpful to have been able to read the letter…

Yes. The decision not to publish the names of the companies who have received the letter is arguably justifiable, as the ICO can threaten to “name and shame” those companies that don’t comply with its requirements.

But it would have been helpful to at least see a copy of the letter to understand precisely what the regulator’s requirements are.

Contrast this approach with that of the US Federal Trade Commission (FTC) and Office for Civil Rights (OCR), who published a joint letter to 130 (named) healthcare providers setting out concerns over the non-consensual use of tracking technologies earlier this year.

So what do we know?

We know that the websites in question do not include a “reject all” button on the first layer of their cookie banners.

Many websites provide the option to “accept all” cookies upfront. To reject cookies, users might have to navigate additional “settings” menus or toggle off each type of cookie individually.

In the summer, the ICO published a joint position paper on Harmful Design in Online Markets with the UK Competition and Markets Authority (CMA), which clarified its position on cookie banners.

The ICO has never enforced the law against a company for violating the cookie rules, so some privacy fans might be encouraged to see at least some activity in this area.

Colorado Announces ‘Universal Opt-Out’ Shortlist

The Colorado Attorney General (AG) has announced three protocols that could be eligible for recognition under the Colorado Privacy Act’s “universal opt-out mechanism” provisions.

  • The Colorado Privacy Act took effect in July 2023, but provisions requiring covered businesses to recognize “universal opt-out mechanisms” will take effect in July 2024.
  • The Colorado AG invited providers of opt-out mechanisms to apply for recognition under the law. Once finalized in January, businesses subject to the Colorado Privacy Act will need to treat signals under the mechanisms as valid requests under the law’s “right to opt out”.
  • The three shortlisted mechanisms are called OptOutCode, the Global Privacy Control, and Opt-Out Machine.

What’s a universal opt-out mechanism?

A universal opt-out mechanism transmits a signal from a user’s browser to a website the user is visiting, requesting the website to treat data sent or collected from the browser in a particular way.

An early example is “Do Not Track” (DNT), which is embedded into certain browsers and sends a request to websites not to “track” the user’s online activities across different websites.

The DNT protocol is widely considered to have failed—although a case against LinkedIn earlier this month found that DNT signals could be a valid request under the GDPR’s “right to object”.

The Global Privacy Control (GPC) is considered DNT’s successor, and the California AG penalized a business (Sephora) for failing to respect Global Privacy Control requests last year.

What does this all mean?

The upshot is that, if you’re covered by the Colorado Privacy Act, you’ll likely need to configure your website to respond to these three universal opt-out mechanisms in respect of Colorado consumers.

The Colorado Privacy Act provides Colorado residents with a right to opt out of targeted advertising, the sale of their personal data, and certain forms of profiling.

The law states that businesses must treat requests under universal opt-out mechanisms as valid requests under these rights.

So, if…

  • You’re covered by the Colorado Privacy Act.
  • You operate a website that conducts “targeted advertising” (etc.) according to the act.
  • Someone from Colorado visits your website after July 1, 2024.
  • That person has one of the universal opt-out mechanisms enabled in their browser…

…you must not use that person’s personal data for targeted advertising, sell their personal data, or use their personal data for the Colorado Privacy Act’s listed profiling activities.

The Colorado AG must publish the finalized list of universal opt-out mechanisms by January 1, 2024.
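Worked example, added here and not taken from the newsletter or from any of the shortlisted mechanism providers: how a site can read the two browser signals the article describes (GPC’s `Sec-GPC` request header and `navigator.globalPrivacyControl`; DNT’s `DNT` header and `navigator.doNotTrack`) and map a detected opt-out to the three Colorado purposes listed above. The `inScope` flag, the function names and the headers-object shape are assumptions; OptOutCode and Opt-Out Machine are not covered because the article gives no detail on how they signal.

```javascript
// Added example, not code from the newsletter or from any of the three
// shortlisted providers. Header names and values come from the public
// specs: Global Privacy Control sends "Sec-GPC: 1"; Do Not Track sends "DNT: 1".
const GPC_HEADER = "sec-gpc";
const DNT_HEADER = "dnt";

// The three purposes the newsletter says a Colorado opt-out covers.
const COLORADO_OPT_OUT_PURPOSES = Object.freeze([
  "targeted_advertising",
  "sale_of_personal_data",
  "profiling",
]);

// HTTP header names are case-insensitive, so lower-case the keys before lookup.
// Multi-valued headers (arrays) use their first value.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers || {})) {
    out[name.toLowerCase()] = Array.isArray(value) ? value[0] : String(value);
  }
  return out;
}

// Server-side check on an incoming request's headers. Only the exact value "1"
// is an opt-out; absent, "0", "null" or malformed values count as no signal.
function readOptOutSignals(headers) {
  const h = normalizeHeaders(headers);
  const gpc = (h[GPC_HEADER] || "").trim() === "1";
  const dnt = (h[DNT_HEADER] || "").trim() === "1";
  return { gpc, dnt, optOut: gpc || dnt };
}

// Client-side equivalent: browsers expose the same signals as
// navigator.globalPrivacyControl (boolean) and navigator.doNotTrack ("1").
// The navigator object is a parameter so this can run outside a browser.
function readOptOutSignalsFromNavigator(nav) {
  const gpc = nav.globalPrivacyControl === true;
  const dnt = nav.doNotTrack === "1";
  return { gpc, dnt, optOut: gpc || dnt };
}

// Map the signal to the purposes that must be suppressed. `inScope` is the
// caller's own finding (assumed here) that the business is covered by the act
// and the visitor is a Colorado consumer; the signal alone does not tell you that.
function decideProcessing(signals, inScope) {
  if (!inScope || !signals.optOut) return { honored: false, suppressed: [] };
  return { honored: true, suppressed: [...COLORADO_OPT_OUT_PURPOSES] };
}
```

Call `decideProcessing(readOptOutSignals(req.headers), inScope)` before initialising any ad or analytics tags, and gate the client-side tag loader on `readOptOutSignalsFromNavigator(navigator)` for the same effect in the browser.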

What We’re Reading

Take a look at these three privacy-related reads published this week:
