Vermont's Law Stalled, Meta Shifts, and Snap Appeased Regulators

Privacy Corner Newsletter: June 20, 2024

By Robert Bateman and Privado.ai

In this week’s Privacy Corner Newsletter:

• Vermont’s novel privacy bill gets killed: What was so scary about it?
• Meta u-turns on its AI training policy: Can noyb take the credit?
• The ICO reveals why it dropped its enforcement against Snap: 10 things Snap did to assuage the regulator’s concerns.
• What we’re reading: Recommended privacy content for the week.

What’s so scary about Vermont’s comprehensive privacy bill, H.121?

Vermont’s new comprehensive privacy law was vetoed by the state’s governor last week, and on Monday, the state’s legislature declined to reverse the governor’s decision.

• Last month, Vermont passed H.121, which was among the strongest and most novel of America’s comprehensive state privacy laws.
• Governor Phil Scott vetoed the bill last week, claiming that its private right of action would make Vermont a less attractive place to do business.
• On Monday, the Vermont legislature voted against overturning the governor’s veto, meaning that the bill is now dead.

? Why was H.121 so significant?

H.121 was a bold bill. Declining to copy/paste the Virginia Consumer Data Protection Act (VCDPA) like many states before it, Vermont drafted a privacy law with some pretty serious teeth.

Starting with a Virginia-style framework, Vermont’s bill included all the optional “add-ons” seen across many other states—consent to process sensitive data, mandatory data protection assessments, and the full suite of consumer privacy rights.

On top of all that sat a strict “data minimization” requirement that, while not going quite as far as Maryland’s Online Data Protection Act (which passed in the same week), would have required businesses to think carefully before collecting personal data.

But the biggest deal was the bill’s private right of action—the only such provision in a comprehensive privacy law other than the narrow version in the California Consumer Privacy Act (CCPA).

? Why did Governor Scott hate this law so much?

The governor’s main objection to the bill appears to have been its private right of action.

“…the bill’s ‘private right of action’... would make Vermont a national outlier, and more hostile than any other state to many businesses and non-profits—a reputation we already hold in a number of other areas,” Scott claimed in his veto letter.

Compromises around the scope of the private right of action proved insufficient to save H.121 from Governor Scott’s gigantic red veto stamp (which he presumably uses to veto stuff).

“I appreciate this provision is narrow in its impact, but it will still negatively impact mid-sized employers, and is generating significant fear and concern among many small businesses,” Scott said,

The bill was coupled with a “Kid’s Code,” which Scott noted was much like the one recently challenged in the California courts.

? Why didn’t the legislature overturn Scott’s veto?

The Vermont legislature overturned a record-breaking six vetoes on Monday, but the decision to return H.121 was not among them.

While the state’s House voted overwhelmingly to rescue H.121, the Senate disagreed, endorsing the governor’s veto by one vote.

Senators were concerned about the bill’s impact on “Vermont-based businesses, non-profits, medical facilities, educational institutions, utilities, and employers,” according to local news outlet VT Digger .

In his Veto letter, Governor Scott urged the legislature to “adopt Connecticut’s data privacy law” instead of the more ambitious H.121 to ensure “regional consistency.” It remains to be seen whether the downfall of H.121 will cause other states’ lawmakers to be more timid when drafting comprehensive privacy bills.

Why has Meta u-turned on its AI training plans?

Meta has announced a delay to plans to train its AI models on Facebook and Instagram users’ posts.

• The policy was announced late last month when Meta offered European users the opportunity to opt out.
• Privacy campaign group noyb subsequently launched a series of complaints about Meta’s plans.
• Meta announced on Friday that it would delay the project until further notice at the request of the Irish Data Protection Commission (DPC).

? What’s the background?

Earlier this month, Meta notified European Facebook and Instagram users that it would be using their public posts to train and develop its AI products.

The company provided a form enabling users to request an opt out if they explained how they would be personally affected by the policy.?

Noyb submitted complaints about the plans across 11 European Economic Area (EEA) countries, alleging that the opt-out process was “fake” and designed to deter users from exercising their rights.

? What’s changed?

The Irish DPC published a short statement on Friday saying it “welcomed” Meta’s decision to “pause” its AI training plans following “intensive engagement between the DPC and Meta.”

But Meta explained that it had already incorporated several compliance measures in cooperation with the DPC, suggesting that the regulator had initially given the company the green light. The company suggested that other DPAs had pressured the Irish DPC into changing its approach.

Noyb says the DPC’s decision represents a “preliminary win.” The group said it did not know why the DPC had changed course and asked Meta to delay but that the “obvious explanation” was that “pressure on the DPC increased” following noyb’s complaints.

Meta said it was “disappointed” by the DPC’s request. The company suggested that the delay would hamper European innovation and defended its practices as “more transparent” than competitors OpenAI and Google.

Ten things Snap did right to avoid an ICO enforcement notice

The UK Information Commissioner’s Office (ICO) has published further details about its decision to drop an enforcement notice against social media firm Snap.

• Last year, the ICO announced a preliminary enforcement notice against Snap, accusing the company of failing to properly assess the data protection risks associated with its My AI chatbot feature.
• In May, the ICO announced it was dropping the case against Snap following the implementation of satisfactory risk mitigation measures.
• The decision notice, published Thursday, reveals some of the steps Snap took to assuage the ICO’s concerns.

? What did Snap do to avoid enforcement?

Snap’s My AI feature is a version of ChatGPT integrated into Snapchat. The ICO initiated enforcement proceedings after an initial investigation suggested that the company had not properly considered the data protection risks associated with the feature, including those regarding children.

Among other things, the ICO’s decision notice reveals that Snap took the following steps to meet its obligations under the UK GDPR.

1. Providing a more detailed breakdown of its purposes for processing personal data in the fifth (!) iteration of its Data Protection Impact Assessment (DPIA).
2. Acknowledging and assessing the risks associated with the processing of special categories of personal data via My AI.
3. Assessing the risks of My AI against each of the 15 principles set out in the ICO’s Children’s Code.
4. Assigning each user to an “age bucket” (sometimes based on inferences about their age) and instructing OpenAI to only serve age-appropriate outputs to younger users.
5. Rewriting My AI’s just-in-time transparency notice to make it more accessible to children.
6. Enabling parents to check whether their children are using My AI and turn off the feature via a Family Control Center.
7. Implementing controls to limit the risk that children would use My AI to do their homework.
8. Turning My AI off by default.
9. Enabling users to delete personal data processed via My AI.
10. Limiting the amount of personal data processed by My AI, including from other parts of Snap’s ecosystem and third-party services.

The ICO had also preliminarily concluded that Snap violated Article 36 (1) of the UK GDPR, which requires controllers to consult with the ICO if a DPIA reveals residual risks that cannot be mitigated.

An earlier version of Snap’s DPIA indicated that there were indeed such residual risks. However, Snap failed to consult the ICO.

The ICO dropped this allegation after Snap promised—including via a signed witness statement—that it had recorded the residual risk in error.

What We’re Reading

• The Shifting Privacy Left Podcast : 'How Intentional Experimentation in A/B Testing Supports Privacy' with Matt Gershoff (Conductrics)
• The Vermont veto is a step backward for privacy : Neil Richards and Woodrow Hartzog analyze the downfall of H.121 for the International Association of Privacy Professionals (IAPP).
• NIS2’s cybersecurity requirements : Digiphile’s Phil Lee has published an insightful look at how the EU’s cybersecurity regulations could impact your business.