This Week in Data Privacy

This Week in Data Privacy we are covering a number of subjects!

New privacy developments are concurring in the United States. On the state level, Hawaii, Montana, and Utah are laying the groundwork for a series of new regulations that will impact consumer privacy in those markets.

Meanwhile, in the federal space, the FTC fines online counselor, BetterHelp, $7.8M, halts sensitive data sharing, and Congress is considering bills that could regulate how advertisers interact with children this year.

Across the pond in Europe, the European Data Protection Board (EDPB) has published three guidelines for privacy.

Before we jump into this week's news, I want to take a moment to acknowledge that today is International Women's Day. I want to acknowledge the role that the following women have played in nurturing my professional development and allowing me to stand where I stand now, as a founder and female CEO in the tech industry. Thank you,

Meredith C. Moore , Cat Coode , Andrea Heuston , Amanda Brandenburg , Emily Kapit, MS, MRW, ACRW, CPRW , Christy Brown , Dominique Shelton Leipzig , Odia Kagan , Heidi Soloway , Kimberly Burnham, JD, CIPM , Rosemary Gigante and a few special men: Andrew Richardson , Justin Daniels , David Stauss , Zach Morrison , Pedro Pavón ?? , Joe George

Your support has meant and means so much to me!

US state privacy developments: Hawaii, Montana, Utah

Here is a quick update on US state privacy laws:

Hawaii: Hawaii?Senate Bill 974?is now available for second reading on the Senate floor prior to more committee consideration and a potential final reading.

Montana: Montana Senate voted 50-0 to advance?Senate Bill 384?to House consideration. Covered entities include companies holding data on more than 100,000 individuals or deriving 25% of annual revenue from data belonging to more than 25,000 consumers. The bill's effective date is Oct. 1, 2024.

Utah: Utah?Senate Bill 152?on social media regulation amendments earned final passage. The bill contains provisions for platforms to adopt required age-verification processes and obtain parental consent for various online activities of minors under the age of 18.

Sourced from IAPP :

https://iapp.org/news/a/us-state-privacy-developments-hawaii-montana-utah/

EDPB publishes three guidelines following public consultation

Following public consultation, the EDPB has adopted three sets of guidelines in their final version:

Guidelines on the Interplay between the application of Art. 3 and the provisions on international transfers as per Chapter V GDPR

The Guidelines clarify the interplay between the territorial scope of the GDPR and the provisions on international transfers in Chapter V. Following public consultation, the guidelines were updated and further clarifications were added -?

1. A clarification was added regarding the responsibilities of the controller when the data exporter is a processor.?
2. Further examples were added to clarify aspects of the direct collection, as well as the meaning of “the data importer is in a third country”.?
3. An annex was added with further illustrations of the examples included in the guidelines to facilitate understanding.

Guidelines on certification as a tool for transfers

The main purpose of these guidelines is to provide further clarification on the practical use of this transfer tool. The guidelines are composed of four parts, each focusing on specific aspects regarding certification as a tool for transfers.?

Guidelines on deceptive design patterns in social media platform interfaces

The guidelines offer practical recommendations to designers and users of social media platforms on how to assess and avoid?deceptive design patterns?in social media interfaces that infringe on GDPR requirements. The guidelines give concrete examples of?

1. Deceptive design pattern types,?
2. Present best practices for different use cases and?
3. Contain specific recommendations for designers of user interfaces that facilitate the effective implementation of the GDPR.

Sourced from the @EDPB:

https://edpb.europa.eu/news/news/2023/edpb-publishes-three-guidelines-following-public-consultation_en

Congress is considering bills that could regulate how advertisers interact with children

Congress is reconsidering?bipartisan?legislation that would further regulate how social media companies and the advertisers that help fund them interact with young people.

The push largely is based in concerns centered on the potential?effects?of social media on children. Legislators are taking more steps to crack down on digital advertising that caters to children.

“A clear point in all of these [legislative] proposals is that they’re specifically going after marketing and advertising,” Anthony Prestia, former senior privacy counsel for Snap and head of privacy at TerraTrue, told Marketing Brew.

COPPA 2.0, an updated version of the original law passed in 1998, “would finally put in place commonsense guardrails to stop Big Tech from tracking, targeting, and traumatizing America’s youth,” Rosemary Boeglin, a spokesperson for Sen. Markey, told Marketing Brew over email.

As proposed last year, COPPA 2.0—which Markey plans to?reintroduce—would have?raised?the age limit for privacy protections from 13 to 16 and outright banned targeted ads aimed at children.

Ultimately, the significance of bills like COPPA 2.0 marks another example of the US “trying, at various levels, to move to a more European-style privacy framework,” Brennan said.

More from the Marketing Brew here: https://www.marketingbrew.com/stories/2023/03/01/congress-is-considering-bills-that-could-regulate-how-advertisers-interact-with-children

FTC fines online counselor, BetterHelp, $7.8M, halts sensitive data sharing

The U.S. FTC announced a proposed order against online counseling service BetterHelp over alleged improper data sharing for advertising purposes. BetterHelp allegedly sent mental health data to various platforms, including Facebook and Snapchat.?

"When a person struggling with mental health issues reaches out for help, they do so in a moment of vulnerability and with an expectation that professional counseling services will protect their privacy,” said Samuel Levine, Director of the FTC's Bureau of Consumer Protection. "Instead, BetterHelp betrayed consumers’ most personal health information for profit. Let this proposed order be a stout reminder that the FTC will prioritize defending Americans’ sensitive data from illegal exploitation."

The agency ordered a USD7.8 million payout to affected customers while banning the service from conducting further data sharing that leads to nonconsensual use for third-party advertising campaigns.?

This is the first Commission action returning funds to consumers whose health data was compromised. The proposed order also will limit the ways in which BetterHelp can share consumer data going forward.

More from the FTC here: https://www.ftc.gov/news-events/news/press-releases/2023/03/ftc-ban-betterhelp-revealing-consumers-data-including-sensitive-mental-health-information-facebook

What is Global Privacy Control?

If your users are looking to set-and-forget their privacy preferences, global privacy control (GPC) is a big step in that direction for them.?

But what is global privacy control to begin with???

?? Global Privacy Control (GPC): a proposed specification designed to allow Internet users to notify businesses of their privacy preferences, such as whether or not they want their personal information to be sold or shared. It consists of a setting or extension in the user’s browser or mobile device and acts as a mechanism that websites can use to indicate they support the specification.

In short: GPC acts like a control panel that communicates a user’s privacy preferences (specifically, whether they consent to have their personal information sold or shared) to a website.?

The result: a set-it-and-forget-it strategy for privacy that makes it easier and more user-friendly for users.?

So, how does global privacy control work?

For consumers

To put GPC to work, users download a browser extension that supports GPC specifications. Once they’ve installed it, they can implement privacy controls. GPC allows for a high degree of customization; users can apply GPC settings across all websites or activate it for specific ones.

If the GPC signal is turned on and, crucially, the website is set up to recognize the signal, the user automatically opts out of targeted advertising and anything that could be seen as “selling” their personal information.

Which web browsers support global privacy control?

Some, but not all, web browsers support the GPC signal. The list currently includes:

1. Brave
2. DuckDuckGo?
3. Firefox
4. Mozilla?

For businesses

As GPC becomes more widely adopted, businesses will need to identify strategies for recognizing and upholding requests that come through the GPC signal.?

To start, businesses will need to track which privacy regulations have indicated support for GPC and make sure their privacy practices align with regulatory requirements.?

Businesses may need to adapt current privacy workflows, particularly if they use third-party systems to track users for ad targeting or other commercial purposes.??

Cookie consent, GPC, and privacy strategies

GPC removes the need for users to engage with the cookie banner.?

This means less work for the user—but not necessarily for website owners.?

Businesses will need to adopt cookie and consent management platforms that support the GPC signal, as well as update privacy notices and other public-facing privacy communications.?

For more on GPC and positioning your business here: https://redcloveradvisors.com/2023/02/21/what-is-global-privacy-control/