Ad Law Access
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access
Updates on advertising law and privacy law trends, issues, and developments
Mon, 18 Nov 2024 11:32:33 -0500

Massachusetts Hops on the Junk Fee Bandwagon – and Online Cancellation, Too
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/massachusetts-hops-on-the-junk-fee-bandwagon-and-online-cancellation-too
Fri, 01 Dec 2023 18:51:00 -0500

This week, Massachusetts Attorney General Andrea Joy Campbell’s office touted the release of draft regulations to prohibit hidden “junk fees,” enhance transparency in various transactions, and make it easy for consumers to cancel subscriptions. The office highlights that junk fees can make it difficult for consumers to comparison shop, harm honest business, and have a disproportionate impact on marginalized consumers. It also cites increases in automatically renewing contracts and trial offers that are more difficult to cancel than they are to enter into.

AG Campbell will be using the rulemaking power from the Massachusetts Consumer Protection Act, and the office will be taking public comments until December 20, 2023, holding a hearing and comment session on the same day.

Junk Fees

Some aspects of the junk fee proposed regulations mirror California’s junk fee statute and the FTC’s proposed junk fee rule:

  • Requiring the total price to be disclosed when an offer is made; and
  • Allowing required government fees to be excluded from the total price.

Others are closer to the FTC’s proposed rule:

  • Requiring the total price be disclosed more prominently than any other price;
  • Not excluding any particular industries or products; and
  • Banning misrepresentations of fees.

Finally, still other portions differ from both:

  • Requiring the disclosure of optional, refundable, or waivable fees at every offer point; and
  • Requiring the disclosure of a total price each time it is presented, and before any personal information is collected (unless it is necessary to determine a legal sale or if the product is available in a geographic location).

These proposed requirements could have a huge impact on companies who had planned to deal with all-in pricing through providing optional fees or waiting to disclose the total price -- because the rule seems to require the disclosure of both the total price and any optional fees from the outset, and before any personal information (which isn’t defined) is collected.

Recurring Fees (Autorenewals) & Trial Offers

Some of the proposed MA regulations on autorenewals (940 C.M.R. 38.05) do not tread new ground in comparison to some other states’ autorenewal statutes. For example, the proposal requires:

  • businesses with online enrollment to provide online cancellation;
  • disclosure of key terms of the trial offer prior to acceptance of the offer; and
  • a reminder notice for trial offers exceeding 30 days that must disclose how the customer can cancel.

Where it seems to go further than other current state requirements is:

  • Both the consent to the terms and any required reminder notice must include the calendar date the customer would incur the charge.
  • The reminder notice “shall be provided in a manner substantially similar to that by which the consumer accepted the trial offer.”

This additional reminder notice and specific date requirement – particularly in the initial offer terms which are usually a static display – could pose technical challenges for companies. What will it mean to provide a notice in a similar manner to the acceptance if the customer accepted the offer on a website or app – would a push notification be required? A notification on the website?

Enforcement

The Massachusetts Consumer Act allows the AG to make rules, but it should be noted that “Such rules and regulations shall not be inconsistent with the rules, regulations and decisions of the Federal Trade Commission and the Federal Courts interpreting the provisions of 15 U.S.C. 45(a)(1) (The Federal Trade Commission Act), as from time to time amended.” This will make things interesting if the FTC continues to roll out its potentially inconsistent junk fee and negative option rules.

If the rule is finalized, the AG (and “any person”) has the same authority as it has under its Consumer Act to enforce and bring an action for damages, fees, and equitable relief. The AG may also seek penalties of up to $5,000 and restitution for certain violations.

Takeaways

The draft regulations include some confusing provisions and could have a significant impact on many companies. Companies who may be affected should consider submitting comments before the December 20 deadline. And expect more to come as other states continue to weigh in on “junk fees” and enforce their automatic renewal statutes.

California Bans Hidden Fees
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/california-bans-hidden-fees
Thu, 12 Oct 2023 09:00:00 -0400

As we posted yesterday, the FTC announced a proposed rule that could fundamentally alter how businesses across industries advertise prices and disclose fees to consumers. At around the same time the FTC was preparing to announce the proposed rule, California AG Rob Bonta was commenting about California’s efforts to ban hidden or “junk” fees, boasting that “California now has the most effective piece of legislation in the nation to tackle this problem. The price Californians see will be the price they pay.”

California Senate Bill 478, which was signed over the weekend and goes into effect on July 1, 2024, will generally require under the Consumers Legal Remedies Act that companies include all mandatory fees when they advertise prices. The law states that the following practices are unlawful:

  • Advertising, displaying, or offering a price for a good or service that does not include all mandatory fees or charges other than either of the following: (i) Taxes or fees imposed by a government on the transaction; [or] (ii) Postage or carriage charges that will be reasonably and actually incurred to ship the physical good to the consumer.

The law has a few narrow exceptions. For example, it wouldn’t be unlawful for a food delivery company to list the menu prices of food items without factoring in its own fees. And companies in other separately-regulated industries – such as broadband providers, financial entities, and car manufacturers and rental and manufacturer companies – will not be deemed to be in violation of this law, if they comply with other laws in their industry specifying how fees must be disclosed.

Notably, the preamble to the bill takes the position that drip pricing – or presenting part of a price up front and presenting fees later – was a form of “bait and switch advertising” and already “prohibited by existing statutes.” That echoes the position that AGs across the country have already taken in various cases. Click here, for example. AG Bonta’s press release highlights several industries that it specifically alleges have used hidden fees, such as lodging, ticketing, and food delivery.

We expect that efforts to push companies to disclose mandatory fees up-front will continue to intensify at both the federal and state levels.

California Just Passed SB 362: Whatever You Think About the Merits of the Law, It’s a Big Deal
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/california-just-passed-sb-362-whatever-you-think-about-the-merits-of-the-law-its-a-big-deal
Fri, 15 Sep 2023 00:00:00 -0400

As we’ve discussed here, data brokers have been in the hot seat lately, with the enactment of new state data broker registry laws, aggressive enforcement by the FTC, a looming rulemaking by the CFPB to extend the FCRA’s reach to a broader class of data brokers, multiple federal bills to restrict data broker sales, and a recent meeting at the White House to discuss “harmful data broker practices” and provide further impetus for regulation.

Among the most significant of these developments is California’s SB 362 – a data broker bill that goes well beyond the registration requirements contained in California’s existing data broker law. Proposed earlier this year, SB 362 met with various twists and turns all summer, including strenuous opposition from industry members. However, yesterday (on the last day of the legislative session), the California Senate gave the bill final approval, concurring in the version passed by the California Assembly.

Now the law is on its way to Governor Newsom for signature, and there have been no signs that he’ll veto it. Indeed, the bill’s chief sponsor, state Senator Josh Becker, has said that, while he hasn’t reached out to the governor, he expects the governor to sign. Others have surmised that Newsom will sign in light of the prominence of privacy in the Golden State, as well as concerns about data brokers’ collection and sale of reproductive health care data (an issue referenced in Section 3 of the bill).

What Does SB 362 Require?

Although the bill was amended throughout the legislative process, the core requirements remain largely the same. In brief, SB 362 expands California’s current data broker law by providing a centralized place where consumers can delete their data and limit the further sale or sharing of it, and requiring data brokers to undertake new disclosure, recordkeeping, and audit requirements. Some provisions will take effect in 2024 but most will be delayed until 2026 or even 2028. Specifically, SB 362:

  • Requires data brokers to register with the California Privacy Protection Agency (CPPA) (instead of the California AG’s office, as required by the current law), pay a fee, submit detailed information, provide detailed disclosure to consumers, and comply with new recordkeeping requirements (expanded requirements phased in during 2024);
  • Requires the CPPA to create an “accessible deletion mechanism” where consumers can at no cost direct some or all data brokers to delete all of their information, subject to the same deletion and other exceptions available under CCPA (beginning in 2026);
  • Requires data brokers to continue to delete any new information received about the consumer every 45 days (2026);
  • Requires any data broker that receives a deletion request not to sell or share any new personal information about the consumer unless the consumer requests it (2026);
  • Requires any data broker that receives a request to direct their service providers and contractors to delete the information (2026);
  • Requires a data broker that denies a request to delete because the request cannot be verified to process the request as an opt-out of sale/sharing and to direct its service providers and contractors to do the same (2026);
  • Allows “authorized agents” to assist consumers in making deletion requests (2026);
  • Requires data brokers to undergo independent compliance audits every three years (beginning in 2028);
  • Authorizes penalties and administrative costs for noncompliance, including $200 for each day a data broker fails to register and $200 “for each deletion request for each day the data broker fails to delete information” as required. (These sanctions kick in as each of the above requirements becomes effective.); and
  • Gives the CPPA discretionary rulemaking authority to implement the new law.

Of significance, the term “data broker” is defined broadly as “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship” (though it excludes entities covered by the Fair Credit Reporting Act (FCRA), the Gramm Leach Bliley Act, the Health Insurance Portability and Accountability Act and similar California laws, and a California insurance law). As a result of this broad definition, the bill extends not just to data brokers as they are commonly understood, but also to many members of the advertising industry that collect and sell data but do not have a consumer-facing relationship.

What Did Opponents Argue?

In a website created for the purposes of opposing SB 362, industry members pointed to the many beneficial support services they provide – such as stopping fraud targeting companies and the government; verifying identities for the administration of unemployment and nutrition programs; identifying potential donors for political and charitable campaigns; and allowing small businesses to compete and reach a larger customer base. They also stated that the California Consumer Privacy Act already covers data brokers and provides a full set of transparency and deletion rights to consumers as to these entities. These arguments didn’t carry the day, although the bill garnered a chunk of “no” votes in the California Assembly.

Why is this Significant?

As discussed in our prior posts on this subject, policymakers at the federal and state levels have debated for years whether to impose new statutory and/or regulatory requirements on data brokers, citing the sensitive nature of the information and profiles that they sell, the use of this data in making consequential decisions about consumers, and the invisibility of most data brokers to the public. However, to date, data broker-specific legislation has largely been limited to the FCRA and to the state data registry requirements now in effect in four states (though data brokers fall within many privacy laws of general applicability, of course).

The new requirements in SB 362 raise the potential that large numbers of consumers might opt out of the collection and sale by data brokers (broadly defined), whether on their own or through “authorized agents.” Thus, while the law confers significant new privacy rights on consumers, it also could substantially impact the data broker and advertising industries and the many businesses and services that rely on them. In addition, because California typically leads the states on privacy issues, it’s possible that other states will follow suit, amplifying these effects considerably.

Stay tuned as we continue to monitor this important topic.

Mounting Focus on Data Brokers: Is More Regulation Coming?
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/mounting-focus-on-data-brokers-is-more-regulation-coming
Thu, 24 Aug 2023 00:00:00 -0400

During the past year, there’s been a flurry of regulatory activity related to data brokers. Whether in Congress or state legislatures, at federal agencies or the White House, many policymakers are pushing in the direction of increased regulation. For those not following this issue closely, here’s a snapshot of some key developments, starting with some history:

Background on Data Broker Regulation

The debate surrounding data brokers and regulation isn’t new. For decades, policymakers and enforcers have raised concerns about the collection and sale of consumer data by these entities, citing the sensitive nature of the information and profiles that they sell, the use of this data in making consequential decisions about consumers, and the invisibility of most data brokers to the public. (See, e.g., here, here, and here.)

In the 1970s, Congress passed the Fair Credit Reporting Act (the nation’s first commercial privacy law) to regulate consumer reporting agencies (CRAs), an important subset of these entities. The FCRA sets forth data privacy and accuracy requirements when CRAs sell (and companies furnish and use) consumer data for decisions affecting people’s eligibility for credit, jobs, and insurance. The FCRA didn’t end the debate, however. Since then, some policymakers have pressed for broader regulation of data brokers, especially with the advent of mobile devices and other technological advances, enabling data brokers to collect more detailed data about consumers, and to make more granular inferences and predictions, and then sell this information to the public. In response, data brokers have pointed to the beneficial services they provide, and have argued that existing laws (including the FCRA, the Gramm Leach Bliley Act, the FTC Act, and now numerous state privacy laws) are adequate to address any harms that occur.

Recently, this debate has accelerated, as shown by the increased regulatory activity we are seeing today. For some policymakers, the repeal of Roe v. Wade and its implications for reproductive privacy has added an important new dimension to the debate. On April 15, the White House convened a roundtable of government officials, academics, advocates, and other experts to discuss “harmful data broker practices” and provide further impetus for regulation.

Congress

So, what specific proposals are we seeing? Not surprisingly, some of them are coming from Congress. In July, we blogged about two bipartisan efforts to stop the government from purchasing consumers’ location and web browsing and search history from data brokers, absent a warrant or other due process measures. One of these proposals (an amendment to the House National Defense Authority Act bill) would restrict such purchases by DOD. Another (the Fourth Amendment is Not for Sale Act, now introduced in both the House and the Senate) would restrict such purchases more broadly across the federal government. All of these bills are pending, with Congress now in recess.

Readers also may recall that the leading federal privacy bill (the bipartisan American Data Privacy and Protection Act) contains strict data broker provisions requiring online registration and a one-stop mechanism allowing consumers to delete data held by data brokers and prevent further collection by these entities. Other recent federal bills (e.g., the bipartisan DELETE Act) contain even stricter data broker requirements.

Federal Trade Commission

The FTC is also very active in this area. In a 2022 blogpost, an FTC official warned that the FTC will use the “full scope of its authorities” to stop the “illegal use and sharing” of consumers’ location, health, and other sensitive data. Soon after, the FTC filed a lawsuit against data broker Kochava, alleging that its sale of location data obtained from mobile devices harms consumers and is legally “unfair” because the data can reveal sensitive locations that consumers visit, such as reproductive health clinics, places of worship, homeless and domestic violence shelters, and addiction recovery facilities. In addition, the ANPR in the FTC’s Commercial Surveillance and Data Security Rulemaking is replete with references to data brokers and data sales, suggesting that this could be a focus of any rule it proposes.

Like Congressional efforts, the FTC’s actions here are pending. In Kochava, the court dismissed the FTC’s initial complaint due to what it viewed as the hypothetical nature of the FTC’s injury allegations, but the FTC has filed a new complaint (under seal). In the FTC’s rulemaking, the comment period for the ANPR closed last November, so the FTC could release a proposed rule any day now. We await news on both fronts.

California – SB 362

No privacy discussion would be complete without California. And sure enough, the California legislature is currently considering new data broker legislation. In brief, SB 362 would amend the state’s existing data broker law by establishing an “accessible deletion mechanism” where consumers can direct data brokers to delete their information. This would in turn trigger a ban on further data collection by these entities, unless consumers opt in. The law also would allow an “authorized agent” to request deletion for the consumer, require independent compliance audits every three years, and mandate regular reports to the public and to the California Consumer Protection Agency. Due to the broad definition of “data broker,” the bill would cover a wide array of entities, including members of the advertising industry.

If passed, this law would substantially up the ante for data brokers operating in California, and could spread to other states. Currently, eleven states have enacted comprehensive baseline privacy laws, but only a few have data broker laws, with mostly modest requirements. Not surprisingly, opposition to the bill is strong in the data broker and ad industries, who (according to news reports) say it will hurt anti-fraud efforts and the economy, and have launched an effort to defeat the bill. Because California’s legislature adjourns September 14, the window for action is closing soon.

Consumer Financial Protection Bureau

Finally, in what could be the most consequential data broker regulation of all, CFPB Director Rohit Chopra just announced (on the day of the White House roundtable) that the CFPB will soon launch a rulemaking to “modernize” the FCRA so that it reflects how today’s data brokers “build even more complex profiles about our searches, our clicks, our payments, and our locations” and “impermissibly disclose sensitive contact information” of people who don’t want to be contacted, such as domestic violence survivors.

Among other things, per Director Chopra, the CFPB is considering proposals to bring within the FCRA (1) a data broker’s sale of certain types of data (e.g., payment history, income, criminal records) because the data is “typically” used to make credit, employment, or certain other eligibility determinations and (2) credit header information, a major source of information for data brokers that has long been considered to fall outside the FCRA. Such proposals would dramatically extend the FCRA’s reach to a broader class of data brokers than are currently covered. According to Director Chopra, the CFPB will publish an outline of proposals and alternatives next month.

* * *

All of the above proposals are now pending, so it’s not clear whether they will reach fruition or what shape they will ultimately take. However, the sheer volume of activity shows that data brokers are in the spotlight and are likely to remain there for a while.

New Law Governing Online Platforms And Sellers Takes Effect In June – Are You Ready?
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/new-law-governing-online-platforms-and-sellers-takes-effect-in-june-are-you-ready
Fri, 12 May 2023 09:39:19 -0400

On June 27, 2023, “online marketplaces” (i.e., online selling platforms like Amazon and eBay) will have some brand new obligations. So will many of the third party sellers that operate on these platforms.

That’s because, tucked away on pages 2800-2819 of last year’s 4000+ page Omnibus Appropriations Bill (between provisions addressing furniture tip-overs and Tribal swimming pools), is legislation requiring the marketplaces to collect and verify certain information from “high-volume third party sellers,” suspend sellers that fail to comply, and disclose the sellers’ contact information to purchasers.

The new law (the Integrity, Notification, and Fairness in Online Retail Marketplaces for Consumers Act, or the INFORM Consumers Act) charges the Federal Trade Commission (FTC), the state Attorneys General (AGs), and “other state officials” with enforcement; gives the FTC rulemaking authority; and authorizes substantial civil penalties for violations. The law was the result of a bipartisan effort led by Senators Durbin and Cassidy, as well as Representatives Schakowsky and Bilirakis, who remain invested in its success. (Note that Durbin and Schakowsky both mentioned INFORM at recent Congressional hearings.)

For companies that haven’t heard about this new law – or who just want to learn more – here are the key things to know as we approach the June 27 effective date:

What exactly does the law require?

In brief, INFORM requires online marketplaces (i.e., platforms that enable third parties to engage in sales, purchase, payment, storage, shipping, or delivery of consumer products in the US) to do the following:

  • Collect and Verify Seller Information: Marketplaces must collect and verify certain identifying, contact, and financial information from high volume third party sellers operating on their platforms. Such sellers are those that (in any 12-month period during the previous 24 months) have entered into 200 or more transactions involving new or unused products, with aggregate gross revenues of $5000 or more, and for which payment is processed by the marketplace or its payment processor. Marketplaces also must request and obtain information updates, at least annually.
  • Disclose Information to Purchasers: For high volume sellers with aggregate gross revenues of $20,000 or more, marketplaces must “clearly and conspicuously” disclose each seller’s contact information, so that purchasers have recourse if something goes wrong. The disclosures must be made either on the seller’s product listing pages or in the purchaser’s order confirmation and transaction history.
  • Reporting Mechanism: Online marketplaces must include a reporting mechanism on each high volume seller’s product listing page(s) to allow consumers (and presumably anyone) to report “suspicious marketplace activity” to the marketplace, either by phone or electronically.
  • Suspend Noncompliant Sellers: Marketplaces must suspend any seller that fails to comply with the above collection, verification, update, and disclosure requirements within specified timeframes.
  • Protect the Information: Marketplaces may only use the data they collect to comply with the law and must provide reasonable security for this data.

Notably, INFORM’s legal obligations all fall on the marketplaces. They are the entities subject to enforcement and civil penalties if INFORM’s requirements are not adhered to. They are the ones responsible for ensuring compliance after a seller reaches the “high volume” sales and revenue thresholds. (This is true even for the disclosure requirements, which must appear on sellers’ landing pages or in their communications with purchasers.) However, the Act will have significant, if indirect, effects on high volume sellers, too, who will risk swift suspension if they fail to furnish accurate and timely information to the marketplaces, or fail to cooperate in providing the required disclosures.

Why was this law passed?

The law is designed to address concerns about the sale of stolen and counterfeit goods online, which, according to the law’s sponsors and several influential reports (see here and here), harms consumers and costs legitimate businesses billions of dollars a year. These sales often occur through online marketplaces, where criminals exploit the anonymity of the web to sell goods that have been stolen from stores, and/or are counterfeit or unsafe, and where the marketplaces historically have had minimal obligation to verify the identity of sellers.

As press releases heralding passage of the Act explained, requiring marketplaces to verify sellers’ identities will “shine a light” on anonymous online sellers, thus choking off a key avenue for them to sell stolen and harmful goods, while also protecting online purchasers and legitimate competitors.

What happens on the effective date?

On June 27, all of the above requirements kick in, which means that marketplaces must have systems in place to comply with all of them or risk enforcement (with substantial penalties) by the FTC, state AGs, and/or potentially “other state officials.” At the same time, high volume sellers must be ready to furnish the information, and cooperate in providing disclosures, or risk suspension by the marketplaces.

Should we expect enforcement immediately? Yes, it’s quite possible, though the FTC (and AGs) might start with warning letters or an announcement of a coming “crackdown.” Indeed, the Act touches on numerous FTC and state AG priorities – including protecting consumers from fraud and unsafe products; maintaining a fair marketplace; holding platforms accountable, both for their own conduct and as “gatekeepers” in critical markets; and authorizing all-important civil penalties of up to $50,020 per violation. It’s also the product of bipartisan consensus at a very partisan time.

In addition, with so many cops on the beat, action could come from, not just one enforcer, but many, possibly working in tandem. In recent budget testimony to Congress, FTC Chair Khan highlighted the Act (at p. 26), including the potential for joint FTC-state action:

Ensuring Honest Online Marketplaces

Our consumer reports data show that online platforms have become fertile ground for fraud and abuse, and we are taking on this problem using all of our tools. The newly enacted INFORM Consumers Act requires online marketplaces to collect and verify information about certain third-party sellers, and to disclose third-party seller contact information to consumers to ensure transparency. The Commission will enforce the law to the fullest extent possible and will collaborate with our state partners as well.

In short, whether you’re an online marketplace or a third party seller, it would be wise to bone up on INFORM’s requirements before the effective date, and make sure you’re ready to implement them when the magic date arrives. Kelley Drye will shortly be announcing a webinar on this topic – stay tuned for more details.

Is Time Really Up for TikTok? – Details from the House Committee Hearing with TikTok CEO Shou Zi Chew
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/is-time-really-up-for-tiktok-details-from-the-house-committee-hearing-with-tiktok-ceo-shou-zi-chew
Thu, 30 Mar 2023 16:04:09 -0400

Last week, in its most high-profile effort yet to focus attention on data privacy and security, the House Committee on Energy & Commerce held a hearing with TikTok’s CEO Shou Zi Chew. The full-Committee hearing was high drama, with sharp statements and accusations about TikTok’s connections to the Chinese government, wide attendance by Committee members, and extensive press coverage during the hearing and afterwards. Some members (notably Chairwoman Cathy McMorris Rodgers) called for TikTok to be banned from the U.S., while others asked pointed questions without committing to support a ban. Members also used the opportunity to push for federal privacy legislation (and specifically the bipartisan ADPPA), which they said would help to address the dangers posed by Big Tech companies like TikTok.

Overall, the hearing did a far better job of illuminating members’ concerns than in gathering information. Many questions were too broad, complex, or accusatory to be answered in a “yes” or “no” fashion (as frequently requested by Committee members). And at times, Chew was simply evasive. Nevertheless, the hearing highlighted, once again, bipartisan concerns surrounding TikTok, national security, children’s safety, and privacy.

As the debate about TikTok continues, we wanted to share more details about what happened:

First up, opening remarks from Chairwoman Rodgers (R-WA) and Ranking Member Frank Pallone (D-NJ)

Rep. Rodgers kicked off the five+ hour hearing by discussing the threat TikTok poses to national security, and calling for the app to be banned in the U.S. She said that TikTok answers to the Chinese Communist Party (CCP) through its parent company ByteDance, spying on Americans (especially journalists) through collection and use of their data. It also manipulates its users (for example, censoring information and erasing events China wants the world to forget) and encourages harmful behavior among children by promoting dangerous content in its “For You” recommendations. Finally, she noted that TikTok has 150 million American users and emphasized the urgency with which Congress needs to act, both on TikTok and in passing the ADPPA.

Rep. Pallone said that Big Tech, including TikTok, has become a super-spreader of danger. It collects more data than it needs and sells it to generate billions of dollars in revenue. Like Rodgers, Pallone emphasized that Congress cannot wait any longer to pass federal privacy legislation. While there are benefits to TikTok, he said he is not sure they outweigh the risks to Americans – risks that are exacerbated by TikTok’s potential ties to the CCP. Pallone further expressed concern that addictive algorithms cause emotional distress, especially for children who are particularly vulnerable.

Next, Statement from TikTok CEO Chew

Chew used his testimony to showcase TikTok as a place where people can be creative and where businesses (especially small ones) can fuel their growth. He also argued that TikTok (together with ByteDance) is a global company that is not owned or controlled by the CCP. Indeed, he said that TikTok is not even available in mainland China and is headquartered in California and Singapore.

Chew made four commitments during the hearing:

  1. TikTok will keep safety, particularly for teens, a top priority;
  2. TikTok will implement Project Texas, a plan to store all U.S. user data in the U.S. and firewall it from unwanted foreign access;
  3. TikTok will remain a place for free expression, not manipulated by any government; and
  4. TikTok will be transparent and will allow third-party monitoring to ensure accountability for its commitments.

Committee Members’ Questions by Topic

  • ByteDance

Many representatives, including Chairwoman Rodgers, probed the relationship between ByteDance, the parent company, and TikTok. They asked Chew whether he is in regular contact with ByteDance, including its CEO and legal team. (He is.) Rep. Burgess (R-TX) asked whether ByteDance’s legal team helped Chew prepare for the hearing, to which Chew responded that his phone was “full of well wishes.” (He later affirmed their assistance to Rep. Griffith (R-VA).) Some members also asked about the political affiliations of ByteDance employees, which Chew claimed not to know, and how extensive the Chinese government’s control is over ByteDance. Still others asked whether the Chinese government would approve a sale of TikTok, to which Chew responded that he could not answer hypotheticals. (China has since stated that it would oppose any forced sale). Many representatives also asked Chew about TikTok’s finances and Chew’s own financial connections to ByteDance. He generally refused to answer.

  • Connection to the Chinese Government

A common theme among members was censorship. Many expressed concern over the CCP’s ability to erase content regarding certain events – specifically, videos on China’s human rights violations, its treatment of the Uyghur population, and even the Tiananmen Square massacre. Several also pointed to reports that a TikTok employee stated “everything [i.e., data] is seen in China.” Chew said he was unaware of the statement, and disagreed with it. Rep. Johnson (R-OH) asked whether the CCP could gain access to U.S. user data through the source code or if TikTok had the capacity to change the source code. Chew used one of his prepared (and often repeated) answers, explaining that the source code is a global collaborative effort, an answer that did not respond to the question.

  • Data Protection

Another hot topic was whether and what types of data TikTok collects and sells. Some members, such as Rep. Tonko (D-NY), raised concerns about the collection of sensitive data, such as health and geolocation information. Rep. Joyce (R-PA) discussed the tracking of keystrokes. A handful of members, such as Rep. Dunn (R-FL), equated TikTok’s data collection with the CCP’s “spying” on Americans, a characterization that Chew rejected. Others asked Chew to commit to refraining from selling data at all. Chew often answered that TikTok does not collect any more data than other companies. Rep. Schakowsky (D-IL) explained that that is not a good standard.

In addition, Rep. Pallone asked Chew to commit to various requirements in the ADPPA and when Chew demurred, cited this as evidence of TikTok’s ill-intent as to privacy. Rep. Obernolte (R-CA) (a former video game developer) used his time (and time yielded to him by other members) to ask questions about the software code, where the programmers are located, and how easily the code could be compromised, even after Project Texas.

  • Project Texas

Chew evaded many questions about what is happening with U.S. users’ data now and relied on Project Texas to explain what will happen in the future. Members stated that this plan is not enough. Rep. Pallone and others, such as Rep. Fulcher (R-ID), explained that they believe the CCP would or could still control and influence what TikTok does. Rep. Eshoo (D-CA) emphasized her continuing concerns about what data the CCP or TikTok employees in China may have already, with Rep. Hudson (R-NC) expressing particular concern about TikTok tracking the location of military families.

  • Targeted Advertising

When asked by Rep. Castor (D-FL) and others whether TikTok would prohibit targeted marketing to people under the age of 17, Chew responded (as he did to many other questions) that he would get back to the committee.

  • Harmful Content and Misinformation

In a particularly notable moment, Rep. Cammack (R-FL) played a video depicting gun violence and death threats against Chairwoman Rodgers. The video had been up on TikTok for 41 days and had yet to be removed (although it was finally taken down after the hearing), highlighting TikTok’s inability to effectively monitor harmful content. Rep. Bilirakis (R-FL) also showed a video displaying harmful “challenges” that go viral, stating that these are threats to minors that TikTok can’t or doesn’t control.

Rep. DeGette (D-CO) raised concerns about people looking for information on topics such as abortion, and finding harmful misinformation. Rep. Veasey (D-TX) cited election misinformation published on TikTok. Chew responded that TikTok invests a significant amount to try to limit these harmful or incorrect results. Others, such as Rep. Cardenas (D-CA), Rep. Barragán (D-CA), and Rep. Ruiz (D-CA), sought information regarding content control for TikTok’s Spanish-speaking audience, and asked how, if TikTok can't control harmful content in English, it will be able to monitor and remove such content in Spanish. Chew said he would have to get back to them.

  • Children

TikTok’s community guidelines and publication of harmful content directed at children came under fire a number of times. Members raised questions about TikTok being used as a platform for trafficking, fentanyl and drug purchases, and other harms such as the promotion of eating disorders and suicide. Chew explained that TikTok is not perfect, but that the code redirects certain search terms to resource pages – i.e., if you search “#drugs,” it directs you to a drug information resource. Rep. Craig (D-MN) pointed out that a teen looking to buy drugs is likely too savvy to simply search “#drugs.”

Another topic discussed was Section 230 immunity. Rep. Latta (R-OH) expressed concern that TikTok enjoys Section 230 immunity for the dangerous and deadly challenges that it promotes and pushes onto children’s “For You” pages. Chew explained that this is an industry problem (another repeated answer that appeared to frustrate members). Chew also said that freedom of speech is important, while also recognizing that companies need to raise the bar.

Chew explained that TikTok does not advertise to children under 13, who have an entirely different experience than adults on the app. He also touted the 60-minute time limit (which in practice is simply a notification to minors that they have been using the app for 60 minutes). Chew also explained that currently, TikTok employs “age-gating,” where the user is asked how old they are in order to determine what settings apply to the account. Rep. Kuster (D-NH), among others, pointed out how easy this is for children and teens to bypass.

Rep. Sarbanes (D-MD) cited concerns about TikTok’s effects on the brain, and specifically, the impact that algorithm recommendations have on the mental and behavioral health of kids and teens.

  • Algorithmic Accountability

Several members, including Rep. Matsui (D-CA) and Rep. Dingell (D-MI), called for greater transparency in the use of algorithms, and suggested that TikTok submit reports regarding its algorithms to the FTC. Matsui also recommended that TikTok have special algorithmic policies for sensitive information, such as when the algorithm suggests information on depression or extreme sports. Rep. Clarke (D-NY) said that there should be transparency for algorithms to ensure they are not operating with bias or in a discriminatory manner. Although Chew had cited transparency as one of TikTok’s commitments, his position on these specific issues was not clear.

Other members in attendance included Reps. Guthrie (R-KY), Walberg (R-MI), Carter (R-GA), Palmer (R-AL), Curtis (R-UT), Rochester (D-DE), Lesko (D-AZ), Soto (D-FL), Pence (R-IN), Schrier (D-WA), Trahan (D-MA), Armstrong (R-ND), Balderson (R-OH), Fletcher (R-TX), Weber (R-TX), Allen (R-GA), Peters (D-CA), Pfluger (R-TX), Harshbarger (R-TN), Miller-Meeks (R-IA), Duncan (R-SC), and Crenshaw (R-TX).

* * *

By all accounts, Chew failed to assuage members’ concerns about TikTok (and is likely still recovering from his five+-hour drubbing). The question now is what will Congress actually do? Legislative proposals in the House and Senate take different approaches, ranging from forcing ByteDance to sell TikTok to establishing a process for evaluating whether a sale or a ban in the U.S. is needed. Another question is whether concerns about TikTok could help light a fire under perennially-stalled federal privacy legislation. Stay tuned as we continue to track these and other developments related to privacy.

Webinar Invitation: Surviving FTC’s Assault on Noncompetes
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/webinar-invitation-surviving-ftcs-assault-on-noncompetes
Mon, 23 Jan 2023 15:13:07 -0500

Join Kelley Drye in a discussion to explore how the FTC’s proposed ban may impact your company and get practical tips on how employers can prepare for a world with endangered noncompetes.

We will cover the following topics:

  • What exactly would the proposed rule prohibit?
  • Could a rule this sweeping become final?
  • What can we expect in the next several months?
  • What should employers do to prepare?

To RSVP for this webinar, please click here.

FTC Proposed Ban of Noncompetes: Practical Guidance For Employers
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/ftc-insights-how-employers-can-prepare-for-a-world-without-noncompetes
Tue, 17 Jan 2023 12:35:15 -0500

The Federal Trade Commission’s (“FTC”) proposed rule banning the use of non-competes with employees and workers could regulate nearly every employer in the nation. If a final rule emerges from this proposal, it could potentially prohibit non-disclosure, non-solicitation, and non-recruitment agreements and functional non-compete clauses. How can individual firms and industry groups alike weigh in on one of the most substantial regulatory actions facing employers right now? And what should businesses do to prepare? Kelley Drye’s Labor and Employment practice shares practical guidance to help employers prepare for a world without noncompetes.

Mark Konkel, chair of Kelley Drye’s Labor and Employment practice, details what employers need to know - https://www.labordaysblog.com/2023/01/ftc-insights-how-employers-can-prepare-for-a-world-without-noncompetes/

On Notice: “Notice at Collection” and Privacy Policy Requirements Under the CPPA’s Draft Regulations
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/on-notice-notice-at-collection-and-privacy-policy-requirements-under-the-cppas-draft-regulations
Thu, 30 Jun 2022 07:06:28 -0400

Among the many details to absorb in the draft amendments to the CCPA regulations published by the California Privacy Protection Agency (“CPPA”) on May 27 (the “Draft Regulations”) are new and prescriptive disclosure requirements for notices at collection and privacy policies. While these disclosure provisions (and all of the other provisions of the Draft Regulations) are subject to further changes, it is important that businesses begin to assess carefully these provisions and devise strategies for operationalizing compliance with them, especially since disclosures provide some of the most visible signals of CCPA compliance.

In this post, we summarize the Draft Regulations’ disclosure provisions and outline steps for businesses to consider taking to prepare for these requirements.

New Disclosure Requirements

Citing a CCPA provision that authorizes regulations to ensure that notices and information required under the CCPA are provided to consumers at the appropriate time and in a manner that may be “easily understood by the average consumer,” the Draft Regulations would create new disclosure requirements for any business engaged in the collection of consumers’ personal information.

Notice at Collection

The Draft Regulations, citing a declared purpose in the CPRA of enabling consumers to “exercise meaningful control” over businesses’ use of their information, would require businesses to provide additional details about certain aspects of their information practices at or before the point of collection. These provisions include new requirements governing first parties’ and third parties’ notice at collection disclosures.

  • Required Content of a Notice at Collection. Building on existing requirements under the CCPA, the Draft Regulations would require a business to include the following information in its notice at collection:
    • the categories of personal information collected, including sensitive personal information;
    • the purposes for which the categories of personal information are collected and used;
    • whether the categories of personal information listed are sold or shared;
    • the length of time the business intends to retain each category of personal information listed (or the criteria used to determine the retention period);
    • a link to the business’ notice of the right to opt out of the sale/sharing of personal information (or, in the case of an offline notice, where the webpage can be found online);
    • if the business allows third parties to control the collection of personal information on its property, the names of all such third parties or information about their business practices; and
    • a link to the business’ privacy policy (or, in the case of an offline notice, where the privacy policy can be found online).
  • Presentation of the Notice at Collection. The Draft Regulations also prescribe how a business must present its notice at collection. According to the Draft Regulations, it is insufficient to direct consumers to the top of a privacy policy or to require consumers to scroll to find the notice at collection disclosures. Instead, a business must include a link that takes consumers directly to the section of its privacy policy that includes the required information. The link to the notice at collection must be made “readily available where consumers will encounter it at or before the point of collection.” As an example, the Draft Regulations provide that, when a business collects personal information from a consumer via a webform, it should include a “conspicuous link” to the notice at collection in “close proximity” to either the fields where the consumer enters his/her personal information or the button the consumer hits to submit his/her personal information.
  • First and Third Party Disclosures. Based on the view that “more than one business may control the collection of a consumer’s personal information, and thus, have an obligation to provide a notice at collection,” Section 7012(g) of the Draft Regulations would require a business to include in its notice at collection extensive information about third parties that “control” the collection of personal information. In particular, the Draft Regulations provide that if a business owns a physical or digital property from which consumers’ personal information is collected (a “first party”) and allows third parties to control the collection of personal information on its property, the business must include in its notice at collection either (i) the name of all such third parties or (ii) details about such third parties’ “business practices” (which the third parties would be required to provide to the first party). Additionally, the Draft Regulations provide that if a third party collects information from the first party’s physical premises, the third-party business must provide a notice at collection “in a conspicuous manner” at the physical location(s) where it collects the information.

Privacy Policy

The Draft Regulations would also require businesses to include more granular disclosures in their privacy policies. These requirements include:

  • a detailed description of the business’ online and offline information handling practices, including a statement indicating whether the business uses or discloses sensitive personal information for purposes other than those enumerated in Section 7027(l);
  • details about the rights consumers have with respect to their personal information under the CCPA, as amended by the CPRA (which we will discuss in a subsequent blog post);
  • an explanation of how consumers can exercise their rights and what they can expect from the process, including details about how the business processes opt-out preference signals;
  • the date the privacy policy was last updated; and
  • the business’ consumer rights requests metrics for the previous calendar year (or a link to such information), where applicable.

Takeaways

While the CPPA may revise the Draft Regulations before they are finalized, the direction toward more detail in notices at collection and privacy policies – particularly about third parties – seems clear. Satisfying the notice at collection requirements in the Draft Regulations would likely present significant challenges. While the Draft Regulations provide businesses with some flexibility in terms of how they disclose the presence of third parties on their properties, presenting all of the required information in a clear and meaningful manner to consumers could be difficult. Additionally, the need to disclose extensive information about third parties could interfere with consumers’ online experiences.

To prepare for these potential changes, a valuable step for many businesses would be to take stock of the third-party information collection occurring on their sites and in their apps and to consider how to provide more detailed disclosures to consumers in a concise, intelligible, and easily accessible form.

Stay tuned for additional blog posts in which we will summarize how the Draft Regulations contemplate some of the CPRA’s other amendments to the CCPA.

* * * *

Join us today for State Attorneys General 102.

Update on “Three Corners” Federal Privacy Bill: Still Moving Forward, Cloudy Skies Ahead, FTC On Deck
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/update-on-three-corners-federal-privacy-bill-still-moving-forward-cloudy-skies-ahead-ftc-on-deck
Mon, 27 Jun 2022 10:00:52 -0400

For those not following every detail regarding the progress of the “three corners” federal privacy bill, here’s a summary of where things stand.

In brief, on June 23, the House E&C Consumer Protection Subcommittee held a markup during which it considered a substitute version of the bill (HR 8152), approved it by voice vote, and forwarded it to the full E&C Committee for consideration. The amended bill contains a host of changes, many of which push it in a more business-friendly direction. Senate Commerce Chair Cantwell is more critical of the bill than ever, and has told the media that she won’t take it up in the Senate without substantial improvements. Meanwhile, the FTC, not to be forgotten, released another notice stating that it intends to launch its “commercial surveillance” rule in June 2022. (Yeah, this month.)

That may be all that many of our readers need to know. However, for more details, read on!

The Amended Bill

As noted above, the amended bill contains lots of changes – some small, some big, and some just moving text around. A few of the changes enhance protections for consumers, but most create more flexibility for businesses. Here are some of the changes that jumped out at us:

  • The amended bill completely revamps its approach to service providers and third parties. Instead of imposing multiple obligations on these entities directly, the bill moves closer to the GDPR-style approach of characterizing these entities as “processors” whose obligations flow primarily from the contracts with, and/or disclosures of, the first parties from whom they receive data. These changes appear in the service provider/third party provisions (§302) and elsewhere, too. For example, each provision in the bill now specifies whether it applies to service providers and/or third parties (most don’t), and the bill now defines “covered entity” as an entity or person that “alone or jointly with others determines the purposes and means of collecting, processing, or transferring covered data…” §2(9)
  • The new bill provides more leeway to engage in marketing and advertising. Of note, it adds exceptions for first party marketing and targeted advertising to the data minimization provisions (§101(b)(11) & (12)); deletes “online activities” from the sensitive data category (§2(24)); and allows the collection and processing of sensitive data, without opt in, to provide a product or service requested by an individual and for a range of other permissible purposes. §102(a)(2) (Transfers still require opt in, subject to limited exceptions. §102(a)(3)). Other provisions remain somewhat confusing in this regard. For example, the bill now excludes first party marketing from the opt out of data transfers (§204(b)(2)) but not targeted advertising. §204(c) Further, even as the bill deletes online activities from the sensitive data category, it now requires opt in for, not just the transfer, but also the collection and processing of aggregated internet search or browsing history. §102(a)(4)
  • The bill also exempts from coverage government agencies and their service providers (§2(9)(C)); broadens the exceptions for small businesses (§209); expands the provisions allowing loyalty programs (§104(b)(2)); and limits the PRA to actual damages (vs. compensatory damages). §403(a)(2) On the other hand, it expands the restrictions on “dark patterns” (§§203(b) & 204(d)); requires the FTC to develop a Unified Opt Out (i.e., no study needed) (§210); authorizes enforcement by not just state AGs, but also other “State Privacy Authorities” (§402); and settles on a “knowledge” standard (in lieu of “actual knowledge”) for determining who is a minor, with some important caveats. §205

The Markup

The markup was fairly quick and uneventful. Members on both sides of the aisle noted their support for the bipartisan effort and stressed that the bill is not the final product. Two Republicans offered amendments – Rep. Lesko to address political bias by the platforms, and Rep. Armstrong to address concerns about the enforcement, preemption, and PRA schemes – but both agreed to withdraw them in the interest of getting the bill to the full Committee. The full Committee could mark up the bill – likely, another substitute amendment – after the House’s July 4th recess.

The Challenges Ahead

Despite quick action by the Subcommittee, the bill still faces daunting challenges with little time to resolve them. It’s late June in an election year. Some of the issues raised in response to the “discussion draft” haven’t been addressed – including, as Chairman Pallone noted at the hearing, concerns about preemption and the PRA. In addition, the changes in the amended bill create additional questions that will need to be resolved.

Perhaps the darkest cloud over the bill is the lack of support from Senator Cantwell (and her Democratic colleagues Sens. Wyden, Blumenthal, and Schatz, too). While Cantwell was critical of the “discussion draft,” she has excoriated the revised bill, telling the Washington Post and other news outlets that it has “enforcement loopholes,” that it’s “too weak” to justify preempting state privacy laws, and that Schumer backs her decision not to even bring up the bill in the Senate. (In comments to a reporter last week, her staff also cited concerns about women’s privacy in light of the then-likely, now official, reversal of Roe v. Wade.) Meanwhile, the frustration among the bill’s sponsors is palpable, with Rep. Schakowsky snapping back at Cantwell in the press, and all of the sponsors urging Cantwell to come to the table. Without Cantwell’s support, the bill has little or no chance of becoming law.

FTC Privacy Rulemaking Imminent

Meanwhile, in an updated filing with OMB, the FTC just announced that it will launch its “commercial surveillance” rulemaking this month by issuing an Advance Notice of Proposed Rulemaking with a 60-day comment period. As a reminder for our readers, the rulemaking would follow Mag-Moss rulemaking procedures, and would be designed to “curb lax security practices, limit privacy abuses, and ensure that algorithmic decision-making does not result in unlawful discrimination.” Per Mag-Moss procedures, the ANPR will seek public comment but will not yet propose rule text.

If the FTC keeps to this schedule, that means that we will see the ANPR this week. So, for folks who are already whipsawing between privacy developments in California, Colorado, Europe, and Congress (with big news often announced on Friday nights), add this to your late-night reading list. The FTC announcement also confirms that, even if HR 8152 falters, the FTC plans to run with the ball on privacy, perhaps emboldened by the bipartisan efforts and shared concerns that propelled HR 8152 forward.

We’ll continue to track privacy developments at the federal and state level here.

* * *

Join us June 30 for State Attorneys General 102 which answers a number of questions regarding:

  • Pre-suit/investigation notice requirements for Attorneys General
  • Additional information on the scope of Attorneys General investigative authority and how to challenge an investigation
  • Consumer Complaints: differences among the AGs on handling and use

Register here

Update: Chair Cantwell Introduces S. 4145, A One-Sided 13(b) Fix
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/update-chair-cantwell-introduces-s-4145-a-one-sided-13b-fix
Thu, 05 May 2022 20:17:51 -0400

On Wednesday, we described draft legislation circulating in the Senate Commerce Committee that would have given the Federal Trade Commission almost unfettered authority to enjoin permanently any act, practice or method of competition that did not meet its approval. https://www.adlawaccess.com/2022/05/articles/senate-commerce-committee-chair-pushes-one-sided-13b-fix/ All the Commission would need to do is show that a reasonable person had fair notice that the conduct “could” violate the FTC Act.

Senator Cantwell has now introduced the bill and it’s more one-sided today than it was in draft form. The need to show fair notice of even a possible violation is gone.

S. 4145, the “Consumer Protection Remedies Act,” was introduced by Chair Cantwell last night, with co-sponsors Senators Klobuchar (D-MN), Warnock (D-GA), and Lujan (D-NM). If this bill becomes law, to stop a practice, the Commission would merely need to persuade a judge that “the public interest” is on the FTC’s side. That is effectively no standard at all.

At least defendants will have an opportunity to argue that the Commission cannot obtain money until it proves a violation of some law the FTC enforces. The bill says that restitution, disgorgement, and rescission or reformation of contracts are available only in suits with respect to a violation of a provision of law enforced by the Commission.

The Cantwell bill no longer confines relief under Section 13(b) to violations that are occurring or about to occur. Any violation within the past ten years remains exposed to monetary recovery. This doubles or triples the period for which the Commission can seek money.

In short, S. 4145 gives the Commission virtually unlimited authority to enjoin methods of competition, marketing practices, privacy protections, and information-security practices. And it would expose a decade of revenues to the agency’s monetary demands. The “Consumer Protection Remedies Act” would not simply streamline the procedures in the FTC Act; it would expand the Commission’s powers, handcuff the courts, and leave American businesses wondering when their conduct might run afoul of three Commissioners’ interpretation of the public interest.

Expect some movement next week in advance of the Commerce Committee markup, with Senator Lee likely to offer an amendment in the nature of a substitute. With 14 Democrats and 14 Republicans on the Committee, however, a party line vote would allow the Cantwell bill to advance. But once it does, it likely loses traction. Without 60 votes as a stand-alone on the Senate floor, Chair Cantwell would need to slip this into must-pass legislation for it to become law.

Russia Sanctions Updates
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/russia-sanctions-updates
Thu, 24 Feb 2022 13:22:54 -0500

Given the rapidly evolving situation in Ukraine, we thought it would be helpful to offer our AdLaw Access readers a link to the ongoing guidance being published by our Export and Sanctions Team at Kelley Drye. For more information on the situation and how it may impact your business, please contact our Export and Sanctions Team - Rob Slack at [email protected] or Eric McClafferty at [email protected].

If you would like to receive daily updates from our sanctions team, please contact Heather Tighe ([email protected]).

Our International Trade Practice also maintains the Trade and Manufacturing Monitor blog.

A New Federal Privacy Law Could Come from an Unexpected Place
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/a-new-federal-privacy-law-could-come-from-an-unexpected-place
Sun, 06 Feb 2022 11:07:58 -0500

As we continue to watch the slow motion, often circular efforts in Congress to develop and enact comprehensive privacy legislation, federal action on privacy could end up coming from some surprising places.

By this, we mean it might not come from Senators Cantwell or Wicker, who have championed the leading, competing privacy bills in the Senate Commerce Committee over the past few years. Nor from Senator Wyden, who just re-introduced his bill to create algorithmic accountability – or from the House and Senate members who just proposed to ban most third-party targeted advertising. And it might not even come from Senators Markey and Cassidy, who support stronger privacy protections for kids and teens, an area of relative consensus among the parties.

Instead, while privacy watchers have their eyes on all of the expected places, the action might come from somewhere else.

Antitrust Bills

Notably, two bipartisan Senate antitrust bills – both already marked up in committee – contain privacy provisions applicable to the tech platforms and virtually the entire app marketplace.

The first bill (The American Innovation and Online Choice Act, S. 2992) is designed to prevent dominant tech platforms from giving preference to their own products and services. The bill, sponsored by Senators Klobuchar and Grassley, would accomplish this chiefly by giving other companies interoperability and access to the platforms so they can reach the platforms’ users and have an opportunity to compete.

The original version of the bill addressed privacy in a limited way – allowing the platforms to assert, as an affirmative defense to law enforcement, that any actions they took in apparent violation of the law were narrowly tailored, non-pretextual steps necessary to protect safety, user privacy, and the security of the platform or nonpublic data. But after critics of the bill argued that more privacy protections were needed, the committee approved an amendment clarifying that the bill:

  • Does not require the platforms to interoperate or share data with anyone on a federal government list (1) prohibiting them from engaging in U.S. economic transactions or (2) identifying them as national security, intelligence, or law enforcement risks;
  • Does not prohibit the platforms from obtaining users’ consent before sharing non-public personally identifiable data with other entities; and
  • Does not prevent the platforms from offering full end-to-end encryption for products that allow communication between users.

The proposed law would be enforced by the FTC, DOJ, and the State Attorneys General.

The second bill (The Open Markets Act, S. 2710) is designed to increase competition by requiring the largest app stores (Apple and Google) to provide greater access to other app stores and third party apps, and to reduce the controls (and fees) Apple and Google impose on these entities. As before, the original version of the bill contained minimal privacy protections, so the sponsors here (Senators Blumenthal, Blackburn, and Klobuchar) offered a privacy amendment during the markup.

The amendment makes clear that the bill would not prevent platforms from imposing narrowly-tailored and non-pretextual actions “necessary to achieve user privacy, security, or digital safety,” which are defined to include:

  • Allowing a user to opt-in, and providing information about risks, prior to enabling installation of third party apps or app stores;
  • Removing malicious or fraudulent apps or app stores from users’ devices;
  • Providing an end user with the technical means to verify the authenticity and origin of third party apps or app stores; and
  • Providing an end user with the option to limit the collection and sharing of data with third party apps or app stores.

The FTC, DOJ, the State AGs, and app developers can all sue under the law.

Whether these bills will be enacted, and in what form, remains uncertain – particularly given some concerns that have been expressed by more tech-friendly Democrats. However, it seems clear that privacy issues are now in play as policymakers consider antitrust legislation. Further, it’s notable that two antitrust bills (with privacy provisions in them) have made it through committee markup with strong bipartisan support, while copious privacy bills are…well… still being discussed.

In short, the next action Congress takes on privacy could very well occur within the context of antitrust legislation.

Republican Privacy Action Post Midterms?

Another possibility is that the Republicans (if they win the Senate, House, or both in the midterms) could take control of the privacy debate and pass legislation.

Until a few years ago, Democrats were generally the drivers on federal privacy legislation, with Republicans arguing that it would stifle innovation and hurt the U.S. economy. However, the States’ enactment of privacy laws, as well as pressure from the EU and the GDPR, have changed the dynamic considerably.

Republicans and their constituencies now badly want a federal privacy law to create a national standard (with some level of state preemption), prevent or strictly limit private rights of action, shore up our position internationally, and protect our critical infrastructure. A recent letter from Senate and House Republican committee leaders to President Biden makes this perfectly clear. So does the widespread and growing support for federal privacy legislation among industry members.

So as we proceed through 2022 towards Congressional elections, stakeholders on all sides of the debate should keep in mind that if the current Democratic majority doesn’t pass a federal privacy law, a potential Republican majority just might, potentially drawing support from moderate Democrats seeking a solution on this critically important but unresolved issue. Perhaps the Wicker bill – with broad preemption and no private right of action – could emerge triumphant after all. For those that support middle-grounds on these issues, maybe now is the time to get serious about finding compromise.

We will continue to monitor developments in this space and post updates as they occur.

Targeted Advertising in the Crosshairs: New Bill Seeks to Ban Many Forms of Targeted Advertising https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/targeted-advertising-in-the-crosshairs-new-bill-seeks-to-ban-many-forms-of-targeted-advertising https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/targeted-advertising-in-the-crosshairs-new-bill-seeks-to-ban-many-forms-of-targeted-advertising Thu, 20 Jan 2022 14:36:21 -0500

Background

On Tuesday, Congressional Democrats unveiled a new bill to outlaw a wide swath of targeted advertising. The Banning Surveillance Advertising Act would prohibit ad tech companies from using consumers’ personal information to target ads, with limited exceptions. It also would prohibit advertisers from using third party data, or data about a person’s membership in a protected class, to target ads. The bill would authorize the FTC, state attorneys general, and private litigants to enforce the law, and the FTC to write rules implementing it.

The effort, led by Senator Cory Booker (D-NJ) and Congresswomen Anna Eshoo (D-CA) and Jan Schakowsky (D-IL), arrives at a time of unprecedented regulatory developments impacting the ad tech industry – most notably, the enactment of new state privacy laws in California, Virginia, and Colorado with provisions regulating the industry. While these privacy laws have focused on giving consumers the opportunity to make choices about data sharing for purposes of targeted advertising, the Banning Surveillance Advertising Act would place blanket prohibitions on such advertising. As we describe here, the FTC has also announced that it is developing a rule targeting “surveillance-based business models,” though the contours of that rule are still unknown.

In a press release, Senator Booker explained his view that “surveillance advertising is a predatory and invasive practice. The hoarding of people’s personal data not only abuses privacy, but also drives the spread of misinformation, domestic extremism, racial division, and violence.” Echoing Booker, Rep. Eshoo said that the practice “fuels disinformation, discrimination, voter suppression, privacy abuses, and so many other harms.” Rep. Schakowsky, who chairs the House Energy and Commerce Consumer Protection Subcommittee, said the practice “exacerbates manipulation, discrimination, misinformation, and extremism.”

Given the dramatic changes that the bill would impose on the marketplace, it is not surprising that industry groups have already criticized it forcefully. In a press release today, IAB stated that the bill would “disenfranchise businesses that advertise on the Internet, and hundreds of millions of Americans who use it every day to find exactly what they need, quickly,” and that it could “eliminate the commercial internet almost entirely.”

Contextual Ads Would Be Permitted

In a background brief, the legislators wrote that they recognize certain benefits of advertising online, but believe that advertisers do not need to use personal data to effectively target advertising. “Advertising enables many of the ‘free’ internet products that exist today, and it enables small businesses, nonprofits, and challenger politicians to cheaply reach customers, funders, and voters,” the legislators wrote. But, according to the brief, “targeted ads only yield a 4% bump in efficacy for advertisers over contextual ads” (i.e., ads based on the content of a website the consumer is viewing, as opposed to the consumer’s personal information or browsing history). As a result, the bill would allow contextual advertising.

Some First-Party Ads Would Be Permitted

As drafted, the bill focuses primarily on banning targeted advertising based on third party data rather than first party data. For example, brands would be able to target their own customers using first party data but not third party data. Brands also would be able to provide ad tech companies with first party data for targeted advertising (including for purposes of re-targeting), as long as the advertiser certifies to compliance with the proposed law. However, the bill would strictly prohibit any targeting by advertisers that is based on an individual’s membership in a protected class.

The bill also focuses on targeting consumers based on “personal information,” defined as data linked or reasonably linkable to an individual or a connected device. This definition appears to leave room for targeted advertising based on data that has been de-identified in some form.

Here’s a summary of what would be banned and permitted under the new legislation:

Summary of Conduct that Would Be Banned

  • Ad tech companies could not build segments with third party data: This means they could not provide advertisers or third parties with personal information for purposes of targeting the dissemination of ads, including: (1) lists of individuals or devices; (2) contact information; (3) unique identifiers; and other personal information, such as browsing history.
  • Advertisers could not target ads based on protected classes: Protected classes would include actual or perceived race, color, ethnicity, national origin, religion, sex, sexual orientation, gender identity, gender expression, familial status, or disabilities.
  • Advertisers could not target ads based on third party data: Such data would include information from data brokers.
  • Advertisers could not hire an ad tech company to target ads based on third party data: This means that ad tech companies could not (a) target ads based on third party data or (b) enable an advertiser or a third party to do so.

Summary of Conduct that Would Be Permitted

  • Advertisers could target ads based on first party data: The bill does not restrict this practice, as long as the ads are not targeted to protected classes.
  • Advertising could be targeted to a general location: The bill specifically exempts advertising based on an individual’s general location (i.e., state or municipality but not zip code).
  • Contextual advertising: Ad tech companies could still facilitate dissemination of ads based on context or search terms. However, they would not be able to use information they collect from contextual advertising to target additional ads.
  • Hiring an ad tech company to target ads based on first party data: This would be permitted, but only if the ad tech company provided written attestation to the advertiser that the ads were not targeted based on protected classes or third party data.
  • Targeting advertising using non-personal information: As noted above, the bill likely leaves room for ad tech providers to develop ways to target advertising without using personal information that identifies or can identify an individual or device. If enacted, the legislation could accelerate efforts by some companies to develop ad targeting without use of personal information, using privacy enhancing technologies like targeting based on cohorts or secure multiparty computation.

* * *

The prospects for Congress actually enacting this bill (or a similar one) are not at all clear at this time. However, the bill is yet another sign that digital advertising is under scrutiny, and that policymakers are pushing companies to provide greater transparency and more robust privacy protections for the collection, use, and sharing of consumers’ personal data for advertising purposes.

We will continue to track data privacy bills as they make their way through the legislative process and post updates here.

Privacy Priorities for 2022: Legal and Tech Developments to Track and Tackle Wednesday, January 26 at 4:00pm ET/ 1:00pm PT

Privacy compliance is a daunting task, particularly when the legal and tech landscape keeps shifting. Many companies are still updating their privacy compliance programs to address CCPA requirements, FTC warnings on avoiding dark patterns and unauthorized data sharing, and tech platform disclosure, consent, and data sharing changes. But in the not too distant future, new privacy laws in California, Colorado, and Virginia also will go into effect. Addressing these expanded obligations requires budget, prioritizing action items, and keeping up to date on privacy technology innovations that can help make some tasks more scalable.

This joint webinar with Kelley Drye’s Privacy Team and Ketch, a data control and programmatic privacy platform, will highlight key legal and self-regulatory developments to monitor, along with practical considerations for how to tackle these changes over the course of the year. This will be the first in a series of practical privacy webinars by Kelley Drye to help you keep up with key developments, ask questions, and suggest topics that you would like to see covered in greater depth.

Colorado and Delaware Automatic Renewal Laws Take Effect in 2022 https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/colorado-and-delaware-automatic-renewal-laws-take-effect-in-2022 https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/colorado-and-delaware-automatic-renewal-laws-take-effect-in-2022 Tue, 30 Nov 2021 12:31:38 -0500 Subscription services and other automatic renewals continue to be a hot topic, at both the federal and state levels. The FTC recently announced that it was going to increase its enforcement against companies that don’t comply with the law, while various states have been updating or passing new laws. Next up are new laws in Colorado and Delaware.

The key requirements are largely consistent with the ones highlighted by the FTC (and which are also reflected in other state statutes):

  • Disclosure: Marketers must clearly and conspicuously disclose key terms, such as that the contract will automatically renew unless a consumer cancels, the length of the term, the amount of the charges, and the cancellation policy.
  • Consent: Marketers must get consent to the autorenewal terms.
  • Reminders: Marketers must send reminders before a contract renews within a specified timeline. The reminders must generally inform consumers that the subscription will renew unless cancelled, and provide cancellation instructions.
  • Cancellation: Marketers must establish an easy-to-use cancellation mechanism. For example, if consumers sign up online, they should generally be able to cancel online.

It’s important to note that although automatic renewal laws have similar requirements, they can differ in important ways. For example, although the Colorado law applies to most subscription plans, the Delaware law only applies to subscriptions that involve “merchandise,” though that term is still defined pretty broadly. And although the Colorado law can only be enforced by the state AG or DAs, the Delaware law also includes a limited private right of action.

Both laws will take effect on January 1, 2022. As our colleagues wrote in a recent post, this is an area where we expect to see more aggressive AG enforcement.

California Updates its Automatic Renewal Law https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/california-updates-its-automatic-renewal-law https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/california-updates-its-automatic-renewal-law Tue, 19 Oct 2021 17:06:36 -0400 In 2017, California updated its automatic renewal law to create some of the strictest requirements in the country. Now, just four years later, Governor Newsom signed a new law that will impose even stricter requirements.
  • Requirements for Free Trials: If a program includes a free or discounted trial period of 31 days or more, unless the consumer cancels, a business must send consumers a reminder that the service will renew, the length of the renewal term, and how to cancel. This notice must be sent between three and 21 days before the expiration of the trial period.
  • Requirements for One-Year Terms: If a program has an initial term of one year or longer, a business must send a reminder that includes similar information as what is required for free trials. This notice must be sent between 15 and 45 days before the expiration of the term.
  • Cancellation Requirements: Existing law states that consumers must be allowed to cancel online if they were able to sign up online. The new law adds to this requirement. For example, for subscriptions a customer can purchase online, a business must provide a cancellation option via a prominent link which may be located within a customer account or profile, device or user settings, or via an immediately accessible termination e-mail provided by the business that a consumer can send without additional information.
The revised law will replace the existing one and will go into effect on July 1, 2022. Companies will need to think about what changes they need to make to their programs to comply. This is an area that gets a lot of attention from regulators and class action attorneys, so the consequences of getting things wrong can be significant.

California Imposes New Restrictions on Recyclability Claims https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/california-imposes-new-restrictions-recyclability-claims https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/california-imposes-new-restrictions-recyclability-claims Tue, 12 Oct 2021 06:00:32 -0400 Last week, California’s Governor signed a law that will likely impose significant limitations on companies’ abilities to make recyclability claims or use the popular “chasing arrows” symbol in California.

The law states that using a “chasing arrows symbol, a chasing arrows symbol surrounding a resin identification code, or any other symbol or statement” on a product or package to indicate that it is recyclable, “or otherwise directing the consumer to recycle the product or packaging” is deceptive or misleading, unless the product or package is considered recyclable pursuant to specific criteria to be developed by the state’s Department of Resources Recycling and Recovery.

The Department is required to publish standards on or before January 1, 2024, specifying what sorts of material types and forms are considered recyclable. Among other things, the material type and form must be collected by recycling programs for jurisdictions that collectively encompass at least 60 percent of the population of California, and they must be sorted into defined streams for recycling processes by large volume transfer or processing facilities. The standards will be updated every five years.

Fortunately, the law provides a grace period for products or packages that are manufactured up to 18 months after the Department issues its standards. A similar 18-month grace period will be available after each five-year update, provided that a product or package met the recyclability requirements under the previous version of the standards. There are also other narrow exemptions for items that are covered by other state recycling laws, such as certain kinds of batteries and beverage containers.

The new law will create challenges for marketers because it is likely that a product that could be advertised as “recyclable” under the FTC’s Green Guides will not be able to be advertised as such in California. That said, the FTC has indicated that it will initiate a review of the Green Guides in 2022. Although it’s too early to predict what will come out of that review, it wouldn’t be surprising if the Commission also updates its standards for “recyclable” claims. Stay tuned.

Hope Emerges at Senate Data Security Hearing – But Will Congress Grab the Brass Ring? https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/hope-emerges-at-senate-data-security-hearing-but-will-congress-grab-the-brass-ring https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/hope-emerges-at-senate-data-security-hearing-but-will-congress-grab-the-brass-ring Sun, 10 Oct 2021 10:25:23 -0400 On October 6, 2021, the Senate Commerce Committee conducted its second in a series of hearings dedicated to consumer privacy and data, this time addressing Data Security. Similar to last week’s privacy hearing, the witnesses and Senators appeared to agree that federal data security standards – whether as part of privacy legislation or on their own – are urgently needed. If there were to be consensus around legislative principles, the hearing provides clues about what a compromise might look like.

Prepared Statements. In their opening statements, the witnesses emphasized the need for minimum standards governing data security.

  • James E. Lee, Chief Operating Officer of the Identity Theft Resource Center, explained that without minimum requirements, companies lack sufficient incentives to strengthen their data security practices to protect consumer data. Lee also advocated for more aggressive federal enforcement rather than the patchwork of state actions, which, he said, produce disparate impacts for the same conduct.
  • Jessica Rich, former Director of the FTC’s Bureau of Consumer Protection and counsel at Kelley Drye, emphasized that current laws do not establish clear standards for data security and accountability. She advocated for a process-based approach to prevent the law from being outpaced by evolving technologies and to ensure that it accommodates the wide range of business models and data practices across the economy. Among her recommendations, Rich suggested that Congress provide the FTC with jurisdiction over nonprofits and common carriers and authority to seek penalties for first-time violations.
  • Edward W. Felten, former Deputy U.S. Chief Technology Officer, former Chief Technologist of the FTC’s Bureau of Consumer Protection, and current Professor of Computer Science and Public Affairs at Princeton University, focused on the need to strengthen the FTC’s technological capabilities, including increasing the budget to hire more technologists. Notably, Felten advocated for more prescriptive requirements in data security legislation such as requiring companies to store and transmit sensitive consumer data in encrypted form and prohibiting companies from knowingly shipping devices with serious security vulnerabilities.
  • Kate Tummarello, Executive Director at Engine, a non-profit organization representing startups, addressed the importance of data security for most startups. Tummarello advocated for FTC standards or guidance with flexible options. Cautioning against overburdening startups, Tummarello explained that newer companies take data security seriously because they do not have the name recognition or relationships with consumers that larger companies may have, and a single breach could be extremely disruptive. Additionally, Tummarello highlighted that the patchwork of state laws provides inconsistent and unclear data security guidance and imposes high compliance costs.

Discussing a Federal Data Security Bill

  • Preemption. Witnesses agreed that a preemptive federal law does not necessarily mean a weaker law. Rich offered a middle ground, supporting preemption, but stating the law should fully empower the state AGs to enforce it.
  • Private Right of Action. Tummarello expressed concern that lawsuits across the country would contribute to the “patchwork” of laws that increase compliance costs. However, if a private right of action were necessary, she would support only a narrow private right of action with sufficient notice and guardrails, particularly to protect startups vulnerable to bad faith litigation. Lee demurred on whether a private right of action was needed but emphasized that consumers need to be protected no matter what state they live in. Rich stated that if the legislation is strong enough – with robust protections and remedies, full enforcement authority for the states, and significant resources for the FTC – it will protect consumers without the need for a private right of action. However, Rich also described “middle grounds” that could bridge the divide.
  • Sensitive Data. Although there were some questions about what constitutes sensitive data, the witnesses agreed that both biometric data and data about children should have heightened protections. Felten addressed concerns regarding artificial intelligence and facial recognition. Lee discussed the importance of protecting biometric data because it is permanent and cannot be changed – unlike a credit card number – if it is compromised.
  • Process-Based Approach. Rich emphasized the need for a “scalable” federal law that takes a process-based approach so that it does not quickly become obsolete. She added that the FTC could issue more detailed guidance on a regular basis to highlight particular technologies and safeguards that companies should consider. In contrast, Felten supported specific safeguards that the FTC would require through rulemaking, and Tummarello supported an FTC rule or guidance that would give companies a “menu” of safeguards to consider.
  • Inclusion with Data Privacy Bill. All witnesses supported including data security provisions into a federal privacy bill, but Rich stated that a data security law could prevent considerable consumer harm as a stand-alone measure.

FTC’s Role and Enforcement.

  • FTC as Enforcer. Similar to last week’s hearing, all witnesses agreed that the FTC was the agency best equipped to oversee and enforce a federal data security law.
  • Resources Needed. Felten noted that the FTC only has about ten technologists on staff, but could use 50-60 people in technologist roles to supplement its enforcement efforts. Rich added that technologists need a career path at the FTC, and that the FTC should reexamine the complicated ethics rules governing what technologists may do after they leave the FTC’s employment.
  • First time penalties. All witnesses agreed that the FTC should be able to seek penalties for first-time violations. Tummarello, however, said that she supports first-time penalties only if there are clear rules of the road.

Overall, the hearing made clear that there are more areas of agreement than disagreement. The key questions are: (1) Can Congress resolve differences related to a private right of action, whether by ensuring strong protections without it or by compromising on a narrow private right of action? (2) Will Congress be willing to pass federal data security legislation on its own? We will continue to monitor developments on this issue and provide updates as they occur.

Privacy Law Update: Colorado Privacy Bill Becomes Law: How Does it Stack Up Against California and Virginia? https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/privacy-law-update-colorado-privacy-bill-becomes-law-how-does-it-stack-up-against-california-and-virginia https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/privacy-law-update-colorado-privacy-bill-becomes-law-how-does-it-stack-up-against-california-and-virginia Thu, 08 Jul 2021 23:50:13 -0400 The Colorado Legislature recently passed the Colorado Privacy Act (“ColoPA”), joining Virginia and California as states with comprehensive privacy legislation. Colorado Governor Jared Polis signed the bill (SB 21-190) into law on July 7, and ColoPA will go into effect on July 1, 2023.

How does the measure stack up against the VCDPA and the CCPA (as amended by CPRA)? The good news is that, in broad terms, ColoPA generally does not impose significant new requirements that aren’t addressed under the CCPA or VCDPA, but there are a few distinctions to note.

  • Establishing consumer rights. As with the VCDPA and the CCPA, ColoPA provides rights for access, deletion, correction, portability, and opt out for targeted advertising, sales, and certain profiling decisions that have legal or similar effects. Unlike CCPA, which permits an authorized agent to submit any consumer requests, under ColoPA, authorized agents can only submit sale opt-out requests.
  • Universal opt-out requests. ColoPA also requires the Attorney General to establish technical specifications for a universal targeted advertising and sale opt-out (e.g., global privacy control) by July 1, 2023, which controllers must honor starting July 1, 2024. Note there also will be CPRA regulations on this point with compliance likely due by January 1, 2023. Unlike CPRA, which makes the global privacy control optional, controllers must comply with the universal opt-out under ColoPA.
  • Appealing consumer rights decisions. Like Virginia, ColoPA requires controllers to set up mechanisms permitting consumers to appeal a controller’s decision not to comply with a consumer’s request. The controller must then inform the consumer of its reasons for rejecting the request and also inform the consumer of his or her ability to contact the Attorney General “if the consumer has concerns about the result of the appeal.”
  • Requiring data protection assessments. Similar to GDPR, and consistent with the VCDPA, ColoPA requires data protection assessments (“DPAs”) for certain processing activities, namely, targeted advertising, sales, certain profiling, and processing of sensitive personal data. As with Virginia, the Colorado Attorney General has the right to request copies of a controller’s DPAs.
  • Consent for certain processing. Again following Virginia’s lead, ColoPA requires opt-in consent for the processing of sensitive personal information, which covers categories such as racial or ethnic origin, religious beliefs, citizenship, or genetic or biometric data used for uniquely identifying an individual. ColoPA also requires consent for processing children’s data, with a “child” being any individual under the age of 13. Unlike the VCDPA, ColoPA does not require COPPA-compliant consent for such processing, but ColoPA does exempt from the law personal data that is processed consistent with COPPA requirements.
  • Right to cure. ColoPA allows controllers to cure violations and is unique by establishing the longest right to cure, at 60 days, and also because the statute repeals the provision on January 1, 2025. By this date, the Attorney General may have established rules to issue opinion letters and guidance that businesses can rely on in good faith to defend an action that would otherwise violate the law. Such rules must go into effect by July 1, 2025.
  • Establishing controller duties. ColoPA establishes certain duties for controllers, including the duties of transparency, purpose specification, data minimization, care, avoiding unlawful discrimination, and duties regarding sensitive data. These duties create related obligations, such as providing a privacy policy, establishing security practices to secure personal data, and obtaining consent prior to processing sensitive data or children’s data.
  • Consent for secondary use. ColoPA also establishes a “duty to avoid secondary use.” This duty requires consent to process personal data for purposes “not reasonably necessary or compatible with” the original purposes for collection. This requirement suggests that businesses need to keep detailed records of the personal data that they are collecting, the purposes for initially collecting such personal data, confirm such purposes are consistent with disclosures made to consumers, and track the scope of consent in connection with such data uses.
| | ColoPA | VCDPA | CCPA |
|---|---|---|---|
| Thresholds to Applicability | Conduct business in CO or produce products or services targeted to CO and (a) control or process personal data of at least 100,000 consumers; or (b) derive revenue or receive a discount on the price of goods or service from selling personal data or controls personal data of at least 25,000 consumers | Conduct business in or produce products or services targeted to VA and (a) control or process personal data of at least 100,000 consumers; or (b) derive over 50% of gross revenue from the sale of personal data and process or control personal data of at least 25,000 consumers | Conduct business in CA and collect personal information of CA residents and: (a) has $25 million or more in annual revenue for preceding calendar year as of Jan. 1 of calendar year; (b) annually buys, sells, or shares personal data of more than 100,000 consumers or households; or (c) earns more than 50% of its annual revenue from selling or sharing consumer personal information |
| Consent | Requires opt-in consent for processing sensitive personal data, including children’s data, and certain secondary processing | Requires opt-in consent for processing sensitive personal data, and COPPA-compliant consent for processing children’s data | Requires opt-in consent for sharing PI for cross-context behavioral advertising for children under 16, including parental consent for children under 13 |
| Opt-Out | Required for targeted advertising, sales, and profiling for legal or similarly significant effects | Required for targeted advertising, sales, and profiling for legal or similarly significant effects | Required for profiling, cross-contextual advertising, and sale; right to limit use and disclosure of sensitive personal information |
| Other Consumer Rights | Access, Deletion, Correction, Portability | Access, Deletion, Correction, Portability | Access, Deletion, Correction, Portability |
| Authorized Agents | Permitted for opt-out requests | N/A | Permitted for all requests |
| Appeals | Must create process for consumers to appeal refusal to act on consumer rights | Must create process for consumers to appeal refusal to act on consumer rights | N/A |
| Private Cause of Action | No | No | Yes, related to security breaches |
| Cure Period? | 60 days until provision expires on Jan. 1, 2025 | 30 days | No |
| Data Protection Assessments | Required for targeted advertising, sale, sensitive data, certain profiling | Required for targeted advertising, sale, sensitive data, certain profiling | Annual cybersecurity audit and risk assessment requirements to be determined through regulations |

Given the significant overlap among the three privacy laws, companies subject to ColoPA should be able to leverage VCDPA and CCPA implementation efforts for ColoPA compliance. If ColoPA is any example, other state privacy efforts may not veer too far from the paths VCDPA and CCPA have forged. The key will be to closely monitor how CalPPA and the Colorado Attorney General address forthcoming regulations and whether they add new distinct approaches for each state. Check back on our blog for more privacy law updates.

Pending Legislation Would Require Country of Origin Disclosures for Online Product Offerings

https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/pending-legislation-would-require-country-of-origin-disclosures-for-online-product-offerings

Sun, 13 Jun 2021 15:28:35 -0400

The Senate recently passed the Country of Origin Labeling Online Act (COOL Online Act) with overwhelming bipartisan support. Currently, U.S. law requires that external packaging for many products state the product’s country of origin. The uptick in online shopping and the sale of imported products, however, has increased interest in requiring country of origin disclosures for online offers. The proposed legislation would require online sellers to disclose country of origin in online product descriptions and online advertisements. The designation would be in a manner consistent with the Customs and Border Protection origin marking regulations and section 304 of the Tariff Act of 1930. The legislation would also require conspicuous disclosure of the seller’s location and, if applicable, the country in which any parent corporation of such seller is located.

Critics of the legislation have concerns about potential inconsistency with other regulatory requirements and the burden associated with identifying and tracking the origin of a specific product, particularly for products that may be sourced from different countries or that may be purchased through an intermediary.

The FTC, not Customs, would enforce the act and certainly has experience with other statutes that require country of origin disclosures in advertising. We will continue to track the legislation.
