Ad Law Access
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access
Updates on advertising law and privacy law trends, issues, and developments
Fri, 15 Nov 2024 05:03:43 -0500

What We Learned From … NAAG’s Director of the Center for Consumer Protection
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/what-we-learned-from-naags-director-of-the-center-for-consumer-protection
Thu, 04 Apr 2024 09:00:00 -0400

What trends are shaping consumer protection in 2024?

From kids on social media to fake reviews and junk fees, state AGs are working across state (and partisan) lines on initiatives that promise to mold the consumer protection landscape for years to come. In this post, we reflect on our conversation with Todd Leatherman, who works at the forefront of these issues as Director of the National Association of Attorneys General (NAAG) Center for Consumer Protection.

Trend 1 – Protecting America’s Online Youth

For state enforcers, children are top-of-mind, especially when it comes to social media. A coalition of 33 state AGs filed a federal lawsuit in California alleging Meta violated state consumer protection laws and the Children's Online Privacy Protection Act. The AGs claim that Meta knowingly designed and deployed addictive and harmful features on its social media platforms, intentionally addicting children and teens and misleading the public about whether its services were safe for younger children. A number of other states have filed similar lawsuits in state courts including Nevada, which also targeted TikTok and Snap. These lawsuits are ongoing and will no doubt affect how social media platforms engage younger consumers.

This year, Oregon AG and NAAG President Ellen Rosenblum chose her Presidential Initiative as: “America’s Youth: AGs Looking Out for the Next Generation.” This initiative and corresponding NAAG Presidential Summit will include programming on technology, physical health, mental and behavioral health, and financial literacy.

On the legislative front, we have seen new laws aimed at protecting young people online. Florida recently passed a law banning social media accounts for minors under 14 and requiring parental consent for 14- and 15-year-olds. Georgia may soon also require minors under 16 to obtain parental consent to create an account, following similar restrictions passed in Louisiana, Texas, Arkansas (currently enjoined pending litigation), and Utah. Generals Letitia James of New York and Rob Bonta of California have also advocated for state legislation targeting the addictive features of social media. Given all of this activity, we expect AGs to tune into emerging issues affecting children for years to come.

Trend 2 – Big Tech’s Advertising Practices

For years, big tech has been a leading issue for bipartisan cooperation among state enforcers. Last year, we saw a $700 million settlement with Google and 53 state AGs over the Google Play Store. This led to significant reforms in Google’s practices, including how consumers access apps and how payments are processed. Currently, 38 state AGs and the Department of Justice have sued Google over alleged antitrust violations, including monopolizing the search market. The cases were consolidated, with closing arguments slated to begin May 1st.

Since our conversation with Mr. Leatherman, DOJ and 16 other state attorneys general announced a landmark lawsuit against Apple alleging that it monopolized the smartphone market. This includes allegations that Apple intentionally makes it difficult for consumers to switch cellphones and undermines innovation, among other claims.

Trend 3 – Algorithms and AI

The promise and perils of AI have drawn major focus at AG offices across the nation and at NAAG, according to Leatherman. Last year, 54 AGs sent a letter to Congressional leaders encouraging them to study how AI may lead to child sexual abuse and exploitation online. Another coalition of 26 AGs submitted a comment to the FCC on the use of AI in robocalls, with the FCC later voting to ban robocalls using AI-generated voices. (Revisit our post on Washington’s new AI task force here.)

Now, we’re seeing AGs particularly concerned about racial and gender bias in AI programs used in employment, housing, and financial lending and services. Enforcers are also looking into the marketing of AI, including whether companies are overpromising on what the technology can actually provide. Given how quickly AI is advancing across sectors, we expect to see more scrutiny in the months ahead. And stay tuned for additional information on AGs and AI as our team will be reporting on the NAAG and AGA Southern Region Meeting on Artificial Intelligence and Preventing Child Exploitation occurring in April.

Trend 4 – Fake Reviews

Fake reviews, including misleading influencer content, have drawn AG attention. This year, 22 AGs submitted a letter to the FTC largely supporting a new rule that would govern and ban fake reviews. That rulemaking is ongoing.

States, including New York and Washington, have taken individual action against companies engaged in deceptive review practices. This includes instructing employees or associates to post positive reviews, threatening or intimidating consumers who post negative reviews, or requiring consumers to sign NDAs to receive services. Notably, states are able to enforce the Consumer Review Fairness Act, a federal law.

Trend 5 – Automatic Renewals

States continue to enforce their recently enacted automatic renewal statutes or provisions (for example, laws in California, New York, Washington D.C., and Virginia), which generally impose disclosure requirements, require that companies obtain affirmative consent from consumers, and mandate cancellation mechanisms. This includes requiring an online cancellation option when a consumer signs up for a service online. That said, states do not necessarily need a new law to target these practices as their general consumer protection laws likely apply. AGs may also enforce the federal Restore Online Shoppers' Confidence Act.

Trend 6 – Junk Fees

Companies that advertise one price and then tack on fees should beware. Enforcers are making so-called “junk” or hidden fees a priority. California has passed a new law governing fees, and Massachusetts is in the process of instituting new regulations governing them. Not to be outdone, the FTC has also proposed a rule on fees, with a virtual hearing to take place in late April. (This aligns with the Biden administration’s whole-of-government approach to junk fees, with other rulemaking and guidance out of the FCC, CFPB, HUD, and DOT.)

That said, AGs take the position they do not necessarily need new legislation to target fees. Pennsylvania has led the way in asserting claims under state consumer protection laws and the Consumer Financial Protection Act against companies that impose fees. Similarly, Connecticut and the FTC have joined forces in litigation against a car dealer that allegedly deceived consumers about the nature of fees and add-ons. And Washington D.C. has warned restaurants that service charges could be unlawful if they are not disclosed before an order is placed.

Trend 7 – Privacy

States continue to pass and enact new privacy laws. Earlier this year, New Hampshire became the 15th state to pass a comprehensive state privacy law and several other privacy bills are currently making their way through the legislative process. Many of the new laws will become effective this year through 2026, spurring enhanced AG interest in privacy matters.

In California, we saw the first investigative sweep in this arena, with General Rob Bonta sending out letters to popular streaming apps and device companies alleging they failed to comply with California’s new privacy law. According to the office, the investigation will focus on opt-out requirements for businesses that sell or share consumer personal information.

Trend 8 – Veterans

While veterans have long been a priority for state AGs, the uptick in businesses offering to “counsel” or support veterans in applying for government benefits has sparked new AG activity in this space. Last year, a bipartisan group of 44 AGs sent a letter to Congress urging the body to pass legislation that further protects veterans in the application process, and the Texas AG’s office sued a company that misled veterans about its ability to help obtain benefits and allegedly charged excessive fees in the process.

Trend 9 – Health

In the health space, opioid marketing, vaping, and illegal cannabis products continue to take center stage. While the larger opioid cases have concluded, litigation is far from over. AGs have been leading the way in targeting manufacturers, distributors, and pharmacies that engaged in deceptive marketing tactics around opioids. We’ve also seen a focus on nicotine and cannabis products, particularly those that may appeal to children. A group of 33 AGs sent a letter to the FDA urging more stringent regulations on electronic nicotine delivery products, including on the marketing of e-cigarettes and the use of influencers to promote them. Connecticut and Nebraska have also cracked down on illegal marketing of cannabis products using their state consumer protection laws.

Trend 10 – Rapid Response

Many businesses fail to realize how substantial a role AGs play in emergencies and urgent consumer issues. AGs face public pressure to respond to events in real time. For instance, the Taylor Swift concert ticket debacle led to more than 2,600 consumer complaints in Pennsylvania alone.

And, when it comes to a market disruption or natural disaster, some states have specific price gouging laws that provide state AGs enforcement authority. These laws vary by state and it can sometimes be difficult for companies to know when they are in place. We’ve seen a rise in AGs targeting companies following emergency situations for increasing prices on consumer staples and targeting charities that mislead consumers about donations in the time of crisis.

Kelley Drye’s state AG team will continue to monitor consumer protection trends in 2024. To view our full conversation with NAAG’s Todd Leatherman, click here. To stay up-to-date with our AdLaw Access blog, subscribe here.

State AGs and Consumer Protection: What We Learned from . . . Connecticut Part I
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/state-ags-and-consumer-protection-what-we-learned-from-connecticut-part-i
Thu, 11 May 2023 10:34:28 -0400

Our State AG webinar series continues with Connecticut Attorney General William Tong and Chief of the Privacy Consumer Protection Section Michele Lucan. During our webinar, the Connecticut AG’s office described their structure and the tools available to them to enforce the state’s consumer protection laws. In particular, as the fifth state to pass comprehensive privacy legislation, AG Tong highlighted the AG office’s privacy priorities and agenda, which we will focus on here in Part I. We will explore the more general consumer protection topics in Part II. In case you missed it, here is a recording of the webinar.

While the Connecticut Unfair Trade Practices Act (CUTPA - Connecticut’s UDAP law) is broad and robust, in the privacy and cybersecurity space, the AG has additional authority derived from specific state laws such as the Data Breach Notification law and Connecticut’s Data Privacy Act (CTDPA). General Tong noted Connecticut’s dedication to enforcing consumer protection, as it relates to privacy, traces back to at least 2011 when it was the first state to create the Privacy Task Force and eventually a standalone Privacy Section in 2015.

Enforcing the CTDPA

AG Tong noted that the CTDPA reflects a “philosophical judgment of Connecticut to return rights and power of authority to consumers regarding their Personal Information.” As we have previously reported, the CTDPA provides for several rights such as the right to access, right to portability, right to correct mistakes, right to deletion, and the right to opt out of targeted advertising, sale, and profiling of personal data.

The CTDPA also creates obligations for “controllers” which are entities that alone or jointly determine the purpose and means of processing of personal data. Some of these obligations include: minimizing data collection and storage, providing transparency about the types of data collected and why, ensuring that data is secure, and obtaining consent to process sensitive data. Notably, the CTDPA also provides heightened protections for data related to teenagers, a hot topic for State AGs. Controllers must obtain consent to sell teens’ data or conduct targeted advertising to teens.

The Connecticut AG has the exclusive authority to enforce the CTDPA’s provisions, making their insights all the more valuable. However, the law provides for a cure period. This means that if the AG’s office is aware of a potential violation, the office will reach out to the entity and issue a notice of violation if the AG determines that a cure is possible. If the controller fails to cure within sixty (60) days, then the AG may bring an action against the entity. Similar to the data breach notification law discussed below, a violation is a per se violation of CUTPA.

Connecticut AG’s Advice: How to Prepare for Compliance with the CTDPA

With the CTDPA’s effective date quickly arriving on July 1, 2023, the Connecticut AG’s office provided their own recommendations on how to prepare for compliance with the new law:

  • Applicability. Entities should determine whether they meet the thresholds to trigger CTDPA obligations.
  • Data Inventory. Entities should understand what data they are collecting and where it lives, while also thinking about how to minimize data collection if possible.
  • Consumer Facing Updates. Entities should review their privacy policies to ensure they are up to date, and that entities are prepared to operationalize and effectuate the mechanisms for consumers to take advantage of their privacy rights (i.e. ensure links work).
  • Internal Updates. Entities should review and update their vendor contracts to address CTDPA requirements and conduct employee training to minimize data security risks.

Safeguards and Data Breach Notice Laws

The Connecticut Safeguards Law, referred to by the office as the basic building blocks for Connecticut’s privacy infrastructure, requires any person in possession of Personal Information (PI) to safeguard data against misuse by third parties, and to destroy, erase, or make unreadable the data prior to disposal. Penalties under the Safeguards Law can be significant—up to $500 per intentional violation and up to $500,000 for a single event.

Connecticut defines PI as information capable of being associated with a particular individual through one or more identifiers. The AG’s office noted that PI is broadly defined. For instance, PI includes a person’s name, but also covers other identifiers including social security numbers, driver’s license numbers, credit/debit card numbers, passport numbers, biometric information, online account credentials, and certain medical information.

Connecticut’s Breach Notification Law requires that an entity that experiences a data breach provide notice to the Connecticut AG without “unreasonable delay” within a 60-day limit. The law also requires that the entity provide two years of ID theft prevention services if social security numbers and taxpayer numbers (ITINs) are compromised. A violation of this law is a per se violation of CUTPA. Last year, Connecticut received over 1,500 data breach notifications, and the office is experienced in reviewing all types of data breaches and determining which ones to pay attention to.

Our Take

Connecticut has consistently been a leader in data security and privacy issues over the last decade, and with the passage of the CTDPA we expect to see the office double down on enforcement efforts. Businesses should pay particular attention to the compliance tips highlighted above by Ms. Lucan and General Tong, as there is little doubt the office will be actively looking for targets right out of the gate on July 1. In General Tong’s words, “data privacy and the law of data privacy are here. Its obligations are here, present, and they are demanding.” Privacy laws can’t be approached as “optional” or “too cumbersome” to take precautions and manage the risks of collecting data. “Law enforcement will take action where we believe people have failed to meet their obligations under the law,” as that is what people in the state of Connecticut “expect and demand.”

Given Connecticut’s leadership in the multistate Attorney General community, we would not be surprised to see other states joining Connecticut in enforcement efforts, even without a comprehensive privacy law (relying on their UDAP authority as states have done for decades). Understanding your data collection and security practices is more important than ever.

***

Be sure to look out for Part II of this blogpost where we will talk about Connecticut’s UDAP law in more detail as well as priorities and more tools that the Connecticut AG’s office uses to enforce consumer protection laws. We also have an exciting blogpost recapping our conversation with the Nebraska Attorney General just around the bend. Stay tuned.

Upcoming Price Gouging and Employee/HR Data Privacy Webinars
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/upcoming-price-gouging-and-employee-hr-data-privacy-webinars
Mon, 18 Jul 2022 14:53:02 -0400

How To Protect Employee/HR Data and Comply with Data Privacy Laws
Wednesday, July 20

As workforces become increasingly mobile and remote work is more the norm, employers face the challenge of balancing the protection of their employees’ personal data and privacy against the need to collect and process personal data to recruit, support and monitor their workforces. Mounting regulations attempt to curb employers’ ability to gather and utilize employee data—from its historical use in processing employee benefits and leave requests to employers’ collection, use or retention of employees’ biometric data to ensure the security of the organization’s financial or other sensitive information systems. Learn what employers can do now to protect employee data and prepare for the growing wave of data privacy laws impacting the collection and use of employee personal data.

RSVP

Avoiding Price Gouging Claims
Wednesday, August 3

Recently, State Attorneys General, the House Judiciary Committee, and many others have weighed in on rising prices in an attempt to weed out price gouging and other forms of what they deem “corporate profiteering.” States and federal regulators are carefully looking at pricing as consumers and constituents become more sensitive to the latest changes, and price gouging enforcement is an avenue states may be able to use to appease the public. Unlike other emergencies in the past, the current state of supply chain and labor shortages, along with skyrocketing costs for businesses, make it unrealistic for companies to simply put a freeze on any price increases. This webinar will cover:

  • The basics of price gouging laws and related state emergency declarations and how to comply
  • The differences and varied complexities in state laws
  • General best practice tips
  • How AGs prioritize enforcement

Register

* * * *

Find more upcoming sessions, links to replays and more here

Preparing for Expanded Consumer Rights Requests Under the CPRA
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/preparing-for-expanded-consumer-rights-requests-under-the-cpra
Fri, 15 Jul 2022 06:11:20 -0400

With the clock now running on the comment period for the California Privacy Protection Agency’s (CPPA) Draft Regulations to implement the CPRA – comments are due on August 23 – one of the items on many businesses’ CPRA preparation to-do lists is to address new (and the expansion of existing) consumer rights. The Draft Regulations published by the CPPA lay out how the CPPA is likely to define these obligations. This post takes a deeper look at what’s in the CPPA’s proposal – as well as what’s missing.

A couple of overarching points are worth keeping in mind. First, implementing the CPRA’s consumer rights provides businesses an occasion to review and update data maps so that they accurately capture how personal information flows both through their organizations and to service providers, contractors, and/or third parties. Second, preparing for CPRA consumer requests should go hand-in-hand with reviewing the systems and procedures that are in place to honor consumers’ requests.

Right to Opt Out of Sale/Sharing of Personal Information

The CPRA broadens the scope of the CCPA’s existing opt-out right to include the “sharing” of personal information. The Draft Regulations would add to existing opt-out obligations by requiring a business to:

  • Provide a “means by which the consumer can confirm” that their request has been processed by the business (e.g., by displaying through a toggle or radio button on the business’s website that the consumer has exercised their right); and
  • Notify all third parties to whom the business has sold or shared the consumer’s personal information since receiving the request that the consumer has exercised their opt-out right, direct them to comply with the request, and forward the request to any other person to or with whom they have disclosed or shared the consumer’s personal information.

Right to Delete

Following new requirements under the CPRA, the Draft Regulations clarify that a business must send deletion requests “downstream” to all relevant parties. Specifically, the Draft Regulations provide that a business must: (i) instruct its service providers and contractors to delete the consumer’s personal information from their records; and (ii) notify all third parties to whom it has sold or shared the consumer’s personal information to delete the information. Service providers and contractors must in turn notify other service providers, contractors, and third parties that accessed the personal information that is subject to the deletion request, unless the access occurred at the direction of the business. These obligations are subject to limitations if they are impossible or would require disproportionate effort to fulfill.

Right to Correct

The right to correct is a new right granted to consumers by the CPRA, and the Draft Regulations establish rules and procedures to facilitate consumers’ correction requests. Among other obligations, the Draft Regulations provide that, upon verification, a business must determine the accuracy of the personal information by considering the “totality of the circumstances relating to the contested personal information.” Pursuant to the Draft Regulations, relevant factors that a business would need to consider are: (i) the nature of the personal information; (ii) how the business obtained the contested information; and (iii) documentation relating to the accuracy of the information. A business that corrects personal information would also need to implement measures to ensure the information “remains corrected” and instruct its service providers and contractors to correct the information in their respective systems.

Right to Know

Building on the existing right to know, the Draft Regulations provide that a business must provide information beyond the 12-month period preceding the business’s receipt of the request unless doing so “proves impossible or would involve disproportionate effort.”

Right to Limit Use and Disclosure of Sensitive Personal Information

The right to limit the use and disclosure of sensitive personal information is another new right under the CPRA. The Draft Regulations would require a business to handle such “requests to limit” by:

  • Ceasing to use and disclose the consumer’s sensitive personal information, except for purposes allowed under the regulations, within 15 business days of receiving the request;
  • Notifying its service providers and contractors that the consumer has exercised their right to limit and instructing them to comply with the consumer’s request within the same time frame described above;
  • Notifying all third parties to whom the business has disclosed or made available the consumer’s personal information for purposes other than those set forth in the regulations after the consumer submitted their request and before the business complied with the request that the consumer has exercised their right and directing the third party to comply with the consumer’s request and forward the request to others that have received the consumer’s sensitive personal information;
  • Notifying all third parties to whom the business makes sensitive personal information available for purposes other than those set forth in the regulations (e.g., third parties that the business authorizes to collect information from its property) that the consumer has exercised their right, and directing such third parties to comply with the consumer’s request and forward the request to others that have received the consumer’s sensitive personal information; and
  • Providing a “means by which the consumer can confirm” that their request has been processed by the business (similar to the obligation for opt-out requests described above).

Propagating Data Subject Rights to Service Providers, Contractors, and Third Parties

A business may have obligations to notify and instruct its service providers, contractors, and/or third parties to comply with a consumer’s request. Service providers, contractors, and third parties may also have obligations to notify and instruct companies they’ve shared a consumer’s personal information with to comply with a request. The following chart shows obligations that each party has based on the consumer’s request.

See: Propagating Data Subject Rights Chart

Takeaways: The CPRA provides consumers with a range of rights that empower them to exercise more control over their personal information, and the additional obligations that the proposed regulations impose on businesses would help ensure that all parties processing consumers’ personal information give effect to such rights.

To reiterate, it’s unclear which of the amendments in the proposed regulations will stick. It is clear, however, that the expanded transparency and consumer rights requirements in the CPPA’s Draft Regulations are likely to require substantial time and resources to implement.

Stay tuned for additional blog posts in which we will summarize how the proposed regulations contemplate some of businesses’ other compliance obligations under the CPRA.

* * * *

Join us July 20 for How To Protect Employee/HR Data and Comply with Data Privacy Laws. This webinar will cover:

  • Existing and prospective laws and regulations employers should be aware of when managing their workforce
  • Key principles to adhere to when collecting and handling employee personal data
  • Best practices for protecting employee personal data during the employment life cycle

Register here

Upcoming Webinars: State Attorneys General 102 and How To Protect Employee/HR Data and Comply with Data Privacy Laws
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/upcoming-webinars-state-attorneys-general-102-and-how-to-protect-employee-hr-data-and-comply-with-data-privacy-laws
Mon, 27 Jun 2022 08:45:40 -0400

As discussed in State Attorneys General 101, State Attorneys General are the primary enforcers of consumer protection laws within their state and hold sweeping powers to protect the public they serve by launching investigations and litigation alone or in multi-state actions involving numerous states and territories across the country.

As requested by many, please join Kelley Drye State Attorneys General practice Co-Chair Paul Singer and Senior Associate Beth Chun for State Attorneys General 102. This short 30-minute webinar picks up where we left off and answers a number of questions regarding:

  • Pre-suit/investigation notice requirements for Attorneys General
  • Additional information on the scope of Attorneys General investigative authority and how to challenge an investigation
  • Consumer Complaints: differences among the AGs on handling and use

Register here

July 20

How To Protect Employee/HR Data and Comply with Data Privacy Laws

As workforces become increasingly mobile and remote work is more the norm, employers face the challenge of balancing the protection of their employees’ personal data and privacy against the need to collect and process personal data to recruit, support and monitor their workforces. Mounting regulations attempt to curb employers’ ability to gather and utilize employee data—from its historical use in processing employee benefits and leave requests to employers’ collection, use or retention of employees’ biometric data to ensure the security of the organization’s financial or other sensitive information systems. Learn what employers can do now to protect employee data and prepare for the growing wave of data privacy laws impacting the collection and use of employee personal data.

RSVP

Find more upcoming sessions, links to replays and more here

Webinar Replay: A Readout Of The California Privacy Protection Agency's Draft Proposed CPRA Regulations
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/webinar-replay-a-readout-of-the-california-privacy-protection-agencys-draft-proposed-cpra-regulations
Wed, 15 Jun 2022 17:46:48 -0400

The spotlights of the consumer privacy world are once again on California after the new California Privacy Protection Agency made a surprise Friday night release of its draft California Privacy Rights Act (CPRA) regulations on May 27, 2022.

In this webinar, presented in association with Mondaq, Kelley Drye provided observations on the proposed regulations, including which would pose the biggest challenge for businesses if implemented, and offered strategies to plan efficiently for compliance in the face of these proposals.

Click here to view the webinar recording and click here for the presentation slides.

Join us for our next webinar, State Attorneys General 102, on June 30. Register here.

Find our state privacy law portal and more here.

Subscribe to the Ad Law Access blog to receive real-time updates on privacy and other related matters.

The Ad Law News and Views newsletter provides information on our upcoming events and a summary of recent blog posts and other publications.

Visit the Advertising and Privacy Law Resource Center for additional information, past webinars, and educational materials.

For easy access to all of our webinars, posts and podcasts, download our new Ad Law Access App.


CPRA Update: California Privacy Protection Agency Votes to Begin Rulemaking Process
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/cpra-update-california-privacy-protection-agency-votes-to-begin-rulemaking-process
Sun, 12 Jun 2022 14:04:07 -0400

On Wednesday, June 8, the California Privacy Protection Agency (CPPA) Board voted 4-0 (with one member absent) to initiate the CPRA rulemaking process based on the draft regulations released on May 27th prior to the Memorial Day holiday. (To learn more, please see New California Draft Privacy Regulations: How They Would Change Business Obligations and Enforcement Risk.) The next step is for the CPPA Staff to initiate the formal notice and comment period, where businesses, advocates, and consumers will have an opportunity to weigh in on the proposed rules.

Here is a timeline of the proposed rulemaking:

  • Formal Publication of Rules: The CPPA will commence formal rulemaking in accordance with the California Administrative Procedures Act. As detailed in response to FAQs on the CPPA’s website, the agency will file a Notice of Proposed Action (NOPA), the text of the proposed regulations, and the Initial Statement of Reasons (ISOR) with the Office of Administrative Law (OAL). The NOPA will be published in the California Regulatory Notice Register (similar to the Federal Register), marking the first day of the formal rulemaking process.
  • Comment & Hearing: The initial comment period will run at least 45 days, and the CPPA will hold a public hearing. Then, if any changes are made to the initial draft, a subsequent comment period of at least 15 days will run to receive comments on the revisions. The CPPA will then issue its Final Statement of Reasons (FSOR) and final regulations.
  • Board Involvement During Rulemaking Process: At the CPPA’s May 26, 2022 open meeting, the Process Subcommittee provided a presentation on the rulemaking process, indicating that the CPPA intends for the CPPA Board to play an active role. The presentation proposes the following:
    • At the next meeting (20-45 days after the June 8, 2022 meeting), Staff will answer the Board’s questions about the proposed rules, and the Board will discuss the proposed rules in detail.
    • After the close of the initial comment period, the Board will hold at least one meeting where Staff will present the Board with proposed updates to the rules, and answer questions. The Board has an opportunity to bring in experts to testify about changes to the rules. The Board will then vote to approve moving forward.
    • Staff will then prepare the final package, and at a final meeting, the Board will vote to approve the filing of the package with the OAL.
  • Advance Notice of CPPA Action: All action of the CPPA occurs during open meetings of the Board, and all materials to be considered by the Board must be made available 10 days before the open meeting. This will provide the public advance insight into any written materials under consideration by the CPPA before any vote.
  • Additional Rulemaking: The CPPA has indicated that the initial draft rules are not the only rules that the CPPA will issue. In addition, a second round of rulemaking may focus on automated decisionmaking, cybersecurity audits, and privacy risk assessments. The timeline for issuance of additional rules is currently unclear.
If you are interested in submitting comments in the rulemaking process or have questions about privacy compliance, please reach out to members of Kelley Drye’s privacy team.

* * * *

JOIN US FOR

The spotlights of the consumer privacy world are once again on California after the new California Privacy Protection Agency made a surprise Friday night release of its draft California Privacy Rights Act (CPRA) regulations.

In this webinar, Kelley Drye privacy lawyers will provide observations on the proposed regulations, including which would pose the biggest challenge for businesses if implemented, and will offer strategies to plan efficiently for compliance in the face of these proposals.

Register here

New Bipartisan Federal Privacy Bill – Breakthrough, Too Late, or Both? https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/new-bipartisan-federal-privacy-bill-breakthrough-too-late-or-both Tue, 07 Jun 2022 16:53:18 -0400 On Friday, June 3, a bipartisan group of leaders from key House and Senate committees released a new “discussion draft” bill to establish nationwide standards for consumer privacy. The proposal (the American Data Privacy and Protection Act) builds on prior bills put forth by both Democrats and Republicans, as well as principles and provisions contained in the GDPR and State privacy laws. Of significance, the bill reflects bipartisan compromise on two thorny issues that have divided the parties for years – whether to preempt state privacy laws and/or include a private right of action. While the bill has been hailed as a “breakthrough,” the prospects for passage are uncertain, particularly in this busy election year.

Why is this bill significant?

As most of our readers know, the US has no overarching federal privacy law – only sector-specific laws such as GLBA and COPPA. This patchy, confusing scheme has become even more complex with passage of the GDPR (which applies to US multinational companies) and five comprehensive State laws. While many federal bills have come and gone over the years, none reflect the high-level bipartisan compromise evident here – both on longstanding privacy concepts (notice, choice, access, security) as well as more specific concerns about discrimination, algorithms, platforms, data brokers, targeted ads, and corporate accountability. If passed, the bill would apply to virtually all companies doing business in the US.

Why is this happening now?

While many observers wish a bipartisan bill had been proposed earlier, the forces driving this bill forward have never been stronger. Passage of State laws is accelerating, the EU is exerting greater influence over privacy worldwide, and the FTC is planning to launch wide-ranging privacy rulemakings. In addition, Senator Wicker, one of the bill’s authors and a longtime leader on privacy, may soon vacate his slot as Commerce’s top Republican, motivating him to cement his legacy now. To cap it all off, while election year is indeed a difficult year to pass a bill like this, it’s also creating pressure to make one last effort on privacy.

Key elements of the law

The law is extremely comprehensive and ambitious but, as expected, reflects compromise on certain issues. While we can’t possibly summarize everything in a blog post, here are some of the highlights:

  • Scope: The bill covers entities subject to the FTC Act, as well as common carriers and non-profits. It applies to data that is linked or linkable to an individual or device (if linkable to one or more individuals), including derived data and unique identifiers. There are exclusions for de-identified data, employee data, and publicly available data, but not for small businesses (though they’re excluded from certain provisions). The net effect is that the bill covers virtually every company in the US and a good portion of their data.
  • “Standard” Provisions: The ADPPA contains many elements that are now fairly standard in privacy laws and bills – privacy notices; the right to access, correct, and delete data, and to request it in a portable format; data minimization; privacy by design; data security; and corporate accountability. While these requirements differ in various ways from those in the State laws, the most notable departure is the strictness of the data minimization requirement (limiting the collection, processing, and transfer of data to what’s necessary to provide a specific product or service requested by an individual, or to communicate in the context of the relationship). “Large data holders” (platforms and other large companies) must comply with enhanced notice and accountability requirements.
  • Duty of Loyalty: The ADPPA includes several requirements in a section called “Duty of Loyalty” (a section that borrows its title, but not its contents, from a bill introduced by Senator Schatz). The notable requirements in this section include:
    • With certain exceptions, companies can’t collect, process, or transfer SSNs or nonconsensual intimate images. They also can’t transfer passwords.
    • With certain exceptions, companies can’t collect, process, or transfer biometric or genetic data without affirmative express consent. (Unlike State privacy laws, these protections apply even when this data doesn’t identify, or can’t reasonably identify, an individual.)
    • With certain exceptions, companies can’t transfer a person’s precise geolocation, search or browsing history, or physical activity from their device without affirmative express consent.

Note that some of these provisions appear to overlap and/or conflict with other provisions of the bill. In particular, because biometric and genetic information, precise geolocation, online activities, and log-in credentials are defined as “sensitive covered data,” they’re also subject to the opt-in requirements discussed below. The restrictions on search and browsing data may also conflict with the law’s purported opt-out regime for targeted advertising.

  • Rights to Consent & Object: Like many privacy laws, the ADPPA requires opt in for certain practices and opt out for others.
    • Opt in is required before a company can process, collect, or transfer sensitive data. The bill defines sensitive data broadly and gives the FTC rulemaking authority to add new categories. Of note, the definition includes health, financial, biometric, genetic, and precise geolocation data; a person’s private communications, media viewing history, and online activities; data revealing race, religion, or union membership (if such data isn’t public); and the data of individuals under 17 (although the age is in brackets, indicating that it is still under discussion). As noted above, including “online activities” in here may conflict with the opt out for targeted advertising.
    • Opt out is required for data transfers to third parties (called “sales” in State laws) and targeted advertising (defined to exclude contextual advertising, ad reporting and measurement, and certain first party marketing). The bill also asks the FTC to study the feasibility of a unified opt-out mechanism (similar to Global Privacy Control in State laws) and authorizes the FTC to implement it via rulemaking.
  • “Third Party Collecting Entities”: The bill includes special requirements for “third party collecting entities” – companies (other than service providers) that derive their principal source of revenue from processing or transferring the data of individuals that the entity didn’t collect directly from the individual. This provision is clearly designed to target data brokers and potentially ad networks or processors that operate behind the scenes. Such entities must register with the FTC and comply with a Do Not Collect mechanism allowing individuals to delete their data. Also, companies that share data with these entities must identify each of them by name in their privacy policies.
  • Children & Minors: Building on recent concerns about harmful content directed at kids and teens, the bill would ban targeted advertising to minors under 17, as well as data transfers without consent. It also directs the FTC to create a division for Youth Privacy and Marketing, and asks the FTC’s IG to assess the effectiveness of COPPA’s safe harbor provisions. Here, the bill is clearly trying to address perceived weaknesses in COPPA – both its failure to protect teens and concerns that its safe harbor programs are inadequate.
  • Algorithmic Fairness: To address rising concerns about the link between data collection and civil rights, the bill restricts collecting, processing, or transferring data in a manner that is discriminatory or that makes unavailable equal enjoyment of goods or services on the basis of race, religion, disability, or other protected categories. It would also require “large data holders” to conduct annual algorithmic impact assessments, and other entities to do design evaluations of their algorithms.
  • Service Providers & Third Parties: In contrast to State laws and the GDPR, which use contractual requirements to control data use by service providers and third parties, the ADPPA regulates these entities directly. Service providers may only use data to perform services on behalf of covered entities, must promptly delete it thereafter, and may only transfer data to third parties with the affirmative express consent of the relevant individual (obtained via the covered entity). Third parties may not process data obtained from another entity contrary to individuals’ reasonable expectations.
  • Federal and State Enforcement: The bill authorizes FTC and State AG enforcement and sets forth a coordination scheme to prevent them from bringing duplicative actions. It also directs the FTC to establish a new Privacy Bureau; gives the FTC a wide array of rulemaking authority (sprinkled throughout the law); and authorizes it to approve compliance programs that “meet or exceed” the bill’s requirements.
  • Private Right of Action: The provision granting the private right of action is fairly complex, clearly reflecting extensive negotiations. It allows a person or class who suffers an injury due to a violation to bring a civil action in federal court but imposes a four-year delay until the PRA kicks in; bans mandatory arbitration clauses for minors only; and limits relief to compensatory damages, injunctions, and reasonable attorneys’ fees and costs. For certain PRAs (those that seek an injunction, or that target smaller companies), there’s a 45-day right to cure. Litigants also must notify the FTC and relevant State AG in advance, who may bring their own actions (but not, it appears, halt the private action). Finally, the bill directs the FTC to study the impact of the PRA on the economy.
  • State Preemption: The preemption provision is similarly complex. It broadly preempts state laws that address the same issues as in the federal bill, and then claws back (i.e., preserves) particular laws or types of laws, including California’s data breach PRA (not the whole law, as has been mistakenly reported); Illinois’ biometric and genetic privacy laws; employee and student privacy laws; laws that solely address facial recognition, surveillance, wiretapping, or phone monitoring; state breach notification laws; and a range of general purpose laws.
  • Other Federal Laws: The bill generally preserves sector-specific privacy and data security laws like COPPA, GLBA and FERPA. One notable exception is that the bill prevents the FCC from using the Communications Act, or any rule issued under it, to take action against any covered entity for privacy violations. (Bracketed language would narrow the scope of this provision to satellite carriers, cable operators, or broadband providers.) The bill thus ousts the FCC from privacy jurisdiction in favor of the FTC, a move that some telecom groups have supported for years.

What’s Next?

As we write this post, House Commerce has just announced that it will hold a hearing on the ADPPA on June 14, and we’ve heard that the Senate may hold a privacy hearing on the same day. However, time is short in this election year and Senator Cantwell (who chairs Senate Commerce) still supports her own bill, not the ADPPA, arguing that the PRA is too limited (even as industry members say it’s too broad). Still, the bill has a chance; it’s earned its “breakthrough” moniker; and if it doesn’t pass this year, it will frame discussions moving forward.

Stay tuned as we continue to track progress on this bill.

* * *

Kelley Drye Unveils First-of-its-kind Advertising Law App

Download our free App – Ad Law Access – a first-of-its kind, one-stop portal that provides updates and analysis on advertising, marketing, and privacy/data security law. The App is now available in the Apple App Store and Google Play, and can be used on iPhone, iPad, and Android devices.

Upcoming Events and Other Ways to Stay Informed https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/upcoming-events-and-other-ways-to-stay-informed Tue, 07 Jun 2022 03:55:47 -0400

We like to occasionally use this space to let you know about upcoming events that you may not have heard about:

June 8

State Attorneys General 101 Please join Kelley Drye State Attorneys General practice Co-Chair Paul Singer, Senior Associate Beth Chun, and Abby Stempson, Director of the Center for Consumer Protection, National Association of Attorneys General (NAAG), for State Attorneys General 101. This webinar will cover the basics of State AG consumer protection powers, what to expect if you find yourself the target of an attorneys general investigation, how to look to state attorneys general to stop improper actions by competitors, and more. RSVP HERE

IAB Public Policy & Legal Summit 2022 Kelley Drye is a premier sponsor of the IAB Public Policy & Legal Summit 2022, which brings together global leaders in advertising, media, technology, and the government to discuss how organizations can lean into the coming transitions and find solutions that will enable them to build a sustainable and consumer-centric media and marketing ecosystem. Privacy practice Chair Alysa Hutnik (Solving for State Privacy Law Complexity: CPA, VCDPA, UCPA, and Beyond) and Of Counsel Jessica Rich (The FTC During the Biden Administration) will speak at this free virtual summit today. REGISTER HERE

June 14

A Readout of the California Privacy Protection Agency's Draft Proposed CPRA Regulations The spotlights of the consumer privacy world are once again on California after the new California Privacy Protection Agency made a surprise Friday night release of its draft California Privacy Rights Act (CPRA) regulations on May 27, 2022. In this webinar, Kelley Drye privacy lawyers will provide observations on the proposed regulations, including which would pose the biggest challenge for businesses if implemented, and will offer strategies to plan efficiently for compliance in the face of these proposals. SIGN UP HERE

June 23

IN FASHION: Fashion and Retail Law Summit Kelley Drye will host the eighth annual IN FASHION: Fashion and Retail Law Summit for executives and in-house counsel later this month. Kelley Drye lawyers and thought leaders from some of the world’s top fashion and retail companies will convene for a full day of presentations on hot button issues that impact the business. The event will address the latest trends, anticipated developments, and challenges in the fashion and retail industries. Claire Spofford, Chief Executive Officer and President of women’s apparel brand J. Jill, will be the featured keynote speaker.

This complimentary event is by invitation only. If you or a colleague are interested in receiving an invitation, please contact [email protected].

July 20

How To: Protect Employee/HR Data and Comply with Data Privacy Laws As workforces become increasingly mobile and remote work is more the norm, employers face the challenge of balancing the protection of their employees’ personal data and privacy against the need to collect and process personal data to recruit, support and monitor their workforces. Mounting regulations attempt to curb employers’ ability to gather and utilize employee data—from its historical use in processing employee benefits and leave requests to employers’ collection, use or retention of employees’ biometric data to ensure the security of the organization’s financial or other sensitive information systems. Learn what employers can do now to protect employee data and prepare for the growing wave of data privacy laws impacting the collection and use of employee personal data. RSVP

Other Ways to Stay Informed

There are a number of ways to receive our advertising and privacy law updates; all of them, and more, can be found at this link.


New California Draft Privacy Regulations: How They Would Change Business Obligations and Enforcement Risk https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/new-california-draft-privacy-regulations-how-they-would-change-business-obligations-and-enforcement-risk Mon, 30 May 2022 18:24:04 -0400 On Friday May 27, 2022, the California Privacy Protection Agency (CPPA) Board announced its next public meeting will be on June 8, 2022. The announcement simply stated the date of the meeting, that there are “some discussion items [that] will be relevant to the Agency’s rulemaking work,” and that information on how to attend the meeting and the meeting agenda could be found on the CPPA’s site. It did not take too many Internet sleuths to review the posted agenda, and note that Agenda Item No. 3 was “Discussion and Possible Action Regarding Proposed Regulations, Sections 7000–7304, to Implement, Interpret, and Make Specific the California Consumer Privacy Act of 2018, as Amended by the California Privacy Rights Act of 2020, Including Possible Notice of Proposed Action,” and that the posted meeting materials included a copy of the “Draft Proposed CCPA Regulations.” In addition, Agenda Item No. 4 provides for “Delegation of Authority to the Executive Director for Rulemaking Functions.” Full stop, June will be an active month for California privacy rulemaking.

But let’s unpack the surprises in the draft regulations. The 66-page draft proposed CCPA regulations (and they are referred to within the document as CCPA regulations) take a prescriptive approach to privacy obligations. In concept, that is not too surprising. Of concern, in some areas, they uniquely depart from approaches set forth by other state privacy laws. The quiet release of dramatic new obligations while bipartisan Senators reportedly may be reaching consensus on federal privacy legislation that could preempt state law obligations puts companies doing business in California in a difficult position. Do they scramble to operationalize new programs to comply with the CPPA’s new requirements, if finalized? Do they wait on Congress? Do they choose a third path? For now, while these draft rules are certain to change in some respects before they are finalized, they directionally outline a new privacy baseline for the United States. We highlight certain aspects of the draft rules below, with a particular focus on accountability and risk exposure, how data can be shared with other businesses for digital advertising or other functions, and what those business agreements must include to lawfully support such business relationships and comply with the amended CCPA.

Quick and Costly Potential CPPA Enforcement

Consumers, the CPPA, and the California Attorney General’s Office all are empowered to take businesses (and contractors, service providers, and third parties) to task for perceived non-compliance with privacy obligations. Among all of the proposed changes in the draft regulations, the enforcement provisions should cause many companies, regardless of their role, to pause and evaluate whether they’ve allocated sufficient resources to address privacy compliance. While there is no privacy private right of action under the CCPA/CPRA, the draft rules set forth a new, expanded, and fast-tracked form of compliance monitoring and action that could be surprising to many companies, and costly.

First, while there are provisions about requiring consumers to file sworn complaints, the CPPA provides that it can accept and initiate investigations on unsworn and anonymous complaints too. For every sworn complaint, the CPPA must notify the consumer complainant in writing of what actions the Agency has taken or plans to take and the reasons for action or non-action. Because the Agency has to respond to each complaint, this could turn into a routinized process of a high volume of complaints forwarded to businesses, with tight timeframes to respond in writing or else face violations and administrative fines.

The rules provide that there is “probable cause” of a privacy violation if “the evidence supports a reasonable belief that the CCPA has been violated.” There is no mention of extensions of time for good faith reasons. Under the statute, the CPPA can find a violation through a probable cause hearing if it provides notice by service of process or registered mail with return receipt to the company “at least 30 days prior to the Agency's consideration of the alleged violation.” The notice must contain a summary of the evidence and inform the company of its right to be present “in person and represented by counsel.” The “notice” clock starts as of the date of service, the date the registered mail receipt is signed, or, if the registered mail receipt is not signed, the date returned by the post office. It’s possible this process occurs through the forwarding of unverified consumer complaints.

Under the draft rules, a company can request the proceeding be made public if they make a written request at least 10 business days before the proceeding. A company has a right to an in-person proceeding only if it requests the proceeding be made public. Otherwise, the proceeding may be conducted in whole or in part by telephone or video closed to the public. Participants are limited to the company representative, legal counsel, and CPPA enforcement staff. The CPPA serves as prosecutor and arbiter, and the draft rules do not define how the agency preserves its neutrality in its latter role.

The CPPA makes a determination of probable cause at such proceeding “based on the probable cause notice and any information or arguments presented at the probable cause proceeding by the parties.” If a company does not participate or appear, it waives “the right to further probable cause proceedings” (it’s not clear in the draft rules whether that is limited to the facts of that matter, or future alleged violations) and a decision can be made on the information provided to the CPPA (such as through a complainant).

The CPPA then issues a written decision and notifies the company electronically or by mail. Of concern, the draft rules provide that this determination “is final and not subject to appeal.” Under the statute, violations can result in an administrative fine of up to $2500 for each violation, and up to $7500 for each intentional violation or if the violation involves minors. Multiple parties involved can be held jointly and severally liable. It’s conceivable that violations may be calculated on any number of factors that could add up substantially, and as contemplated by these draft rules, there is no process to challenge such judgments, including if there are factual or legal disputes. One can imagine future legal proceedings that challenge a variety of the legal bases for such a structure if these rules are finalized as drafted.

Service Provider Requirements and Restrictions

Data Privacy Addendums Get a Further Tune Up, and Open Question on Whether They Need to be Bespoke. One aspect of state privacy law compliance that has consumed many resources and much time is the service provider contract. Who is a service provider? What must the contract say? What restrictions apply to service providers (or contractors)? The draft rules continue to add more obligations.

One must have a written contract in place that meets all of the requirements outlined below to even qualify as a service provider or contractor. The contract requirements are very granular, go beyond what most current privacy addendums (or technology provider terms and conditions) look like today, and include:

  • Restrictions from selling or sharing the business’s personal information.
  • Identify which specific business purposes and services are required for processing the business’s personal information, and that such disclosure occurs only for the limited and specified business purposes set forth in the contract. This cannot be stated generally with reference to the agreement, but rather requires a specific description.
    • This language suggests that a one-size-fits-all data processing agreement for all vendors processing personal information for different business purposes or functions might not be sufficient, which is very concerning from a resource and practicality standpoint.
  • Restricting the processing of personal information outside or for any other purpose from those business purposes in the contract, including to service a different business, unless permitted by the CCPA. Awkwardly, the proposed rule suggests that all of the specific business purpose(s) and service(s) identified earlier would need to be restated as part of the restrictions.
    • On this last point, the draft rules underscore this specific example: “a service provider or contractor shall be prohibited from combining or updating personal information received from, or on behalf of, the business with personal information that it received from another source unless expressly permitted by the CCPA or these regulations.”
  • Requiring compliance with all applicable provisions of the CCPA, including providing the same level of privacy protection as applicable to businesses, to cooperate with the business for handling consumer rights requests, and reasonable data security provisions.
  • Reasonable audit provisions to ensure CCPA compliance, such as “ongoing manual reviews and automated scans of the service provider’s system and regular assessments, audits, or other technical and operational testing at least once every 12 months.”
  • Notification to the business within 5 business days if the service provider/contractor determines it cannot meet its obligations.
  • Providing the business the right to take reasonable steps to stop and remediate any unauthorized use of personal information by the service provider/contractor, such as “to provide documentation that verifies that [the service provider/contractor] no longer retain[s] or use[s] the personal information of consumers that have made a valid request to delete with the business.”
  • Provides that the business will notify the service provider/contractor of any consumer rights request and provide the information necessary for the service provider/contractor to comply with the request.
In addition to the contract, the draft rules emphasize that these cannot just be words on paper that diverge from actual practices. Section 7051(e) notes in particular that, in assessing compliance, the CPPA can evaluate whether the business conducted any due diligence to support a reasonable belief of privacy compliance, and whether and how the business enforces its contract terms, including performing audits. If there is non-compliance, both parties can be held jointly and severally liable.

The Limitations on Internal Use of Customer Data by a Service Provider/Contractor. The draft rules provide that a service provider/contractor is restricted from using customer personal data for its own purposes, except for internal use to build or improve the quality of its services, provided that the service provider/contractor does not use the personal information to perform services on behalf of another person in a manner not permitted under the CCPA. This language is notably different from the governing CCPA rules. The examples outlined below, together with the admonition above that the service provider cannot combine or update personal information received from another source unless permitted by the CCPA, make it ambiguous when updating personal information crosses the line. The examples suggest that where such functions are used to facilitate personalized advertising or data sales, they would not fit within a service provider/contractor role.

Use for Analysis/Data Hygiene (Sometimes). The draft rules set forth two examples that seem to allow some analysis and data correction under particular circumstances. The first illustration emphasizes that the service provider/contractor can analyze how a business customer’s consumers interact with company communications to improve overall services, and the second example highlights that a service provider/contractor can use customer data to identify and fix incorrect personal information that, as a result, would improve services to others. The draft rules underscore, however, that a service provider/contractor could not compile (e.g., enrich/append) personal information for the purpose of sending advertising to another business or to sell such personal information.

Data Security/Fraud Prevention. Consistent with the statute, the draft rules allow service providers/contractors to use and combine customer personal information “[t]o detect data security incidents or protect against malicious, deceptive, fraudulent or illegal activity.”

Other Legal Purposes. The draft rules acknowledge that a service provider/contractor can use customer data to comply with other laws, lawful process, to defend claims, if the data is deidentified or aggregated, or does not include California personal information.

Advertising Service Provider Functions Look Limited. The draft rules acknowledge that a business can engage a service provider/contractor for advertising/marketing services if the services do not combine opted-out consumer data from other sources. The draft rules also affirmatively reiterate that an entity that provides cross-contextual behavioral advertising is a third party and not a service provider/contractor.

  • As an example of what would cross the line, the draft rules provide that a service provider/contractor can provide non-personalized advertising based on aggregated or demographic information (ads based on gender, age range, or general geographic location), but could not, for example, share the business’s customer information with a social media platform to “identify users on the social media company’s platform to serve advertisements to them.” This example is stated without qualification as to what commitments the platform has provided on its own use of and restrictions on such data, or whether and how any other permitted “business purposes” under the CPRA may apply.
  • In another example, the draft rules provide that an advertising agency can be a service provider/contractor by providing contextual advertising services. Again, this example is set forth without reference to any other business purposes that may apply. However, one wonders whether the enforcement structure may inhibit broader interpretations where functions involve personalized advertising and analytics.

Third Parties that “Control the Collection” of Personal Information

Notice at Collection. The draft rules include new language that, in the context of “notice at collection,” provides that when more than one party controls personal information collection, such as in connection with digital advertising, all such parties must provide a very detailed “notice at collection” that accounts for all parties’ business practices. As an example:

  • A “first party may allow another business, acting as a third party, to control the collection of personal information from consumers browsing the first party’s website. Both the first party that allows the third parties to collect personal information via its website, as well as the third party controlling the collection of personal information, shall provide a notice at collection.”

Both parties also would need to honor opt-outs of sale/sharing, and the “notice at collection” would need to include “the names of all the third parties that the first party allows to collect personal information from the consumer,” or the first party can include in its “notice at collection” the information provided by the third party that would meet all of the requirements about its business practices. For example, a company that has a third-party analytics tag on its website would need to post a conspicuous link to its “notice at collection” about the analytics company’s information practices on its homepage and on all webpages that include the tag collecting personal information. The analytics company also would need to post a “notice at collection” on its website’s homepage. These requirements also apply offline, where applicable.

Honoring Opt Outs. Section 7051 provides that third parties are directly obligated to honor opt outs, including as conveyed through a global privacy signal or otherwise on a first-party business’s site hosting the third party’s tag collecting personal information, unless the first-party business informs the third party that the consumer has consented to the sale/sharing, or “the third party becomes a service provider or contractor that complies with the CCPA and these regulations.”

  • This latter provision is interesting because it suggests implicit support for frameworks, such as IAB’s LSPA, where a contract that contains commitments around use of personal data post-opt-out can support a continued service provider role.

The first-party business would also be required to “contractually require the third party to check for and comply with a consumer’s opt-out preference signal unless informed by the business that the consumer has consented to the sale or sharing of their personal information.” A contract must be in place with the first party for the third party to lawfully collect and use personal information collected from the first party’s site. The contract would need to comply with all of the express requirements for such third-party contracts under the CCPA. As with service providers/contractors, these contract provisions are very detailed, and due diligence and accountability provisions are also required.

* * *

There is a lot to consider, and while all of these provisions remain subject to further changes, it is clear that the draft rules suggest a more exacting expectation as to privacy compliance by companies doing business in California or otherwise with California residents, and an expansive new set of obligations to tighten such compliance within the information supply chain. We will cover in future blog posts how these draft rules contemplate other business obligations, including obligations around obtaining consent, privacy policies, responses to consumer privacy rights, the use of sensitive personal information, and the mechanics of complying with opt-outs of sales/shares and global privacy controls. If you are interested in submitting comments in the rulemaking process or have questions about privacy compliance, please reach out to members of Kelley Drye’s privacy team.

JOIN US

A Readout of the California Privacy Protection Agency's Draft Proposed CPRA Regulations

Separately, join us as Kelley Drye privacy lawyers provide observations on the proposed regulations, including which would pose the biggest challenge for businesses if implemented, and will offer strategies to plan efficiently for compliance in the face of these proposals. Register here.

Webinar Replay: Teen Privacy Law Update
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/webinar-replay-teen-privacy-law-update
Fri, 20 May 2022 12:22:16 -0400

The replay for our May 19, 2022 Teen Privacy Law Update webinar is available here.

Protecting the privacy and safety of kids and teens online is receiving enormous attention lately from Congress, the States, the FTC, and even the White House. Further, just last month, BBB National Programs unveiled a Teenage Privacy Program Roadmap offering a comprehensive framework for companies to use in identifying and avoiding online harms impacting teens.

Amidst these developments, Kelley Drye held a webinar to discuss the unique challenges associated with teen privacy. Dona J. Fraser, Senior Vice President Privacy Initiatives, BBB National Programs, and Claire Quinn, Chief Privacy Officer, PRIVO, along with Kelley Drye’s Laura Riposo VanDruff provided an update on key concerns and developments related to teen privacy, as well as practical tips for companies seeking to address these issues.

To view the webinar recording, click here or view it on the new Ad Law Access App.

Subscribe to the Ad Law Access blog to receive real-time updates on privacy and other related matters.

The Ad Law News and Views newsletter provides information on our upcoming events and a summary of recent blog posts and other publications.

Visit the Advertising and Privacy Law Resource Center for additional information, past webinars, and educational materials.

For easy access to all of our webinars, posts and podcasts, download our new Ad Law Access App.

Kelley Drye Unveils First-of-its-kind Advertising Law App

Complaint Urges FTC to Investigate the Location Data Industry
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/complaint-urges-ftc-to-investigate-the-location-data-industry
Tue, 26 Apr 2022 08:19:36 -0400

There’s a “request for investigation” pending at the FTC that some of our readers might have missed. The April 12 complaint, filed by Georgetown Law professor Laura Moy on behalf of the Council on American-Islamic Relations, urges the FTC to conduct a wide-ranging investigation of the location data industry.

The complaint focuses in particular on alleged abuses harming the Muslim community, including the government’s purchase of location data from popular Muslim prayer apps to conduct “warrantless surveillance” on Muslim individuals. According to the complaint, these practices have led to a “sense of constant surveillance” that has chilled Muslims’ practice of religion, freedom of assembly, and use of technology to communicate. The allegations have broader implications, too, as they describe the “unfettered” and “surreptitious” data collection across many contexts by multiple industry actors, including the operating systems, app and SDK developers, data brokers, and participants in digital advertising’s real time bidding (RTB) process.

As I write this blog post, the complaint does not appear to have been posted on the FTC’s website. Although the FTC seeks public comment on petitions for rulemaking, this complaint may not fall within that process since it chiefly seeks investigations, citing rulemaking as a “longer term” goal. (Of course, stakeholders may want to consider providing input to the FTC anyway to assist in its consideration of the issues.)

Background on the Complainant

The Council on American-Islamic Relations (CAIR) describes itself as the nation’s largest Muslim civil liberties organization, dedicated to promoting a positive image of Muslims and defending their rights. In light of growing concerns about the link between data collection and discrimination, as well as the use of commercial data by law enforcement, its submission of this complaint is notable.

Laura Moy, who represents CAIR, is Director of Georgetown’s Communications and Technology Law Clinic and Associate Director of the Center on Privacy and Technology. (Notably, President Biden’s pending nominee to the FTC, Alvaro Bedoya, a longtime critic of the “surveillance” alleged in the complaint, is Director of the latter organization.) Moy is also a faculty advisor for Georgetown’s Institute for Tech Law and Policy (where, full disclosure, I remain a Distinguished Fellow) and served on President Biden’s FTC transition team. She is a respected academic and consumer advocate whose arguments here will be taken seriously by the FTC.

Summary of the Allegations

In a nutshell, the complaint alleges that:

  • Multiple actors in the location data industry collect precise location data from individuals’ mobile devices constantly and invisibly.
  • Disclosures regarding this practice are hidden and misleading, making it impossible for reasonable individuals to understand and avoid this practice.
  • The data is readily linkable to individuals through device identifiers, and reveals highly personal details about people’s lives.
  • The data is shared freely with third parties such as the government, data collectors, and stalkers.
  • The uncontrolled collection and dissemination of this data leads to multiple forms of harm, including discriminatory advertising, “hyper-surveillance” by law enforcement, and the undermining of individuals’ choices and First Amendment rights.

The complaint contains detailed arguments as to how this conduct is deceptive and unfair, in violation of the FTC Act. While some of these arguments conflate legal requirements with the FTC’s policy recommendations, they nevertheless raise concerns that many readers will find compelling. The complaint includes many citations and concrete examples, some of which could lead to enforcement targets.

Request for FTC Action

As noted above, CAIR requests that the FTC investigate and take action against multiple entities, including:

  • App developers that include location tracking SDKs in their apps “without fully understanding and/or disclosing their data distribution capabilities, leading to users’ sensitive data being unknowingly shared with third parties…including law enforcement and potentially foreign actors.”
  • SDK developers that fail to inform apps about their location-tracking and/or ensure that the apps inform their users.
  • Mobile operating systems that fail to protect location data and/or mislead users about how it’s collected and used.
  • Participants in the RTB process that use data from the ad exchanges for non-advertising purposes.
  • Location aggregators (and other entities) that purchase and sell location data without regard to the disclosures and choices presented when the data was collected.
  • Any company that falsely claims that data is “anonymous” or that re-identifies supposedly anonymized data.

CAIR also recommends that the FTC “build on” such enforcement actions by simultaneously issuing guidance to industry on how to avoid deception. The complaint also mentions rulemaking (to require opt-in consent for enabling ad identifiers) as a long-term goal. As alternatives, CAIR floats the idea of an FTC workshop or a Section 6(b) study of the issues.

Finally, the complaint emphasizes that the FTC is the only federal agency with sufficient authority to “rein in” the numerous actors in the industry, while also suggesting the agency has been slow to act here. Of note, the complaint mentions as a “good start” efforts brought during the Obama Administration, including the FTC’s 2014 data broker report and its flashlight app and InMobi cases. (I can’t resist mentioning that I was the Bureau Director then, and that our other “good starts” included cases against Snapchat and Aaron’s, mobile health app guidance, and Congressional testimony, all of which addressed concerns raised by location tracking.)

* * *

Overall, the complaint presents many issues for the FTC and stakeholders in the data ecosystem to consider, framed in a compelling way and authored by a respected source who is closely aligned with FTC nominee Bedoya. The FTC will likely pay attention.

Privacy Priorities for 2022: Tracking State Law Developments
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/privacy-priorities-for-2022-tracking-state-law-developments
Fri, 25 Mar 2022 13:10:13 -0400

The replay for our April 28, 2022 Privacy Priorities for 2022: Tracking State Law Developments webinar is available here.

In the absence of a federal privacy law, privacy has been at the forefront of many states’ legislative sessions this year. Against this backdrop, state attorneys general continue to initiate investigations into companies’ privacy practices, and state agencies continue to advance privacy rulemakings under existing law. Aaron Burstein, Laura VanDruff, and Paul Singer presented this webinar to help attendees learn about the latest developments in state privacy law, make sense of these developments, and understand their practical impact.

To view the webinar recording, click here or view it on the new Ad Law Access App.

Age Appropriate Design Codes – Well Meaning, but Do They Make for Good Law?
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/age-appropriate-codes-well-meaning-but-do-they-make-for-good-law
Sun, 20 Mar 2022 14:25:17 -0400

As we’ve discussed here, there’s bipartisan momentum in Congress to enact stronger privacy protections for kids and teens – and specifically, tools that would enable minors and their parents to limit algorithms and online content that fuel self-harm and addictive behaviors. These efforts, reflected in several federal bills (see here and here) and now in a California bill too, build on months of testimony by a social media insider and are modeled in large part on the UK’s Age Appropriate Design Code.

In his State of the Union address, the President added to this momentum, calling on Congress to enact stronger protection for kids – a move that was heralded in the media as a potential “game changer” for privacy that could “help clear the logjam on Capitol Hill.” (Relatedly, report language accompanying the recently signed budget bill directs the FTC to prioritize kids’ privacy in its enforcement efforts.)

It’s certainly understandable why U.S. policymakers would want to protect the privacy and safety of minors. It’s also notable that they are focusing on an area where bipartisan action might be possible and emphasizing the safety aspects of these bills (as if the word “privacy” would jinx the effort while “safety” might garner more support). But, looking past the good intentions to protect kids, some of the concepts and language in these bills pose real challenges as to clarity and enforceability.

Focusing on just a few:

  • Best interests of the minor. The bills generally require companies to design and operate online services used by minors with the minors’ best interests as a primary consideration.
    • This language raises real questions about implementation and enforceability. While the bills sometimes include factors to consider (e.g., the types of harms to avoid), or authorize rulemakings or taskforces to flesh out the standards, this language is rife with subjectivity and will be difficult to interpret and apply.
    • For example, if a company demonstrates that it made a good faith effort to develop policies to address this issue, will that be sufficient? Will companies be able to develop a uniform set of criteria that apply to all minors when these types of judgments are normally left to parents? Will rulemakings or taskforces really be able to flesh out the standards in a way that the bill-drafters apparently concluded they couldn’t?
  • Avoiding “dark patterns” or “nudge” techniques. The bills generally state that companies should avoid design interfaces or techniques that cause excessive use of an online service, or that encourage minors to provide more data, forego privacy protections, or engage in harmful behaviors.
    • Some aspects of these standards will be easier to apply than others. For example, it seems clear that companies shouldn’t expressly offer incentives to minors to provide more personal data or change settings. Nor should they feature bold, enticing “yes” options for data collection and sharing, in contrast to tiny or hidden “no” choices. And, of course, it shouldn’t be more difficult to cancel a service than it is to sign up.
    • But so much of this lies in a grey area. Is it a “dark pattern” to allow minors to win and advance in a game which, as parents well know, keeps kids playing? What about gaming interfaces with vivid graphic pictures and details – a dominant feature of the most popular video games? Will they go the way of Joe Camel (the ubiquitous, cartoon character in tobacco ads that ended amidst controversy and litigation in the late 90s)? Is a portal used by children inherently problematic because it encourages minors to return again and again to access varied and changing content? And, of particular relevance to the concerns that are driving these efforts, will companies be expected to block content on bulimia, suicide, cutting, or sexual activity if that’s precisely the information young teens are searching for?
  • Likely to be accessed by a minor. Many of the bills’ provisions – including the best interest and dark patterns requirements, as well as provisions requiring parental controls and strong default settings – are tied to whether an online service is “likely to be accessed by a minor.”
    • This standard is very confusing and will be extremely difficult to apply. In contrast to COPPA – which covers online services “directed to children” or circumstances where an online service has actual knowledge a user is a child – this standard will require companies to anticipate access by minors even if the company hasn’t designed its service for minors, and even if it has no specific knowledge that minors are using it.
    • Although COPPA has been criticized as too narrow, this new standard could be entirely unworkable. While some companies know full well that minors are using their services, others don’t. Will this approach inevitably lead to universal identification and age-gating of all users of all online services? Given the ease with which minors can outwit age-gates, will that even be sufficient, or will companies need to set up more comprehensive data collection and monitoring systems? And would these outcomes really advance user privacy?

Certainly, the concerns driving these efforts – the harmful effects of social media on minors – are serious ones. They also unite members from different political parties, which is always a welcome development. However, as policymakers and stakeholders study these bills, they will likely (or hopefully) realize just how difficult implementation would be, sending them back to the drawing board for another try. Or maybe they will ultimately conclude that comprehensive privacy legislation is still the better approach.

How the Utah Consumer Privacy Act Stacks Up Against Other State Privacy Laws
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/how-the-utah-consumer-privacy-act-stacks-up-against-other-state-privacy-laws
Thu, 17 Mar 2022 10:31:24 -0400

As companies wait to see whether the Utah Consumer Privacy Act (UCPA) becomes the fourth comprehensive state privacy law, we are providing an overview of some of the Act’s key provisions – and how they depart from comprehensive privacy laws in California, Colorado, and Virginia.

Utah’s Senate unanimously passed the UCPA on February 25. The House – also through a unanimous vote – followed on March 2. The Legislature sent the UCPA to Governor Spencer Cox on March 15. Because the Legislature adjourned on March 4, Governor Cox has 20 days from the date of adjournment – March 24 – to sign or veto the Act. If Governor Cox takes no action, the UCPA will become law, with an effective date of December 31, 2023.

In broad strokes, the UCPA is similar to the Virginia Consumer Data Protection Act (VCDPA) and Colorado Privacy Act (CPA). And, like the laws in Colorado and Virginia, the UCPA borrows some concepts from the CCPA – including a version of the right to opt out of the “sale” of personal data.

However, the UCPA pares back important features of all three of these laws. Some of the significant changes include:

  • Applicability. The UCPA’s applicability is narrower than the three other comprehensive state privacy laws. The UCPA applies only to controllers or processors that (1) do business in the state (or target Utah residents with products or services); (2) earn at least $25 million in revenue; and (3) either: (a) control or process personal data of 100,000 or more consumers in a calendar year; or (b) derive more than 50 percent of gross revenue from selling personal data and control or process data of 25,000 or more consumers. By contrast, the $25 million revenue threshold is an independent basis for the CCPA to apply to a business; and neither the CPA nor VCDPA includes a revenue-based exemption.
  • Exemptions. In addition to exempting personal data that is subject to sector-specific privacy laws and regulations, such as HIPAA, the Gramm-Leach-Bliley Act, and the Fair Credit Reporting Act, the UCPA provides that the Act does not apply to certain entities, including tribes, institutions of higher education, and nonprofit corporations.
  • Sale and Targeted Advertising Opt-Out Rights. Although the UCPA requires controllers to provide consumers with the ability to opt out of sale and targeted advertising, the Act does not provide a right to opt out of profiling (or otherwise address profiling). Like the VCDPA, the UCPA restricts the definition of “sale” to “the exchange of personal data for monetary consideration by a controller to a third party.” This definition does not include “other valuable consideration,” found in the definitions of “sale” under the CCPA and CPA.
  • Opt-Out Consent to Process Most Sensitive Data. The UCPA does not require opt-in consent to process most sensitive data, unless the data “concern[s] a known child,” unlike the opt-in requirements of the CPA and VCDPA. Instead, the UCPA requires controllers to “present[] the consumer with clear notice and an opportunity to opt out” of sensitive data processing.
  • Other Consumer Rights. The UCPA provides consumers the right to confirm processing and to delete personal data they provided to a controller. Consumers also have the right to obtain a portable copy of personal data that the consumer “previously provided to the controller.” This “provided to” language follows the VCDPA’s access and portability right and contrasts with obligations to provide personal data “concerning” (CPA) or “about” (CCPA) a consumer. The UCPA does not provide a right of correction or accuracy.
  • Enforcement and Regulation. The UCPA does not include a private cause of action, nor does it authorize the Attorney General or any other state official or agency to issue regulations. The Division of Consumer Protection, in the Utah Department of Commerce, investigates potential violations and can refer an action to the Utah Attorney General for enforcement. The Attorney General can recover actual damages for consumers and a penalty of up to $7,500 per violation, but only after a 30-day notice and right-to-cure period.

From a preparation and compliance standpoint, the UCPA – if it becomes law – might not be a game-changer for companies that have built their privacy programs around California’s requirements. The Kelley Drye team will explore some of the details of all four state laws – as well as compliance strategy considerations – during a webinar on March 24 beginning at 4:00 pm EDT. In the meantime, we will keep a close eye on developments in Utah and elsewhere.
Comparison of the four laws: Colorado Privacy Act (CPA), Virginia Consumer Data Protection Act (VCDPA), California Consumer Privacy Act (CCPA, as amended by the CPRA), and Utah Consumer Privacy Act (UCPA).

Thresholds to Applicability
  • CPA: Applies to a controller that (1) conducts business in CO or targets products or services to CO residents and (2) meets either of these thresholds: (a) controls or processes personal data of at least 100,000 consumers in a calendar year; or (b) derives revenue or receives a discount on the price of goods or services from selling personal data or controls personal data of at least 25,000 consumers.
  • VCDPA: Applies to a person that (1) conducts business in VA or targets products or services to VA residents; and (2) meets either of these thresholds: (a) controls or processes personal data of at least 100,000 consumers; or (b) controls or processes personal data of at least 25,000 consumers and derives over 50% of gross revenue from the sale of personal data.
  • CCPA: A “business” (1) conducts business in CA and collects personal information of CA residents; and (2) (a) has $25 million or more in annual revenue for the preceding calendar year as of Jan. 1 of the calendar year; (b) annually buys, sells, or shares personal data of more than 100,000 consumers or households; or (c) earns more than 50% of its annual revenue from selling or sharing consumer personal information.
  • UCPA: A controller or processor that (1) conducts business in Utah or targets products or services to UT residents; (2) has $25 million or more in annual revenue; and (3) satisfies one of these thresholds: (a) during a calendar year, controls or processes personal data of 100,000 or more consumers; or (b) derives over 50% of gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more consumers.

Opt-in Consent
  • CPA: Opt-in consent required to process sensitive data.
  • VCDPA: Opt-in consent required to process sensitive data.
  • CCPA: Opt-in consent required to sell or “share” personal information of minors under age 16.
  • UCPA: Not required for sensitive data (unless the data concerns a known child, and parental consent is required under COPPA).

Opt-Out
  • CPA: Required for targeted advertising, sales, and profiling for legal or similarly significant effects.
  • VCDPA: Required for targeted advertising, sales, and profiling for legal or similarly significant effects.
  • CCPA: Required for profiling, cross-contextual advertising, and sale; right to limit use and disclosure of sensitive personal information.
  • UCPA: Required for targeted advertising and sales.

Other Consumer Rights
  • CPA: Access, Portability, Deletion, Correction.
  • VCDPA: Access, Portability, Deletion, Correction.
  • CCPA: Access, Deletion, Correction, Portability.
  • UCPA: Access, Portability, and Deletion.

Authorized Agents
  • CPA: Permitted for opt-out requests.
  • VCDPA: N/A.
  • CCPA: Permitted for all consumer rights requests.
  • UCPA: N/A.

Appeals
  • CPA: Must create a process for consumers to appeal a refusal to act on consumer rights.
  • VCDPA: Must create a process for consumers to appeal a refusal to act on consumer rights.
  • CCPA: N/A.
  • UCPA: N/A.

Private Right of Action
  • CPA: No.
  • VCDPA: No.
  • CCPA: Yes, for security breaches involving certain types of sensitive personal information.
  • UCPA: No.

Cure Period
  • CPA: 60 days, until the provision expires on Jan. 1, 2025.
  • VCDPA: 30 days.
  • CCPA: 30-day cure period is repealed as of Jan. 1, 2023.
  • UCPA: 30 days.

Data Protection Assessments
  • CPA: Required for targeted advertising, sale, sensitive data, and certain profiling.
  • VCDPA: Required for targeted advertising, sale, sensitive data, and certain profiling.
  • CCPA: Annual cybersecurity audit and risk assessment requirements to be determined through regulations.
  • UCPA: N/A.

Lina Khan’s Privacy Priorities – Time for a Recap
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/lina-khans-privacy-priorities-time-for-a-recap
Wed, 16 Mar 2022 11:47:07 -0400

Rumors suggest that Senator Schumer is maneuvering to confirm Alvaro Bedoya as FTC Commissioner sooner rather than later, which would give FTC Chair Khan the majority she needs to move forward on multiple fronts. One of those fronts is consumer privacy, for which Khan has announced ambitious plans (discussed here and here) that have stalled for lack of Commissioner votes. With Bedoya potentially on deck, now seems like a good time to recap those plans, as they might provide clues about what’s in the pipeline awaiting Bedoya’s vote. We focus here on three priorities Khan has emphasized in statements and interviews since becoming Chair.

Privacy Rulemakings

At the top of the list are privacy rulemakings, which could create baseline standards for the entire marketplace and enable the FTC to obtain monetary relief in its cases. (Recall that the FTC has limited authority to obtain money in its cases, especially post-AMG, but that it can seek penalties or redress when it’s enforcing a rule.) Last December, Khan issued a Statement of Regulatory Priorities detailing the privacy rulemakings she wants to initiate or complete, including:

  • New rules to halt “abuses stemming from surveillance-based business models,” which could curb “lax security practices” and “intrusive surveillance,” “ensur[e] that algorithmic decision-making does not result in unlawful discrimination,” and potentially limit the use of “dark patterns” to manipulate consumers. (Yes, this is an ambitious one.)
  • Possible amendments to existing privacy rules – including the Children’s Online Privacy Protection Act (COPPA), the Health Breach Notification Rule, the Safeguards Rule (breach notification requirements), and the FACTA Identity Theft Rules (including the Red Flags Rule).
  • Possibly other new rules to “define with specificity unfair or deceptive acts or practices.”

Of note, absent Congressional legislation, any new privacy rules would need to follow the arduous process detailed in Section 18 of the FTC Act (referred to as “Mag-Moss” rulemaking). With Bedoya on board, the FTC can start these rulemakings, but they could still take years to complete, as we discuss here.

By contrast, the FTC can amend its existing privacy rules under the more manageable Administrative Procedures Act. Further, it’s already in the midst of rule reviews for all of the rules listed above (including COPPA’s, which started back in 2019). As a result, the FTC could act on these rules relatively quickly once Bedoya is on board.

Focus on Platforms

Khan has also made clear that she intends to focus on the tech platforms – which she has described as “gatekeepers” that use their critical market position to “dictate terms,” “protect and extend their market power,” and “degrade privacy without ramifications.” In a statement and accompanying staff report last September, Khan stated that such efforts would include:

  • Additional compliance reviews of the platforms currently subject to privacy orders (Facebook, Google, Microsoft, Twitter and Uber), followed by order modifications and/or enforcement as necessary.
  • As resources permit, examining the privacy implications of mergers, as well as potential COPPA violations by platforms and other online services – COPPA being of special importance as children have increasingly relied on online services during the pandemic. (Relatedly, report language accompanying the omnibus budget just signed into law directs the FTC to prioritize COPPA enforcement.)
  • Completion of the pending Section 6(b) study of the data practices of the social media companies and video streaming services, which was initiated in December 2020.

So far, we’ve seen limited action from the FTC on platforms (at least on the consumer protection side). Last October, the FTC issued a 6(b) report on the privacy practices of ISPs, but largely concluded that the topic should be addressed by the FCC. Then, in December, the FTC announced a settlement with online ad platform OpenX for COPPA violations. Given Khan’s bold plans in this area, it seems likely that there are matters in the pipeline awaiting Bedoya’s vote.

Stronger Remedies

The third major area that Khan has highlighted is obtaining stronger remedies in privacy cases – that is, considering “substantive limits”, not just procedural protections that “sidestep[] more fundamental questions about whether certain types of data collection and processing should be permitted in the first place.” By this, Khan is referring to deletion of data and algorithms, bans on conduct, notices to consumers, stricter consent requirements, individual liability, and monetary remedies based on a range of theories post AMG.

As to this priority, the FTC has moved ahead where it can (even prior to Khan’s tenure), often using strategies that have been able to garner unanimous votes. For example, its settlements with photo app Everalbum (for alleged deception) and WW International (for alleged COPPA violations) required deletion of consumer data and algorithms alleged to have been obtained illegally. Its settlement with fertility app Flo Health (for alleged deception about data sharing) required the company to notify affected consumers and instruct third parties that received their data to destroy it. The FTC also has alleged rule violations where possible, and partnered with other agencies to shore up its ability to obtain monetary relief.

But we’ve also seen signs of a more combative approach that could increase when Khan has the votes to push it forward. Of note, last September, the FTC issued an aggressive interpretation of the Health Breach Notification Rule, purporting to extend the rule’s reach (and thus its penalties) to virtually all health apps, even though a rule review was already underway. Further, FTC staff are making strong, often unprecedented demands for penalties, bans, and individual liability in consent negotiations. It’s even possible, based on an article written by former Commissioner Chopra and now-BCP Director Sam Levine, that the agency could attempt to use penalty offense notice letters (explained here) to lay the groundwork for penalties in privacy cases under Section 5(m)(1)(B). However, given the paucity of administratively litigated privacy cases (a key requirement under 5(m)(1)(B)), this would be very aggressive indeed.

* * *

For more on Khan’s privacy plans, you can read our earlier blogposts (here and here), as well as the various FTC statements and reports cited in this post. Or, if you like surprises, you can simply wait for Bedoya to be confirmed and see what happens. Needless to say, things should speed up at the FTC when he arrives.

Privacy Priorities for 2022: Tracking State Law Developments, Thursday, March 24, 2022 at 4:00pm ET / 1:00pm PT

In the absence of a federal privacy law, privacy has been at the forefront of many states’ legislative sessions this year:

  • Utah is poised to be the fourth state to enact comprehensive privacy legislation
  • Florida came close to passing legislation when the State House advanced privacy legislation by a significant margin
  • Other state legislatures have privacy bills on their calendars

Against this backdrop, state attorneys general continue to initiate investigations into companies’ privacy practices, and state agencies continue to advance privacy rulemakings under existing law.

Please join us on Thursday, March 24 at 4:00 pm ET for this webinar to learn about the latest developments in state privacy law, make sense of these developments and understand their practical impact.

Webinar Replay: Privacy Priorities for 2022 - FTC https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/webinar-replay-privacy-priorities-for-2022-ftc Fri, 25 Feb 2022 15:09:21 -0500

The replay for our May 19, 2022 Privacy Priorities for 2022 webinar is available here.

Under Chair Lina Khan, the Federal Trade Commission has announced an aggressive privacy agenda, which is unfolding on the enforcement, regulatory, and policy fronts. In recent enforcement actions, the FTC has sought stringent remedies, including data deletion, bans on conduct, notices to consumers, stricter consent requirements, individual liability, and significant monetary relief based on a range of creative theories. The FTC has also announced that it intends to launch a rulemaking to limit "surveillance advertising." In addition, the FTC has issued two rounds of guidance on its Health Breach Notification Rule, which has never been the subject of an FTC enforcement action and is the subject of an open rulemaking proceeding.

To help make sense of these developments, and understand their practical impact, Aaron Burstein and Jessica Rich took a deep look at these key recent developments and put them in the context of the FTC's recent challenges and setbacks.

To view the webinar recording, click here or view it on the new Ad Law Access App.

Subscribe to the Ad Law Access blog to receive real-time updates on privacy and other related matters.

The Ad Law News and Views newsletter provides information on our upcoming events and a summary of recent blog posts and other publications.

Visit the Advertising and Privacy Law Resource Center for additional information, past webinars, and educational materials.

Keep up with all things Ad Law through the Ad Law Access App, now available as a free download in the Apple App Store and Google Play, and usable on iPhone, iPad, and Android devices.

Day in the Life of a Chief Privacy Officer https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/day-in-the-life-of-a-chief-privacy-officer Thu, 17 Feb 2022 00:30:48 -0500

On this special episode, Privacy and Information Security practice chair Alysa Hutnik chats with Shana Gillers, TransUnion’s Chief Privacy Officer. Alysa and Shana discuss the journey to becoming a chief privacy officer, hot topics, and what it takes to stay on top of your game in privacy today.

Watch a video version here or the audio version here.

Shana Gillers

Shoshana Gillers has served as TransUnion’s Chief Privacy Officer since September 2019. In this role Ms. Gillers oversees compliance with privacy laws across TransUnion’s global footprint and promotes a culture of responsible data stewardship.

Prior to joining TransUnion, Ms. Gillers spent four years at JPMorgan Chase, ultimately serving as Vice President and Assistant General Counsel, Responsible Banking, Data and Privacy. Previously, she served as a federal prosecutor for eight years at the U.S. Attorney’s Office in Chicago, and as a litigator for four years at WilmerHale in New York. Ms. Gillers clerked for the Hon. Robert D. Sack on the U.S. Court of Appeals for the Second Circuit and for the Hon. Aharon Barak on the Supreme Court of Israel.

Ms. Gillers received a B.A. from Columbia University, summa cum laude, and a J.D. from Yale Law School.

Alysa Z. Hutnik

Alysa chairs Kelley Drye’s Privacy and Information Security practice and delivers comprehensive expertise in all areas of privacy, data security and advertising law. Her experience ranges from strategic consumer protection oriented due diligence and compliance counseling to defending clients in FTC and state attorneys general investigations and competitor disputes.

Prior to joining the firm, Alysa was a federal clerk for the Honorable Joseph R. Goodwin, United States District Judge, Southern District of West Virginia.

Alysa received a B.A. from Haverford College, and a J.D. from the University of Maryland Carey School of Law.

Upcoming webinar on recent FTC privacy developments and predictions for 2022 https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/upcoming-webinar-on-recent-ftc-privacy-developments-and-predictions-for-2022 Fri, 11 Feb 2022 02:56:35 -0500

Please join us for a webinar on February 24, 2022 at 4 p.m. on recent and upcoming FTC developments. The webinar will feature Kelley Drye’s Jessica Rich and Aaron Burstein, both former FTC officials. Here’s a taste of what we’ll be discussing, building on the commentary we have posted in this blog over the past few months:

All eyes are on the FTC this year, given its recent actions, setbacks, and ambitious plans for 2022.

As we’ve reported here, Chair Lina Khan has announced an aggressive privacy agenda that includes new regulations; emphasis on the large platforms and other “gatekeepers” in the marketplace; stringent enforcement remedies (such as data deletion, bans on conduct, strict consent requirements, and individual liability); and significant monetary relief based on a range of creative theories.

Khan has already taken steps in this direction, including by issuing a policy statement and guidance reinterpreting the Health Breach Notification Rule; announcing a ramp-up against subscription services that use “dark patterns” to trick consumers into signing up; tightening requirements under the Gramm-Leach Bliley Safeguards Rule; and making strong demands in consent negotiations. In addition, she has announced plans to initiate privacy rulemakings under the FTC’s so-called “Magnuson-Moss” authority, including a rulemaking to limit “surveillance” in the commercial marketplace.

All of this takes place against the backdrop of recent setbacks and ongoing challenges faced by the agency. Last year, the Supreme Court ruled in AMG that the FTC cannot obtain monetary relief under Section 13(b) of the FTC Act, its chief law enforcement tool. For years, Congress has declined to pass a federal privacy law to strengthen the FTC’s authority in this area. The FTC has limited resources to fulfill its broad mission. And it cannot obtain civil penalties for most first-time law violations.

We will dive into these issues and more in our upcoming webinar, focusing on the practical impact for companies subject to FTC’s jurisdiction. Please join us on Thursday, February 24 at 4:00 pm EST for this second installment of Kelley Drye's 2022 practical privacy series. Register here.

Upcoming Webinars https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/upcoming-webinars Tue, 25 Jan 2022 08:26:08 -0500

Join Kelley Drye this week for:

Privacy Priorities for 2022: Legal and Tech Developments to Track and Tackle, Wednesday, January 26 at 4:00pm ET / 1:00pm PT

Privacy compliance is a daunting task, particularly when the legal and tech landscape keeps shifting. Many companies are still updating their privacy compliance programs to address CCPA requirements, FTC warnings on avoiding dark patterns and unauthorized data sharing, and tech platform disclosure, consent, and data sharing changes. But in the not-too-distant future, new privacy laws in California, Colorado, and Virginia also will go into effect. Addressing these expanded obligations requires budget, prioritizing action items, and keeping up to date on privacy technology innovations that can help make some tasks more scalable.

This joint webinar with Kelley Drye’s Privacy Team and Ketch, a data control and programmatic privacy platform, will highlight key legal and self-regulatory developments to monitor, along with practical considerations for how to tackle these changes over the course of the year. This will be the first in a series of practical privacy webinars by Kelley Drye to help you keep up with key developments, ask questions, and suggest topics that you would like to see covered in greater depth.

State Attorney General Consumer Protection Priorities for 2022, Thursday, January 27 at 1:00pm ET

Consumer protection enforcement efforts are expected to increase dramatically this year. Recent pronouncements from State Attorneys General around the country bring privacy, big tech and the misuse of algorithms, and basic advertising-related fraud under particular scrutiny.

Please join Kelley Drye State Attorneys General practice Co-Chair Paul Singer, Advertising and Marketing Partner Gonzalo Mon, Privacy Partner Laura VanDruff, and Senior Associate Beth Chun for discussion and practical information on these and other state consumer protection, advertising, and privacy enforcement trends.

Ad Law Access Podcast and Advertising and Privacy Law Resource Center On Demand

The award-winning Ad Law Access blog and podcast will have Data Privacy Week content you can use all week long. Find the blog here and the podcast wherever you get your audio.

Subscribe to the Ad Law News and Views newsletter here and our Ad Law Access blog here.
