Photo of Alexander I. Schneider

Alexander I. Schneider

Subscribe to Alexander I. Schneider's Posts

Email
(202) 342-8634
Bio

 

 

 

Contact: Read more about Alexander I. Schneider

Google updated its privacy terms earlier this month, shifting away from offering many of its advertising services on a “service provider” basis.  With the change, Google states that its Customer Match, Audience Partner API, and certain audience-building services no longer meet the CCPA’s strict new requirements to be offered on a “service provider” basis.  The

Indiana’s Consumer Data Protection Act advanced in the state legislature last week and now heads to Governor Eric J. Holcomb’s desk.  The bill mirrors comprehensive privacy legislation enacted in Virginia, Utah, and Iowa, further extending the reach of privacy protections in the United States but without the complex mandates found in laws in California, Colorado, and Connecticut.  Following on the heels of Iowa’s Act Relating to Consumer Data Protection, Indiana’s law is expected to be the second state privacy law enacted this year, and the seventh comprehensive state privacy law overall.

Continue Reading What’s in the Indiana Consumer Data Protection Act?

The Federal Communications Commission (“FCC” or “Commission”) is seeking comments on a Notice of Proposed Rulemaking (NPRM) to refresh its customer proprietary network information (“CPNI”) data breach reporting requirements (the “Rule”).  Adopted earlier this month by a unanimous 4-0 vote of the Commission, the NPRM solicits comments on rule revisions that would expand the scope of notification obligations and accelerate the timeframe to notify customers after a data breach involving telephone call detail records and other CPNI.  The FCC cites “an increasing number of security breaches of customer information” in the telecommunications industry in recent years and the need to “keep pace with today’s challenges” and best practices that have emerged under other federal and state notification standards as reasons to update the Rule.

According to the current Rule, a “breach” means that a person “without authorization or exceeding authorization, has intentionally gained access to, used, or disclosed CPNI.”  As summarized in the NPRM, CPNI includes “phone numbers called by a consumer, the frequency, duration, and timing of such calls, the location of a mobile device when it is in active mode (i.e., able to signal its location to nearby network facilities), and any services purchased by the consumer, such as call waiting.”  (The NPRM does not propose any changes to the definition of CPNI.)

Continue Reading FCC Seeks Comments on Updates to CPNI Breach Reporting Rule

How To Protect Employee/HR Data and Comply with Data Privacy Laws
Wednesday, July 20

As workforces become increasingly mobile and remote work is more the norm, employers face the challenge of balancing the protection of their employees’ personal data and privacy against the need to collect and process personal data to recruit, support and monitor

On Wednesday, June 8, the California Privacy Protection Agency (CPPA) Board voted 4-0 (with one member absent) to initiate the CPRA rulemaking process based on the draft regulations released on May 27th prior to the Memorial Day holiday.  (To learn more, please see New California Draft Privacy Regulations: How They Would Change Business Obligations

On Friday June 3, a bipartisan group of leaders from key House and Senate committees released a new  “discussion draft” bill to establish nationwide standards for consumer privacy. The proposal (the American Data Privacy and Protection Act) builds on prior bills put forth by both Democrats and Republicans, as well as principles and provisions contained in the GDPR and State privacy laws. Of significance, the bill reflects bipartisan compromise on two thorny issues that have divided the parties for years – whether to preempt state privacy laws and/or include a private right of action. While the bill has been hailed as a “breakthrough,” the prospects for passage are uncertain, particularly in this busy election year.

Why is this bill significant? 

As most of our readers know, the US has no overarching federal privacy law – only sector-specific laws such as GLBA and COPPA. This patchy, confusing scheme has become even more complex with passage of the GDPR (which applies to US multinational companies) and five comprehensive State laws. While many federal bills have come and gone over the years, none reflect the high-level bipartisan compromise evident here – both on longstanding privacy concepts (notice, choice, access, security) as well as more specific concerns about discrimination, algorithms, platforms, data brokers, targeted ads, and corporate accountability. If passed, the bill would apply to virtually all companies doing business in the US.

Why is this happening now?

While many observers wish a bipartisan bill had been proposed earlier, the forces driving this bill forward have never been stronger. Passage of State laws is accelerating, the EU is exerting greater influence over privacy worldwide, and the FTC is planning to launch wide-ranging privacy rulemakings. In addition, Senator Wicker, one of the bill’s authors and a longtime leader on privacy, may soon vacate his slot as Commerce’s top Republican, motivating him to cement his legacy now. To cap it all off, while election year is indeed a difficult year to pass a bill like this, it’s also creating pressure to make one last effort on privacy.
Continue Reading New Bipartisan Federal Privacy Bill – Breakthrough, Too Late, or Both?

On Friday May 27, 2022, the California Privacy Protection Agency (CPPA) Board announced its next public meeting will be on June 8, 2022. The announcement simply stated the date of the meeting, that there are “some discussion items [that] will be relevant to the Agency’s rulemaking work,” and that information on how to attend the meeting and the meeting agenda could be found on the CPPA’s site. It did not take too many Internet sleuths to review the posted agenda, and note that Agenda Item No. 3 was “Discussion and Possible Action Regarding Proposed Regulations, Sections 7000–7304, to Implement, Interpret, and Make Specific the California Consumer Privacy Act of 2018, as Amended by the California Privacy Rights Act of 2020, Including Possible Notice of Proposed Action,” and that the posted meeting materials included a copy of the “Draft Proposed CCPA Regulations.” In addition, Agenda Item No. 4 provides for “Delegation of Authority to the Executive Director for Rulemaking Functions.” Full stop, June will be an active month for California privacy rulemaking.

But let’s unpack the surprises in the draft regulations. The 66-page draft proposed CCPA regulations (and they are referred to within the document as CCPA regulations) take a prescriptive approach to privacy obligations. In concept, that is not too surprising. Of concern, in some areas, they uniquely depart from approaches set forth by other state privacy laws. The quiet release of dramatic new obligations while bipartisan Senators reportedly may be reaching consensus on federal privacy legislation that could  preempt state law obligations puts companies doing business in California in a difficult position. Do they scramble to operationalize new programs to comply with the CPPA’s new requirements, if finalized? Do they wait on Congress? Do they choose a third path? For now, while these draft rules are certain to change in some respects before they are finalized, they directionally outline a new privacy baseline for the United States. We highlight certain aspects of the draft rules below, with a particular focus on accountability and risk exposure, how data can be shared with other businesses for digital advertising or other functions, and what those business agreements must include to lawfully support such business relationships and comply with the amended CCPA.
Continue Reading New California Draft Privacy Regulations: How They Would Change Business Obligations and Enforcement Risk

On Tuesday, Connecticut became the fifth state to pass comprehensive privacy legislation when Governor Ned Lamont signed “An Act Concerning Personal Data Privacy and Online Monitoring” into law.  Connecticut joins California, Virginia, Colorado, and Utah in enacting new privacy laws that take effect in 2023. Out of fifty states in the U.S., ten percent have now passed a comprehensive privacy law.

Effective July 1, 2023, the Connecticut law adopts a general framework of definitions, consumer rights, and compliance obligations based on concepts of data controller and data processor from the EU’s General Data Protection Regulation (GDPR), and the right to opt out of the “sale” of personal data as first articulated in the California Consumer Privacy Act (CCPA).  Overall, the Connecticut law mirrors Colorado’s privacy law but then borrows select concepts from the California, Virginia, and Utah laws.  The result is a hybrid of the pre-existing state laws, but not a law that introduces significant contradictions or unique compliance challenges.
Continue Reading Ten Percent and Rising: Connecticut Becomes Fifth U.S. State to Enact Privacy Law

In the first formal written opinion interpreting CCPA compliance obligations, California Attorney General Rob Bonta concludes that the CCPA grants consumers the right to know and access internally generated inferences that businesses generate about them, but that the CCPA does not require businesses to disclose trade secrets.

The 15-page opinion, issued on March 10, responds to a question posed by Sacramento area Assemblyman Kevin Kiley (R): “Under the California Consumer Privacy Act, does a consumer’s right to know the specific pieces of personal information that a business has collected about that consumer apply to internally generated inferences the business holds about the consumer from either internal or external information sources?”

OAG’s response, in a nutshell, is “yes.”  Giving consumers access to inferences is important, according to OAG, because “inferences are one of the key mechanisms by which information becomes valuable to businesses, making it possible to target advertising and solicitations, and to find markets for goods and services.”  OAG further notes that nothing in the Consumer Privacy Rights Act (CPRA) changes its analysis.  The opinion also suggests that the OAG will refer to the CCPA’s broad purposes, such as giving “consumers greater control over the privacy of their personal information,” to support its interpretations.
Continue Reading California AG’s First CCPA Opinion Takes a Broad View of the Right to Access Inferences

Targeted Advertising in the Crosshairs: New Bill Seeks to Ban Many Forms of Targeted AdvertisingBackground

On Tuesday, Congressional Democrats unveiled a new bill to outlaw a wide swath of targeted advertising.  The Banning Surveillance Advertising Act would prohibit ad tech companies from using consumers’ personal information to target ads, with limited exceptions. It also would prohibit advertisers from using third party data, or data about a person’s membership in a protected class, to target ads.  The bill would authorize the FTC, state attorneys general, and private litigants to enforce the law, and the FTC to write rules implementing it.

The effort, led by Senator Cory Booker (D-NJ) and Congresswomen Anna Eshoo (D-CA) and Jan Schakowsky (D-IL), arrives at a time of unprecedented regulatory developments impacting the ad tech industry – most notably, the enactment of new state privacy laws in California, Virginia, and Colorado with provisions regulating the industry. While these privacy laws have focused on giving consumers the opportunity to make choices about data sharing for purposes of targeted advertising, the Banning Surveillance Advertising Act would place blanket prohibitions on such advertising. As we describe here, the FTC has also announced that it is developing a rule targeting “surveillance-based business models,” though the contours of that rule are still unknown.

In a press release, Senator Booker explained his view that “surveillance advertising is a predatory and invasive practice.  The hoarding of people’s personal data not only abuses privacy, but also drives the spread of misinformation, domestic extremism, racial division, and violence.”  Echoing Booker, Rep. Eshoo said that the practice “fuels disinformation, discrimination, voter suppression, privacy abuses, and so many other harms.” Rep. Schakowsky, who chairs the House Energy and Commerce Consumer Protection Subcommittee, said the practice “exacerbates manipulation, discrimination, misinformation, and extremism.”

Given the dramatic changes that the bill would impose on the marketplace, it is not surprising that industry groups have already criticized it forcefully.  In a press release today, IAB stated that the bill would “disenfranchise businesses that advertise on the Internet, and hundreds of millions of Americans who use it every day to find exactly what they need, quickly,” and that it could “eliminate the commercial internet almost entirely.”
Continue Reading Targeted Advertising in the Crosshairs: New Bill Seeks to Ban Many Forms of Targeted Advertising