January 5, 2024

Issue 31 — Like Journey, lawmakers won’t stop believin’

Oh Hey! Welcome to The Privacy Beat Newsletter!

Here’s the gist: Written by longtime privacy journalist Angelique Carson, director of content strategy at TerraTrue, this newsletter is where you can come for insights on the hottest topics in privacy. Told through some of our peers’ social posts, this quick read aims to arm you with the knowledge you need to walk into any happy hour or team meeting and sound like the absolute baller you are. No current topic gets by you!

Hi friends! Angelique here. Hope you had a nice holiday break.

The thing about PTO is that it only works how it’s supposed to if everyone else is also on PTO. I need help to leave Slack messages or emails unanswered. Even if I’m on a cruise to the Bahamas, like I was at this time last year, that notification haunts me. It beckons me. I’ll eventually click on it, one eye closed, and hope it’s just a jpeg of someone’s adorable dog in the #Pets channel. On the other hand, when everyone’s laptop closes simultaneously, those messages stop or slow, and the black veil of guilt I wear over not being at my laptop lifts off my shoulders.

It was a glorious time off! I made so much banana bread.

I did have to practice restraint when some woman sent me a cold sales outreach email on Christmas Eve – a SUNDAY, even! I started to type something snarky to her but then paused. If this woman’s pitching me on a weekend while the rest of us are undoing our top buttons to accommodate the holiday glut, she probably needs to desperately hit that Q4 outreach quota. I chose kindness. 

Here are some top developments in the privacy space since we last spoke.

The fight to protect children’s privacy forges ahead

Before the holiday break, the FTC issued its Notice of Proposed Rulemaking to update COPPA. Since it began its review of the children’s privacy law in 2019, the agency has received 176,000 comments on the proposed modifications. The proposed changes to COPPA include:

  • Targeted advertising turned off by default for children.
  • Limited push notifications intended to keep kids online longer.
  • A restriction on using ed tech in schools.
  • Tighter retention and deletion requirements.
  • Limiting the purposes for which sites can use children’s personal information.

The suggested updates come as Congress grapples with how to better protect kids online in the face of technologies that have emerged since COPPA’s passage in 1998. The FTC aims to shift the burden of online safety from parents to apps, as The New York Times reports.

“Kids must be able to play and learn online without being endlessly tracked by companies looking to hoard and monetize their personal data,” said FTC Chair Lina Khan.

In the meantime, U.S. states have been pushing children’s privacy bills through their legislatures. But it’s unclear whether some of those bills will withstand legal scrutiny. In September 2023, a judge temporarily halted California’s Age-Appropriate Design Code based on tech trade association NetChoice’s assertion that the law violates the First Amendment by restricting speech. In handing NetChoice the early win, the judge said, “Data and privacy protections intended to shield children from harmful content, if applied to adults, will also shield adults from that same content.”

The AADC was to come into effect on July 1, 2024, but can’t be enacted until the case is resolved. In October 2023, California Attorney General Rob Bonta filed a notice of appeal to overturn the preliminary injunction halting the law’s implementation.

“We should be able to protect our children as they use the internet,” Bonta said. “Big businesses have no right to our children’s data: childhood experiences are not for sale.”

This week, The Washington Post reported that the group behind the AADC is forging ahead, revising state proposals to make them “stronger against illegal attack” while they await the ruling in the California case. The Post reports that Minnesota, Maryland, and New Mexico are considering “fresh language that would require companies to consider whether their products could lead to ‘reasonably foreseeable’ physical, psychological, or financial harm to a child, as well as discrimination.”

As discussed in earlier editions of this newsletter, the FTC aims to bolster its understanding of how best to protect children from a regulatory standpoint by hiring at least one child psychologist to help it understand potential harm to children.

For now, states eagerly await a ruling in the NetChoice case for indications of how the courts might come down on similar laws.

You complying with Utah? It’s in effect now!

The Utah Consumer Privacy Act, a narrowly focused law protecting the consumer data rights of Utahns, came into effect on December 31, 2023. The UCPA, which the governor signed on March 24, 2022, gives Utahns some control over the data organizations collect about them, allowing them to access, delete, or obtain a copy of the data, and opt out of data sales. The law applies to many businesses in Utah or with Utahns but does not cover any organizations with an annual revenue of less than $25 million.

While the law in Utah, the fourth state to enact a comprehensive privacy law in the U.S., shares similarities with the Virginia Consumer Data Protection Act and the Colorado Privacy Act, it takes a far lighter approach to consumer protection, as FPF’s Keir Lamont reported in his tracker blog. For example, the law doesn’t give data subjects the right to opt out of profiling decisions and doesn’t require opt-in consent to collect and process sensitive data. In addition, it requires consumer complaints to route through the Utah Department of Commerce before the Attorney General’s Office initiates an enforcement action.

For a reminder of your obligations under Utah’s privacy law, check out this blog post and this fact sheet comparing Utah to the bills passed before.

Oooooooo, Colorado published its accepted UOOM

On Dec. 28, 2023, the Colorado Attorney General’s Office published its recognized universal opt-out mechanisms list. The only one to survive after a public comment period? The Global Privacy Control: A browser-level setting that allows users to opt out of selling or processing their data across the web with one click.

California’s privacy law already requires sites to comply with GPC, and Colorado and Connecticut will require the same in 2024 and 2025, respectively. We’ve already seen some enforcement on GPC, remember? California Attorney General Rob Bonta settled with Sephora for $1.2 million over alleged GPC violations. Bonta said Sephora failed to inform consumers that it was selling their data and didn’t process opt-outs when consumers indicated their choice through the GPC.

For a deep dive on the pros and cons of GPC and whether it’s likely to see widespread operationalization – unlike its predecessor, Do Not Track (Rest in Power, DNT) – check out this blog post from the IAPP. But here’s the gist: It all comes down to implementation. The standard only works if sites universally recognize it and take action on a consumer’s request, something Do Not Track never accomplished.

Of note: The Colorado attorney general retains the right to update the list of acceptable opt-out mechanisms.

Latest podcast

In this episode of the podcast, Asana’s Whitney Merrill and I discuss bridging the knowledge gap that most organizations face in the age of AI, why privacy pros need not wait for pending laws and regulations to do their jobs well, and how to approach the challenge of communicating privacy’s pillars with cross-functional teams. Listen here!

Latest webinar

I recently chatted with Ancestry’s Steve Stalder about how the company operationalizes privacy. In this fireside chat, we talk about getting the visibility you need to do your job well, how to make privacy reviews take minutes and not hours, and how he measures his success for reports to leadership. Watch our chat on-demand here!

Upcoming webinar!

I’ll be chatting with Lyft’s Brittany Rhyne, who’s a total baller, and my COO Chris Handman about adjustments you can make to your program today to prepare yourself for 2024’s changes. You know, those AI regulations, those new state privacy laws, and those FTC enforcement actions. Hope you’ll join us for a webinar with the IAPP. Bring yer questions!

Hope you’ve enjoyed the newsletter! Please share and subscribe if so!

xo,

Angelique