
March 17, 2023

Issue 17: No hero's welcome for Iowa's new privacy law

Oh hey! Welcome to the Privacy Beat Newsletter!

Here’s the gist: Come here for insights on the hottest topics in privacy according to our peers’ tweets so you can walk into any happy hour or team meeting and sound like the absolute baller you are. No current topic gets by you.

This week, there was some state privacy legislation movement, a federal agency has launched an inquisition into the data broker industry's compliance with the Fair Credit Reporting Act, and Colorado finalized its regulations.

Read on, my knowledge-hungry friend.

Iowa passes the 'first uninteresting' privacy law?

I don’t even like sports, but I go to a sports bar every time there's some big game because I love passionate sports fans and how they yell. Do I even know who’s playing in whatever game? No. But I’m thrilled to be part of it. My version of Disneyland is studying people who are devastated or, conversely, elated when their team misses a shot or scores big. They're holding their foreheads, their eyebrows are at their hairline, their mouths gaping. Regardless of the outcome, nothing in their life will actually change. Tomorrow, they'll go back to their proverbial cube. But they’re so invested!

There’s a similar excitement for privacy nerds on Twitter when a state passes a privacy law, and I’m here for it. We’ve been watching the legislative horse race for some time, and Iowa finally got it over the finish line. However, FPF’s Keir Lamont, who’s sort of this community’s unofficial broadcaster on state privacy law, thinks Iowa’s law is garbage, and he’s not alone.

Lamont calls Iowa “the first uninteresting comprehensive privacy statute.” Ouch. That’s because it doesn’t introduce the GDPR-like concepts and rights we’ve seen in the earlier state laws.

In addition, Iowa doesn’t provide an opt-out for targeted advertising, and it lets businesses “cure” alleged violations before the regulatory hammer comes down. For the specifics on Iowa’s mandates, check out this comparative chart from David Stauss.

Even Joe Jerome, born and raised in Iowa, wasn’t willing to laud Iowa’s work on this. So you know it’s bad.

For more on Iowa and what it does or doesn’t do, check out The Privacy Beat Podcast next week. We'll talk to two of the foremost state privacy law experts about just that.

'We ain't the FTC, but we the CFPB!' -- (future rap hit song)

Before I talk about this news, I should disclose to those who may not know that I’m an unabashed fangirl of Rohit Chopra, director of the Consumer Finance Protection Bureau. From the time of his FTC confirmation hearings back in the day, I loved his passion for the underdog and the way he worked toward rebalancing the scale in Big Tech vs. all of us. This week, it feels like the insights Chopra gained as a data privacy regulator are lending themselves to his mandate at the CFPB to “promote fair, transparent, and competitive markets for consumer financial products and services.” And I’m here for it.

Because let's be real: None of us truly know what’s happening within the data broker industry due to it lurking in the shadows all the time. That's why the CFPB has launched an inquiry into whether the industry is complying with FCRA. It's asking questions about how the industry works: What do the business models and practices look like? Who is any given broker in bed with, metaphorically speaking?

"Modern data surveillance practices have allowed companies to hover over our digital lives and monetize our most sensitive data," Chopra said in the CFPB's release, adding the inquiry will look at whether FCRA covers the market realities today.

Will the industry humor Chopra and respond? It’s anyone’s guess. But it's worth a shot.

Colorado regs are finally baked

As we all well know, a law means little until you’ve seen its regulations. Good news! Colorado has finally issued its final regs for the state’s privacy act, which becomes enforceable July 1, 2023.

As the Colorado Attorney General’s Office outlines in its press release, Colorado is the first U.S. state to include regulations on profiling via automated decision making.

I asked for reactions to the final regs, and no one had any. Like I've literally asked 2-3 times on PrivacyTwitter and no one seems to care. That might be because Colorado, like Iowa (but not as bad, according to peeps), is a boring privacy law.

Recent podcast episodes from me to you

Illinois’ BIPA is having a CCPA-like moment, non?

Plaintiffs’ attorney Jay Edelson has been using Illinois’ Biometric Privacy Act to take companies like Facebook and Clearview AI to task for alleged misuse of such scans. And he’s had great success. In the meantime, without a federal law on biometrics in the U.S., states have started introducing their own versions of BIPA in rapid succession. In fact, 17 U.S. states have introduced a biometric privacy law this year already. In this episode, Edelson discusses his recent wins and his forecast for the BIPA-like landscape.
Listen here

Personalized ads: ‘We’ll survive Schrems, damnit!’

The future of personalized ads felt wildly uncertain when the Irish DPC’s final decision on the Meta case came down. The decision sent Privacy Twitter into a frenzy over the implications: You can’t bundle personalized ads into the contract for the service itself, the DPC said. At the same time, the EU and U.S. are still trying to shake hands on a new data-transfer agreement. Luckily, Phil Lee is a master of both topics, and he’s here to talk you off the ledge.
Listen here

Stuff to watch that I made for you

Doing more with less: How to scale your small privacy team in a time of layoffs
Watch on-demand!

Anyone reading the news or doom-scrolling on Twitter knows we’re in a time of downsizing and layoffs. That makes a privacy professional’s job even harder. You’ve got programs to run, reviews to get back to product, and ROPAs to complete. That’s to say nothing of the onslaught of state privacy laws to track and map. If your team is small or made smaller by this anticipated economic downturn, how can you scale your program to do more with less?
Watch it

Five ways to build a bulletproof PBD program with your security partners
Watch on-demand!

At some companies, privacy and security may enjoy an elevated existence compared to others, but life is not all kittens and rainbows. Often, both teams still struggle to find ways to articulate their benefit to the organization, cope with constant regulatory changes, and consistently get the early visibility required to do privacy and security by design.
Watch it

Hot take of the week

See you two weeks from now. Thanks for reading, loves!
