
August 5, 2022

Issue 4: The CPPA is mad & the CJEU made news

Oh hey! Welcome to The Privacy Beat Newsletter!

Here’s the gist: Come here for insights on the hottest topics in privacy according to our peers’ tweets so you can walk into any happy hour or team meeting and sound like the absolute baller you are. No current topic gets by you. Did you post a hot take you want included? Tag it #PrivacyBeatNews and see if it makes it into the next edition!

This week, PrivacyTwitter got excited that Europe’s High Court declared “sensitive data” is

If you follow Dr. Gabriela on the bird site, you know she’s your go-to for anything related to EU privacy. Myself? I get nervous and sweaty whenever we start talking legalese. So here’s the SparkNotes version of what happened:

The GDPR considers sexual orientation as “sensitive data.” Practically speaking, anytime a privacy pro saw a database listing whether someone was straight, bi, gay, etc., they’d know somewhere in their brain that stricter rules applied to what you could do with that data.

In this ruling, Europe’s High Court looked at an EU member state’s anti-corruption agency, which maintained a register on bureaucrats' private investments – and their spouses – to ensure no one misused public funds to better their own stocks. But that doesn’t really matter.

What matters is that the court said this register is “automatically” a list of sensitive data, even though the database is simply spouses’ names and not other details, because from spouses' names, you might guess who’s gay, straight or bi.

Takeaway: The courts are interpreting “sensitive” in more applications than might seem obvious, so you better take a closer look at your data.

CPPA is coming out swinging, for realz

Y’all been watching the California Privacy Protection Agency? This group is bummed out these days over the American Data Privacy and Protection Act proposals. Just look at the screenshot below! The picture of “down in the mouth.”

The agency, which exists to enforce the CPRA once it’s officially enacted in 2023, is not down with the ADPPA pre-empting California privacy law. After all, California did a whole lot of work before states like Connecticut, Virginia, Colorado, or Utah even put pen to paper on protecting their citizens. The idea that a federal law may sweep in and take over unsettles the board. The board says the federal proposals are weaker than the CPRA, and it doesn’t like that. Not at all.

Here’s what the board executive director, Ashkan Soltani, said recently on the matter: "Privacy is an incredibly complicated issue. While I appreciate suggestions by advocates and others about how the ADPPA may be stronger than California law, I assure you that in my and the staff's expert opinion that it is not. While the rest of the country is getting started (on privacy), California has a great deal more experience in not only legislating but implementing and enforcing privacy protections in our law."

The thing about that is: There are a whole lot of brilliant privacy professionals who disagree.

A school pre-loaded Google with Gaggle & it tattled on teens

Welp, here’s what happened: Lots of schools started using student-monitoring software during COVID-19. The kids aren’t in the classroom, how do you know they’re busy learning? You spy on them.

In one case, a school district pre-loaded Google Chromebooks with a spyware called Gaggle, and when teens plugged their phones into their laptops to charge them, the Gaggle software kept running and detected which teens were sending each other nudes.

A CDT report says 89 percent of teachers said their schools will continue using the software on school-issued devices even as kids go back to in-person learning. WUT?!

Last week, I wrote to you about the federal proposals on children’s privacy moving through the U.S. Senate. As The Hill reports, the Kids Online Safety Act would regulate how platforms design their sites when they’re geared toward users and would require the most stringent privacy settings as the default. Then there’s the Children’s Online Privacy Protection Act, or COPPA 2.0, which would ban ISPs from collecting personal information on kids 13-to-15 years old without consent, and would allow kids an “eraser button” to delete their data from a site.

Both of them advanced out of the Senate Commerce Committee recently. But it’s getting messy. You may remember Cantwell said recently she’s not even going to entertain redlining the ADPPA, that’s how much she hates it. Similarly, this week, Sen. Roger Wicker from Mississippi did NOT vote for COPPA 2.0 because he’s upset the committee isn’t prioritizing ADPPA.

He said, and these are my words, that the committee should focus on the most likely bill to reach Biden’s desk this year, and we shouldn’t focus on (just) the littles when the grown-ups need protections, too.

As the WIRED report states, U.S. Senators have sent letters to four spyware companies contracted with American schools: Gaggle, GoGuardian, Securly, and Bark for Schools.

Perhaps their responses will push children’s privacy legislation over the edge?

See you next time for more PrivacyTwitter hot takes! And if you see one in the wild you think should make the list, tag it #PrivacyBeatNews so we see it, too!