Dechert Cyber Bits - Issue 15

California Privacy Protection Agency previews draft regulations

On June 8, 2022, less than two months since the California Privacy Protection Agency (“CPPA”) formally took over rulemaking for the California Consumer Privacy Act (“CCPA”), as amended by the California Privacy Rights Act (“CPRA”), the CPPA Board moved to (1) approve the draft regulations and (2) initiate the formal rulemaking process. In addition to implementing the CPRA, the draft rules include revisions to the CCPA regulations that were adopted by the California Attorney General.

The draft regulations appear to exceed the language and requirements of the CPRA in key instances and include some new concepts, including limits on dark patterns; a right to correct (similar to the right to “rectification” in the EU); mandatory recognition of global opt-out signals for selling and sharing of personal information; a right to limit use and disclosure of sensitive personal information; required data processing agreements; and CPPA enforcement powers, such as “probable cause proceedings” and audits. Notably, the revisions omit some hot-button issues like automated decision making, privacy risk assessments and cybersecurity audits.

The regulations were addressed at the CPPA’s public meeting on June 8, during which it was announced that a Notice of Proposed Rulemaking would be published, although no specific date was mentioned.

Takeaway: Despite the tortured path of the CCPA regulations, few significant changes were made to the final rules. If the past is prologue, companies can get a jump start now by targeting certain core provisions intended to amplify consumer choice over data processing and downstream uses of their information. With several state privacy laws slated to enter into force in 2023, compliance with the CPRA’s highly prescriptive framework could enable companies to address some universal policy themes in these laws, potentially simplifying compliance under new laws yet to come.

For a more detailed discussion of the CPPA’s draft regulations and practical advice on steps businesses should take in response, see the Dechert OnPoint on this issue.

_____________________________________________________

Twitter agrees to $150 million settlement with FTC/DOJ in case alleging data misuse

On May 25, 2022, the FTC announced that it was taking action against Twitter for allegedly “deceptively using account security data for targeted advertising.” The Department of Justice (“DOJ”) filed a complaint on behalf of the FTC against Twitter, alleging that Twitter violated a 2011 FTC Order that expressly prohibited Twitter from misrepresenting “the extent to which [Twitter] maintains and protects the security, privacy, confidentiality, or integrity of any nonpublic consumer information, including, but not limited to, misrepresentations related to its security measures to: (a) prevent unauthorized access to nonpublic consumer information; or (b) honor the privacy choices exercised by users."

The DOJ’s complaint alleged that Twitter violated the 2011 FTC Order by representing, directly or indirectly, to Twitter users that it would “maintain and protect the privacy of users’ telephone numbers and email addresses collected for purposes of account recovery,” while failing to disclose that Twitter was using the telephone numbers and email addresses for “targeted advertising.” The complaint also alleged that, during the period between 2014 and 2019, Twitter collected contact information from more than 104 million users after telling users that the information would be used to help secure their accounts. The government claimed that Twitter failed to disclose to users that the phone numbers and email addresses also would be used for targeted advertising, by allowing advertisers “to target specific groups of Twitter users by matching the telephone numbers and email addresses that Twitter collects to the advertisers’ existing lists of telephone numbers and email addresses."

Without admitting or denying any of the allegations in the DOJ’s complaint, Twitter agreed to a settlement with the DOJ and the FTC that will require the company to pay $150 million in civil penalties and implement “significant new compliance measures intended to ensure that Twitter improves its data privacy practices.” Specifically, Twitter agreed to develop and maintain a comprehensive privacy and information-security program, conduct a privacy review with a written report prior to implementing any new product or service that collects users’ private information, and conduct regular testing of its data privacy safeguards. Twitter will also be required to undergo regular assessments of its data privacy program by an independent assessor.

Takeaway: The FTC continues to target privacy policy disclosures it believes are inaccurate, underscoring the continuing importance of ensuring that privacy policy disclosures are aligned with actual data practices, especially as the data ecosystem, and the ad tech ecosystem in particular, becomes increasingly complex. Now is the time to conduct a comprehensive assessment of practices and update privacy notices as warranted. Do what you say and say what you do is the bottom line.

_____________________________________________________

Schrems sends letter to Trans-Atlantic Data Privacy Framework negotiators, warns of legal challenge

Max Schrems, Honorary Chairman of NOYB, sent an open letter to Commissioner Didier Reynders, and to other EU and U.S. officials on May 23, 2022, raising concerns with the new Trans-Atlantic Data Privacy Framework (“TADPF”). The letter warns that a judicial challenge will follow if the new agreement fails to meet their concerns (“We call on the negotiators to continue working for a long-standing, privacy preserving solution for trans-Atlantic flows to avoid a ‘Schrems III’ decision”).

The TADPF, announced on March 25, 2022 by the European Commission (“EC”) and the United States (U.S.), flows from the cancellation of the Privacy Shield and aims to provide a durable basis for trans-Atlantic data flows, end the uncertainty that followed the 2020 Schrems II ruling of the EU Court of Justice (“ECJ”), and establish the basis for a new EC adequacy decision. According to authorities, the TADPF will address the concerns raised by the ECJ and facilitate data flows between the EU and the U.S. The details of the TADPF are still being negotiated, and the authorities have published only key principles, not a draft legal text.

Reduced to its essentials, NOYB’s argument is that the approach to revising the processes broadly outlined in the TADPF does not appear to do enough to remedy the issues raised by the ECJ when it rejected the Privacy Shield mechanism. Among other objections, the letter complains that the TADPF framework does not appear to require the U.S. to change its surveillance practices, and fails to provide EU citizens access to the kinds of judicial redress that would meaningfully address the deficiencies found by the ECJ in Schrems II. The letter also complains that “the EU and U.S. negotiators do not seem to plan any updates to the Privacy Shield Principles” themselves, which NOYB claims are “hugely problematic” because “[t]hey are not in line with the GDPR requirements.”

Takeaway: NOYB made no secret of its intent to challenge the legal framework when the agreement in principle was announced. NOYB’s latest salvo is not surprising. Although the EC and U.S. are committed to bringing a successor to the Privacy Shield to fruition, there are many obstacles that will be encountered during the legislative process, and if approved, likely legal challenges down the road. In addition to monitoring the legislative process, now is the time for companies to weigh the pros and cons of using the new framework for EU – U.S. data transfers versus relying on Standard Contractual Clauses, which remain valid under Schrems II. Willingness to accept some legal uncertainty as the process continues is a factor to be considered.

_____________________________________________________

US DOJ says it won’t prosecute “white hat” hackers under CFAA

On May 19, 2022, the Department of Justice (“DOJ”) announced that it is revising its policy regarding charging violations of the Computer Fraud and Abuse Act (“CFAA”) by directing that “good-faith security research” should not be charged. The CFAA prohibits accessing a computer without authorization or in excess of the authorization given. However, some courts and commentators have raised concerns that the CFAA could be used to prosecute “white-hat hackers” who access computer systems for purposes of good-faith testing, investigation, and/or correction of security flaws or vulnerabilities.

The new DOJ policy, which became effective immediately upon release, clarifies the circumstances under which prosecutors should bring charges under CFAA and explicitly states that the government should decline prosecution “if available evidence shows the defendant’s conduct consisted of, and the defendant intended, good-faith security research.” “Good-faith security research” is defined under the DOJ policy as “accessing a computer solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services.”

The policy specifically notes that claiming to conduct security research is not exempted under the policy if it is not conducted in good faith. For example, security research conducted for the purpose of “discovering security holes in devices, machines, or services in order to extort the owners of such devices, machines, or services” is research conducted in bad faith and would thus not be excluded from potential CFAA violations under the DOJ policy. The DOJ policy directs prosecutors to consult with the Computer Crime and Intellectual Property Section about the specific application of the “good faith” factor in determining whether the CFAA has been violated.

Takeaway: The new DOJ policy allows organizations to conduct cybersecurity testing and vulnerability assessments without fear of violating CFAA, while still criminalizing unauthorized access and those acting in bad faith. Organizations should continue to conduct cybersecurity risk assessments of their own security systems and engage in vulnerability testing to identify potential security threats.

_____________________________________________________

FTC intensifies its focus on education tech privacy concerns

On May 19, 2022, the Federal Trade Commission (“FTC”) announced that it will “crack down on education technology companies if they illegally surveil children” who learn online. In connection with this announcement, the FTC released a policy statement on the Children’s Online Privacy Protection Act (“COPPA”) and the Agency’s intent to act against education technology companies that violate COPPA (the “Policy Statement”).

In the Policy Statement, the FTC observed that “concerns about data collection are particularly acute in the school context, where children and parents often have to engage with ed tech tools in order to participate in a variety of school-related activities,” including using school-issued devices and educational applications. The FTC announced its intent to investigate potential COPPA violations by ed tech and other providers of online educational services by scrutinizing compliance with “the full breadth” of COPPA’s substantive prohibitions and requirements. Areas of focus will include: (i) prohibiting the mandatory collection or retention of children’s personal information beyond what is reasonably necessary; (ii) prohibiting uses of personal information collected from children for purposes not allowed under COPPA; and (iii) ensuring COPPA-covered companies have procedures to maintain the confidentiality, security, and integrity of children’s personal information.

In a press release, FTC Chairwoman Lina Khan said: “Today’s statement underscores how the substantive protections of the COPPA Rule ensure that children can do their schoolwork without having to surrender to commercial surveillance practices.” In conjunction with the FTC’s announcement, President Biden issued a statement commending the FTC for taking a big step to “strengthen privacy protections, ban targeted advertising to children and demand tech companies stop collecting personal data on our children.”

Takeaway: Given the FTC’s heightened scrutiny in this area, ed tech providers, COPPA-covered entities, and entities that are contractually subject to COPPA obligations will want to evaluate their data practices, policies and contracts in light of the FTC’s stated intentions, in order to assess and mitigate risk in this area.

_____________________________________________________

NAAG Creates Cyber and Technology Center to Educate State Attorneys General on Cybersecurity and Emerging Technologies

On May 9, 2022, the National Association of Attorneys General (“NAAG”) issued a press release announcing the establishment of the Center on Cyber and Technology (the “Center”). The Center will serve as a centralized platform on which state attorneys general and their staffs may share recommended practices, receive standardized training, and develop strategic partnerships to enforce cybersecurity, data privacy, and consumer protection laws.

NAAG Executive Director Chris Toth stated that the purpose of the Center is to “provide the support attorneys general and their staff need to understand and address technology-related issues that impact the health, safety, and security of their residents.” Only verified attorney general staff will have access to the Center’s information hub; however, the Center will make limited resources available to the public in the form of policy letters and articles authored by state attorney general staff. Current trainings offered by the Center for state attorney general staff cover topics such as facial recognition technology and cybercrime investigations.

The NAAG tapped former National Attorneys General Training and Research Institute (“NAGTRI”) program counsel, Faisal Sheikh, to lead the Center as its first director.

Takeaway: Increased information sharing among state attorneys general will likely give rise to more robust enforcement from state attorneys general. Although in the past, informal consortiums have formed among states, the establishment of the Center represents a formal, concerted effort to share information and increase the enforcement impact from the state system. It also is consistent with the increased enforcement trend by government regulators more generally. While we wish regulators would focus more on helping businesses and treating them like the victims they most often are with these crimes, we do commend the attorneys general for trying to increase their knowledge in this area. Businesses should monitor publicly available Center resources to glean insight into regulatory agendas and to follow any guidance that is promulgated.

_____________________________________________________

The UK Government Continues to Move on its Online Safety Bill

In the United Kingdom, a committee of MPs is considering the Online Safety Bill (the “Bill”), a new regulatory and enforcement framework that would require online content providers (“OCPs”) to police their services for the posting of illegal and other potentially harmful content. In introducing the Bill, the UK Government characterized the collection of regulatory provisions as “world-leading online safety laws” that “marked a milestone in the fight for a new digital age.” If passed, the Bill would impose a broad range of duties on the providers of social media platforms, online forums and search engines that host user-generated content. The administrative burden on providers subject to the Bill’s provisions is expected to be substantial, both in terms of transition costs and annual costs thereafter. The Bill also will grant the agency charged with enforcing the regulations substantial new investigatory powers and includes provisions that would allow it to seek or impose a range of penalties against users and content providers, including fines and even criminal sanctions in certain instances.

Takeaway: If enacted, the Online Safety Bill will undoubtedly challenge the existing regulatory compliance resources of providers subject to its provisions. For a more detailed review of the Bill’s components, the public’s response so far to news of the Bill’s proposed enactment, and the Bill’s relation to similar regulatory efforts being undertaken in the EU and US, please see the Dechert OnPoint prepared by our London and Brussels colleagues who have been following these developments. As they caution, “[I]t is clear that OCP regulation in the near future is a legal certainty, and OCPs need to start preparing quickly.”

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Dechert LLP | Attorney Advertising