Pelosi Statement Dims the Lights on ADPPA

The prospects for the nation’s first comprehensive data privacy law, the American Data Privacy and Protection Act (the “ADPPA” or the “Bill”), dimmed after House Speaker Nancy Pelosi raised concerns about the Bill’s preemption of California’s privacy laws. The ADPPA was poised for a vote on the House floor after making it through the House Energy and Commerce Committee in July 2022 with a decisive, bipartisan 53-2 vote. Still, some industry segments, consumer advocates, and members of Congress remain opposed to aspects of the Bill, particularly its preemption provisions.

Speaker Pelosi’s September 1, 2022 statement echoed criticisms raised by the California Privacy Protection Agency (“CPPA”), the California House delegation, and Governor Gavin Newsom: that the ADPPA “does not guarantee the same essential consumer protections as California’s existing privacy laws,” including the California Consumer Privacy Act and California Consumer Privacy Rights Act. The ADPPA’s preemption of state consumer privacy laws was seen by California and consumer advocates as weakening privacy protections and establishing a regulatory “ceiling” rather than a “floor."

Supporters of the Bill argue that the preemption provisions are essential to maintain bipartisan support for the measure, and that they would ease the compliance burden for businesses currently required to comply with a growing patchwork of state laws.

Since Speaker Pelosi’s statement there has been renewed interest in potential compromise solutions that could salvage much of the Bill, such as provisions that would limit the preemption of state privacy laws for only a certain number of years. Notably, President Biden and Vice President Harris expressed last week that they were “encouraged to see bipartisan interest in Congress in passing legislation to protect privacy."

Takeaways: It’s déjà vu all over again. After a decade-long wait for a federal privacy statute, it appears that the wait will continue. In light of the developments above, prospects for passing the ADPPA before a new Congress convenes on January 3 are up in the air. Agility may be required as companies stay abreast of ADPPA’s status, while continuing to focus on state privacy law compliance strategies.

FTC Issues Notice of Proposed Rulemaking on Commercial Surveillance and Data Security

On August 11, 2022, the Federal Trade Commission (“FTC” or the “Commission”) voted 3-2 to file an Advanced Notice of Proposed Rulemaking (“ANPR” or “Notice”) that seeks public comment on the “prevalence of commercial surveillance and data security practices that harm consumers.” Specifically, the Commission seeks comment on whether it should implement new “trade regulation rules or other regulatory alternatives” regarding how companies: “(i) collect, aggregate, protect, use, analyze and retain consumer data, and (ii) transfer, share, sell or otherwise monetize that data in ways that are unfair or deceptive."

The ANPR highlights the FTC’s concerns and signals the Agency’s enforcement priorities. The ANPR contends that companies collect vast amounts of personal information from consumers and may monetize and use it for personalization services in ways that ultimately cause more harm than good for consumers. The ANPR also calls into question whether the consent consumers provide to companies when they directly or indirectly (via automated technologies) provide their personal information to those companies is meaningful or informed. The Notice also discusses risks associated with algorithmic systems that are prone to error, bias, and inaccuracy that may discriminate against consumers based on legally protected characteristics such as race and gender, and the risks to consumers associated with companies’ use of “dark patterns,” allegedly to coerce consumers into sharing their personal information. The ANPR also discusses the risks associated with “lax data security practices."

Commission Chair Lina Khan tweeted that the Commission would review the ANPR in light of Congressional actions, stating “[i]f Congress passes a strong federal privacy law – as I hope it does – then we’d reassess the value-add of this work and whether it remains a sound use of resources.” Two Commissioners issued separate dissenting statements opposing the ANPR, arguing, in part, that the ANPR is an overreach of the Commission’s rulemaking authority, and that it made no sense for the Commission to announce a rulemaking while Congress is, in Commissioner Phillips' words, “seriously considering” privacy legislation.

The Commission hosted a virtual public forum on September 8 for a discussion of the ANPR with industry representatives. Members of the public also may submit written comments to the Commission until October 21, 2022.

Takeaway: A majority of the Commissioners appear to be committed to addressing a broad range of data practices through rulemaking. It is possible that the extent of the FTC’s rulemaking authority will be challenged. Companies may want to participate in the public comment process through their trade associations in order to help shape the final outcome of regulations.

California AG Imposes First Monetary Penalty under the CCPA, Targeting CCPA “Sales”

On August 24, 2022, California Attorney General (“CA AG”) Rob Bonta announced a settlement of its enforcement action against Sephora USA, Inc., that included a $1.2 million fine—the first monetary penalty imposed under the California Consumer Privacy Act ("CCPA"). The CA AG notified Sephora of the alleged violations, but Sephora allegedly failed to remedy them within the 30-day cure period. The settlement was approved by Judge Richard B. Ulmer of the Superior Court of California in San Francisco. In addition to paying the fine, Sephora would be required to implement compliance measures and conduct regular compliance assessments for two years.

According to the Complaint, through its website and mobile applications, Sephora allegedly collected, among other personal information ("PI"), consumers’ geolocation data, information from cookies, and other user identifiers. Sephora also allegedly made consumers’ PI available to third parties, including advertising networks, data analytics providers, and business partners. The company also allegedly allowed for the installation of third-party trackers on its website and mobile applications (e.g., cookies, pixels, software development kits, etc.) that automatically collected and sent consumer data to third parties. The CA AG further contended that the decision to provide third parties with access to customer PI in exchange for services from those entities, including free or discounted analytics and advertising benefits, constituted a CCPA “sale.” The CA AG alleged that Sephora did not appropriately disclose that it engaged in “sales” of PI as required by the CCPA or give consumers the opportunity to opt-out of such sales via a “Do Not Sell My Personal Information” link.

The CA AG also claimed that Sephora failed to honor user-enabled global privacy controls as a valid opt-out of CCPA sales, asserting that businesses must treat opt-out requests made by user-enabled GPCs the same as requests made by users who click the “Do Not Sell My Personal Information” link.

You can read more about the settlement in our OnPoint.

Takeaway: Companies that are subject to the CCPA (and CPRA) can expect that privacy policy assertions that they don’t “sell” PI to be closely scrutinized. Businesses should understand what constitutes a sale, particularly in the active ad tech ecosystem, and comply with the CCPA’s notice and choice regime. If not already deployed, businesses will want to move quickly to honor signals from user-enabled GPCs, particularly since this is an area of heightened regulatory enforcement.

EDPB Rules on Conflict Between Data Protection Authorities

The European Data Protection Board (“EDPB”) issued a final decision last month in a rare exercise of its authority under Article 65 GDPR, to resolve cross-border disputes between different data protection supervisory authorities. The case involved a draft decision by the Commission Nationale de l’Informatique et des Libertés (“CNIL”), the French supervisory authority, to fine Accor S.A., a multinational hospitality company based in France. The CNIL issued the decision as the lead supervisory authority (“LSA”) over Accor in response to eleven complaints received by various supervisory authorities between 2018 and 2019, alleging that Accor prevented consumers from opting out of marketing messages and interfered with their right to access their personal data.

The EDPB’s decision concerned a dispute between the CNIL and the Polish data protection supervisory authority (“PLSA”) on the size of Accor’s fine. In a draft decision, the CNIL had proposed assessing a fine of €100,000, taking into account, among other factors, Accor’s efforts to remedy its GDPR violations, and the effects of the COVID pandemic on Accor’s 2019-20 turnover. The PLSA objected to the fine, arguing that it was too lenient given Accor’s size and the seriousness of the breaches, which the CNIL itself had described as “substantial."

In its binding decision, the EDPB stated tha:

• when issuing a decision under Article 65(6) GDPR, the CNIL should take into account the undertaking’s annual turnover corresponding to the financial year preceding the date of its final (rather than draft) decision, i.e., the turnover of Accor in 2021;
• Accor’s turnover was relevant not only to the determination of the maximum fine but also to the calculation of the fine;
• the turnover of the undertaking concerned constitutes one of the elements to be taken into account to ensure that the fine is effective, proportionate and dissuasive;
• the CNIL should not have considered the drop in Accor’s turnover as a mitigating factor; and
• although the wording of Article 83(1) GDPR provides a certain degree of flexibility to the LSA in determining the elements to be considered to ensure that the fine is effective, proportionate and dissuasive, the mere finding that an undertaking is in an adverse financial situation would not automatically warrant a reduction in the amount of the fine.

Following the EDPB’s decision, the CNIL increased its fine against Accor to €600,000, with the PLSA still of the view that the fine was too low.

Takeaways: The EDPB’s application of its consistency mechanism provides guidance on how the EDPB believes GDPR fines should be calculated. Following this decision, supervisory authorities are likely to be more cautious about issuing lower fines as a result of organizations’ financial difficulties arising from the Covid-19 pandemic or otherwise. A more detailed report on the EDPB’s decision can be found in this Dechert OnPoint.

CISA: Companies Should Act Now to Protect Data Against Threats From Quantum Computing

The US Cybersecurity & Infrastructure Agency (“CISA”) warns that organizations should act now to protect their data and infrastructure from potential risks stemming from quantum computing. In new advice issued late last month, CISA warned that quantum computers in the hands of adversaries could pose threats to current cryptographic standards that keep data confidential and support critical elements of network security. Quantum computers take advantage of the properties of quantum particles to achieve dramatic increases in computing power when compared with classic computers. CISA advised that, “[w]hile quantum computing technology capable of breaking public key encryption algorithms in the current standards does not yet exist, government and critical infrastructure entities—including both public and private organizations—must work together to prepare for a new postquantum cryptographic standard to defend against future threats."

CISA encourages companies to use a Roadmap (prepared by the Department of Homeland Security (“DHS”) and the Department of Commerce’s National Institute of Standards and Technology (“NIST”)) to prepare for the postquantum cryptographic standard, set to be released by NIST in 2024. The roadmap recommends that organizations:

• keep abreast of the latest recommendations regarding algorithm and dependent protocol changes;
• conduct an inventory of their most sensitive and critical datasets and all systems that use cryptographic technologies, and mark as particularly vulnerable systems that use public key cryptography; and
• identify standards related to acquisition, cybersecurity, and data security that will require updating to reflect post-quantum requirements.

The Roadmap sets out various factors that organizations should consider as they choose which systems to prioritize for cryptographic transition, including whether the system protects particularly sensitive data, with which other systems the system communicates, and how long the data needs to be protected.

Takeaways: CISA is right to sound the alarm now about the threats that quantum computing may pose to the encryption technologies that underpin all modern data privacy systems. The Roadmap provides common-sense preparatory steps that companies can take now to ensure a smooth transition to the post-quantum cryptography standard once it is available.