23 state laws introduced, enforcement changes on the way in EU
The start of 2023 saw lots of movement on U.S. state privacy—both comprehensive and otherwise— and another major fine for Meta out of the EU. A little less frenzied than years past, but there are still important takeaways from Q1 and lots to look forward to.
US State Privacy
Twenty-three states introduced comprehensive privacy legislation this quarter, with Iowa crossing the finish line as the sixth state with a comprehensive privacy law, joining California, Colorado, Connecticut, Utah, and Virginia.
Iowa Gov. Kim Reynolds signed into law on March 28, and it takes effect Jan. 1, 2025. This should give organizations ample time to comply, especially as it’s considered even more business-friendly than laws in Virginia and Utah. While the law grants many of the standard data subject rights—right to know, access, portability, and deletion—it does not grant the right of rectification. Furthermore, the law provides the right to opt out of the sale of data but does not explicitly provide the right to opt out of targeted advertising and is the only state law not to do so. It also mandates an opt-out for the processing of sensitive personal data, bucking the growing trend of requiring consent for such processing. The law will be enforced by the state Attorney General and carry the routine penalties up to $7,500 per violation, however, entities will be afforded a gracious 90-day cure period which is the longest we’ve seen to date.
Children’s privacy is also top of mind for states, with 19 states proposing online protections for kids, including Utah which passed two laws that regulate minors’ access to, and use of, social media. Combined, the laws limit how children under the age of 18 can use social media and grants parents broad rights to their children’s accounts. Additionally, the laws place restrictions on platforms’ activities as they pertain to minors, including requirements to prohibit targeted advertising, recommending content, and removing minors from search results. The laws will also place time constraints on a minor’s use of social media platforms, a default setting that only a parent or guardian will be able to modify.
US Federal Privacy
Despite robust discussions around the American Data Privacy and Protection Act in 2022, the bill seems to have fallen off the radar with Congress focused largely on banning TikTok. The TikTok craze hit lawmakers this spring as discussion mounted over national security threats related to the Chinese-owned app’s data practices. While a potential solution of protecting Americans through comprehensive privacy protections trickled into the conversation, the attention was focused more on banning the app altogether. Meanwhile, a Consumer Reports study found TikTok is not unique in its data collection and tracking practices. Despite this, 29 states passed legislation banning TikTok from government issued devices.
The Federal Trade Commission is asking for an additional $160 million in funding for 2024 as well as a new Office of Technology. On top of that, the agency now stands as a party of three after its only remaining Republican commissioner, Christine Wilson, announced her resignation over disagreements with Chair, Lina Khan.
The big news of this quarter out of Europe came on February 28, when the European Data Protection Board released its opinion on the EU-U.S. Data Privacy Framework. In it, the EDPB recognized substantial improvements over Privacy Shield, but also called out aspects that need more work. The EDPB noted many principles “remain essentially the same,” and specifically highlighted issues around exemptions to access rights, lack of clarity and specificity regarding the definitions and principles, and the framework’s application to processors. Though the opinion is not legally binding, it will carry influence as the next steps play out. The nonbinding opinion on the EU-U.S. Data Privacy Framework. In it, the EDPB recognized substantial improvements over the previous trans-Atlantic data flow mechanism, Privacy Shield, but also called out aspects that need more work.
The U.K. continued its privacy overhaul this quarter, first by creating a dedicated Department for Science, Innovation and Technology—removing digital and data policy from its former position in the Department for Culture, Media and Sport—and then by introducing the second iteration of proposed reforms to the U.K. GDPR, the Data Protection and Digital Information (No. 2) Bill.
Kicking off 2023, Ireland’s Data Protection Commission issued a €390 million fine against Meta, finding that the company breached transparency obligations under the EU General Data Protection Regulation. The DPC found that Meta did not clearly explain to users the purpose and legal basis for processing their personal data. It also found Meta’s use of consent as a legal basis to process data for personalized ads invalid. The Commission gave the company three months to bring its data processing operations into compliance.
Following a 2022 Q4 “wish list” from the EDPB on procedural law changes to improve enforcement—largely due to cases like the above, which the DPC took four-and-a-half years to settle—a new EU regulation is expected in Q2 of 2023 to set clear procedural rules for national data protection authorities dealing with cross-border investigations and infringements. The law “will harmonize some aspects of the administrative procedure” in cross-border cases and “support a smooth functioning of the GDPR cooperation and dispute resolution mechanisms,” the Commission wrote.
In the U.S., we saw the FTC deliver a first-of-its-kind enforcement action against online prescription provider and telehealth company GoodRx, fining the company $1.5 million for violating the Health Breach Notification Rule and for failing to notify consumers of its unauthorized disclosure of personal health information to Facebook, Google, and other companies.
The Illinois Supreme Court ruled on a case involving claims under the state’s Biometric Information Privacy Act, deciding that a separate claim accrues each time biometric data is collected and/or disclosed. Previously, it was found that violations occurred at the initial collection. While destined to be challenged, the impact of this ruling will otherwise result in eye-watering damage awards.