Privacy & Information Security Law Blog

On February 28, 2023, the European Data Protection Board (“EDPB”) issued its Opinion 5/2023 on the European Commission Draft Implementing Decision on the adequate protection of personal data under the EU-US Data Privacy Framework (the “Opinion”). In the Opinion, the EDPB recognized substantial improvements in the proposed EU-U.S. Data Privacy Framework (“DPF”) when compared to Privacy Shield, whilst also stating that a number of aspects of the DPF need to be clarified, developed or further detailed.

On February 24, 2023, following public consultation, the European Data Protection Board (EDPB) published the following three sets of adopted guidelines:

1. Guidelines on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V GDPR (05/2021) (final version);
2. Guidelines on certification as a tool for transfers (07/2022) (final version); and
3. Guidelines on deceptive design patterns in social media platform interfaces (03/2022) (final version).

On February 17, 2023, the Illinois Supreme Court issued an opinion in Cothron v. White Castle Systems, Inc., in response to a certified question from the Seventh Circuit, ruling that the plain language of Section 15(b) and 15(d) of the Illinois Biometric Privacy Act (“BIPA”) shows that a claim accrues under BIPA with every scan or transmission of biometric identifiers or biometric information without prior informed consent. 

On February 20, 2023, in the case of Experian Limited v The Information Commissioner, the First-Tier Tribunal in the UK (the “Tribunal”) ruled on the ICO’s action to require Experian to make changes to how it processes personal data for direct marketing purposes. While the Tribunal supported the ICO in certain respects, it largely ruled in favor of Experian and issued a Substituted Decision Notice, as detailed further below.

On February 14, 2023, the Digital Advertising Alliance (“DAA”) announced the creation of the CMP Complement, billed as a uniform approach for brands and publishers to offer privacy controls on sites and apps through Consent Management Platforms (CMPs) and the AdChoices program. The CMP Complement integrates the AdChoices Icon into participating CMPs’ user flows and provides easier user access to both CMP-specific controls and other interest-based advertising choice tools offered through the DAA’s portals.

On February 21, 2023, the California Privacy Protection Agency (“CPPA”) Board announced that it will hold a public meeting on March 3, 2023 regarding the status of the California Privacy Rights Act of 2020 (“CPRA”) rulemaking process and the activities of CPPA subcommittees.

On February 14, 2023, the California Privacy Protection Agency (“CPPA”) announced that it had filed its first substantive rulemaking package for the proposed final draft California Privacy Act of 2020 (“CPRA”) regulations with California’s Office of Administrative Law (“OAL”), beginning a 30-day review period.

On February 17, 2023, the Federal Trade Commission announced the launch of their new Office of Technology. The Office of Technology will assist the FTC by strengthening and supporting law enforcement investigations and actions, advising and engaging with staff and the Commission on policy and research initiatives, and engaging with the public and relevant experts to identify market trends, emerging technologies and best practices. The Office will have dedicated staff and resources and be headed by Chief Technology Officer Stephanie T. Nguyen.

On February 14, 2023, the U.S. Senate Committee on the Judiciary held a hearing titled, “Protecting Our Children Online.” Chaired by Sen. Durbin, the hearing examined the potentially harmful effects of social media use on young people, and represented a renewal of the Committee’s efforts to pass legislation to protect children and teenagers online. In 2022, the Senate Judiciary Committee approved several bills designed to enhance the online safety and wellbeing of children and teenagers, among them the Kids Online Protection Act (“KOSA”), but the bills did not receive a floor vote. During the hearing, Democratic and Republican senators expressed their commitment to pass bills that would limit the immunity of social media companies under Section 230 of the Communications Decency Act, and would require website and app developers to design products that protect young people from cyberbullying, online sexual exploitation, social media addiction, and other harms. 

On February 10, 2023, an Illinois federal district court ordered the dismissal of a putative class action lawsuit alleging that an online tool that allowed users to virtually try on sunglasses violated the Illinois Biometric Privacy Act (“BIPA”).