ADMT & Employment
Hello all, and thanks for reading today.
Read NowGet an overview of the simple, all-in-one data privacy platform
Manage consent for data privacy laws in 50+ countries
Streamline and automate the DSAR workflow
Efficiently manage assessment workflows using custom or pre-built templates
Streamline consent, utilize non-cookie data, and enhance customer trust
Automate and visualize data store discovery and classification
Ensure your customers’ data is in good hands
Key Features & Integrations
Discover how Osano supports CPRA compliance
Learn about the CCPA and how Osano can help
Achieve compliance with one of the world’s most comprehensive data privacy laws
Key resources on all things data privacy
Expert insights on all things privacy
Key resources to further your data privacy education
Meet some of the 5,000+ leaders using Osano to transform their privacy programs
A guide to data privacy in the U.S.
What's the latest from Osano?
Data privacy is complex but you're not alone
Join our weekly newsletter with over 35,000 subscribers
Global experts share insights and compelling personal stories about the critical importance of data privacy
Osano CEO, Arlo Gilbert, covers the history of data privacy and how companies can start a privacy program
Upcoming webinars and in-person events designed for privacy professionals
The Osano story
Become an Osanian and help us build the future of privacy!
We’re eager to hear from you
Updated: February 17, 2022
Published: February 4, 2022
I don't have earth-shattering news to bring you this week, which in some ways is disappointing because I'm a Scorpio, and I love the drama. I've come to terms with that. But there are a couple of news stories I think you should pay attention to this week because of the potential long-term implications.
First, the Belgian data protection authority's fine levied at IAB Europe (story below). It was a decision we knew was coming, but now that the DPA says the organization's Transparency and Consent Framework doesn't fly under the GDPR, we can all look toward what has to happen for it to remain a viable framework.
Second, the states are starting to get moving this legislative session, and it's anyone's guess how many make it through.
First, on the IAB Europe decision: It isn't the news that the regulator deemed the TCF illegal that's significant this week. We knew the regulator was planning to come down this way based on news from 2021. The DPA gave the IAB a head's-up that it had concluded its findings and would share it with the other DPAs before its final ruling.
But now we have the DPA on record that:
In this Twitter thread, privacy attorney (and my good friend) Cobun Zweifel-Keegan noted that IAB Europe argued it had a legitimate interest in processing the data, and the DPA didn't necessarily disagree. But the DPA did say that the interests of the data subject are stronger. Remember, under the GDPR, you must balance your interests against the individual's. If they wouldn't "reasonably expect" the processing, their interests override the company's interests. In this case, the users can't consent to the cookies deployed under the TCF because they aren't aware it's happening.
Why do data subjects' interests outweigh IAB Europe's legitimate interest here? A few connected reasons:
— Cobun Zweifel-Keegan (@cobun) February 2, 2022
(1) users don't expect the processing and can't reject it (they can't opt-out entirely from the use of the choice mechanism...) pic.twitter.com/YGIkzTtHjI
The question is: What does that mean for the future of the TCF? Companies relying on it for consent wanna know! The good news: The DPA has also ordered IAB Europe to present an action plan that would bring its framework into compliance within two months.
For those of you using TCF: IAB Europe responded to the DPA's findings that the decision "contains no prohibition of the TCF," and rejected part of the DPA's findings. While it will work on a remediation plan, it will also challenge part of the decision. So it could be some time before this fine and agreement are finalized.
Second, if you're watching Twitter, states have started to push forward with privacy legislation now that many of their legislative sessions have resumed. Just this week, there was movement on bills in Washington, Massachusetts and Illinois.
I'll keep you posted when something is close enough to pass that you need to start looking at what you need to do to comply. But for now, know that there are wagers being made that we'll see anywhere from 1-5 new state laws in 2022.
Buckle up!
In the meantime, enjoy this round-up of the big privacy news, and I'll see you next week!
Belgian DPA fines IAB Europe over its consent framework
Bloomberg reports that the Belgian data protection authority (DPA) has fined IAB Europe 250,000 euros for violating the EU GDPR. The DPA said IAB Europe's Transparency and Consent Framework could "for a large group of citizens, lead to a loss of control over their personal data." Along with the penalty, the DPA ordered IAB Europe to put in mechanisms to make the TCF comply with EU rules.
Read Story
UK gov't publishes standard forms to export data from UK to third countries
The U.K. government has finally published the U.K.'s standard form international data transfer agreement, writes Laura White and Marcus Evans for Data Protection Report. The standard form agreement allows companies to transfer personal data outside of the U.K. to countries not deemed to have adequate data protection laws. It also published a standard form "international data transfer addendum," which allows companies to use the revised EU Standard Contractual Clauses to export data from the U.K. The documents come into force in March 2022.
Read Story
Colorado attorney general ready to start making rules under new privacy law
The Colorado Attorney General's Office is set to begin the rulemaking process for the Colorado Privacy Act, Wilson Sonsini reports. The Colorado law doesn't come into effect until July 1, 2023, but the attorney general said he expects to adopt final rules "around a year from now." Under the law, the attorney general is charged with creating rules to operationalize the law for businesses. The attorney general's office will conduct chats among the state's consumers, businesses and other stakeholders in the coming months, ahead of publishing the final rules.
Read Story
Apple's privacy changes hit Facebook's wallet hard
Last week's earnings report from Meta, also known as Facebook, said the privacy changes Apple implemented in the previous year could cost Meta $10 million in lost sales, reports The New York Times. The news dropped Meta's stock price by 26 percent on Thursday. "And the tech industry received a clear notice that a long-planned shift in how people's information may be used online was having a dramatic impact on Madison Avenue and internet companies that have spent years building businesses around selling ads," the report states.
Read Story
Pret A Manger settles class-action over fingerprint scanning its workers
Sandwich chain Pret A Manger has agreed to pay more than $677,000 to resolve a class-action lawsuit in Illinois alleging the company collected and stored nearly 800 employees' fingerprints to track their work hours. The suit contends Pret A Manger violated Illinois' Biometric Information Privacy Act of 2008 by failing to obtain written consent from workers before requiring them to use the fingerprint time clock. It also alleges the shop failed to provide workers and the public with notices about why it was collecting the scans and what it would do with the data, SHRM reports.
Read Story
Leaked draft introduces European Commission's forthcoming 'Data Act'
EURACTIV reports on a leaked European Commission proposal that would create rules around non-personal data for certain manufacturers and digital service providers. The Data Act makes new rules for manufacturers of smart devices and digital service providers and users. The Data Act posits that every user or organization should have access to the data they or it contributed to amassing. It aims to "unleash the potential of data-driven innovation by creating legal obligations for data-sharing when connected devices are starting to be widespread," the report states.
Read Story
Are you in the process of refreshing your current privacy policy or building a whole new one? Are you scratching your head over what to include? Use this interactive checklist to guide you.
Download Now
Osano Staff is pseudonym used by team members when authorship may not be relevant. Osanians are a diverse team of free thinkers who enjoy working as part of a distributed team with the common goal of working to make a more transparent internet.
Osano is used by the world's most innovative and forward-thinking companies to easily manage and monitor their privacy compliance.
With Osano, building, managing, and scaling your privacy program becomes simple. Schedule a demo or try a free 30-day trial today.