Hello all!
It’s an especially notable week in privacy because the UK government has reintroduced their new version of the GDPR, the Data Protection and Digital Information Bill.
Businesses might feel frustrated at the proliferation of yet more data privacy regulations. However, they should take comfort in the fact that the bill is more like a UK version of the GDPR than a complete overhaul. In addition, according to its sponsors, the bill will “reduce costs and burdens for British businesses and charities, remove barriers to international trade and cut the number of repetitive data collection pop-ups online.”
The bill purports to reduce the burden of compliance on small businesses through a variety of reforms, such as only requiring organizations with high-risk processing activities to keep processing records.
All told, the bill represents a reaction to some of the GDPR’s more burdensome requirements. The biggest criticism of regulation as a whole is that it’s anti-competitive; only large enterprises have the resources to dedicate to compliance, while small businesses are subject to an undue burden. At the same time, consumer rights need to be respected, and there’s just no guarantee they will be without legal protection.
Legislators know this, and each of these new laws can be thought of as experiments to identify the right blend of restrictive and permissive provisions. Eventually, we’ll find the right mix. But until then, the business community will have to contend with a small galaxy of legislation.
The bill still has a long way to go—the UK legislative process involves several stages of readings, debates, and votes—and it may undergo significant changes as it proceeds through the legislature. We’ll be tracking its process and any developments in Privacy Insider.
Best,
Arlo
P.S. The Osano team will be attending the International Association of Privacy Professional’s (IAPP’S) Global Privacy Summit in Washington D.C. this April! If you’ll be attending as well, come by booth 318 to ask questions, talk about all things data privacy, or just say hi.
Texas state representative introduces comprehensive state privacy bill draft
Texas State Representative Giovanni Capriglione has introduced a new comprehensive privacy bill modeled after the Virginia Consumer Data Protection Act (VCDPA). If it passes, the bill would make Texas the sixth U.S. state to enact major privacy legislation, following California, Virginia, Colorado, Utah, and Connecticut.
New U.S. House data privacy bill could limit state insurance regulators' authority
The U.S. House Financial Services Committee is considering a bill that would update the data privacy provisions in the Gramm-Leach-Bliley Act of 1999. The bill, referred to as the Data Privacy Act of 2023, would expand privacy notice requirements, make it easier for consumers to opt out of data-sharing, and let federal data privacy standards preempt state privacy standards, among other provisions.
FTC to ban BetterHelp from sharing mental health data with advertisers
The FTC alleges that BetterHelp, a popular online mental health counseling service, shared email addresses, IP addresses, and information users filled in a preliminary health questionnaire during signup, with Facebook, Snapchat, Criteo, and Pinterest. These third parties then used consumers’ information for advertising and to identify consumers with similar profiles and promote BetterHelp’s counseling services. The FTC is proposing to ban BetterHelp from engaging in this data sharing practice and to pay $7.8 million to its users.
Irish Data Protection Commission publishes 2022 Annual Report
The Irish Data Protection Commission recently published its report on its activities over the course of 2022. Among other findings, the report highlighted the over €1 billion in fines, the closure of over 10,000 cases, and nearly 6,000 data breach notifications.
Privacy bill to move forward in Canadian House of Commons next week as TikTok concerns grow
Partially in response to scrutiny over TikTok’s data collection practices, Canadian representatives are advancing a previously unprioritized privacy bill for debate at a second reading once the House returns from a two-week break Monday. The bill would strengthen requirements around disclosure, data collection consent, and enforcement.
New UK privacy bill introduced
The UK has introduced a new data privacy protection bill to replace the GDPR known as the Data Protection and Digital Information Bill. After Brexit, the UK retained a number of EU laws, including the GDPR. The bill was first introduced last summer and paused in September 2022 to allow time for a co-design period with business leaders and data experts. Should the bill pass, the UK government estimates it will create £4.7 billion in savings for the UK economy over the next 10 years
WhatsApp agrees to be more transparent on policy changes, EU says
Following complaints from consumer bodies across Europe, WhatsApp has agreed to transparently explain changes to users’ contracts, to prominently display the option for users to accept or reject changes, and more.
Osano blog: Making the business case for your data privacy program
Most organizations underestimate the scope needed for a truly functional data privacy program, if they’re willing to dedicate resources to data privacy at all. This blog post provides actionable tips for privacy professionals interested in “selling” the idea of a data privacy program internally.
If you’re interested in working at Osano, check out our Careers page! We might have the perfect opportunity for you.