There have been several notable changes that will have broad impacts on advertising and adtech in the US, but they’ve received relatively little press. We’re sharing information about these upcoming changes in this week’s newsletter:
FISA and the Data Privacy Framework
First, a quick update on data flows:
In a blow to both business interests and EU privacy concerns, US Congress recently renewed the Foreign Intelligence Surveillance Act of 1987 (FISA) without changes. The controversial law gives U.S. intelligence authorities sweeping powers, including the ability to collect electronic communications of foreigners located outside the US. In recent years, the EU has expressed strong concerns about U.S. surveillance and the lack of redress for its residents. Congress’ decision to renew FISA without reining in its surveillance powers will increase the likelihood of the EU overturning the Data Privacy Framework.
To jog your memory, the Data Privacy Framework (DPF) is a voluntary self-certification framework that allows more streamlined data flows from the EU to the US. (Learn more here.) Participating businesses confirm that they meet EU data protection standards, and in exchange, they can dispense with some of the administrative compliance burdens associated with transferring data from the EU to the US.
Critics already have stated that they don’t believe the DPF goes far enough to protect EU residents from U.S. government spying and have threated to challenge the framework in EU courts. There was some hope that amendments to FISA might stave off a legal challenge, but those hopes have been dashed.
If the DPF is overturned, many US businesses will again be left scrambling as they risk enormous fines from the EU if data flows continue without an adequacy mechanism in place.
The Protecting Americans’ Data from Foreign Adversaries Act
President Biden signed the Protecting Americans’ Data from Foreign Adversaries Act (PADFA) in April, and it comes into effect on June 23, 2024, which is a remarkably short timeline. The law prohibits data brokers from transferring sensitive personal information to named foreign adversary countries or entities controlled by them.
Many of the definitions in the PADFA are quite broad. “Data brokers”, “personally identifiable sensitive data”, and “controlled by a foreign adversary”, for instance, are defined quite broadly, so these laws have the potential to impact a broad range of US businesses.
We suggest that companies review the law to see if it applies, even if you think it may not at first glance. If your company shares data that you did not collect directly, you may be considered a data broker under this law. While the law is not sector-specific, it will likely have the greatest impact on adtech companies since they typically rely on third-party tracking data to tailor ads. PADFA will make this significantly more challenging and may signal an impending shift away from this advertising practice.
Penalties can range up to $50,120 per violation and the law comes into effect on June 23, 2024. So, it’s best to review your existing practices as soon as possible.
The FCC’s Precise Geolocation Crackdown
In April, the Federal Communications Commission (FCC) announced fines against a host of telecommunications providers for illegally sharing their customers’ location information without consent and for failing to take reasonable measures to protect that information against unauthorized disclosure.
You can read the FCC’s media release here for more.
These fines have been levied just months after the Federal Trade Commission (FTC) announced a proposed settlement with InMarket and X-Mode for poor practices relating to the illegal collection and sale of consumers’ precise location information. We covered this earlier.
On top of this, there’s a growing list of US states that have deemed precise geolocation data to be ‘sensitive’ personal information. At present, California, Utah, Virginia, Connecticut, and Colorado all treat precise geolocation data as sensitive.
The collection, use, and storage of sensitive personal information comes with increased risks, and typically increases costs of compliance.
Takeaways for US Companies
- Data flows between countries can be problematic. It is crucial that your company knows and understands where its data flows so it can respond quickly when privacy laws change.
- Precise tracking practices seem to be falling out of favor with regulators and consumers globally. It’s worthwhile reviewing your data collection practices to determine whether the potential risks (financial, legal, and reputational) warrant the collection.
- As always, transparency and choice are key tools in your privacy toolbelt. You should prioritize gaining consent, explaining choices to consumers, and making it easy for individuals to manage their data.
- If you do need to collect sensitive personal information, like geolocation data, for your business purposes, consider adopting privacy-enhancing technologies that allow for business wins and consumer privacy wins. Privacy doesn’t need to be a zero-sum game.
If you need assistance managing the personal information your company collects, reach out. Our privacy attorneys would love to help.
Disclaimer
The materials available at this website are for informational purposes only and not for the purpose of providing legal advice. You should contact your attorney to obtain advice with respect to any particular issue or problem. Use of and access to this website or any of the e-mail links contained within the site do not create an attorney-client relationship between CGL and the user or browser. The opinions expressed at or through this site are the opinions of the individual author and may not reflect the opinions of the firm or any individual attorney.
