Recent House legislation attempting to force ByteDance to divest TikTok raises constitutional issues and doesn’t address broader privacy concerns, Sens. Ron Wyden, D-Ore., and Rand Paul, R-Ky., told reporters Thursday, creating a bipartisan roadblock in the upper chamber.
Bills meant to protect kids online advanced in multiple state legislatures this week. On Wednesday, the Vermont Senate unanimously passed a children’s privacy bill (S-289) requiring an age-appropriate design code. It will go to the House. The same day in Illinois, the House Consumer Protection Committee voted 9-0 to advance a kids’ social media bill (HB-5380) that would require large social media platforms to make application programming interfaces (APIs) available so that third-party software providers can create tools for parents to manage their children’s activity on the platform. And in Alabama, the Senate Judiciary Committee cleared the House-passed HB-164 with a short amendment. The bill would require a reasonable age-verification method to restrict those younger than 18 from accessing pornographic websites. On Tuesday, Alabama’s Senate Fiscal Responsibility Committee cleared a privacy bill (SB-213) that would require data brokers to register with the state. A Pennsylvania House committee that day advanced a social media bill requiring age verification (see 2403190050).
The House on Wednesday unanimously approved TikTok-related legislation that would ban data brokers from transferring “sensitive” U.S. information to “foreign adversaries” such as China. Meanwhile, the Senate Commerce Committee and the Senate Intelligence Committee are planning a joint hearing about their legislative options.
The House voted 352-65 Wednesday to approve legislation that would ban TikTok in the U.S. if Chinese parent company ByteDance doesn’t divest the app in six months (see 2403120062).
Prepare for more California privacy activity in coming months, California Privacy Protection Agency Senior Privacy Counsel Lisa Kim said Wednesday. Kim previewed CPPA enforcement, rulemaking and legislative work at a virtual FCBA privacy symposium Wednesday. A growing patchwork of state privacy laws makes it difficult for businesses to create a good consumer experience for making privacy choices, said corporate privacy practitioners during a later panel.
The House Commerce Committee on Thursday unanimously passed legislation (see 2403050051) that could lead to a U.S. ban on the popular Chinese-owned social media app TikTok. The legislation is poised for floor action after gaining public support from House Speaker Mike Johnson, R-La., on Thursday.
The House Commerce Committee on Thursday will mark up two national security-related bills targeting TikTok, including one from Chair Cathy McMorris Rodgers, R-Wash., and ranking member Frank Pallone, D-N.J.
President Joe Biden on Wednesday signed an executive order directing DOJ to establish rules blocking large-scale transfers of Americans’ personal data to entities in hostile nations.
Avast misrepresented itself and sold user data without consent, the FTC alleged in a $16.5 million settlement announced with the U.K.-based software company Thursday. Since at least 2014, Avast has collected consumer browsing data through its browser extensions and antivirus software, according to the FTC complaint. Until 2020, Avast’s subsidiary Jumpshot sold the browsing information to more than 100 third parties, including “advertising, marketing and data analytics companies and data brokers,” the agency said. The company claimed it used an algorithm that removed identifying information but failed to “sufficiently anonymize consumers’ browsing information that it sold in non-aggregate form through various products,” the agency said. Chair Lina Khan said in a joint statement with Commissioners Rebecca Kelly Slaughter and Alvaro Bedoya: “Exposing people’s detailed browsing data in ways that can be traced back to them marks an invasion of privacy and is likely to cause substantial injury. ... Businesses that sell or share browser history data without affirmatively obtaining people’s permission may be in violation of the law.” An attorney for Avast didn't comment.
Connecticut Attorney General William Tong (D) sent more than a dozen violation notices under the state’s comprehensive consumer privacy law in the six months since it took effect July 1, 2023, the AG office reported Thursday. Businesses get 60 days to cure violations upon receiving a notice under the state law. “We have focused on key aspects of the law related to privacy policies, sensitive data and teens’ data,” said the report. “While many companies have taken prompt steps to address issues flagged in cure notices … all matters have resulted in additional follow-up.” The AG office issued 10 cure notices about privacy policy deficiencies, including missing, inadequate or confusing disclosures and missing, burdensome or broken opt-out mechanisms, it said. “Several companies updated privacy policies and/or consumer rights mechanisms quickly upon receiving cure notices.” But some didn’t fully alleviate the AG’s concerns, or their privacy disclosures raised new questions about compliance with other parts of the law, it said. “This process is an iterative one and only time will tell which companies fully satisfy our concerns and which matters will ultimately require more formal enforcement action.” The office received more than 30 consumer complaints, it said. “Many involved consumers’ attempts to exercise new data rights under the CTDPA, and primarily, the ‘right to delete.’” However, about one-third of the complaints involved data or entities exempted by the state privacy law, the AG office said. “A handful of others were exempt for other reasons, including under the CTDPA’s exemption for ‘publicly available information.’” The AG office recommended that legislators revise the law to scale back the number of entity-level exemptions, including one for nonprofits. Lawmakers should also switch to a data-level rather than entity-level exemption for the federal Gramm-Leach-Bliley Act and Health Insurance Portability and Accountability Act, it said.
Among its other recommendations: Enact a “one-stop-shop” deletion mechanism like California’s 2023 Delete Act (see 2309150063); add a right to know specific third parties that receive data from covered businesses; expand biometric data to include data capable of being linked to a consumer like in Oregon’s law; and clarify whether the legislature intended to ban targeted advertising to teens regardless of consent, and review possibly erroneous language on publicly available information.