The California Privacy Protection Agency is “eager to get started,” Chair Jennifer Urban said at the first meeting of the agency created by the California Privacy Rights Act (CPRA). “The CPPA will be an independent agency.” Meeting virtually Monday, the board discussed hiring an executive director and other positions, and heard presentations on the Open Meeting and Administrative Procedure acts (see meeting materials). The state law requires the CPPA to complete a rulemaking to develop final regulations for enforcement by July 1, 2022. The other four board members are listed in the personals section of the March 19 issue. More than half of California voters supported CPRA in November's election (see 2011040033).
The Senate will have hearings soon on a federal privacy bill, said Consumer Protection Subcommittee Chairman Richard Blumenthal, D-Conn., during a Politico webinar Thursday. “We will hold hearings on a number of aspects, not only the substance of what should be included, but also enforcement, how to enlist state authorities, especially the states where there are now laws.” Congress doesn’t want to preempt states like California, he said. Blumenthal seeks an FTC rulemaking. “It may be time-consuming, but it will provide additional leverage and impetus for what we will do in Congress,” he said. “We’re way behind the rest of the world.” Blumenthal said he will consult with other members of the Commerce Committee on hearing dates: “This area is really ripe for action.” Subcommittee ranking member Marsha Blackburn, R-Tenn., sees growing consensus. State officials are “perplexed” Congress didn’t move first, she said: “People are waiting for us.” Parents are “turning to us,” she said, “and saying there need to be some stronger rules of the road on online privacy. There need to be some punishments for misuse.” Discussions are further along among members than most people realize, she said. Blumenthal noted Facebook is planning Instagram for kids: “We’ve got to stop it. … It’s a disaster waiting to happen.” Legislation should require people opt in if they want to share data, Blumenthal said. “A strong national standard” should be “imposed across the board on all platforms,” he said. People should be able to transfer their data, he said. It won’t be easy to get anything through the Senate, he said: “The bandwidth here is sometimes limited and there are a lot of competing issues.” Lack of federal privacy rules hampered using data in a “sufficiently agile” way to respond to COVID-19, said Julie Brill, Microsoft chief privacy officer. No one knew “what the guardrails were,” she said. 
In the absence of a federal law, “states will move forward because policymakers want to address their constituents’ concerns,” she said. Brill hopes agreement can be reached on a federal law. There’s consensus “consumers are shouldering too much of the burden around privacy” and companies need to demonstrate they use data responsibly, she said: There’s understanding consumers need to correct their data and move it to another provider if they want.
Colorado could soon become the third state with a comprehensive privacy law. Senators voted 34-0 Tuesday to concur with House amendments to SB-190. The House passed the bill 57-7 Monday. The Senate kept House changes including language clarifying that nothing in the law provides for a private right of action. The bill goes next to Gov. Jared Polis (D), whose office didn’t comment now. Polis is widely expected to sign, particularly given the wide voting margins in the House and Senate, said Ballard Spahr privacy attorney Greg Szewczyk in an interview. SB-190 follows Virginia’s model with much of the same terminology and big-picture requirements, so having Colorado as the third state law probably won’t significantly complicate U.S. privacy rules, he said. Unlike Virginia, but as in California, Colorado’s attorney general would have to make rules implementing the bill, he said: “As to how difficult compliance is going to be, that may have a significant impact.” One big difference with Virginia is that Colorado would allow enforcement by district attorneys in addition to the AG, Szewczyk noted. Colorado’s law is “a mixed bag” that lawmakers should seek to strengthen in future years, Common Sense Media Director-State Advocacy Joseph Jerome told us: “I don’t think it’s anybody’s dream privacy law, but ... it’s certainly a marked improvement over what was able to pass out of Virginia earlier this year.” DAs joining enforcement could be useful, he said. SB-190 has good parts, including requiring companies to honor browser privacy signals as an opt-out, but “the bill needs to be stronger to fully protect consumers, including by tightening up potential loopholes for targeted advertising, and clarifying that consumers can’t be charged for exercising their privacy rights,” emailed Consumer Reports Senior Policy Analyst Maureen Mahoney. 
Computer and Communications Industry Association Privacy Counsel Keir Lamont said “the prospect of an increasingly divergent set of state-level compliance obligations further underscores the need for federal action to establish baseline privacy rules.”
Some Amazon and Microsoft contracts with EU institutions are under investigation for compliance with privacy law, the European Data Protection Supervisor said. It's considering whether the use of cloud services provided by Amazon Web Services and Microsoft under contract to EU agencies, and the European Commission's use of Microsoft Office 365, meet general data protection regulation requirements. The probes are intended to ensure that EU institutions comply with the European Court of Justice decision in Schrems II. In October, the watchdog ordered EU bodies to report on their data transfers to non-EU countries; findings confirmed that institutions increasingly rely on cloud-based software and infrastructure or platform services from large providers, some of which are in the U.S. and subject to law deemed to allow disproportionate surveillance activities by authorities. The EDPS acknowledged that some cloud contracts were signed before the judgment, and that Amazon and Microsoft implemented new systems to align themselves with it. Nevertheless, it said, “these announced measures may not be sufficient to ensure full compliance with EU data protection law and hence the need to investigate this properly.” The goal of the investigation into the use of Microsoft Office 365 is to verify compliance with prior EDPS recommendations on the use of the company's products and services. Microsoft told us it will “actively support the EU institutions to answer questions raised” by the EDPS and is “confident to address any concerns swiftly.” Amazon didn't comment.
A New York privacy bill has “strong teeth,” Consumer Reports said Monday. The Senate Consumer Protection Committee advanced the bill by Chairman Kevin Thomas (D) to the floor last week (see 2105180028). “Unlike other industry-supported bills that have been introduced this year, this bill protects consumers’ privacy by default,” said CR Senior Policy Analyst Maureen Mahoney.
New York state privacy and robocalls bills advanced to the Senate floor Tuesday. One Consumer Protection Committee member voted against the privacy bill (S-6701) by Chairman Kevin Thomas (D). Sen. Jim Tedisco (R) said he was voting no due to nonprofits' concerns. Three voted yes, while two voted aye without recommendation, meaning they wanted to move it to the House floor while reserving their full support. The comprehensive privacy measure “creates transparency, control and oversight,” said Thomas at the livestreamed hearing. It would require companies to get consumer opt-in consent, and authorizes attorney general enforcement, private rights of action and class actions. The panel voted unanimously for the robocalls bill (S-6267), which would require that telecoms block calls from subscribers who requested blocking of their own numbers. Providers would have to block calls from numbers that aren't valid North American numbering plan numbers, that are valid but not allocated to a provider, or that are allocated but unused.
The Supreme Court declined to hear a cellphone privacy case about when it’s OK for police to require someone to unlock an encrypted device. SCOTUS said Monday it denied a petition for writ of certiorari in Andrews v. New Jersey (see 2104020029), an appeal of the New Jersey Supreme Court decision that the state didn’t violate the Fifth Amendment when it required Robert Andrews to turn over passwords for two cellphones. The federal high court turned down a similar Pennsylvania case in October (see 2010050042). The New Jersey attorney general’s office declined comment. Representing Andrews as counsel of record, the American Civil Liberties Union didn’t comment.
A Colorado privacy bill is going to the Senate. The Appropriations Committee voted 7-0 Friday for SB-190. This “appears to be an even more business-friendly version” of Virginia’s law, Husch Blackwell lawyers blogged Wednesday.
Facebook should stop “intimidating WhatsApp users to accept extended data collection,” 28 advocacy groups wrote the company Friday. Led by Public Citizen, they claim the platform is manipulating users into accepting weakened privacy policies, which were to have taken effect Saturday (see 2105030058). Electronic Privacy Information Center, Fight for the Future, Access Now and Center for Digital Democracy signed. The intended business model “relies on extended data integration between WhatsApp and Facebook to benefit its own bottom line at the expense of user privacy,” they wrote. Facebook didn't comment.
Facebook should stop reversing WhatsApp privacy protections and not collect payment and transaction data from users, said about three dozen advocacy groups, announcing a campaign Monday. “This latest move to encroach upon the privacy of WhatsApp users is further proof that Facebook is using exploitative practices and abusing its dominant market power,” said Public Citizen Digital Rights Program Director Burcu Kilic. Facebook is scheduled to make the change May 15. PC, the Center for Digital Democracy, Electronic Privacy Information Center and Fight for the Future signed. They cited Facebook CEO Mark Zuckerberg’s promises in 2014 not to “change plans around WhatsApp and the way it uses user data.” The company didn’t comment.