The California Privacy Protection Agency set an Aug. 24-25 hearing on proposed rules to implement the 2020 California Privacy Rights Act (CPRA). Written comments on the draft regulations will be due Aug. 23, the agency said in a Friday notice of proposed rulemaking. The CPPA board greenlit the CPRA rulemaking and released draft rules last month (see 2206080042).
Senate Intelligence Committee Chairman Mark Warner, D-Va., and Vice Chairman Marco Rubio, R-Fla., urged the FTC Tuesday to "immediately initiate" an FTC Act "Section 5 investigation on the basis of apparent deception by TikTok" and parent company ByteDance about whether China-based employees have access to U.S. users' data on the app. They noted recent "public reports" that individuals in China have been accessing data on U.S. users. TikTok said last month amid scrutiny from FCC Commissioner Brendan Carr and Senate Republicans that it has always given company engineers, including those in China, access to U.S. user data on an “as-needed basis” under “strict controls” (see 2206280064). Those actions contradict "several public representations" by TikTok executives, "including sworn testimony" at an October Senate Consumer Protection Subcommittee hearing (see 2110260070), Warner and Rubio said in a letter to FTC Chair Lina Khan. They believe a Section 5 probe is necessary since "TikTok’s privacy practices are already subject to" a 2019 consent decree (see 1902270059) "based on its improper collection and processing of personal information from children." Recent "updates to TikTok’s privacy policy, which indicate that TikTok may be collecting biometric data such as faceprints and voiceprints (i.e. individually identifiable image and audio data, respectively), heighten the concern that data of U.S. users may be vulnerable to extrajudicial access by security services controlled" by the Chinese Communist Party, the senators said. TikTok said it "has never shared U.S. user data with the Chinese government, nor would we if asked." The FTC confirmed it received the letter.
Federal agencies, particularly those in law enforcement, need to better assess privacy risks and protections for facial recognition technology, GAO Director-Science, Technology Assessment and Analytics Candice Wright told the House Oversight Subcommittee Wednesday. GAO shared results with the subcommittee showing 13 of 14 agencies that reported using nonfederal, face-scanning technologies didn’t have “complete, up-to-date information on what non-federal systems were used by employees because they did not track this information.” Agency headquarters often didn’t have a good understanding of what was happening in regional and local offices, said Wright: Using face-scanning systems without assessing privacy risks and protections can result in agencies running afoul of state and federal regulations, she said. The most common use of the technology within agencies is unlocking smartphones. Other uses include domestic law enforcement generating leads for investigations and agencies monitoring access to buildings and facilities, she said.
Bipartisan draft discussions on privacy are encouraging, but the bill being circulated needs more work, tech industry groups wrote Congress Monday (see 2206100061). The Computer & Communications Industry Association, Software & Information Industry Association and TechNet can’t support the bill in its “current form,” the groups wrote. They raised issues with the bill’s inclusion of a private right of action and duty of loyalty, as well as an “untailored, burdensome requirement to submit assessments of virtually all computer-based activities involving algorithms.”
A state privacy bill cleared New Jersey’s Senate Commerce Committee in a 3-2 partisan vote Thursday. The panel's Democrats voted for S-332, but Republicans said no at the livestreamed hearing. Chair Nellie Pou (D) said she had a commitment from sponsor Sen. Troy Singleton (D) that the bill won't go to the floor until he can review all comments on the bill and speak to anyone who wants to discuss it. The New Jersey Business & Industry Association is still analyzing the bill, said Vice President-Government Affairs Ray Cantor. The association hopes a bipartisan federal bill proposed last week (see 2206070062) might mean a “breakthrough” in Congress, he said. The New Jersey bill would require websites to notify consumers about -- and allow them to opt out of -- collection and disclosure of personally identifiable information. It would give the state attorney general exclusive enforcement authority.
The House Consumer Protection Subcommittee scheduled a hearing on bipartisan draft privacy legislation June 14, the House Commerce Committee announced Tuesday (see 2206030058). The hybrid hearing on the American Data Privacy and Protection Act is set for 10:30 a.m. in 2123 Rayburn. “We look forward to hearing from consumer privacy leaders as we work to finalize this important legislation that holds Big Tech accountable, puts consumers back in control of their data, and protects their privacy,” Chairman Frank Pallone, D-N.J., said in a joint statement with House Consumer Protection Subcommittee Chair Jan Schakowsky, D-Ill.
Louisiana’s privacy bill might be dead after not getting a House vote Tuesday. The House had thrice delayed voting on HB-987 (see 2205250032) but this time didn’t set a new date to call the bill. Louisiana legislators are to adjourn Monday. Sponsor Rep. Daryl Deshotel (R) didn’t comment Wednesday.
Three-quarters of the world’s population by the end of 2024 will have its personal data covered under “modern privacy regulations,” predicted Gartner Tuesday. Since most organizations lack a “dedicated privacy practice,” the responsibility for “operationalizing” these requirements will be passed on to chief information security officers, said Gartner: “With the expansion of privacy regulation efforts across dozens of jurisdictions in the next two years, many organizations will see the need to start their privacy program efforts now.” Gartner predicts that large organizations’ average annual budgets for privacy will exceed $2.5 million by 2024, it said.
California Privacy Rights Act (CPRA) draft rules are “now mostly complete,” said California Privacy Protection Agency Executive Director Ashkan Soltani at a CPPA board meeting livestreamed Thursday. CPRA is set to take effect Jan. 1 despite rulemaking delays (see 2202280040). California privacy rulemaking authority formally transferred to the CPPA from the state attorney general April 21 pursuant to the 2020 law, which succeeded 2018’s California Consumer Privacy Act (CCPA). On May 5, the California Office of Administrative Law approved transfer of CCPA regulations to the privacy agency. The renumbered rules “represent the beginning of the Agency’s rulemaking role,” the CPPA said Monday. As part of a pre-rulemaking process, the privacy agency held stakeholder and informational sessions and received written comments (see 2205040043, 2203300064 and 2203290062). The CPPA meeting continued after our deadline.
Electronics recycler ERI said Tuesday it completed the Service Organization Control (SOC) 2 Type 1 audit and received a compliance certification showing the company is “recognized globally for its rigor in the review of organizations’ systems and controls.” It affirms that ERI’s practices, policies, procedures and operations meet the SOC 2 standards for security and data protection, the company said. ERI is also embarking on SOC 2 Type II compliance, which would assert that its internal systems and controls are effective at meeting audit standards on a continuous basis while ensuring that the personal assets of the organization’s potential and existing customers are protected, said CEO John Shegerian.