Before drafting rules for Colorado’s privacy law, the attorney general’s office will seek comments “over the next few months,” said AG Phil Weiser (D) in prepared remarks Friday. “During this time, we will post a series of topics for informal input on our website and solicit responses in writing and at scheduled events.” The office will post an NPRM by fall with proposed rules and seek more comments, Weiser said. “We expect to be in a position to adopt final rules around a year from now.” Colorado’s law “makes plain that consumers deserve the right to access and control the use of their data,” Weiser said. “Consumers have a right to know what information companies collect about them and how that information will be used, enabling them to reject the sale and use of their private data by third parties.” The process must “be conducted fairly, free from what some have called ‘dark patterns,’ which can unfairly mislead consumers on this issue,” the AG said. “We will need to consider what the process will be for consumers to engage and learn about their data profiles as well as to correct inaccurate data,” and the office might provide guidance on company auditing and data protection assessment procedures, he said. The Colorado law takes effect July 1, 2023.
The FTC should ban surveillance advertising due to its “overwhelming” societal harm, Rep. Anna Eshoo, D-Calif., and Sen. Cory Booker, D-N.J., wrote the agency Wednesday, supporting a petition for rulemaking from Accountable Tech (see 2112280054). The petition requests a rule banning “surveillance advertising” as an “unfair method of competition.” Harms “vastly outweigh” the benefits, Eshoo and Booker wrote: “Surveillance advertising has been called the Internet’s Original Sin and a ‘time bomb at the heart of the Internet’ that could harm society on the scale of the subprime mortgage crisis.” The FTC confirms it received the letter, emailed a spokesperson Friday, declining further comment.
The Washington House Judiciary Committee delayed a vote scheduled for Friday on HB-1850, a privacy bill by Rep. Vandana Slatter (D) that got support and concerns at a hearing earlier in the week. It might be rescheduled to Wednesday, a House Democrats spokesperson told us. In Virginia, a proposed edit to the state’s 2021 privacy law moved to the House General Laws Committee after clearing a subcommittee by an 8-0 vote Thursday. HB-381 would allow a data controller to treat a consumer request to delete obtained by a third party as an opt-out for targeted advertising, personal data sale and from "profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer."
A hypothetical 50-state privacy law patchwork could cost more than $1 trillion over 10 years, estimated an Information Technology and Innovation Foundation report Monday. California, Virginia and Colorado have comprehensive privacy laws; 15-plus states are considering bills this year (see 2201120021). ITIF estimated California’s privacy law will cost $78 billion annually. The think tank modeled a scenario where all 50 states enacted privacy laws over 15 years, and the report assumes “not all states would implement identical laws and early adopters would likely favor stricter policies, whereas laggard states would expectedly favor less-stringent consumer privacy laws.” ITIF’s “intention is to estimate the costs if the U.S. continues down this path of state-led privacy laws” and isn’t “trying (or claiming) to predict the future in terms of what states might do,” emailed ITIF Vice President Daniel Castro. Compliance “is almost always a moving target,” he said. “Even similar laws often have some differences and businesses must hire lawyers or other professionals to resolve those differences and ensure they are in compliance.” For example, even though California’s law and Europe’s Global Data Protection Act are similar, “many U.S. businesses will have separate rules (and terms in their privacy policies) for users in California versus those in the European Union,” he said.
The European Parliament wants tougher controls on online profiling and targeting, it said Thursday, approving its negotiating position on the Digital Services Act. The DSA proposal contains measures to tackle illegal content and requirements for very large platforms to prevent abuse of their systems (see 2012150022). Lawmakers changed the original European Commission proposal, including bans on targeting the data of minors to show them advertisements, and on profiling people on the basis of special categories of data that allow vulnerable groups to be targeted. Lawmakers wanted more transparent and informed choice on targeted ads, saying refusing consent to such marketing shouldn't be harder or more time-consuming than giving it. They said online platforms shouldn't be able to use deceiving or nudging techniques to influence user behavior through "dark patterns." The vote paves the way for "trilogue" talks with EU governments, which approved their negotiating stance in November (see 2111260016), and the EC. The parliamentary version got guarded support from some groups. "Parliament has done a mixed job," said the European Consumer Organisation: It failed to create a "clear liability regime" for online marketplaces to ensure consumers are protected and compensated if they're harmed by illegal practices on platforms; and it should have supported a full ban on surveillance ads. The Computer & Communications Industry Association urged negotiators to "consider the impact of proposed new obligations such as restrictions to personalized ads, broad 'know-your-business-consumer' obligations, user redress, and data disclosure to law enforcement and researchers." European Digital Rights said banning surveillance ads altogether "would have been a more effective strategy," but nixing the use of sensitive data and outlawing dark patterns "is certainly the next-best thing." 
EDRi criticized lawmakers for refusing to give users the right to choose the ranking and recommendation algorithms they prefer. The Information Technology Industry Council welcomed the decision to maintain the EU e-commerce directive's limited liability rules for online intermediaries, saying policymakers should stay focused on the measure's original intent of creating a level playing field for businesses with proportionate rules on removing illegal online content: Issue-specific provisions such as the ban on dark patterns and regulating targeted ads "are missing nuances regarding the technicality and feasibility of these issues." Asked which provisions are likely to be controversial, a spokesperson from the lead Internal Market and Consumer Protection Committee said that's for the rapporteur to announce in coming days, since determining the sticking points is strategic for the negotiation.
The House Science Committee passed legislation by voice vote Wednesday that would promote federal research on “privacy enhancing technologies.” Sponsored by Reps. Haley Stevens, D-Mich., and Anthony Gonzalez, R-Ohio, the Promoting Digital Privacy Technologies Act (HR-847) would direct the National Science Foundation to develop “standards for integration of PETs into public and private sector data use.” Sens. Catherine Cortez Masto, D-Nev., and Deb Fischer, R-Neb., introduced companion legislation.
The U.S. and EU treat Big Tech and China differently in the debate on data flows, speakers said at a virtual Progressive Policy Institute event Wednesday. From a privacy and diplomacy standpoint, Europe has painted itself into a corner, said European Centre for International Political Economy Director Hosuk Lee-Makiyama: It addressed U.S. platforms while ignoring that many people use TikTok, Zoom and similar companies, and that some personal data is going to China. While the EU and U.S. squabble, they're losing ground for future economic competitiveness, said Kristian Stout, International Center for Law & Economics innovation policy director. When the scale of NSA's Prism data collection was revealed, Europe and the U.S. demanded negotiations to scale back the practice (see 1307080059), said Lee-Makiyama: But neither party sought relief when China enacted its privacy law, so does that mean they trust President Xi Jinping? It's also inexplicable that Max Schrems has brought around 100 lawsuits, mostly against Google and Facebook, but has never sued any Chinese entity subject to that country's national security law, Lee-Makiyama said. Since the European Court of Justice struck down transfer mechanism Privacy Shield in Schrems II (see 2009100001), there's concern not only about a replacement but also about whether an alternative mechanism, standard contractual clauses (SCCs), will also be invalidated, said PPI Chief Economist Michael Mandel. The parties are essentially friendly trade partners, but the sticky question is where the EU is willing to give ground and whether the U.S. is likely to change its national security apparatus, said Stout. He said he's optimistic the EU will give some ground based on its trade commitments, because under EU law, privacy can't entirely trump national security. 
And if Europe has to give something, so does the U.S., he said: Overbroad surveillance data collection processes could be changed to enable the EU to grant an adequacy ruling; the lack of redress by European citizens for data misuse could come through proportional analyses in lawsuits that show that China, EU countries and other governments also engage in U.S.-like surveillance. If SCCs are invalidated and there's no agreement on a revised PS, Lee-Makiyama said, he's pessimistic the EU general data protection regulation could be reversed because of its normative effect globally on cross-border data flows. The debate isn't whether there should be a GDPR, but whether it's being intertwined with trade and national security policies in a way that could lead to no trade if the discussion follows its natural conclusion, said Stout. The U.S. won't necessarily come closer to the EU position on privacy, but everyone wants a "reasonable compromise," said Lee-Makiyama.
Legislation introduced Tuesday would ban the use of personal data for targeted advertisements. Introduced by Rep. Anna Eshoo, D-Calif.; Rep. Jan Schakowsky, D-Ill.; and Sen. Cory Booker, D-N.J., the Banning Surveillance Advertising Act allows contextual ads, or “advertising based on the content a user is engaging with.” The bill targets “the unseemly collection and hoarding of personal data to enable ad targeting,” said Eshoo. “Broad location targeting to a recognized place, such as a municipality” would be allowed.
Google and Facebook breached French data protection laws on cookies, the Commission Nationale de l'Informatique et des Libertes (CNIL) said Thursday. It fined Google 150 million euros ($170.2 million), Facebook 60 million euros ($68.1 million). The data protection authority said it received "many complaints" from users about the difficulty of refusing cookies on the companies' websites. Investigations found google.fr, youtube.com and facebook.com offered buttons allowing users immediately to accept cookies, but the process for refusing them required several clicks. Making the refusal mechanism more complex discourages cookie refusals and encourages users to opt into them, negatively affecting users' freedom to consent, CNIL said. Google emailed that it understands its responsibility to protect users' trust and is "committing to further changes and active work with the CNIL" in light of the decision. Facebook parent Meta emailed it's reviewing the decision and remains "committed to working with relevant authorities" to improve its cookie controls. Data protection is among key priorities of the EU French Presidency, which took office Jan. 1. Its work program for the six-month term includes several digital technology areas, including personal data protection in electronic communications that will complement the general data protection regulation. Other priorities: Development of "human-centred artificial intelligence," boosting cybersecurity, and beginning work on a data act as part of a framework to enable data exchange while ensuring secure sharing mechanisms.
Ohio legislators amended a comprehensive privacy bill by unanimous voice vote at a House Government Oversight Committee hearing Wednesday. Rep. Rick Carfagna (R) said the new version of HB-376 is “more nuanced” about how it classifies businesses, differentiating between data controllers at the front end and processors in the back end. The amended bill would preempt local privacy rules, give consumers a right to opt out of targeted advertisements and align various definitions more closely with other states’ bills, Carfagna said. Businesses wouldn’t have to respond to requests for pseudonymous data, he said. The lawmaker said he worked on the amendment with industry groups including the State Privacy and Security Coalition and BSA|The Software Alliance. The Ohio Association for Justice (OAJ), a trial lawyers group, and the American Civil Liberties Union Ohio opposed HB-376. Enforcement only by the state attorney general isn’t enough to protect Ohioans, said OAJ Trustee Curtis Fifner: The bill should allow private lawsuits, at least when the AG decides not to prosecute a claim. The measure is full of “exploitable loopholes” allowing businesses to “circumvent” privacy protections, said ACLU Ohio Chief Lobbyist Gary Daniels: It gives consumers a “right to know” but not to act, he said. Ohio bills typically get three hearings in committee before going to the floor; Wednesday’s was the third.