It’s been a rather eventful week in the world of privacy and transparency law. After the past few months, I think we can safely say that online platforms in traditionally non-regulated industries are about to enter the Age of Compliance. Below, we’ll briefly discuss three laws which had updates this week and finish with some musings on what this may mean for businesses.
Note: I am not a lawyer – and nothing below should be taken as legal advice. If anything here concerns you, I advise speaking to your respective legal team.
Rulemaking begins in California
The California Privacy Protection Agency commenced formal rulemaking this past week to further the adoption of the Consumer Privacy Rights Act of 2020 (CPRA).
As part of this effort they updated the May 8th draft regulations with mostly grammatical changes. My thoughts on the draft still seem to be relevant after running the new draft through a diff checker with the previous version.
The rulemaking process will take public comment until 5 PM PDT on August 23, 2022. You can file public comment in the following ways:
E-mail to regulations@cppa.ca.gov. Please include “CPPA Public Comment” in the subject line and include your comments as an attachment to the email. This will help ensure that personal information is not posted to the Agency’s website.
or
Mail to: California Privacy Protection Agency (https://cppa.ca.gov/regulations/consumer_privacy_act.html)
Attn: Brian Soublet
2101 Arena Blvd., Sacramento, CA 95834
Alternatively, you can attend or speak at the public hearings to be held on August 24th and 25th.
So, given the above, the draft is the best reference to align to in the short term, as we are unlikely to get an updated regulation draft until late August or early September. Remember, as of right now the Agency has yet to delay the enforcement date, which remains January 1st, 2023.
New Laws in Europe
The European Commission issued a statement about the Digital Services Act and Digital Markets Act, collectively known as the Digital Service Package – which was adopted in the first reading by the European Parliament.
The final text of both laws is still not public, but the Commission has handy fact sheets (linked in each section) which can be referenced for each of the bills. The analysis below is therefore based on the fact sheets, not the final legal text, and may ultimately differ once the final text is reviewed.
Digital Services Act
The Digital Services Act seeks to make what is illegal offline, illegal online. The requirements vary by both industry and platform size.
Common to intermediary services, hosting services, and online platforms are transparency requirements, requirements on Terms of Service, a duty to cooperate with national authorities, and requirements to establish points of contact and, where required, legal representation.
Hosting providers and online platforms additionally need notice-and-action mechanisms and an obligation to provide information to users, and are required to report criminal offenses.
Online platforms have additional requirements, and this is where I feel the most impact will be felt by businesses operating in the European market. Such requirements include: a complaint and redress mechanism and an out-of-court dispute settlement mechanism; trusted flaggers of illegal content; measures against abusive notices and counter-notices; bans on targeted advertising to children and on targeting based on special characteristics (such as religion or political views); transparency of recommender systems; transparency of online advertising; and, for marketplaces, requirements to vet the credentials of third-party suppliers, including random checks.
Lastly, very large platforms (reaching 10% of the 450 million consumers in Europe) are subject to even more requirements. They must address risk management obligations and crisis response actions. They are subject to external and independent auditing, required to have an internal compliance function, and subject to public accountability. They are required to offer users the ability to opt out of profiling for the generation of recommendations. The firms are also required to allow data sharing with authorities and researchers. Finally, they must have a code of conduct and are subject to cooperation for crisis response.
Enforcement Date
For most businesses, the law will begin enforcement 15 months after entry into force or on January 1st, 2024, whichever is later. For very large online platforms and very large online search engines, the DSA will apply four months after they have been designated as entering the category of very large online platform or search engine.
Fines
The law (again based on draft information) has a multi-tier fine structure. Very large online platforms may face fines of up to 6% of global turnover of the previous financial year, and may be further fined up to 1% of global turnover of the previous year for supplying false information, failure to rectify within the time period set, or refusal to submit to an on-site inspection.
Digital Markets Act
The other part of the Digital Services Package was the Digital Markets Act, which seeks to rein in large tech companies operating across Europe. It does so by subjecting ‘Gatekeepers’ to additional requirements beyond the Digital Services Act and the General Data Protection Regulation.
A company may be designated a Gatekeeper if it:
1: Has a strong economic position, significant impact on the internal market and is active in multiple EU countries
2: Has a strong intermediation position, meaning that it links a large user base to a large number of businesses
3: Has (or is about to have) an entrenched and durable position in the market, meaning that it is stable over time; this is met if the company satisfied the two criteria above in each of the last three financial years
Source: https://ec.europa.eu/info/strategy/priorities-2019-2024/europe-fit-digital-age/digital-markets-act-ensuring-fair-and-open-digital-markets_en
Such Gatekeepers must:
Allow third parties to interoperate with the gatekeeper’s services in specific situations. An example would likely be allowing third-party payment processors on the App Store and Google Play Store.
Allow their business users to access the data that they generate in their use of the platform, and additionally provide companies that may be advertising on the platform with the tools and information required to carry out independent verification of their advertisements hosted by the gatekeeper.
Allow business users to promote their offers and establish contracts with end users outside of the gatekeeper platform.
Such Gatekeepers are forbidden from:
Ranking their own offerings more favorably than third-party offerings on the gatekeeper’s platform.
Preventing consumers from establishing contracts with businesses outside of their platform, or preventing users from uninstalling any pre-installed software.
Lastly, and this is transformative for the advertising industry – tracking end users outside of the gatekeeper’s core platform for the purpose of targeted advertising without effective consent having been granted.
Enforcement Date
The law will begin enforcement six months after entry into force.
Fines
Fines are extensive, and may range from 10% of worldwide annual turnover for a first offense, all the way up to 20% of turnover for repeated offenses. Should the Commission levy periodic penalty payments, those could be up to 5% of average daily turnover.
Finally, the fact sheet notes that additional remedies may be imposed after an investigation and that if necessary, as a last resort option, non-financial remedies may be imposed which could include behavioral or structural changes.
The Bottom Line
We’re entering a period of tremendous uncertainty on both sides of the Atlantic. In America we have five state laws (California, Virginia, Colorado, Connecticut and Utah) entering into effect in 2023. Also, since the fall of Roe vs. Wade, data privacy has taken a more prominent stage in Washington, and it’s anyone’s guess what Congress (or, failing them, perhaps the Federal Trade Commission) will do to address data privacy.
Then in Europe, depending on the size of your business and what you may be classified as – you may have to handle requirements for the General Data Protection Regulation, the Digital Services Act and perhaps the Digital Markets Act.
Even if your org itself doesn’t have massive changes to make internally to comply with the Digital Services Package – know that the advertising, social and ecommerce industries are in for a period of notable flux between now and 2024. It is very possible that things you can do today will no longer be allowed, and vice versa, as the platforms move into compliance.
This is to say nothing of the possible fines which may be issued under the Digital Services Package. It forces me to wonder if we’ll see more businesses cease operations in Europe as a result. It’s hard to say without knowing which brands get classified with what designations, but it’s clear the cost of doing business in Europe just got dramatically more expensive for many businesses. It would not surprise me to see multiple brands go on feature lock as they devote all available development resources to compliance activities in the medium term.
In short – regardless of which side of the ocean you’re on we’re entering a period of massive change to multiple digital industries. Data Privacy and Transparency are becoming key functions of how a business must operate. How it will shake out is impossible to predict, but what I can say with confidence is that the Internet in the next 18 months will look nothing like it does today and neither will the brands that survive the impending shakeup.
The Age of Compliance is definitely upon us.