A lot has happened in privacy law in 2022 . . . which is actually nothing new because so much happens every year. I have thought about which 5 developments are the most notable, and here’s my list.
Have a moment? I’m running a short survey to see what other privacy professionals think.
5. ADPPA. The American Data Privacy and Protection Act (ADPPA) was introduced in the House of Representatives on June 21, 2022. It has gone further than most attempts at a comprehensive privacy law. My sense now is that the passage of the ADPPA is a longshot, hung up on the fact that it preempts state privacy laws, a difficult hurdle because California is so committed to regulating in this area.
My Writings and Resources on ADPPA:
- Webinar on ADPPA – Bill for a Federal Comprehensive Privacy Law
- A Faustian Bargain: Is Preemption Too High a Price for a Federal Privacy Law?
- Further Thoughts on ADPPA, the Federal Comprehensive Privacy Bill
4. California Age-Appropriate Design Code Act. I originally was going to cheat and lump all state privacy law developments together, but I decided it wouldn’t be fair. I therefore choose the California Age-Appropriate Design Code Act, passed in September 2022. The Act has a broader scope than COPPA, and it requires configuring defaults to a high level of privacy, focusing on children’s best interests, completing a data protection impact assessment for the launch of services or products, and many other things.
Had I cheated and lumped state law developments together, I would have included the consumer privacy laws of Connecticut and Utah, the first jury trial verdict under the Illinois Biometric Information Privacy Act (BIPA) for $228 million, and Colorado’s draft Privacy Act regulations, and the first enforcement action under the CCPA. Plus the CPRA changes to the CCPA go into effect on January 1, 2023, and employee data will be covered. But I’ll save that one for next year!
Of Potential Interest: Updated CCPA Whiteboard Is Just Released!
3. EU Digital Services Act. In July 2022, the EU Parliament approved the Digital Services Act. This is a bold law that imposes many duties on large online platforms and search engines. The Digital Services Act includes requirements for mitigating risks such as disinformation and online harassment; bans targeted ads by profiling children or based on sensitive data; andrequires independent auditing.
2. Transatlantic Data Transfer Framework. A new agreement has been reached to patch cross-border data transfer after Schrems II. This new arrangement makes changes in the U.S. surveillance regime via executive order, and it revives the EU-US Privacy Shield.
1. Dobbs. In Dobbs v. Jackson Women’s Health Organization (U.S. 2022), the U.S. Supreme Court eliminated the right to abortion. Although not about information privacy, the Dobbs case has profound effects for information privacy. As Professor Elizabeth Joh aptly writes: “Dobbs has been called a turning back the clock for abortion rights and women’s rights. But that is not quite accurate. The Court has decided Dobbs at a time when unprecedented amounts of digital data about us now exist thanks to an enormous surveillance infrastructure.”
Honorable Mention: FTC Commercial Surveillance and Data Security Rulemaking (because the process has just begun). On August 11, 2022, the FTC began a rulemaking under the onerous procedures of the Magnuson-Moss Warranty Act. The FTC is focusing on secret commercial surveillance practices, the use of algorithms and automated systems to analyze data, discrimination, and dark patterns, among other things. This is a bold move for the FTC, and the Magnusson-Moss process presents a mountain to climb. If the FTC can pull this off, it will be quite an achievement.
Daniel J. Solove is John Marshall Harlan Research Professor of Law at George Washington University Law School. He is the founder of TeachPrivacy, a company that provides computer-based privacy and data security training. His most recent book is Breached! Why Data Security Law Fails and How to Improve It, published by Oxford University Press 2022.