This week has been invigorating and exhausting in equal measure as D.C. hosted more than 4,000 privacy professionals for a whirlwind of learning, networking and catching up with old friends (not to mention a bit of dancing). The IAPP’s incredible events and programming teams have pulled off a conference for the record books! The vibrancy of the privacy community was on display in many ways, including the IAPP announcement that it would donate $10 per attendee to World Central Kitchen, a crisis food charity founded by Washington’s adopted son José Andrés, which has been responding to the war in Ukraine. IAPP President and CEO J. Trevor Hughes, CIPP, challenged all privacy professionals to match the donation on this page. Here's what’s happened since the last roundup:
- The CFPB showed its teeth on “digital dark patterns.” As part of a legal action against TransUnion, one of three major consumer credit reporting companies in the U.S., the Consumer Financial Protection Bureau focused attention on the company's alleged use of an “array of dark patterns to trick people into recurring payments and to make it difficult to cancel them.” What is a dark pattern? The CFPB gives us two definitions. In plain English, “Dark patterns are hidden tricks or trapdoors companies build into their websites to get consumers to inadvertently click links, sign up for subscriptions, or purchase products or services. Dark patterns can complicate or hide information, such as making it difficult for consumers to cancel a subscription service.” And in legalese, dark patterns are a form of misrepresentation. The CFPB alleges in its complaint that TransUnion violated a prior order prohibiting it from “misrepresenting, expressly or impliedly, in connection with the advertising or marketing of a Credit-Related Product, any material fact about ‘any ... conditions of the product or service, or any material aspect of its performance ... nature, or central characteristics.’”
- Negotiators offered a few more details about the future of EU-U.S. data transfers. On the keynote stage, European Commissioner for Justice Didier Reynders said the Trans-Atlantic Data Privacy Framework could be finalized on both sides “by the end of this year.” U.S. Department of Commerce Deputy Assistant Secretary for Services Christopher Hoff, CIPP/E, CIPP/US, CIPM, explained the U.S. will be acting first on the agreement, with an executive order from the White House and implementing regulations from the Office of the Attorney General in the U.S. Department of Justice. Notably, once these pieces carry the force of law on the U.S. side, they will immediately stabilize valid transfer mechanisms such as Standard Contractual Clauses, even before the EU Commission grants an adequacy decision.
- Tech leaders made waves on the Summit stage. Both Apple’s CEO, Tim Cook, and Microsoft’s President, Brad Smith, called on U.S. legislators to pass comprehensive privacy legislation. In addition, Cook defended Apple’s centrally managed application store as an essential structure for uniform privacy and safety policies, a structure he claims is threatened by antitrust proposals in both the U.S. and EU. Smith instead focused on the need for more “thoughtful” regulation, proposing the idea of an overarching digital agency in the U.S. with rulemaking authority to craft standards that respond to technological changes. One key theme across these speeches? Privacy professionals need to continue preparing for what comes next: new technologies, new regulatory tools and new laws.
- U.S. privacy enforcers also made their voices heard. With the observation that the digital economy has given rise to the “most highly surveilled environment in the history of humanity,” the chair of the Federal Trade Commission, Lina Khan, focused her keynote address on the need for the FTC to use its limited resources in a targeted manner that maximizes impact by focusing on dominant firms as well as “intermediaries that may facilitate bad conduct on a massive scale.” Khan promised that the FTC will use all its enforcement tools to take “swift and bold action,” while designing effective remedies that “fully cure the underlying harm and, where necessary, deprive lawbreakers of the fruits of their misconduct.” Meanwhile, Colorado Attorney General Phil Weiser unveiled his office’s Pre-Rulemaking Considerations for the Colorado Privacy Act. In his remarks, Weiser asked for robust stakeholder engagement: “We want your ideas now.”
- April 25 at noon EDT, R Street will host Beyond the Basics: The Many Pillars of a U.S. Privacy Law (in-person and online).
Please send feedback, updates and dance videos to firstname.lastname@example.org.
If you want to comment on this post, you need to login.