US Federal and Stateside Privacy News Roundup - June 29, 2022

US Federal

Comprehensive federal privacy bill released

The US House of Representatives and Senate have released a bipartisan draft discussion of a comprehensive data privacy bill, the American Data Privacy and Protection Act (ADPPA).

The ADPPA is the first comprehensive federal privacy bill to gain bipartisan and bicameral support. This bill has 4 main parts:

Duty of loyalty
Consumer data rights
Corporate accountability
Enforcement, applicability, and any other miscellaneous provisions.

ADPPA would include a private right of action and would preempt most state laws, with some exclusions. The State Attorneys General and FTC would have enforcement rights, and the FTC would have authorized rulemaking powers.

Growing bi-partisan consensus for increased regulation of children’s data

The FTC has signaled increased Children’s Online Privacy Protection Act (COPPA) enforcement against EdTech companies. The commission issued a Policy Statement highlighting raised scrutiny of compliance, and COPPA restrictions such as mandatory collection, use, and retention prohibitions as well as security requirements. This comes after the COVID-19 pandemic closed schools and forced remote learning, resulting in EdTech tools becoming necessary for participation.

FTC Fines Twitter for granting access for third parties to users’ personal information

The FTC fined Twitter $150 million after Twitter required users to submit phone numbers and email addresses to protect their accounts, then granted third parties access to the information. The complaint alleged Twitter obtained this data under the pretext of using it for security purposes, but then used it for the purpose to target users with ads.

US States

Maryland student data privacy law aims to increase student data protection

Maryland’s new student data privacy law, SB 325, took effect June 1, 2022. The law will increase student data protections by altering the definitions of covered information, operator, persistent unique identifier, and targeted advertising.

CPPA will discuss CPRA draft regulations

The California Consumer Privacy Agency (CPPA) announced its plans to discuss California Privacy Rights Act (CPRA) draft regulations during its board meeting on June 8. Draft rules cover making recognition of global opt-out signals mandatory (rather than optional per the CPRA’s text) and the CPPA’s noted problem of consumer choice via cookie management tools not meeting standards to constitute an opt-out request or request to limit the use of sensitive personal data.

New state privacy laws could leave big holes for security issues

Some state consumer privacy laws, such as Connecticut and Virginia’s laws, have been criticized for leaving personal data without security coverage by excluding cybersecurity requirements from large areas of data. Their use of exceptions language could make it so that much is left excluded from security requirements.

Cookie	Duration	Description
__cfruid	session	Set by Cloudflare. Cookie associated with sites using CloudFlare, used to identify trusted web traffic. Learn more about Cloudflare cookies.
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
cf_clearance	session	Set by Cloudflare. Used to verify user is not a bot. Learn more about Cloudflare cookies.
hubspotutk	1 year	Set by HubSpot. This cookie keeps track of a visitor’s identity. It is passed to HubSpot on form submission and used when deduplicating contacts.

Cookie	Duration	Description
__hssc	30 minutes	Set by HubSpot. This cookie keeps track of sessions. This is used to determine if HubSpot should increment the session number and timestamps in the __hstc cookie. It contains the domain, viewCount (increments each pageView in a session), and session start timestamp.
__hssrc	session	Set by HubSpot. Whenever HubSpot changes the session cookie, this cookie is also set to determine if the visitor has restarted their browser. If this cookie does not exist when HubSpot manages cookies, it is considered a new session.
__hstc	13 months	Set by HubSpot. The main cookie for tracking visitors. It contains the domain, utk, initial timestamp (first visit), last timestamp (last visit), current timestamp (this visit), and session number (increments for each subsequent session).

Cookie	Duration	Description
_ga	2 years	Set by Google. Used to distinguish users on the Google Analytics platform. Google’s policies can be viewed here.
_ga_RJQRHRDJNC	2 years	Set by Google. Used to persist session state. Google’s policies can be viewed here.
_gat_gtag	1 minute	Set by Google. Used to analyze visitor browsing habits, flow, source and other information. Google’s policies can be viewed here.
_gid	24 hours	Set by Google. Used to distinguish users on the Google Analytics platform. Google’s policies can be viewed here.

US Federal and Stateside Privacy News Roundup – June 29, 2022