Does the GDPR Need Fixing? The European Commission Weighs In
The European Commission published its second Report on the General Data Protection Regulation (GDPR) on July 25, 2024, assessing the progress of its impact and effectiveness of application since the Commission’s first Report published in June 2020. The second Report acknowledges relative success of the GDPR in protecting individuals and supporting businesses, while also highlighting areas for improvement, with further progress being called for in supporting stakeholders’ compliance efforts, clearer and more actionable guidance from data protection authorities (DPAs), and achieving more consistent interpretation and enforcement of the GDPR across EU Member States.
This blog surfaces key takeaways from the Commission’s second Report on the GDPR, with an overview and analysis of the findings from various stakeholders, including DPAs. The Report draws conclusions following the past years of GDPR enforcement and applicability, exploring enforcement and the use of cooperation and consistency mechanisms; implementation of the GDPR by Member States and an overview of the exercise of the data subject rights; the GDPR as a cornerstone of the EU’s new legislative rulebook; and international transfers and global cooperation.
1. Enforcement and the use of cooperation and consistency mechanisms are on a growth trend, bringing total fines of 4.2 billion EUR and increased use of corrective measures
In 2020, the Commission’s first Report highlighted the need for a more efficient and harmonized handling of cross-border cases across the EU, resulting in the 2023 Commission proposal for a Regulation on additional procedural rules currently being negotiated by EU legislators.
In its second Report, the Commission assessed recent enforcement activity under the GDPR, highlighting a trend of increased cooperation between DPAs, increased use of the GDPR consistency mechanism and the growing intervention of the European Data Protection Board (EDPB) via its Opinions, with the following highlights:
Almost 2400 case entries were registered in the EDPB’s information exchange system as of 3 November 2023;
Lead DPAs issued approximately 1500 draft decisions with over 990 resulting in final decisions finding GDPR infringements (as of 3 November 2023);
DPAs from 7 Member States participated in 5 joint operations; and
DPAs from 18 Member States raised 289 relevant and reasoned objections, 101 of which were raised by German authorities, with a success rate in reaching consensus varying from 15% (German authorities) to 100% (Polish DPA).
The cases submitted to dispute resolution addressed the legal bases for processing data for behavioral advertising on social media and processing children’s data online.
Regarding the consistency mechanism, the report notes that:
The EDPB has adopted 190 consistency opinions;
9 binding decisions were adopted in dispute resolution, all of them instructing the lead DPA to amend its draft decision and several resulting in significant fines;
5 DPAs adopted provisional measures under the urgency procedure (Germany, Finland, Italy, Norway and Spain); and
2 DPAs requested an urgent binding decision by the EDPB under Article 66(2) GDPR, and the EDPB ordered urgent final measures in one case.
The Commission pointed to more robust enforcement activity by DPAs in recent years. DPAs use corrective measures and adopt infringement decisions in complaint-based and own-initiative cases. The Report stated that DPAs have imposed “substantial fines in landmark cases against ‘big tech’”. In total, DPAs have imposed over 6680 fines amounting to approximately EUR 4.2 billion, with Ireland accounting for the highest total fines (EUR 2.8 billion), followed by Luxembourg (EUR 746 million) and France (EUR 131 million). Liechtenstein, Estonia, and Lithuania were reported to have imposed the lowest fines, 9600 EUR, 201000 EUR, and 435000 EUR, respectively. The highest number of fines was imposed in Germany (2106) and Spain (1596). The fewest fines were imposed in Liechtenstein (3), Iceland (15) and Finland (20). Most fines were imposed for (i) infringement of the principles of lawfulness and security of processing, (ii) infringement of the provisions related to processing of special categories of personal data, and (iii) failure to comply with individuals’ rights (Chapter III of the GDPR).
The Report showed that DPAs effectively used “amicable settlement” procedures, with over 20,000 complaints resolved, even though such procedures are not available in all Member States. This procedure was commonly used in Austria, Hungary, Luxembourg, and Ireland.
Furthermore, DPAs launched over 20,000 own-initiative investigations and collectively received over 100,000 complaints yearly. In 2022, nine DPAs received over 2000 complaints. Germany (32300), Italy (30880), Spain (15128), the Netherlands (13133), and France (12193) registered the highest number of complaints, while Liechtenstein (40), Iceland (140), and Croatia (271) registered the lowest number. The median time to handle complaints from receipt to closure ranges from 1 to 12 months.
The Report notes that German DPAs launched the highest number of own-initiative investigations, 7647 investigations, followed by Hungary with 3332, Austria with 1681 and France with 1571 investigations.
Besides fines, DPAs used corrective measures such as warnings, reprimands, and orders to comply with the GDPR. In 2022, German DPAs adopted the highest number of decisions imposing corrective measures (3261), followed by Spain (774), Lithuania (308) and Estonia (332). The lowest number of corrective measures was imposed in Liechtenstein (8), Czechia (8), Iceland (10), the Netherlands (17) and Luxembourg (22). Controllers and processors frequently challenge decisions in national courts, most commonly on procedural grounds. For instance, in Romania, all 26 decisions finding an infringement were challenged before the national court, while in the Netherlands, the rate of challenge was reported to be 23%.
2. Implementation of the GDPR by Member States continues to be fragmented
Similar to the 2020 Report, stakeholders still reported fragmentation in the national application of the GDPR, from national legislation to diverging interpretations of the GDPR by DPAs. The concerns regard in particular:
The minimum age for a child’s consent in relation to the offer of information society services to the child;
Introduction by Member States of further conditions concerning the processing of genetic data, biometric data or data concerning health; and
Processing of personal data relating to criminal convictions and offenses.
However, the Report mentions that Member States consider that a limited degree of fragmentation may be acceptable. The specification clauses provided by the GDPR remain beneficial, particularly for processing by public authorities (the Council position states that “the margins left for national legislation to define specific framework for certain type of processing activities, for example when it comes to article 85 and 86 of the GDPR regarding the freedom of expression and information and the right of public access to official documents, remain beneficial and relevant notably for public authorities given the specificity of their processing activities”).
Notably, the Report points out that the interpretation of the GDPR by national DPAs remains fragmented as DPAs continue to adopt diverging interpretations of key data protection concepts, creating legal uncertainty and disrupting the free movement of personal data. Some of the specific issues raised by stakeholders include different views on the appropriate legal basis for processing personal data, diverging opinions on whether an entity is a controller or processor, and, in some cases, DPAs not following the EDPB guidelines or publishing conflicting national guidelines. Some stakeholders also consider that certain DPAs and the EDPB adopt interpretations that deviate from the risk-based approach of the GDPR, mentioning areas such as the interpretation of anonymization, the legal bases of legitimate interest and consent, and the exceptions to the prohibition of automated individual decision-making.
The Commission highlights that it monitors the implementation of the GDPR on an ongoing basis, having launched infringement procedures against Member States on issues concerning the independence of DPAs (e.g., Belgium) or the right to an effective judicial remedy where the DPA does not handle a complaint (e.g., Finland and Sweden). The Commission also regularly requests confidential updates from DPAs on significant cross-border cases, particularly those involving large tech companies.
3. Two-thirds of Europeans have heard of the GDPR, and they are increasingly exercising their Data Subject Rights
A noteworthy mention is that individuals are increasingly familiar with and actively exercise their rights under the GDPR: 72% have heard of the GDPR, with 40% knowing what it is. Awareness is highest in Sweden (92%) and lowest in Bulgaria (59%). Additionally, 68% are aware of a DPA responsible for data protection, with 24% knowing which authority it is. Awareness of DPAs is highest in the Netherlands (82%) and lowest in Austria (56%) and Spain (58%) (2024 Eurobarometer survey as referenced by the Commission’s report). While these statistics show an increased awareness of the existence of data protection rights, understanding of the GDPR still needs to be improved, as evidenced by many trivial or unfounded complaints received by DPAs.
Nonetheless, several user-friendly digital tools have been developed to make it easier for data subjects to exercise their rights. Additionally, by adopting the Data Governance Act the Commission hopes to increase the number of such tools. Industry stakeholders have stated that the right to erasure is increasingly used, while the right to rectification and the right to object are rarely used.
Right of access: The most frequently invoked is the right to access (Art. 15 GDPR). Controllers report that they are challenged with “unfounded or excessive requests”, managing high volumes of requests, and dealing with requests unrelated to data protection. Civil society organizations note that responses to access requests are often delayed or incomplete, while the data received is not always in a readable format. Public authorities claim to have difficulties with resolving the interaction between the right of access and rules on public access to documents.
Right to portability: The Commission has adopted initiatives that facilitate easier switching between services, supporting competition, innovation, and user choice on the right to data portability. The Report makes reference to the role of the Data Act in enhancing data portability for users of smart devices, requiring products or servers to support this technically, and to the Digital Markets Act, which mandates effective data portability for users of core platform services, particularly those provided by “gatekeepers”. Other initiatives, such as the Platform Work Directive, the European Health Data Space Regulation, and the Framework for Financial Data Access Regulation, aim to bolster portability rights in specific sectors. Interestingly, the Report does not include any data on portability-related requests under the GDPR or complaints related to portability.
Right to lodge a complaint: The large number of complaints received shows that there is broad awareness of the right to lodge complaints with DPAs. However, civil society organizations continue to point out inconsistencies in how complaints are handled across Member States. The Commission maintains that its legislative proposal on procedural rules should address these issues. Regarding collective redress, although few Member States have allowed non-profit bodies to take independent action under GDPR Article 80(2), the Representative Actions Directive, effective from June 2023, is expected to harmonize this process by facilitating collective actions for GDPR breaches.
Protection of children’s data: The EU and national authorities have increasingly implemented measures to safeguard children online, notably with the introduction of the Digital Services Act and its provisions to enhance children’s privacy and safety on online platforms. This policy priority has equally been reflected in the data protection field, with DPAs working together to promote child protection in advertising and recently fining social media companies for GDPR violations when processing children’s data. Other key developments include the upcoming EDPB guidelines on children’s data processing, and the creation of a task force on age verification to support the development of an EU-wide approach to age verification, under the auspices of the Digital Services Act Board. Age verification will be included in the European Digital Identity Wallet, which should be available to all EU citizens and residents in 2026.
4. The position of DPOs and the availability of soft law tools need improvement
The Commission’s Report focuses on the GDPR’s role in establishing a level playing field, noting how companies have embraced an internal data protection culture, recognizing it as a key competitive factor, thanks to its flexible compliance framework through soft law tools such as Codes of Conduct, certification mechanisms, and standard contractual clauses (SCCs). However, several shortcomings are identified, both from the perspective of stakeholders and regulators. Companies note that the use of soft law tools needs improvement, arguing that the development of Codes of Conduct has been limited due to bureaucracy and lack of engagement from DPAs. In particular, SMEs report that, despite the benefits of tailored support by DPAs, they still perceive compliance as complex and fear enforcement, as inconsistent approaches remain across Member States. The Report calls on DPAs to engage more proactively and to provide practical tools and guidance.
EU data protection officers (DPOs) are also addressed by the Commission’s Report: despite being well-regarded as independent experts, several challenges are mentioned, such as difficulties in their appointment, lack of resources, additional non-data protection tasks, and insufficient seniority, with the EDPB calling for enhanced awareness-raising and support from DPAs to ensure that DPOs can effectively perform their duties under the GDPR.
5. The GDPR is described as a cornerstone for the EU’s new legislative rulebook in the digital sphere
Since the 2020 Report, several EU legislative initiatives have complemented or specified GDPR rules to address emerging areas, some of them being proposed specifically to enhance data sharing. The Commission highlights several files, some completed, some still under legislative action: the Digital Services Act, the Digital Markets Act, the AI Act, the Directive on Platform Work, the Political Advertising Regulation, the Interoperable Europe Act, the anti-money laundering package, the Data Governance Act, the Data Act, and the European Health Data Space. Notably, the Commission includes the proposed e-Privacy regulation among the digital policy initiatives building on the GDPR. The report highlights that all new legislation must align with the GDPR and the Court of Justice case law interpreting it.
With multiple digital rules on the horizon, cooperation across various regulatory areas, such as data protection, competition law, consumer law, and cybersecurity, is needed. In its Report, the Commission notes that close cooperation is crucial when addressing issues such as the compatibility of “pay or OK” models with EU law.
New digital regulations often establish specialized structures, such as the Digital Markets Act high-level group and the European Data Innovation Board, to coordinate enforcement. DPAs actively engage with other regulatory bodies through groups and task forces to ensure coherent and complementary actions. However, there is a need for more structured and efficient cooperation, especially for cross-border issues affecting many individuals, while ensuring that each authority remains responsible for compliance within their jurisdiction. The Report highlights that Member States should enhance national-level collaboration to support this.
6. Global ambitions continue with new adequacy decisions, trade agreements featuring data protection provisions, and enforcement cooperation agreements with third countries
The Commission assesses that, since 2020, the concept of “international transfers” under the GDPR has been updated to reflect the CJEU Schrems II ruling. That ruling clarified the level of protection provided by the different transfer instruments so that the GDPR is not undermined, and it clarified how that level of protection is to be assessed: data exporters have to consider both the safeguards set out in the transfer instrument and the relevant aspects of the legal system where the data importer is located. The Report also notes that the Schrems II ruling has been reflected in the guidance of the EDPB, which updated its “adequacy referential”.
The Commission therefore provides a comprehensive update on the next steps in its global cooperation efforts since the Schrems II ruling. Following the invalidation of the adequacy decision for the EU-US Privacy Shield, the EU and the US developed the EU-US Data Privacy Framework: the US introduced it through an Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities, and the Commission followed suit by adopting an adequacy decision, with a first review set to take place in 2024.
New adequacy decisions in conformity with the latest interpretation have also been adopted, while others are expected soon: the Commission has adopted adequacy decisions for South Korea and the UK (with a “sunset clause” expiring in 2025). Adequacy talks are ongoing with Brazil, Kenya, and international organizations such as the European Patent Organisation. The Commission is also engaging with various countries globally to expand the network of adequacy decisions. Periodic reviews of existing decisions are also taking place, the most recent being Japan in 2024. The Commission also highlights the role played by these decisions as a strategic tool for improving EU relations and promoting regulatory convergence with third countries.
The Report calls for streamlining of the BCR approval process
The Report also praises the development of additional instruments beyond adequacy decisions, such as new SCCs, which introduce updated safeguards aligning with GDPR requirements, a modular approach offering a single entry-point covering various transfer scenarios, increased flexibility for the use by multiple parties, and a practical toolbox to comply with the Schrems II decision. The SCCs were welcomed by stakeholders, with feedback indicating that the SCCs remain the most used tool for transfers by EU data exporters.
The stakeholder feedback points out that model clauses are increasingly central to global data flows, with several jurisdictions having endorsed the EU SCCs as a transfer mechanism under their own data protection laws, with limited formal adaptations to their domestic legal order (for instance, the UK and Switzerland). Other countries have also adopted model clauses that share important common features with the EU SCCs (for example, New Zealand and Argentina). Moreover, the report exemplifies the creation of model clauses by other international and regional organizations or networks, such as the Council of Europe Consultative Committee of Convention 108, the Ibero-American Data Protection Network and the Association of Southeast Asian Nations (ASEAN), noting that this opens up new opportunities to facilitate data flows between different regions based on model clauses and providing the EU-ASEAN Guide on the EU SCCs and ASEAN model clauses as a concrete example.
In addition to SCCs, binding corporate rules (BCRs) remain prominent for data transfers between members of corporate groups or among enterprises engaged in a joint economic activity: since the adoption of the GDPR, the EDPB adopted 80 positive opinions on national decisions approving BCRs. However, the report calls on DPAs to streamline the BCR approval process, which stakeholders describe as long, complex, and detrimental to their broader adoption.
Privacy and Data Protection will Continue to be Featured in Trade Agreements
Highlighting the successful inclusion of data protection safeguards in recent EU agreements with, for example, the UK and Canada, the Report argues that integrating data protection safeguards within international agreements for ensuring effective and secure data flows will continue to be featured in further agreements, highlighting the Second Additional Protocol to the Cybercrime Convention, and the EU-U.S. bilateral negotiations on an agreement on cross-border access to electronic evidence for criminal matters.
The position of the Commission as a proponent of strong provisions to protect privacy and boost digital trade at the World Trade Organization in the ongoing negotiations on the Joint Statement Initiative on electronic commerce is also highlighted, noting that since the GDPR came into force, privacy and data flow provisions have been consistently included in EU free trade agreements, notably in the EU-UK Trade and Cooperation Agreement, in the agreements with Chile, Japan and New Zealand. At the same time, discussions are ongoing with Singapore and South Korea.
The Commission plans to negotiate enforcement cooperation agreements with third countries, such as the G7 members
The Report also details that the Commission has maintained an active role in global privacy discussions at the bilateral level (i.e., with national governments, regulators, international organizations and especially EU candidate countries) and at the multilateral level (i.e., contributing to the Consultative Committee on the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108), engaging in discussions at the G20 and G7, and with regional organizations like ASEAN and the African Union). Over the following years, it remains to be seen how the Commission takes such engagement further, particularly with regard to negotiating enforcement cooperation agreements.
7. Concluding Reflections: next steps for the GDPR?
The report concludes that to achieve the twin goals of GDPR – strong protection for individuals while ensuring the free flow of personal data within the EU and safe data flows outside the EU – there needs to be a focus on:
Robust enforcement: accelerate the adoption of GDPR procedural rules;
Support: proactive support from DPAs to assist SMEs and stakeholders in GDPR compliance;
Consistency: ensure uniform GDPR interpretation and application across the EU;
Effective cooperation: enhance collaboration among regulators;
Global action: advance the Commission’s international strategy on data protection.
The Report notes that EDPB and DPAs are invited to fully use cooperation tools under the GDPR so that dispute resolution is used only as a last resort, and Member States are called to ensure that DPAs maintain full independence and receive adequate resources, including technical expertise, to address emerging technologies and new responsibilities in the context of a growing body of digital legislation. Within this ecosystem, the Commission will address the need for effective cross-regulatory cooperation to ensure consistent application of EU digital rules while respecting DPAs’ roles in the supervision of personal data processing.
Notably, after counting its successes and shortcomings in this second Report, the Commission is not calling for the reopening and updating of the GDPR.
Editors: Dr. Gabriela Zanfir-Fortuna, Bianca-Ioana Marcu
Privacy Roundup from Summer Developer Conference Season 2024
Ahh, summer. A time for hot dogs, swimming pools, and software developer conferences. For third-party application developers to deliver new tools with the best features for the lucrative fall quarter, they must have access to all the APIs and tools by the summer before. This has meant that early summer has become known as a time for announcements from the major big tech platforms.
Anyone even remotely adjacent to the tech industry can probably tell you the main takeaway emphasized by Google, Microsoft, and Apple in their respective developer conferences using just two words: Artificial Intelligence. If the last couple of years have been building hype for AI, this summer’s developer conference season may be seen as a turning point from research to reality, as all three companies emphasized significant investments to bring AI to practically every platform. Google, Microsoft, and Apple all announced major new developments and initiatives around AI that impact privacy.
Taken holistically, three main takeaways emerge for privacy professionals from the announcements made this summer, and we’re going to cover each of them. First, every platform will have some AI integrations that require privacy risk analysis. Second, privacy risks from AI are more likely to be realized because AI will be an integrated system-level feature rather than an application-level or user-level add-on. Third, major privacy-relevant announcements were not limited to AI, but include changes to password management and advertising on Apple systems.
AI is front and center for all platforms, with a significant focus on hardware advancements that can limit privacy risks
Google, Microsoft, and Apple each advanced a vision of multi-model AI as a central focus for developers and users of their platforms, including through deep integrations of AI into existing software and hardware. As the platforms prioritize AI, these updates will also impact the shape of privacy protections that users expect in years to come. For example, smaller AI models that can be executed locally and hardware advancements that enable on-device processing can limit privacy risks by eliminating the need to share data with cloud providers or third parties to take advantage of AI capabilities.
Google’s vision presented at I/O emphasized their development of LLMs at a variety of sizes, from Gemini Ultra (a large but slow model capable of handling inputs with multiple millions of tokens) to Gemini Flash (a lightweight, fast, and efficient model that is only capable of handling more limited inputs). Google also announced a series of LLM-based AI models designed to fill the gap between these two, including a general purpose model (Gemini Pro); an embeddable model that will be built directly into Google’s Chrome browser and could allow web developers to perform queries without requiring a network connection (Gemini Nano); a text-to-video generation model (Veo); and a new iteration on their text-to-image generation model (Imagen 3). Google engineers have also announced several open models (Gemma 2B and 7B; CodeGemma; and PaliGemma). The privacy tradeoff of model size is this: the smaller the model, the easier it is to operate locally. Large models are more efficiently operated in a cloud environment as a service, requiring data to be transferred to a third-party.
Google also emphasized the capabilities of each of their models. With the exception of Veo and Imagen 3, Google’s models are natively multi-modal. Multi-modality means that each tool will have the capacity to interact in text, images, audio, or other input modalities. This shift is part of a larger trend of integrating AI into a variety of form factors, which also brings new challenges related to transparency and accuracy. Google also emphasized context size for each model. Context size refers to the amount of data that can be provided to an AI model, with a larger context size generally leading to more coherent and responsive results. Sissie Hsiao said during the Google I/O Keynote that this large context window will allow people to “tackle complex problems that were previously unimaginable.” The more capable the model, the more data privacy concerns are implicated, because a more capable model can treat a wider range of data as valid inputs.
Each company made this clear and outlined the implications for developers using their tools. For example, any cloud-based approach to AI highlights the fundamental privacy tension at the core of AI-based computing: the more data the AI has access to, the better the results it can provide. On-device processing limits the personal data sent to third parties to produce AI-based results. An on-device approach is limited by the model size and the computational capabilities of the hardware, but it can handle less complex queries with fewer privacy and security implications. Based on the announcements and developer tool lineups, all three companies understand and are attempting to account for these tradeoffs.
More AI tools being integrated as system-level features will bring novel privacy challenges for platforms
Google, Microsoft, and Apple have laid out a vision of AI that is deeply integrated into many products and features, including many system-level integrations. System-level integration, whether done with embedded AI models, hardware-supported AI, or operating system integrations, may bring benefits to both developers and users. Users may benefit from system-level summarization or re-writing tools, for example. Developers unfamiliar with AI but using system-provided software developer kits may be able to incorporate these integrations with minimal configuration and coding. At the same time, system-level AI integrations add challenges for platforms seeking to navigate how to communicate and record consent preferences for the flow of information needed to power such features, particularly in the context of workplace-assigned or government-assigned devices.
Microsoft’s hardware integrations and Windows integrations were central to their pitch to developers on their support for AI. Let’s start with hardware integration, because more AI-capable local hardware means less data would have to leave the device for third-party AI services. Microsoft is using the Snapdragon X Elite and Snapdragon X Pro line of chips in their newly announced Copilot+ PCs and Surface Pro devices. For comparison, Apple’s M4 Neural Engine is capable of 38 trillion operations per second, whereas the neural processing unit in the Snapdragon X Elite is capable of 45 trillion operations per second. Microsoft’s support for and inclusion of this line of chips in their upcoming products signals both their seriousness about hardware integration for AI tasks and their recognition that on-device processing is a win for privacy and security.
The other clear focus of Microsoft’s announcements is Windows integration. Building AI into the operating system makes it easier for developers to take advantage of the technology and easier for users to have consistent expectations about how their data will be used. Nadella compared their announcement of the Windows Copilot Runtime, which is a system-level set of libraries that software developers can use to integrate AI into their native Windows applications, to the Win32 libraries that have been core to Windows application development since the mid 1990s. Better integration of AI leads to more use of AI, raising the stakes of AI-focused privacy risk analysis.
Similarly, Apple’s on-device processing can be seen in a handful of tools, including Image Playground, a tool for generating images in a restricted set of styles that is available system-wide and accessible anywhere that an image could serve as a valid input, including Messages. Apple also introduced on-device, system-wide, text tools for language, including proofreading, rewriting, and summarizing text. On-device photo and video editing and curation tools round out their consumer-facing take on AI. Note that these on-device AI examples are less open-ended and more task- or use case-oriented, making privacy tradeoffs clearer.
Apple’s changes to Siri are perhaps the clearest example of Apple’s focus on system integration. Siri, first released in 2011, is getting major changes to support a more integrated user experience, with two clear privacy protections for cloud-based AI. The first is Private Cloud Compute, which runs requests that exceed the device’s capabilities on Apple-operated servers designed so that the data is used only to satisfy that request and is not retained. The details of this architecture are complex, but the goal is simple: to provide the most trustworthy “Apple Intelligence” experience possible. The second protection relates to Apple’s announced partnership with OpenAI to handle queries that cannot be performed within the Apple Intelligence ecosystem. Siri will prompt users before sending any data or queries to OpenAI, making users aware of any OpenAI processing before it happens.
Key data privacy principles, including data minimization, purpose limitation, and respect for data context (i.e., recognition of data as sensitive or non-sensitive) can sometimes be in direct tension with always-accessible AI services, particularly those that would send input information to third-party servers as context for an AI prompt. In some cases, AI features being announced will rely on strictly on-device processing or processing within a trusted execution environment. In others, however, the data may be sent to the platform to process queries or requests, but that transfer may not always be obvious with respect to basic system-level integrations, even if the transfer may contain confidential or personal information that would implicate data protection laws.
As AI services are more widely used, the amount and scope of data provided to them as user queries from the products and systems that support them will grow. That raises overall organizational risk while making on-device processing a more valuable mitigation. Privacy professionals will have to consider carefully whether and how to enable these services for their organizations, especially on workplace and government-assigned devices, while individuals will have to be cognizant of what data their interactions with AI interfaces send off the device, particularly when working on a business-owned computer.
Major privacy announcements aren’t limited to AI
Amongst so much AI-related news, there were two significant announcements from Apple unrelated to AI but that directly impact privacy: Apple Passwords, and AdAttributionKit.
Apple introduced a new Passwords application, which surfaces the credentials previously managed through iCloud Keychain in a standalone app and competes more directly with third-party password managers like LastPass and 1Password. Anyone interested in locking or hiding applications on their iOS device will soon be able to hand their phone to someone else and be assured that sensitive data and applications remain protected. Passkeys will get another opportunity to replace passwords, as Apple will enable by default a feature that automatically upgrades saved passwords to passkeys on iOS and macOS.
Finally, an Apple announcement with serious impact for privacy professionals: Apple introduced AdAttributionKit, a new approach to advertising attribution on both iOS and the web. It can be configured to interoperate with SKAdNetwork, but it has been widely read as the successor to all of SKAdNetwork’s attribution functions. All data involved is subject to “crowd anonymity,” Apple’s approach to privacy protection that adds statistical noise to potentially identifiable data so that individual users cannot be singled out from attribution reports. Apple has also made the framework app-store-agnostic, which means it should allow attribution for advertisements in apps installed via alternative app marketplaces. This aligns with efforts from other large platforms to find advertising solutions that are less reliant on sharing third-party data across the advertising ecosystem. At the same time, it solidifies some of the differences between Apple’s approach and that taken by Google, which recently announced a shift in direction on deprecating third-party cookies.
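To make the “statistical noise” idea concrete, here is an added example (not Apple’s code, and not a description of how AdAttributionKit or crowd anonymity is actually implemented) that applies the standard Laplace mechanism to per-campaign conversion counts before they are reported. The campaign names and counts are constructed sample data; the assumption that each user contributes at most one conversion per campaign is what makes the count’s sensitivity 1 and is stated in the code.

```python
import math
import random
from typing import Dict, Optional

# Constructed sample input: per-campaign conversion counts of the kind an
# attribution postback might aggregate. "niche_test" has a single conversion,
# which reported exactly would single out that one user.
SAMPLE_CONVERSIONS: Dict[str, int] = {
    "spring_sale": 412,
    "retargeting_b": 37,
    "niche_test": 1,
}


def laplace_scale(epsilon: float, sensitivity: float = 1.0) -> float:
    """Noise scale b for the Laplace mechanism: b = sensitivity / epsilon.

    Smaller epsilon means stronger privacy and larger expected error
    (the mean absolute error of Laplace noise equals b).
    """
    if epsilon <= 0:
        raise ValueError("epsilon must be positive")
    return sensitivity / epsilon


def laplace_noise(scale: float, rng: random.Random) -> float:
    """Draw one sample from Laplace(0, scale) by inverse-CDF sampling."""
    u = rng.random() - 0.5               # uniform in [-0.5, 0.5)
    abs_u = min(abs(u), 0.5 - 1e-12)     # guard log(0) at the boundary
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs_u)


def noisy_counts(
    counts: Dict[str, int], epsilon: float, seed: Optional[int] = None
) -> Dict[str, int]:
    """Release counts under epsilon-differential privacy (Laplace mechanism).

    Assumption (stated, not from the page): each user contributes at most one
    conversion per campaign, so adding or removing one user changes each
    count by at most 1 (L1 sensitivity 1). Rounding and clamping to >= 0 are
    post-processing and do not weaken the guarantee.
    """
    scale = laplace_scale(epsilon, sensitivity=1.0)
    rng = random.Random(seed)
    released: Dict[str, int] = {}
    for campaign, true_count in counts.items():
        noisy = true_count + laplace_noise(scale, rng)
        released[campaign] = max(0, int(round(noisy)))
    return released


def expected_error(epsilon: float) -> float:
    """Expected absolute error per count, for judging the utility trade-off."""
    return laplace_scale(epsilon)


if __name__ == "__main__":
    for eps in (0.1, 1.0, 10.0):
        print(f"epsilon={eps:<4} expected_error={expected_error(eps):.1f} "
              f"report={noisy_counts(SAMPLE_CONVERSIONS, eps, seed=7)}")
```

The low-volume campaign is the interesting row: at epsilon 0.1 its reported count is dominated by noise, so the report no longer reveals whether that one user converted, while the high-volume campaign stays useful because its relative error is small. The same trade-off (small cohorts get coarse or uninformative reports, large cohorts get accurate ones) is what any noise-based attribution scheme has to make explicit to advertisers.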
Summary
Major developer conferences showcased AI as the dominant theme this summer, with Google, Microsoft, and Apple each announcing significant AI integrations across their platforms. Privacy professionals face challenges in assessing AI-related privacy risks, and those challenges must be addressed as AI transitions from isolated applications into deeply embedded system functions.
FPF Highlights Intersection of AI, Privacy, and Civil Rights in Response to California’s Proposed Employment Regulations
On July 18, the Future of Privacy Forum submitted comments to the California Civil Rights Council (Council) in response to their proposed modifications to the state Fair Employment and Housing Act (FEHA) regarding automated-decision systems (ADS). As one of the first state agencies in the U.S. to advance modernized employment regulations to account for automated-decision systems, the Council is likely to influence how other states, regulators, and policymakers consider how existing civil rights and data privacy laws apply to artificial intelligence.
In order for these regulations to provide clarity and constructive guidance within existing laws and frameworks for organizations and individuals alike, including California’s consumer privacy laws, FPF provided four recommendations to the Council:
1. Definition Alignment: The Council’s definition of “automated decision system” should align with similar regulations at the state and federal levels to facilitate greater clarity and compliance.
2. Role-Specific Responsibilities: The Council should create legal standards for when a developer of an AI system becomes an agent or employment agency, accounting for role-specific responsibilities and capabilities in the AI system lifecycle.
3. Data Retention and Privacy: Data retention and record-keeping requirements should be reasonable and align with California consumers’ rights to data privacy and data minimization.
4. Additional AI Governance Measures: The Council should conduct additional inquiries about the use of ADS and existing civil rights laws, including assessing whether automated systems are fit for purpose.
Each is summarized below in brief. For more information, you can read FPF’s full comments to the Council here.
Definition Alignment
With at least four California state governing bodies—the Council, California Privacy Protection Agency, California Government Operations Agency, and the California Legislature—considering regulatory actions on automated decision-making technology, consistent terminology across regulations enhances AI governance and prevents conflicts that could arise from divergent definitions. To ensure focus and regulatory efforts are targeted toward technologies that play an impactful role in individuals’ rights, FPF recommended alignment with definitions from Government Code § 11546.45.51, the CPPA Draft Regulations, and Assembly Bill 2930 that require the ADS role be “substantial” to the decision-making process.
Council (proposed FEHA modifications): “A computational process that screens, evaluates, categorizes, recommends, or otherwise makes a decision or facilitates human decisionmaking that impacts applicants or employees.”
CPPA Draft Regulations: “Any technology that processes personal information and uses computation to execute a decision, replace human decision-making, or substantially facilitate human decisionmaking.”
Government Code: “‘High-risk automated decision system’ means an automated decision system that is used to assist or replace human discretionary decisions that have a legal or similarly significant effect, including decisions that materially impact access to, or approval for, housing or accommodations, education, employment, credit, health care, and criminal justice.”
Assembly Bill 2930: “A system or service that uses artificial intelligence and has been specifically developed to, or specifically modified to, make, or be a substantial factor in making, consequential decisions.”
Role-Specific Responsibilities
ADS governance structures and corresponding accountability mechanisms should account for developers’ and deployers’ role-specific responsibilities. As explained in FPF’s Best Practices for AI and Workplace Assessment Technologies, “Developers and Deployers each have important roles in ensuring that Individuals understand when — and to what extent — AI tools have Consequential Impacts…[and p]articular disclosures should be provided by the entity that is best positioned to develop the content of the disclosure and communicate it to Individuals.” Establishing a legal standard in the proposed modifications would help clarify the degree of involvement, control, and influence required for an AI developer to become accountable for discriminatory outcomes based on the role and capability-specific responsibilities of developers and deployers and their relationship with one another.
Data Retention and Privacy
To minimize the risk of individuals’ personal data being misused or breached and uphold California citizens’ privacy rights, FPF recommends the Council should align and clarify the proposed regulations’ record and data retention requirements with existing privacy rights and obligations under the California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA), and regulations set forth by the CPPA. As proposed, the modifications’ retention requirements for employers and developers may not only violate California data minimization principles, but they also raise questions about whether they are meant to override or cede to existing California privacy rights to delete such data or opt-out of automated decisionmaking technology.
Additional AI Governance Measures
Finally, ADS should not perpetuate discrimination or exacerbate harm, but updates to existing employment regulations may not be enough to mitigate all forms of discriminatory conduct or provide sufficient guidance. We recommend that the Council make additional inquiries to understand the use of ADS and the impact of existing civil rights laws. To prevent discriminatory effects and overall harm, AI tools must be validated and tested to ensure they solve the problems they are designed for. FPF acknowledges that discrimination can arise not only from faulty or inaccurate systems but simply because an AI system is not fit for its intended purpose. Accordingly, the Council should consider existing AI governance measures, such as “fit for purpose” tests, that further support civil rights protections and account for the limitations of AI.
FPF Responds to the Federal Election Commission Decision on the use of AI in Political Campaign Advertising
The Federal Election Commission’s (FEC) abandoned rulemaking presented an opportunity to better protect the integrity of elections and campaigns, as well as to preserve and increase public trust in the growing use of AI by candidates and in campaigns. When generative AI is used carefully and responsibly, it can reach different segments of the population and address the needs and concerns of specific groups and populations. However, generative AI also carries the potential to erode public trust and damage the integrity of campaigns, elections, and campaign communications. The FEC must consider opportunities to encourage the responsible use of generative AI to mitigate the risks that it may pose to democracy, including its potential to amplify pre-existing discrimination and inequitable practices.
– Amie Stepanovich, VP for U.S. Policy, Future of Privacy Forum
FPF previously submitted comments to the FEC on the use of AI in campaign ads, drawing from an op-ed by FPF’s VP for U.S. Policy, Amie Stepanovich & Policy Counsel for AI, Amber Ezzell, in which they explained how generative AI can be used to manipulate voters and election outcomes, and the benefits to voters and candidates when generative AI tools are deployed ethically and responsibly.
Singapore’s PDP Week 2024: FPF highlights include a hands-on workshop on practical Generative AI governance and a panel on India’s DPDPA
From July 15 to 18, 2024, the Future of Privacy Forum (FPF) participated in Personal Data Protection Week 2024 (PDP Week), an event organized and hosted by the Personal Data Protection Commission of Singapore (PDPC) at the Marina Bay Sands Expo and Convention Centre in Singapore.
As with PDP Weeks of previous years, programming during PDP Week 2024 combined PDPC events with the International Association of Privacy Professionals (IAPP)’s annual Asia Privacy Forum. However, for the first time, the PDPC also scheduled its annual Summit on Privacy-Enhancing Technologies (PETs) in the Asia-Pacific (APAC) region during PDP Week.
Throughout the week’s events, FPF fostered robust discussions on data protection issues arising from new and emerging technologies, including generative AI. Below is a comprehensive summary of our participation and key takeaways from these significant engagements.
1. FPF, with the support of PDPC, hosted a hands-on workshop to equip regional privacy professionals with practical knowledge on the complexities of generative AI governance in the APAC region.
On July 15, 2024, with the support of PDPC, FPF hosted a hands-on workshop titled “Governance Frameworks for Generative AI: Navigating the Complexities in Practice.” This event aimed to equip members of the regional data protection community with practical knowledge on the operational and implementation complexities of generative AI governance. It drew upon the findings from FPF APAC’s year-long research project, “Navigating Governance Frameworks for Generative AI Systems in the Asia-Pacific,” (FPF’s GenAI Report) which explored emerging governance frameworks for generative AI in APAC.
With a full house of 70 attendees, the workshop addressed rising concerns surrounding generative AI deployment risks, particularly in AI governance and data protection, highlighting guidelines and frameworks issued by data protection regulators across the APAC region. Participants engaged in dynamic discussions regarding AI and participated in a practical exercise, gaining invaluable insights into navigating the intricate landscape of generative AI governance.
Josh Lee Kok Thong, Managing Director of FPF APAC, hosted the entire event, which began with an introduction to FPF’s Center for AI by Anne J. Flanagan, FPF’s Vice President for AI. The event was structured in two parts: (1) an informational segment featuring presentations and a panel discussion; followed by (2) a practical, hands-on workshop.
1.1 The informational segment featured presentations by FPF and IMDA, as well as insights from industry and practice.
The informational segment included two presentations:
Dominic Paulger, Policy Manager for APAC at FPF, shared key findings and takeaways from FPF’s GenAI Report.
Darshini Ramiah, Manager (AI & Data Innovation) at the Infocomm Media Development Authority of Singapore (IMDA), provided an overview of Singapore’s Model AI Governance Framework for Generative AI, released in May 2024.
The industry sharing session that followed focused on key aspects of generative AI governance and deployment. The experts featured in this segment included:
Barbara Cosgrove, Vice President, Chief Privacy Officer at Workday;
David N. Alfred, Director and Co-Head of Data Protection, Privacy, and Cybersecurity at Drew & Napier; and
Lee Matheson, Senior Counsel for Global Privacy at FPF.
The experts discussed strategies for selecting AI service providers, emphasizing the importance of internal policies and risk assessment. The panelists argued that while AI introduces new technologies and applications, it ultimately functions similarly to other systems and services, allowing companies to leverage existing frameworks for compliance and risk management. The panelists additionally noted that many existing laws and regulations will remain applicable to AI systems, including those governing the professional liabilities of users of AI systems.
A key theme from the discussion was identifying red flags when engaging with AI service providers. A major red flag raised by one panelist was when a buyer or seller lacks a thorough understanding of the AI system they are discussing. The panelists agreed that it is crucial for both sides to be well-informed about the technology and its implications, and to beware potential AI vendors that could not provide in-depth explanations of their products.
The discussion emphasized the need for transparency and communication between companies and their vendors. Companies should seek vendors willing to engage in open conversations about their practices, rather than those claiming 100% compliance without discussion. Instead of relying solely on standard certifications, companies should request detailed information, such as data sheets or labeling, to understand the specific practices of their AI service providers.
Further, panelists considered transparency and communication crucial at multiple levels within the AI ecosystem. When AI service providers purchase hardware to run AI models, both buyer and provider need to be aware of the data sources and datasets involved, as these factors could impact their liability.
For effective use of generative AI products, the panelists agreed on the importance of establishing a governance framework within an organization. This includes having clear guidelines for the responsible use of AI, such as for managing confidential and personal information. If a company has an acceptable use policy, it should ensure that its communication strategies are consistent with such a policy. Panelists also noted that managing vendor relationships can be complex, necessitating clear contractual agreements and governance structures.
Panelists highlighted early-stage considerations for companies developing or deploying AI systems. They considered that security-by-design and privacy-by-design should be starting points for AI development and deployment. Engaging legal, regulatory, and compliance teams early in the process is essential for comprehensive risk management.
The discussion highlighted the similarities between data protection principles and AI governance. Key data protection concepts, such as accuracy, minimization, and purpose limitation, are also relevant to AI data governance. Panelists emphasized that while data scientists and analysts may not always view their work through a legal lens, their activities often fall within data protection requirements.
The discussion concluded with insights on managing training data and model improvement while balancing innovation with ethical and regulatory compliance across international jurisdictions.
Photo: Industry sharing segment of the workshop on key aspects of generative AI governance and deployment, July 15, 2024. (L-R) Barbara Cosgrove, Lee Matheson and David N. Alfred.
1.2 The hands-on portion of the workshop engaged participants in a group exercise based on a realistic hypothetical scenario.
The final segment of the workshop engaged participants in a practical group exercise exploring the implementation of a hypothetical generative AI application modeled after ChatGPT by a fictitious private education services provider. Participants were divided into groups representing specific stakeholders relevant to the AI deployment lifecycle, such as the developer, deployer and user of the application, or a regulator, employee or in-house legal counsel. Each group was tasked with identifying and addressing potential concerns and risk areas from the perspective of their stakeholder. These discussions fostered a comprehensive understanding of the challenges posed by generative AI applications and provided valuable insights and a hands-on experience for organizations aiming to develop or deploy generative AI responsibly and in compliance with regulatory frameworks in the APAC region.
Photo: Participants presenting major takeaways from their table discussions, July 15, 2024.
Photo: Closing the workshop with a group photo of the FPF team, July 15, 2024. (L-R) First row: Bilal Mohamed, Anne J. Flanagan, Josh Lee, Sakshi Shivhare, Brendan Tan. (L-R) Second row: Lee Matheson and Dominic Paulger.
2. At the IAPP Asia Privacy Forum, FPF organized a panel to examine India’s landmark data protection legislation, and also participated in a panel on data sovereignty.
2.1. On July 18, FPF organized a panel titled “Demystifying India’s Digital Personal Data Protection Act”.
This panel was moderated by Bilal Mohamed, Policy Analyst for FPF’s Global Privacy Team, and featured as panelists:
Rakesh Maheshwari, formerly Senior Director and Group Coordinator (Cyber Laws and Data Governance), Ministry of Electronics and IT of India (MeitY), providing a regulator’s perspective;
Nehaa Chaudhari, Partner and head of the advisory and public policy practice at Ikigai Law, providing perspectives from the legal sector; and
Ashish Aggarwal, Vice President, Public Policy at nasscom, providing industry perspectives.
The panelists examined India’s landmark legislation, the Digital Personal Data Protection Act 2023 (DPDPA), covering familiar concepts like notice and consent, data subject rights, data breaches, and cross-border data transfers, as well as new features of the law like significant data fiduciaries and consent managers.
Rakesh Maheshwari provided insights into MeitY’s thinking behind several key provisions of the DPDPA. On children’s privacy, he explained that the Government was concerned with ensuring the safety of children who access online platforms and so set the threshold for parental consent at 18 by default. However, he also highlighted that the DPDPA’s children’s privacy provisions are flexible: if platforms demonstrate that they process children’s personal data safely, then the age threshold could potentially be lowered. Rakesh also explained that consent managers are intended to centralize management of consent across multiple, fragmented sources of data, such as health data from labs, hospitals, and clinics, while ensuring data protection and giving data subjects control over how their data is processed. He further addressed the relationship between MeitY and the Data Protection Board, clarifying that while the Government will establish subordinate rules to the DPDPA, the Board will act independently as an adjudicator. He emphasized the importance of close cooperation and harmonized operations between the Board and the Government.
Nehaa Chaudhari discussed the industry’s proactive approach to compliance, noting that many businesses in India have already started the compliance process, focusing on data mapping and proactively obtaining consent from data subjects. She highlighted the industry’s hope for clarity on certain aspects of the DPDPA, particularly concerning children’s data and verifiable parental consent. She described two key aspects for verifying parental consent: obtaining the parent’s consent and establishing the parent-child relationship. Businesses are exploring various models and technological tools to address these requirements, such as the adequacy of using checkboxes for consent. She also pointed out that the DPDPA does not impose explicit duties on data processors and instead, allows data controllers and processors to determine their respective responsibilities through contractual arrangements. While the DPDPA provides a baseline for compliance, Nehaa emphasized that sector-specific regulations might impose heightened obligations.
Ashish Aggarwal provided insights into how ready nasscom’s 3,000+ member companies are to comply with the DPDPA. He explained that business-to-business (B2B) companies that already comply with the GDPR could become DPDPA-compliant in around six months as such companies should already have completed data mapping. However, he noted that for business-to-consumer (B2C) companies, GDPR compliance alone may not be sufficient as there are significant differences between the GDPR and DPDPA. He highlighted that some provisions of the DPDPA (especially breach notifications) still require clarification under forthcoming subordinate rules to the DPDPA. However, he did not expect that these rules would be as comprehensive as GDPR.
Overall, the panel provided substantial insights into the challenges and opportunities presented by the DPDPA, offering actionable advice for navigating this new regulatory landscape.
Photo: FPF Panel on Demystifying India’s Digital Personal Data Protection Act, July 18, 2024. (L-R) Bilal Mohamed, Ashish Aggarwal, Rakesh Maheshwari, and Nehaa Chaudhari.
2.2 On July 17, FPF APAC Managing Director Josh Lee Kok Thong contributed to a panel on “Data Sovereignty: Nebulous and Evolving, But Here to Stay in 2024?”.
This panel delved into the complexities of data residency, data sovereignty, data localization, and cross-border data transfers within APAC’s evolving governance structures. The speakers explored the impact of data and privacy laws, noting the complexities added by data localization requirements and the diverse approaches of countries like China, Indonesia, India, and Vietnam.
Josh provided an overview of cross-border data flows in the APAC region, highlighting the concept of data sovereignty. He drew a distinction between “data sovereignty” – a conceptual framework for looking at data transfers – and “data localization” – a set of requirements rooted in laws or policies.
Photo: FPF APAC represented by Josh Lee on a panel on Data Sovereignty: Nebulous and Evolving, But Here to Stay in 2024? July 17, 2024. (L-R) Charmian Aw, Josh Lee, Darren Grayson Chng, Wei Loong Siow, and Denise Wong.
3. FPF was represented in two sessions at the PETs Summit held on July 16, 2024.
3.1. FPF Vice President for AI, Anne J. Flanagan, spoke on the panel “Architecting New Real-World Products and Solutions with PETs.”
The panel discussed how companies have leveraged PETs for various use cases to innovate and create new products and solutions by participating in the IMDA’s PET Sandbox, a regulatory sandbox initiative set up by the PDPC to offer companies the opportunity to collaborate with PET solution providers to develop use cases and pilot PETs. Panelists offered insights into the business cases for integrating PETs and how they contributed to sustained success in an increasingly data-driven business environment.
Anne discussed the integration of PETs in AI product development, highlighting their potential to balance innovation with privacy protection. She emphasized that PETs are not a one-size-fits-all solution but rather a tool to address various privacy challenges. Anne stressed the importance of incorporating PETs within a comprehensive company framework to effectively tackle these issues. She also announced the launch of FPF’s recent report on Confidential Computing. This report offers an in-depth analysis of the technology’s role in data protection policy, detailing its fundamental aspects, applications across various sectors, and crucial policy considerations.
3.2. FPF APAC Managing Director Josh Lee Kok Thong chaired a roundtable titled “Unleashing The Data Economy: Identifying Challenges, Building Use Cases & How PETs Help Address Generative AI Concerns.”
This session focused on exploring privacy challenges in specific use cases and the application of PETs to mitigate these concerns. The roundtable delved into the data economy, individual use cases, privacy challenges, and the intersection of PETs with generative AI. Key highlights included building an AI toolbox, identifying challenges and use cases, choosing and implementing PETs, and using PETs to balance innovation with privacy.
4. FPF organized exclusive side events to foster deeper engagements with key stakeholders on July 18, 2024.
4.1 FPF hosted an invite-only Privacy Leaders’ Luncheon at Marina One West Tower.
This closed-door event also provided a platform for around 30 senior stakeholders of FPF APAC to discuss pressing challenges at the intersection of AI and privacy, with a particular focus on the APAC region. During the session, FPF Vice President for Artificial Intelligence Anne J. Flanagan introduced FPF’s new Center for AI to APAC stakeholders, highlighting our ongoing commitment to advancing AI governance.
4.2 FPF co-hosted a networking cocktail event with Rajah & Tann at Marina Bay Sands Expo and Convention Centre.
Later in the evening, on July 18, FPF APAC toasted with old and new friends and discussed the challenges and opportunities in AI and privacy. At the event, we were privileged to have the following distinguished speakers share brief remarks:
Denise Wong, Deputy Commissioner, Personal Data Protection Commission of Singapore.
Steve Tan, Deputy Head, Technology, Media & Telecommunications and Partner at Rajah & Tann.
Anne J. Flanagan, Vice President for AI at FPF.
Josh Lee Kok Thong, Managing Director of FPF APAC.
This event facilitated meaningful connections and discussions among the attendees, further strengthening FPF’s partnerships and friendships within the data protection community.
5. Conclusion
FPF is proud to showcase our significant participation in PDP Week 2024, the IAPP Asia Privacy Forum 2024, and the PETs APAC Summit, driving forward discussions on data protection and AI governance in the APAC region. FPF’s workshop on generative AI governance, insightful panel discussions, and exclusive networking events underscored our commitment to fostering collaboration and knowledge-sharing among industry, academia, regulators, and civil society.
As we look ahead, FPF remains dedicated to advancing the discourse on privacy and emerging technologies, ensuring that we continue to navigate the complexities of the digital age with a balanced and informed approach. We are grateful for the support of the PDPC, IAPP, and all our members, partners and participants who contributed to the success of these events.
Consumer Health Data Privacy Notices by the Numbers
Today, FPF is releasing an infographic that provides insights into how organizations are responding to the transparency requirements of recently enacted U.S. state health privacy laws. The infographic reflects a survey of privacy notices on the websites of 180+ companies across a variety of industries and sectors, from pharmaceutical to apparel.
Two key laws that took effect on March 31, 2024 formed the basis for the survey: Washington’s My Health, My Data Act and Nevada’s SB 370. Both laws create specific obligations for online transparency notices on websites, requiring detail about what health information is collected, although each law has a slightly different definition of health information (both include reproductive and gender-affirming care information).
The Washington ‘My Health, My Data’ Act (“MHMDA”) establishes a duty for regulated entities to maintain and adhere to a “consumer health data privacy policy” that makes a specific set of disclosures and to “prominently publish” a link to this policy on its homepage. WA MHMDA defines health information as “personally identifiable information that is linked or reasonably capable of being linked to a consumer” and “identifies the consumer’s past, present, or future physical or mental health status.”
Chapter 603A of the Nevada Revised Statutes (“NV SB 370”) establishes a duty for regulated entities to develop and maintain a consumer health data privacy policy that “clearly and conspicuously” makes a specific set of disclosures. The law defines a use-based range of “consumer health data” that applies to information that a regulated entity “uses to identify the past, present or future health status of the consumer,” excluding certain personal information concerning consumer shopping habits and interests.
Of the 180+ companies surveyed, 40% of the websites had a consumer health data notice or policy. When consulting the general privacy notice or policy, 62% of organizations provided notice that some form of health data was collected within the relevant statutory definitions. Several policies explicitly stated that no health data “as defined by state laws” was collected, used, or sold. Although many consider WA MHMDA to require a standalone notice, 40% of the websites that had a notice bundled information related to MHMDA and NV SB 370 into the same text (e.g., MHMDA “and similar laws”).
Other findings:
Each industry, taken separately, showed an even or nearly even split between websites with and without a notice (e.g., in a subsample of ten retailers, five had a notice and five did not). The exception was pharmaceutical and life sciences companies, where 90% of surveyed websites had notices.
For 70% of surveyed websites that included notices, the notice was linked in the homepage footer; two websites also linked to their notice from the consent or cookie banner.
15% of websites with notices had entirely separate and explicit policies for WA MHMDA and NV SB 370.
87% of companies surveyed that are headquartered in Washington State had notices on their websites.
These data provide a bird’s-eye view of the landscape of approaches to transparency around consumer health data. Privacy leaders may use these metrics to compare their approach to publishing privacy notices against broader industry norms, or to initiate discussion in their organizations, including on whether to create bundled or standalone notices, standalone notice webpages, or links to notices on homepages.
The data in this survey were collected April 12-17, 2024, shortly after the two relevant laws took effect. The sampled organizations represent a highly diverse range of companies, with an emphasis on companies with a health focus or a wellness component. Many thanks to Niharika Vattikonda, Angela Guo, and Jeter Sison for the tireless data work on this project!
Limitations: Data was limited to websites accessed via desktop. App interfaces were not included in the survey. No virtual private networks (VPNs) were used (e.g., a VPN based in Washington state), so any notice shown only to visitors geolocated to a particular state would not have been captured.
Please reach out to Jordan Wrigley, Data and Policy Analyst for Health & Wellness ([email protected]) to discuss these findings or to learn more about FPF Health & Wellness projects!
CPDP LatAm 2024: What is Top of Mind in Latin American Data Protection and Privacy? From data sovereignty, to PETs
On July 17-18, the fourth edition of the Computers, Privacy, and Data Protection Conference Latin America (CPDP LatAm) was held in Rio de Janeiro, Brazil. This year’s theme was on “Data Governance: From Latin America to the G20,” highlighting Brazil’s current presidency of the international cooperation forum. As in previous years, FPF participated on the ground – this year, FPF organized a panel on the adoption and deployment of privacy-enhancing technologies in the region. This blog will cover highlights from both the plenary sessions and FPF’s panel.
During the opening plenary session, panelists discussed the relevance of data governance for informational self-determination and the sustainable development of technology. The panel argued that data sovereignty and data governance should be central values in the development and regulation of technologies, in a way that empowers both nations and individuals. Panelists cautioned that in recent years some technologies have been developed without data governance frameworks and with limited accountability, leaving self-determination to individuals alone and offering no sustainable path for future development. As a result, panelists agreed data governance is likely to remain a recurring theme in G20 debates, and regulators will play an increasingly critical role in monitoring the sustainable and ethical development of technology.
During the closing plenary session, panelists reminded the audience that approving laws and regulations is just the first step in the regulatory journey. For instance, while discussing Brazil’s AI Bill (PL 2338/2023), panelists commented that the proposal provides a strong framework to regulate and monitor the deployment of AI technologies. Regardless of potential amendments to the current proposal, regulators must be aware that active implementation is the most relevant aspect of the regulatory journey.
On a separate note, panelists also discussed data governance as an essential component of digital public infrastructures (DPIs).[1] For instance, they noted DPIs became relevant after India included them as a priority during its G20 presidency. Although digital public infrastructure is still an evolving concept, it can be explored as an alternative to develop and deploy technology, while keeping a critical approach and understanding the normative values embedded in this concept. The introduction of this concept offers a reminder that other jurisdictions and regions, including Latin America, can benefit from the knowledge and experience shared by other regions like the Asia-Pacific. At the same time, panelists agreed that these references should not prevent policymakers in Latin America from thinking, analyzing, and deciding standards and mechanisms for data governance in consideration of the region’s unique social, economic, and cultural dynamics.
FPF’s Panel: Exploring the Potential of PETs in Latin America
FPF’s panel focused on the potential of privacy-enhancing technologies (PETs) to advance privacy and data protection in Latin America. During the discussion, the goal was to cover three main points: i) the state of deployment of some of these technologies; ii) policymaking and regulatory priorities; and iii) opportunities and potential limitations.
First, panelists discussed the growing popularity of PETs in recent years as a result of progress in research and computational capacity. Global policy efforts for the adoption of PETs have included the release of guidance, the creation of sandboxes, and increased investment in PETs research and development. Latin America has not been the exception, as regulators have begun to discuss the potential of PETs to help mitigate privacy risks and reduce the identifiability of data.
For instance, Brazil’s Autoridade Nacional de Proteção de Dados (ANPD) recently conducted technical studies on anonymization and pseudonymization as a basis for its forthcoming guidance. The ANPD also acted as an observer of OpenLoop, Meta’s global initiative connecting policymakers and companies to develop policies around emerging technologies and AI, a project developed separately in Brazil and Uruguay. One of the project’s findings in Brazil identifies a gap in most data protection laws (including the LGPD): a lack of an express provision covering PETs. In some cases, the connection between the law and these technologies relies on achieving data protection principles such as data minimization or complying with anonymization obligations. Panelists agreed that the need to define clear standards for anonymization is an important step for PETs adoption.
[Photo description: Pedro Sydenstricker (Nym Technologies, Brazil); Pedro Martins (Data Privacy Brasil); Maria Badillo (FPF); Thiago Moraes (ANPD); Camila Nagano (iFood)]
Relatedly, panelists discussed use cases where PETs can help with business development while preserving the privacy and utility of the data. For instance, in the food delivery service industry, panelists discussed how different techniques help obscure or eliminate personal data retrieved from customer interactions. If properly implemented, businesses can keep relevant data for analysis and improvement of services while preserving the privacy of their customers. Panelists agreed that organizations investing time and resources to integrate these types of tools not only open up new opportunities to improve user engagement and drive strategic decision-making, but also build trust, an essential component in digital transactions.
Finally, panelists briefly addressed the relevance of PETs in addressing privacy risks generated by AI. Acknowledging that AI can bring new ethical and legal challenges, they agreed on the importance of exploring the potential of different tools and techniques when adopting or developing AI models. Panelists agreed that organizations should make efforts to approve internal governance programs and guidance, invest in education and training for staff, and keep track of regulation. This, however, must be complemented with more legal certainty and guidance from regulators on how to implement PETs and AI governance more generally.
To foster dialogue and collaboration around PETs and policymaking, FPF supports the Global PETs Network for Regulators, a forum that exclusively convenes regulators worldwide. If you are interested in participating in the Network, please reach out to [email protected] or [email protected]. You can also learn more about FPF’s PETs-related work here.
[1] According to the United Nations Development Programme, there is growing consensus on defining DPIs as “a combination of (i) networked open technology standards built for public interest, (ii) enabling governance, and (iii) a community of innovative and competitive market players working to drive innovation, especially across public programmes.” Digital public infrastructure | United Nations Development Programme (visited July 2024).
FERPA Exceptions: A Study in Studies
The Family Educational Rights and Privacy Act, or FERPA, protects personally identifiable information from education records against unauthorized disclosure. The law has been affording parents privacy rights over their children’s education records for almost half a century now; indeed, the fiftieth anniversary of FERPA’s passage is this August 2024. As FERPA’s golden birthday approaches, FPF is taking a closer look at some of its finer points and how they are functioning in practice fifty years later. This blog post examines one of FERPA’s exceptions to the requirement to obtain parental consent before disclosing student personally identifiable information, the “studies exception”.[1]
Schools and Research Data Access
Given the wording of the phrase “studies exception” and that the exception allows for sharing student data with researchers under certain conditions, conflation of the studies exception with the idea of a general “research” exception is not uncommon. Perhaps this blog post even reached your attention following a search for school research laws or how research operates under FERPA. Some may be surprised to learn that there is no research exception under FERPA at all: no provision of the law allows for the general sharing of student information for research purposes without parental consent.
Though no general research exception exists under FERPA, various types of student data remain essential to a number of research objectives. Researchers may be interested in original data created and collected for a particular research project (primary research), such as interviews, focus groups, observations, and surveys,[2] or data collected through third-party applications. They may also be interested in using existing datasets (secondary research) collected as a byproduct of ordinary educational processes, such as administrative records or assessment records. Longitudinal or correlational studies built on primary or secondary data may be the first use that comes to mind when thinking about student data for research; however, an incredibly broad range of uses exists beyond the purely academic purposes often associated with researchers. Anyone with a role in improving instruction may handle student data for research. Student data can help evaluate the effectiveness of a particular assessment product. It can help EdTech vendors or community partners determine whether learning objectives are met using their product or program. It is even important for teachers conducting action research as a requirement for a Master of Education degree or writing dissertations. School employees may be responsible for designing or approving the extracts of data that researchers use. All of these research uses benefit from access to student data; below we examine the security and privacy requirements necessary to reap those benefits.
FERPA and the Studies Exception
In order to access the education record data needed for research purposes, a researcher must meet the requirements of FERPA, any state-specific laws, and district and state policies. The general rule under FERPA is that parental consent is required prior to disclosing personally identifiable information from a student’s education record unless an exception applies. Written parental consent must specify the records that may be disclosed, state the purpose of the disclosure, and identify to whom the disclosure may be made. If a researcher would like to collect new data from students, more detailed consent may be appropriate, even if an exception applies. [3]
FERPA exceptions refer to conditions or situations where it is not necessary to first obtain parental consent before disclosing personally identifiable information from a student’s education record. Parental consent is not needed to share student data under the studies exception, given that specific requirements are met. Personally identifiable information from education records may be disclosed in connection with certain studies conducted “for or on behalf of” schools, school districts, or postsecondary institutions. In order for the FERPA studies exception to apply, those studies must be for specific purposes:
the purpose of developing, validating, or administering predictive tests;
the purpose of administering student aid programs;
or the purpose of improving instruction.
Furthermore, there must also be a written agreement between the school and the researcher performing the study. The written agreements must do several things, including:
specify the purpose, scope, and duration of the study and the information to be disclosed;
and require the receiving organization (or researcher) to:
use personally identifiable information only to meet the purpose(s) of the study;
conduct the study in a manner that doesn’t permit the identification of parents or students by anyone other than representatives of the organization with legitimate interests; and
destroy the personally identifiable information upon completion of the study and specify the time period in which the information must be destroyed.
Compliance with these requirements is imperative, and noncompliance can come with repercussions. For example, if the Department of Education determines that the researcher improperly re-disclosed personally identifiable information from education records, the educational institution from which the personally identifiable information originated may not allow that researcher to access personally identifiable information from education records for at least five years. [4]
Even if the requirements for the FERPA studies exception are met, researchers are not entitled to a right to access student data. The FERPA studies exception does not function in the way that a public data request or Freedom of Information Act (FOIA) request does: there is no absolute public right for an aspiring student data researcher (or anyone, for that matter) to demand the student information they need from a school. A public data or FOIA request would also not require a school to generate data not already in existence, which would even include creating new reports from existing data, something many proposed studies would necessitate. The FERPA studies exception makes clear that the educational institution authorizing the study is not required to initiate a study, meaning a school may respond to and approve a researcher’s request, but it is not required to approve every research request and may deny them. And even if a school authorizes the use of student data for a study, the school is not required to agree with or endorse the conclusions of the study.[5]
Written Agreements
School districts tasked with creating a written agreement that complies with the FERPA studies exception requirements need not start entirely from scratch: excellent resources exist to help with this task. The United States Department of Education has provided guidance on best practices for the written agreements required under the studies exception to FERPA. Its guidance includes a number of recommendations for navigating these agreements, such as recommending that the written agreement bind not only the organization conducting the research but also the individuals involved; include an agreement not to redisclose data collected or used for the relevant study; and specify data custodians or stewards[6] who are directly responsible for managing the relevant student data. Other best practices include clarifying ownership of the personally identifiable information from education records, identifying clear penalties for misuse or breach of contract, setting responsible and appropriate terms for data destruction, and allowing the school to review and approve reported results. Informing the public about written agreements related to school studies is also a best practice, as it promotes transparency and builds trust. The Student Data Privacy Consortium’s National Research Data Privacy Agreement (NRDPA) is a model written agreement specifically designed to standardize the various required components of the studies exception for secondary research. The NRDPA is intended to be part of, not a replacement for, a district’s broader research data approval policy. Before simply adopting the NRDPA, districts should review it with their general counsel to see how it will support their existing research policies.
School District Research Policies
Administrative procedures already exist in many cases to support compliance with FERPA for research data requests, and most schools already have policies in place for research approval. Though researchers may be versed in research ethics, they may not know the basics of student privacy: they may not be fully aware of the privacy and security risks to students, or of the potential for harm from misusing or improperly sharing student data. And though a university study will likely be guided by an Institutional Review Board (IRB) policy to ensure that the research is legally compliant, ethical, and protective of its participants, this may not be enough to protect student privacy. IRBs may interpret FERPA narrowly,[7] and some types of research, such as big data research, may be exempt from IRB approval and involve data subjects from whom informed consent is nearly impossible to obtain. Robust school district research policies are one way to help protect student data privacy while still benefiting from student data research.
Research policies may include guidelines for collecting primary research data and requesting secondary data, strong definitions, and the applicable legal frameworks, as in Chicago Public School District’s Guidelines for External Research and Data Collection. Policies may also indicate who may conduct research, what to do in the case of a conflict of interest, and how the research proposal and approval process works, as in Boston Public Schools’ Policy and Guidelines for Conducting Educational Research. As the risks of harm from misusing student data are high, some districts’ policies, such as Palm Beach County Schools’ research policy, even require researchers who will be collecting or accessing students’ personally identifiable information to undergo background screening and provide evidence of good moral character.
Researchers hoping to work with a specific school district should search for or inquire after the district’s research policy. School districts without existing research policies should strongly consider creating one, paying close attention to FERPA requirements and to supporting student data privacy and security: the National Forum on Education Statistics has guides for supporting data access for researchers, both from a Local Education Agency Perspective and from a State Education Agency Perspective.
In Conclusion
Research conducted using student data is done for a wide range of purposes and, when done well and safely, can provide an equally wide range of benefits. Research can support individual learners and student success, and better inform decision-making, such as building a curriculum or developing a new instructional program. Before working with a school to collect new data or use existing data, researchers should think critically about the type of data they want and, more importantly, the type of data they really need. Is student personally identifiable information really necessary for the study, or would aggregate data be sufficient? Would de-identified data?[8] Researchers should work closely with schools to support student data privacy, strictly abide by school research policies, and implement recommended best practices under the FERPA studies exception. School districts that agree to share student data with researchers should develop and maintain strong research policies, developed with both FERPA compliance and student data privacy and security in mind. Fifty years of FERPA has taught us that commitment to these practices from both participating schools and researchers can help support student data privacy for the next fifty years as well.
Contextualizing the Kids Online Safety and Privacy Act: A Deep Dive into the Federal Kids Bill
Co-authored by Nick Alereza, FPF Policy Intern and student at Boston University School of Law. With contributions from Jordan Francis.
On July 30, 2024, the U.S. Senate passed the Kids Online Safety and Privacy Act (KOSPA) by a vote of 91-3. KOSPA is a legislative package that includes two bills that gained significant traction in the Senate in recent years—the Kids Online Safety Act (KOSA), which was first introduced in 2022, and the Children and Teens Online Privacy Protection Act (“COPPA 2.0”), which was first introduced in 2019. KOSPA contains new provisions and a variety of provisions that would amend, and in some cases augment, the United States’ well-established existing federal children’s privacy law, the Children’s Online Privacy Protection Act (COPPA).
KOSPA’s passage in the Senate marks the most substantial advancement in federal privacy legislation in decades. In just the last two years, the children and teens’ privacy and online safety landscape has seen a flurry of activity. The federal executive branch has been active through efforts such as significant FTC enforcement actions and a report released just two weeks ago from the Biden-Harris Administration’s interagency Task Force on Kids Online Health and Safety. Most notably, many states have passed laws providing heightened protections for kids and teens online, some of which have been the subject of litigation.
Amongst all this activity, the Kids Online Safety and Privacy Act takes a new approach that is unlike much of what we have seen before. Like other proposals, the bill would create heightened protections for teens, and new protections for design and safety. However, KOSPA also contains a novel knowledge standard, limited preemption, and a novel “duty of care,” along with requiring particular design safeguards and prohibiting targeted advertising to children and teens.
1. A novel knowledge standard
Similarly to COPPA, the Kids Online Safety and Privacy Act (KOSPA) would establish a two-part threshold for when companies must comply with various data protection obligations, such as access, deletion, and parental consent: when a service is “directed to children” or when the service has “actual knowledge” that an individual is a child. However, KOSPA would modify the standard in a novel way: its protections for minors would apply when a business has “actual knowledge or knowledge fairly implied on the basis of objective circumstances.”
This language is borrowed from the FTC Act’s civil penalty provision for violations of trade regulation rules, which uses the “knowledge fairly implied” standard to determine whether a company knew it was violating a rule. While the FTC is experienced in using this standard, it is new when applied to children’s privacy and online safety. Currently, there is little guidance and there are few comparable laws to help understand how “knowledge fairly implied on the basis of objective circumstances” applies specifically to the narrow question of whether a user on a website is a minor. This standard is arguably closer to constructive knowledge and may even be broader than the “willful disregard” standard used in state comprehensive privacy laws.
COPPA’s knowledge standard, or the question of what obligation a business has to figure out who on its website is a child, has long been debated. On one hand, critics of the existing standard argue that it is too narrow and that requiring actual knowledge incentivizes companies to avoid evidence that might suggest children are on their websites. On the other hand, proponents of keeping the existing standard argue that broadening the threshold would require companies to engage in too much data collection, with the unintended result of age-gating even general-audience, age-appropriate websites. In recent years, most state comprehensive privacy laws have taken the approach of using “actual knowledge or willfully disregards,” which attempts to strike a balance between the two sides of this debate.
2. Narrow preemption of state laws
Preemption, or the question of which state privacy laws will be superseded by a federal standard, is one of the biggest sticking points in federal privacy debates. Under KOSPA, preemption is narrow and would explicitly supersede only state laws that directly conflict with the Act. Additionally, the Act includes a savings clause explicitly allowing states to enact laws and regulations that provide “greater protection” to minors than those under KOSPA.
While any federal law is likely to have some uncertainty when it comes to preemption of state laws, this language bodes well for states who have enacted heightened privacy and online safety protections for children and teenagers in recent years, such as Maryland, Connecticut, and New York. Some of the thinking with a federal privacy law is that it would afford one national standard for privacy rather than a “patchwork” state-by-state approach. However, with KOSA and COPPA 2.0, these would be additional protections layered on top of existing state compliance obligations.
3. A novel “duty of care” to prevent and mitigate harms to children and teens
One of the most discussed new provisions in KOSPA (arising from KOSA) is its duty of care. The proposal would require covered platforms to exercise “reasonable care” in the “creation and implementation of any design feature to prevent and mitigate [harms] to minors.” Specifically, KOSPA identifies six categories of harm, including explicitly stated mental health disorders, violence and online bullying, and deceptive marketing practices. (See Table 1)
A duty of care owed by online services to minors is a novel aspect of child-focused privacy laws, and a trend that has emerged in recent years, seen in the currently-enjoined California Age-Appropriate Design Code, the Maryland Age-Appropriate Design Code, and recent amendments to Colorado’s and Connecticut’s comprehensive consumer privacy laws. Design codes impose an affirmative duty to act in the best interests of children, whereas KOSA, Connecticut, and Colorado impose a duty to avoid harm.
Overall, KOSPA/KOSA’s approach to a duty of care is both broader in scope, and at the same time more specific in its enumeration of specific harms, compared to existing state approaches. As comprehensive consumer privacy laws, Connecticut and Colorado are focused on how processing personal data may be used to facilitate harms whereas KOSA applies broadly to preventing and mitigating harms. Connecticut and Colorado also require an assessment of any service, product, or feature, while KOSA is focused only on “design features.” Lastly, Connecticut and Colorado’s list of harms is shorter and more narrowly focused on more traditional privacy harms, while KOSA enumerates specific concrete harms related to modern kids’ and teens’ well-being, such as anxiety, bullying, and abuse.
None of the state laws with duties of care are yet in force, so it remains to be seen how these provisions will be implemented by companies or enforced by regulators. However, the alignment of KOSA with the specificity and narrower scope of Colorado and Connecticut, could mitigate risks of legal challenges over restrictions on content, like those seen in the California AADC litigation.
Table 1: KOSA’s duty of care compared with Connecticut’s and Colorado’s

KOSA’s duty of care: A covered platform shall exercise reasonable care in the creation and implementation of any design feature to prevent and mitigate the following harms to minors:
(1) Consistent with evidence-informed medical information, the following mental health disorders: anxiety, depression, eating disorders, substance use disorders, and suicidal behaviors.
(2) Patterns of use that indicate or encourage addiction-like behaviors by minors.
(3) Physical violence, online bullying, and harassment of the minor.
(4) Sexual exploitation and abuse of minors.
(5) Promotion and marketing of narcotic drugs (as defined in section 102 of the Controlled Substances Act (21 U.S.C. 802)), tobacco products, gambling, or alcohol.
(6) Predatory, unfair, or deceptive marketing practices, or other financial harms.

Connecticut & Colorado’s duty of care: Controllers shall use reasonable care to avoid any heightened risk of harm to minors caused by such online service, product, or feature. Heightened risk of harm to minors means processing minors’ personal data in a manner that presents any reasonably foreseeable risk of:
(A) any unfair or deceptive treatment of, or any unlawful disparate impact on, minors;
(B) any financial, physical or reputational injury to minors;
(C) any physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of minors if such intrusion would be offensive to a reasonable person; or
(D) unauthorized disclosure of the personal data of minors as a result of a security breach [note: this fourth harm is in CO, but not CT].
4. Changes to Verifiable Parental Consent (VPC)
KOSPA would expand the existing requirements for verifiable parental consent (VPC), requiring companies to collect it at an earlier stage than might often be obtained under COPPA. Interestingly, both provisions of KOSPA (the COPPA 2.0 and KOSA parts of the bill) address VPC separately. KOSA would require a covered platform to obtain verifiable parental consent (VPC) before a known child’s initial use of the service. While a covered platform may consolidate this process with its process to obtain VPC for COPPA, KOSA’s VPC requirement seems to still apply even if a covered platform’s personal information practices do not necessitate VPC under COPPA.
KOSA may also differ in its approach to children who already use a covered platform. Because KOSA requires VPC prior to a known child’s “initial use”, it is unclear whether a covered platform must obtain VPC from a child whose initial use happened before the bill’s effective date or when the platform knew they were a child. Comparable state social media laws include provisions that prevent a minor from holding an account they could not create: Florida’s HB 3 would require a social media service to terminate all accounts that likely belong to minors younger than 16, and Tennessee’s Social Media Act would require age-verification of an unverified account holder when they attempt to access their account.
5. Other Privacy and Safety Safeguards
KOSPA includes a number of requirements for companies to establish safeguards aimed at addressing “the frequency, time spent, or activity of minors” on platforms, including the ability to opt out of personalized recommendation systems. The proposal would also establish a flat ban on personalized advertising to kids and teens under the age of 17.
Design Safeguards for Time Spent and Recommendations
KOSPA requires covered platforms to “provide readily-accessible and easy-to-use safeguards” to any user or visitor that the platform knows is a minor. These safeguards must be on the most protective setting by default. KOSA requires a covered platform to make parental tools available, although a minor can change their own account settings without VPC.
Two of KOSPA’s safeguards have key differences compared to state social media laws with similar provisions. KOSA requires a covered platform to limit by default “design features that encourage or increase the frequency, time spent, or activity of minors.” State social media laws which regulate design features tend to do so narrowly, such as Utah’s SB 196, which would prohibit the use of infinite scroll, autoplay, and push notifications for minors, or New York’s SAFE for Kids Act, which would require VPC to enable overnight notifications for minors. Once again, KOSA’s scope more closely resembles state privacy laws: Colorado and Connecticut both have a broader prohibition against the use of any “system design feature to significantly increase, sustain, or extend a minor’s use of the online service, product, or feature” without a child’s VPC or a minor’s consent. But unlike all of these laws, KOSPA would allow minors, including children, to change any of these settings without VPC.
The second notable safeguard is a requirement for a covered platform to include controls to adjust or opt out of any personalized recommendation systems, which are suggestion or ranking algorithms that incorporate a user’s personal information as defined in COPPA. This category appears to be narrower than New York’s SAFE for Kids Act, which would limit feeds that rank or suggest content based on any information associated with a user or the user’s device.
Prohibition on Targeted Advertising
Finally, the COPPA 2.0 portion of the bill creates a flat prohibition on targeted advertising to children and teens 16 and under. While comparable state laws have moved in the direction of creating additional restrictions on advertising to minors, the federal approach goes the furthest by creating a ban rather than allowing for opt-in consent. Notably, the bill takes the approach of creating and defining the term “individual-specific advertising.” The combination of the targeted advertising ban and the broader, constructive knowledge standard used is likely to have significant impacts for the adtech ecosystem.
Reporting Mechanism
KOSPA requires a covered platform to incorporate a reporting mechanism, through which minors, parents, or schools can report harms to minors. The platform must have an electronic point of contact specific to these matters, and the platform must substantively respond to a report within at most 10 or 21 days, depending on the size of the platform and the imminence of harm to the minor. KOSPA’s attention to detail regarding reporting mechanisms stands out when compared to the Maryland AADC’s single requirement that a service’s reporting tools be “prominent, accessible, and responsive.”
Looking ahead
While KOSPA passed the Senate by an overwhelming vote of 91-3, its future in the House of Representatives is uncertain. The House started its August recess just days before the Senate vote, and the earliest KOSPA could be taken up in the House is September 9, just under two months before the November election. Whether that helps or hurts the bill’s chances is subject to speculation. No matter Congress’s next move, states are poised to keep forging ahead on youth privacy and online safety.
School Fundraising in the Digital Age: Policy, Privacy, and Pitfalls
Fundraising is deeply rooted in school communities, serving as a vital means to supplement limited budgets. These efforts are often led by parent organizations, athletic boosters, student groups, or the school itself. Traditionally, fundraisers were dominated by product sales – cookie dough, candy bars, and kitchenware – often involving students soliciting support door-to-door or from family and friends. In recent years, however, the rise of online platforms has significantly transformed how schools fundraise. Fundraising campaigns now include crowdfunding, peer-to-peer giving, online product sales, and online sweepstakes and raffles. Solicitation has shifted from face-to-face to social media, personalized webpages, email and text messaging. This shift introduces new considerations related to student safety, data privacy, and regulatory compliance.
Legal and Compliance Considerations
As fundraising increasingly leverages digital tools and online engagement, school leaders must navigate a new set of risks and responsibilities. Digital campaigns often collect and share student images, names, grade levels, and performance metrics to personalize appeals. Some platforms encourage or enable the use of student text messaging or personal social media accounts for promotion, heightening the risk of disclosing sensitive information such as phone numbers or private profiles. These practices raise significant concerns about consent, exposure, and data sharing. In addition, the use of third-party vendors introduces complexities about data ownership, security practices, and compliance with federal and state regulations, including the Family Educational Rights and Privacy Act (FERPA), the Protection of Pupil Rights Amendment (PPRA), the Children’s Online Privacy Protection Act (COPPA), and various state consumer protection regulations.
Fundraising initiatives must align with existing district policies, particularly those governing the use of student information in marketing or promotional contexts. School leaders should clearly determine whether any data shared falls under the definition of a student education record or directory information as defined by FERPA, and ensure that proper consent and opt-out mechanisms are in place. Even directory information – such as names, grade levels, or photos – used in digital campaigns may pose privacy concerns when aggregated or used for public appeals.
In addition, schools must comply with the Protection of Pupil Rights Amendment (PPRA, 20 U.S.C. §1232h), which requires that parents be notified and given the opportunity to opt out when student information is collected for certain purposes, including marketing. While PPRA does not prohibit the use of student data for school-related fundraising, it does restrict the collection, disclosure, or use of personal information from students for the purpose of commercial marketing or selling that information, or providing it to others for that purpose. Districts should carefully review platform agreements to ensure student data is not repurposed for commercial targeting or sold to third parties, and that appropriate privacy protections are in place.
Data security remains a critical concern. Schools should assess vendor practices around data collection, storage, and breach response. A 2024 data breach involving a student-focused fundraising platform exposed over 700,000 student records—including names, photos, and contact details—underscoring the importance of due diligence before approving any digital fundraising tool (VPNMentor Report).
Equity, Access, and Reputational Considerations
Beyond regulatory compliance, digital fundraising introduces challenges related to equity, access, and public perception. For example, crowdfunding campaigns that highlight individual student needs can inadvertently pressure families, create competition among students, or draw unwanted attention to a student’s circumstances. Some campaigns may exaggerate school deficiencies or portray only negative conditions to attract donations, potentially harming the school’s public image and stakeholder trust. Additionally, digital campaigns often rely on access to social media, mobile phones, or internet-connected devices, which may disadvantage students without consistent access to these tools, further widening participation gaps. Campaigns driven by incentives, such as prize-based competitions for top fundraisers, can also reinforce inequities by rewarding students based on personal networks or family resources. In light of these challenges, district leaders are increasingly called to evaluate platform terms, develop internal review protocols, and ensure fundraising practices align with data governance, equity, and communications policies.
Establishing Guardrails: Policy and Oversight Considerations
To responsibly manage evolving fundraising practices, school systems should establish clear policies that define permissible tools, set expectations for data handling, and outline approval procedures. When planning or evaluating digital fundraising efforts, district leaders can reference the Fundraising Tool Implementation Checklist to ensure alignment with privacy, equity, and compliance priorities. Districts are encouraged to:
Implement a Fundraising Policy: Develop and adopt a comprehensive policy that outlines roles, approval processes, data use expectations, and safeguards to ensure compliance, transparency, and equity across all fundraising efforts. Refer to the Fundraising Policy & Procedure Development Checklist to guide this process and ensure consistency with district priorities and legal requirements.
Require Administrative Review: Implement a review process for any fundraising initiative involving student data, likeness, or participation, regardless of who initiates the campaign.
Vet Third-Party Platforms: Ensure all fundraising vendors meet district data privacy standards, including adherence to FERPA and PPRA, and provide transparent terms of service. Determine whether parental consent is required under COPPA.
Clarify Consent Protocols: Develop procedures to obtain informed consent from parents or guardians when student information is used in promotional materials or shared online.
Provide Staff and Volunteer Training: Educate stakeholders, including parent organizations and booster clubs, on legal obligations and ethical considerations related to digital fundraising.
Document and Monitor Activity: Maintain centralized records of all fundraising campaigns, platforms used, and data shared, and periodically audit for compliance.
As fundraising tools and technologies continue to evolve, schools have an opportunity to harness innovation in ways that strengthen community engagement and expand support for students. However, this progress must be guided by thoughtful oversight, inclusive practices, and a commitment to safeguarding student well-being. By establishing clear expectations for fundraising activities and proactively addressing risks, district leaders can foster a culture of responsible innovation, one that empowers communities without compromising privacy, equity, or trust.
Fundraising Tool Implementation Checklist
Planning and Alignment
Does the fundraising activity align with the district’s mission, values, and equity goals?
Has the purpose of the fundraiser been clearly defined and communicated?
Are there established district policies governing fundraising, and does this effort comply with them?
Has leadership approved the use of the digital tool(s) or third-party vendor?
Platform Evaluation
Has the fundraising platform been vetted for data privacy and security practices?
Does the platform comply with FERPA, PPRA and relevant state privacy laws?
Do contracts confirm that the district retains ownership and control over student data, with limitations on vendor use?
Are the platform’s terms of service and privacy policy transparent and acceptable?
Is there a process for assessing potential reputational risks associated with the platform?
Equity and Accessibility
Will all students have equitable opportunities to participate regardless of access to devices, internet, or social media?
Are there alternative ways for students or families without digital access to support or engage?
Does the campaign avoid highlighting individual student needs in a way that may cause harm or embarrassment?
Student Data and Consent
Is any student data (e.g., name, photo, grade, performance) being collected or shared?
Have parents/guardians provided informed consent for any student-identifying information used?
Is student participation voluntary, and are opt-out options clearly provided?
Oversight and Documentation
Is there a designated staff member responsible for reviewing and approving fundraising campaigns?
Are all fundraising efforts logged, including platform used, data shared, and campaign duration?
Has the campaign been reviewed for compliance with procurement policies?
Are digital records (e.g., campaign pages, communications, data shared) archived according to district records retention policies?
Communication and Transparency
Have school leaders, staff, and parent groups been informed of expectations and safeguards?
Are families clearly informed about their rights, including how to opt out of data use or participation, how student data will be used, and how to ask questions or raise concerns?
Is the fundraising impact reported transparently to the school community?