Parents should have more control over what children and teens are exposed to on social media, legislators in Connecticut said during a hearing Tuesday. The General Law Committee, a joint panel with members from the Senate and House, heard testimony on a number of social media proposals. Connecticut should consider age-appropriate design concepts similar to those passed in California, said co-Chair James Maroney, a Senate Democrat. NetChoice is suing to block California’s AB-2273, the Age-Appropriate Design Code Act, on First Amendment grounds. Maroney referenced a similar law in the U.K. Rep. Tami Zawistowski (R) said she's happy to consider the concepts. She spoke in favor of legislation she co-sponsored, HB-5429, which would ban the “collection and commercial use of certain digital information concerning minors.” The 24/7 nature of social media drives the need for legislators to step in, she said: Parents are in the best position to decide what’s appropriate activity for young users. She said parents should have control over their kids’ accounts up to the age of 18 or 20, but the bill sets the age at 16 because that’s “more achievable.” There should be federal legislation, but state legislators do what they need to do to “get people talking,” she said. Maroney said he wants to explore the concept of product testing to identify harms when services target children. Sen. Saud Anwar (D) spoke in support of his SB-395, which would require website and app operators to “obtain parental consent before allowing a child under” 16 to open an account with the operator. “If we wait for the federal government to act, we’ll be waiting for a long time,” he said. Rep. Vincent Candelora (R) spoke in support of SB-1103, which was introduced by the committee at large. SB-1103 would establish an office of artificial intelligence and contemplates data collection restrictions for government agencies. 
The government should be held to the same standard as private entities because it’s collecting proprietary data and actively using algorithms, said Candelora.
Registries and registrars may refrain from canceling expired domain names in earthquake-affected areas of Turkey and Syria, ICANN said Monday. It's concerned the emergency might prevent people from renewing their domains on time, causing them to lose the domains due to circumstances beyond their control. ICANN urged domain name sellers "to support this action when reviewing domain name renewal delinquencies in the affected areas," and said it's monitoring the situation to see if further relief is warranted.
Vermont legislators should consider privacy bill exemptions for companies and organizations already subject to federal privacy regulations, representatives from the financial and health sectors told the House Commerce Committee during a hearing Thursday on H-121, a consumer privacy bill introduced by Chairman Michael Marcotte (R). Vermont legislators announced plans to pursue a privacy bill last year (see 2203160053). H-121 includes data minimization requirements like those in the California Consumer Protection Act and requires businesses to respect do-not-track signals like those in Colorado’s law. The proposal would expand Vermont’s data broker law to allow consumers to opt out of the processing of personal information for targeted advertising, predictive analytics, tracking and/or the sale of personal information. The law would take effect July 1. The 32-page bill doesn’t scratch the surface of what’s passed in California and the EU, but it would enhance consumer privacy in Vermont, said Legislative Counsel David Hall. Europe has much more robust privacy laws, said Assistant Attorney General Sarah Aceves. She said she’s more concerned about inaction on the privacy front than about moving forward with a state patchwork of privacy laws. She said the AG’s office, which would be responsible for enforcement, is comfortable with what’s in the bill but open to organically changing elements. VPIRG Communications and Technology Director Zachary Tomanelli encouraged passage of the bill but said he anticipates further changes. Vermont Bankers Association President Chris D'Elia, Association of Vermont Credit Unions President Joseph Bergeron and Devon Green, Vermont Association of Hospitals and Health Systems vice president-government relations, all spoke of the need for exemptions for organizations already subject to federal laws on financial- and health-related privacy, including the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act.
Colorado’s latest privacy regulation proposal is more burdensome than the EU’s general data protection regulation in its requirement that companies obtain informed consumer consent for data processing, Google commented Friday (see 2302060037). The proposed regulation’s consent standards require “so much information to be presented in such a scripted manner that it may undermine rather than improve consumer understanding” of how data is processed, said Google. This “prescriptive” approach could result in “consent fatigue” and “checkbox exercises,” the company said. Google suggested Colorado Attorney General Phil Weiser (D) remove the proposal’s internal documentation requirements, which are separate from requirements for data protection assessments. The draft rules require companies to analyze and document data minimization and secondary use decisions, “seemingly untethered from any potential risk of harm to consumers or the statute’s data protection assessment requirements,” said Google. This would result in companies accumulating “enormous paper trails” with little consumer benefit, the company said.
Education technology company Chegg will implement a comprehensive data security program as part of a finalized, non-monetary settlement the FTC announced Friday (see 2210310051). Chegg failed to establish basic security measures, exposing sensitive data of about 40 million customers and employees, the agency alleged in its complaint. The commission voted 4-0 to finalize the order with Chegg. As part of the order, the company must limit the data it collects and retains, offer users multifactor authentication and allow users to “request access to and deletion of their data.” Attorneys for the company didn’t comment Friday.
The FTC finalized a $3 million settlement Monday with Credit Karma, alleging the company used “dark patterns” to mislead and entice consumers to apply for credit card offers they often didn’t qualify for (see 2209010036). The commission voted 4-0 to approve the final order and letters to commenters.
Comments are due March 6 for an NTIA study on data privacy harms inflicted on marginalized communities, the agency said Friday (see 2301180031).
WhatsApp Ireland owes $6 million (5.5 million euros) for data processing violations, the Irish Data Protection Commission said Thursday. The investigation arose from a 2018 German complaint. Before the EU general data protection regulation (GDPR) took effect May 25, 2018, the company updated its terms of service to tell users that if they wanted to have continued access to the service under the GDPR, they would have to click "agree and continue" to accept the revised terms. WhatsApp contended that once the terms of service were accepted, a company-user contract existed and the processing of user data in connection with the delivery of WhatsApp services was necessary for performance of the contract, making its processing operations legal under the GDPR's "contract" legal basis. The complainant argued that WhatsApp Ireland was trying to rely on consent as the legal basis for processing, and that by forcing users to consent to having their data processed for service improvement and security, the company breached the GDPR. The DPC said WhatsApp breached its obligation for transparency by not making its legal basis clear to users, leaving them uncertain about what processing operations were being carried out on their personal data, for what purposes and under what GDPR legal basis. That lack of transparency violated the regulation, but the DPC, having imposed a fine of 225 million euros on the company earlier, didn't suggest another penalty. The regulator also found, however, that in principle, the GDPR didn't preclude WhatsApp from relying on the contract legal basis. Several other data protection authorities objected to the conclusions, so the DPC referred the disputed points to the European Data Protection Board. It backed Ireland's findings of a breach of transparency obligations but rejected its view that WhatsApp could rely on the contract legal basis for processing people's personal data. 
The board's decision is binding, and WhatsApp now has six months to comply with the GDPR. The EDPB also ordered the DPC to look into all of WhatsApp Ireland's processing operations, but the DPC said the board doesn't have jurisdiction to order an "open-ended and speculative investigation." If the order amounts to EDPB overreach, the DPC said, it could appropriately ask the European Court of Justice to annul it. A similar dispute between the EDPB and DPC arose earlier this month involving Meta Ireland (see 2301040014). WhatsApp said it will appeal the decision. The company believes "the way the service operates is both technically and legally compliant," a spokesperson emailed.
The National Institute of Standards and Technology’s Information Security and Privacy Advisory Board will meet March 1 and 2, starting at 10 a.m. each day, said a Thursday Federal Register notice. The meeting will be at the Grand Hyatt Washington, Quarter Penn A, 1000 H St. NW. Discussion topics include “Risk Framework Uses by U.S. Federal Agencies” and Office of Management and Budget Memo M–22–18 on “Enhancing the Security of the Software Supply Chain Through Secure Software,” the notice said.
Wisconsin became the latest state to ban the use of TikTok on government devices (see 2212280048). Gov. Tony Evers (D) announced an executive order Thursday banning the Chinese-owned app on state-issued devices. TikTok has been banned on federal government devices (see 2212270051) and government devices in more than 20 states. The list includes Alabama, Florida, Georgia, Idaho, Louisiana, New Jersey, New Hampshire, Maryland, Ohio, Pennsylvania, South Carolina, Texas, Utah and Virginia.