Registries and registrars may refrain from canceling expired domain names in Turkey and Syria in earthquake-affected areas, ICANN said Monday. It's concerned the emergency might prevent people from renewing their domains on time, causing them to lose the domains due to circumstances beyond their control. ICANN urged domain name sellers "to support this action when reviewing domain name renewal delinquencies in the affected areas," and said it's monitoring the situation to see if further relief is warranted.
Vermont legislators should consider privacy bill exemptions for companies and organizations already subject to federal privacy regulations, representatives from the financial and health sectors told the House Commerce Committee during a hearing Thursday on H-121, a consumer privacy bill introduced by Chairman Michael Marcotte (R). Vermont legislators announced plans to pursue a privacy bill last year (see 2203160053). H-121 includes data minimization requirements like those in the California Consumer Protection Act and requires businesses to respect do-not-track signals like those in Colorado’s law. The proposal would expand Vermont’s data broker law to allow consumers to opt out of the processing of personal information for targeted advertising, predictive analytics, tracking and/or the sale of personal information. The law would take effect July 1. The 32-page bill doesn’t scratch the surface of what’s passed in California and the EU, but it would enhance consumer privacy in Vermont, said Legislative Counsel David Hall. Europe has much more robust privacy laws, said Assistant Attorney General Sarah Aceves. She said she’s more concerned about inaction on the privacy front than about moving forward with a state patchwork of privacy laws. She said the AG’s office, which would be responsible for enforcement, is comfortable with what’s in the bill but open to organically changing elements. VPIRG Communications and Technology Director Zachary Tomanelli encouraged passage of the bill but said he anticipates further changes. Vermont Bankers Association President Chris D'Elia, Association of Vermont Credit Unions President Joseph Bergeron and Devon Green, Vermont Association of Hospitals and Health Systems vice president-government relations, all spoke of the need for exemptions for organizations already subject to federal laws on financial- and health-related privacy, including the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act.
Colorado’s latest privacy regulation proposal is more burdensome than the EU’s general data protection regulation in its requirement for companies obtaining informed consumer consent for data processing, Google commented Friday (see 2302060037). The proposed regulation’s consent standards require “so much information to be presented in such a scripted manner that it may undermine rather than improve consumer understanding” of how data is processed, said Google. This “prescriptive” approach could result in “consent fatigue” and “checkbox exercises,” the company said. Google suggested Colorado Attorney General Phil Weiser (D) remove the proposal’s internal documentation requirements, which are separate from requirements for data protection assessments. The draft rules require companies to analyze and document data minimization and secondary use decisions, “seemingly untethered from any potential risk of harm to consumers or the statute’s data protection assessment requirements,” said Google. This would result in companies accumulating “enormous paper trails” with little consumer benefit, the company said.
Education technology company Chegg will implement a comprehensive data security program as part of a finalized, non-monetary settlement the FTC announced Friday (see 2210310051). Chegg failed to establish basic security measures, exposing sensitive data of about 40 million customers and employees, the agency alleged in its complaint. The commission voted 4-0 to finalize the order with Chegg. As part of the order, the company must limit the data it collects and retains, offer users multifactor authentication and allow users to “request access to and deletion of their data.” Attorneys for the company didn’t comment Friday.
The FTC finalized a $3 million settlement Monday with Credit Karma, alleging the company used “dark patterns” to mislead and entice consumers to apply for credit card offers they often didn’t qualify for (see 2209010036). The commission voted 4-0 approving the final order and letters to commenters.
Comments are due March 6 for an NTIA study on data privacy harms inflicted on marginalized communities, the agency said Friday (see 2301180031).
WhatsApp Ireland owes $6 million (5.5 million euros) for data processing violations, the Irish Data Protection Commission said Thursday. The investigation arose from a 2018 German complaint. Before the EU general data protection regulation (GDPR) took effect May 25, 2018, the company updated its terms of service to tell users that if they wanted to have continued access to the service under the GDPR, they would have to click "agree and continue" to accept the revised terms. WhatsApp contended that once the terms of service were accepted, a company-user contract existed and the processing of user data in connection with the delivery of WhatsApp services was necessary for performance of the contract, making its processing operations legal under the GDPR's "contract" legal basis. The complainant argued that WhatsApp Ireland was trying to rely on consent as the legal basis for processing, and that by forcing users to consent to having their data processed for service improvement and security, the company breached the GDPR. The DPC said WhatsApp breached its obligation for transparency by not making its legal basis clear to users, leaving them uncertain about what processing operations were being carried out on their personal data, for what purposes and under what GDPR legal basis. That lack of transparency violated the regulation, but the DPC, having imposed a fine of 225 million euros on the company earlier, didn't suggest another penalty. The regulator also found, however, that in principle, the GDPR didn't preclude WhatsApp from relying on the contract legal basis. Several other data protection authorities objected to the conclusions, so the DPC referred the disputed points to the European Data Protection Board. It backed Ireland's findings of a breach of transparency obligations but rejected its view that WhatsApp could rely on the contract legal basis for processing people's personal data. 
The board's decision is binding, and WhatsApp now has six months to comply with the GDPR. The EDPB also ordered the DPC to look into all of WhatsApp Ireland's processing operations, but the DPC said the board doesn't have jurisdiction to order an "open-ended and speculative investigation." If the order amounts to EDPB overreach, the DPC said, it could appropriately ask the European Court of Justice to annul it. A similar dispute between the EDPB and DPC arose earlier this month involving Meta Ireland (see 2301040014). WhatsApp said it will appeal the decision. The company believes "the way the service operates is both technically and legally compliant," a spokesperson emailed.
The National Institute of Standards and Technology’s Information Security and Privacy Advisory Board will meet March 1 and 2, starting at 10 a.m. each day, said a Thursday Federal Register notice. The meeting will be at the Grand Hyatt Washington, Quarter Penn A, 1000 H St. NW. Discussion topics include “Risk Framework Uses by U.S. Federal Agencies” and Office of Management and Budget Memo M–22–18 on “Enhancing the Security of the Software Supply Chain Through Secure Software,” the notice said.
Wisconsin became the latest state to ban the use of TikTok on government devices (see 2212280048). Gov. Tony Evers (D) announced an executive order Thursday banning the Chinese-owned app on state-issued devices. TikTok has been banned on federal government devices (see 2212270051) and government devices in more than 20 states. The list includes Alabama, Florida, Georgia, Idaho, Louisiana, New Jersey, New Hampshire, Maryland, Ohio, Pennsylvania, South Carolina, Texas, Utah and Virginia.
Antitrust enforcers should “redouble” efforts to ensure competitive markets as Big Tech companies look to “entrench” themselves in the auto industry, more than 20 advocacy groups wrote FTC Chair Lina Khan and DOJ Antitrust Division Chief Jonathan Kanter Wednesday. Demand Progress, Fight for the Future, Media Alliance, Open Markets Institute, Our Revolution, Progress America, Public Citizen and Tech Oversight Project signed the letter. Google, Apple, Meta and Amazon are expanding into auto markets, the letter said, and “will ignore plain-language laws and regulations designed to protect competition, circumvent consumer privacy laws, and use their considerable market weight to disadvantage smaller competitors.”