In this issue we provide analysis of new draft regulations implementing the California Privacy Rights Act, a bipartisan, bicameral federal privacy bill making its way through Congress, a new federal independent contractor rule under development, and more.
With most state legislatures coming to a close at the end of June, we also saw a flurry of last-minute legislative activity in New York; this included the enactment of a new law extending wage theft protection for freelancers statewide and a bill providing new labor protections for models and creative production workers defeated in the eleventh hour.
More details on policy updates covering April to June 2022 are below.
California Privacy Protection Agency Votes to Begin Rulemaking Process
On June 8, the California Privacy Protection Agency (CPPA) Board voted 4-0 (with one member absent) to initiate the CPRA rulemaking process based on the draft regulations released on May 27. The first set of draft rules covers specific topics including personal data collection and use restrictions, mandatory user opt-out signal acknowledgement, and privacy notice requirements. The new draft rules represent only a small number of the 22 regulatory topics that the CPPA has been tasked with regulating in Cal. Civ. Code § 1798.185(a). Details on what’s currently in the draft regulations can be found here. The initial statement of reasons for the draft regulations outline was also published in late May, providing a rationale from CPPA board and staff on why they’ve decided to implement specific areas within the draft regulations as they did.
The next step in the process is for the CPPA staff to initiate the formal notice and comment period, where public stakeholders will have an opportunity to comment on the proposed rules. Agencies wishing to submit written comments to the draft rules can do so on the CPPA’s website, once the draft rules are published in the California Regulatory Notice Register. The initial comment period will last for at least 45 days, and the CPPA will hold a public hearing. The 4As will be submitting comments on several areas of concern within the regulations in partnership with the other advertising trades.
Should the CPPA make edits to the initial draft regulations, a subsequent comment period will run for 15+ days for public feedback on the revisions. The CPPA will then issue its Final Statement of Reasons and final regulations. The CPPA’s next meeting has yet to be scheduled.
The CPPA has previously said it will likely miss an initial July 1 statutory deadline to adopt regulations but has not discussed whether that deadline, and thus enforcement, will be delayed. The California Hispanic Chambers of Commerce Assistant Deputy Chief of Staff Luis Lopez called on the agency to commit to extending the enforcement deadline by six months “to give businesses time to comply.” The board indicated the delayed enforcement date topic would be placed on an upcoming meeting agenda. In February, CPPA Executive Director Ashkan Soltani said the rulemaking schedule would go “somewhat past” the July 1 deadline, with completion anticipated “in Q3 or Q4.”
The CPPA has indicated that the initial set of draft rules are not the only rules that the CPPA will issue. A second round of rulemaking may focus on automated decisionmaking, cybersecurity audits, and privacy risk assessments. The timeline for issuance of additional rules is currently unknown.
New York Fashion Workers Act Defeated in 2022 Legislative Session
New York State’s legislative session ended for the year in the early hours of June 3, without the passage of the troublesome New York Fashion Workers Act (S.8638-A / A.9762-A). The bill advanced out of the Senate Labor committee but failed to receive a final floor vote in the final days of the session.
Despite agencies being a middleman between a brand client and a creative management company, the bill imposed a blanket requirement that agencies render payment to creatives (hair stylists, makeup artists, casting directors, etc.) or their representative management companies no later than 30 days after the completion of services. It did not provide exceptions in the event of non-payment by an agency’s client. Many agencies well know that some clients do not remit payment to their agencies within a 30-day time frame, which could result in agencies having to “float” those talent costs while they await payment from their own clients. Other areas of concern in the bill include generous contract transparency requirements for creatives and models, which could potentially violate client confidentiality agreements.
The 4As submitted written comments to New York Assembly members urging them against advancing the bill in the 2022 session. Our letter also expressed a willingness to work with the bill’s authors and relevant committee members to address our concerns with the legislation. Our advocacy efforts were closely coordinated with other big players in the advertising and production industries including the Association of National Advertisers (ANA) and the Artist Management Association (AMA).
New Bicameral, Bipartisan Data Privacy Bill Attempts to Break Through Congressional Stalemate
Recently, bipartisan privacy leaders in Congress unveiled a new bicameral federal privacy bill discussion draft that they hope to enact before year’s end. The bill draft, which has since been updated on June 21, is titled the American Data Privacy and Protection Act (ADPPA). The bill is being led by House Energy and Commerce leadership Frank Pallone (D-NJ) and Cathy McMorris Rodgers (R-WA) and Senate Commerce, Science, and Transportation Committee Ranking Member Roger Wicker (R-MS). The original version of the ADPPA had a hearing in the House Energy and Commerce Subcommittee on Consumer Protection on June 14, 2022. A subcommittee markup of the latest version of the bill is scheduled for June 23, 2022.
Noticeably absent from this committee leadership list for the ADPPA is Senate Commerce, Science, and Transportation Committee Chairwoman Maria Cantwell (D-WA) who is supporting an updated version of her previous 2019 bill, the Consumer Online Privacy Rights Act (COPRA), as a starting point for Senate negotiations. Her bill would define a “substantial privacy harm” as an alleged financial harm to an individual of $1,000 or more, or an alleged physical, mental or reputational harm. Cantwell’s draft bill would prevent companies from using user-agreements to force individuals to go through arbitration to settle disputes rather than sue in court. By contrast, the ADPPA does not block companies from forcing customers to use arbitration, except when it comes to children. Businesses regularly include such clauses in user agreements and have pushed to maintain that right.
The most notable and much-discussed inclusions in the bipartisan ADPPA are federal preemption of most state privacy laws and a four-year delayed implementation of a private right of action (PRA). Rather than solely relying on a “notice and consent” framework that we’ve seen in existing state privacy laws, the ADPPA tries to avoid placing the burden for privacy on the consumer; instead, it utilizes “duty of loyalty” provisions, barring covered entities from collecting, processing or transferring covered data beyond what is reasonably necessary, proportionate, and limited to provide specific products and services. The ADPPA authorizes the Federal Trade Commission (FTC) to issue guidance and promulgate rules, including on data minimization and consumer request requirements. The effective date would begin 180 days after enactment.
The 4As has joined many in the business community and the Privacy for America coalition in trying to amend the ADPPA to protect responsible data for advertising. We are committed to working with other partners in the advertising community and members of both parties to enact a reasonable, preemptive, federal data privacy law.
Key provisions in the latest ADPPA version include:
- Scope; Covered Entity:
- Applies to “covered entities,” which is defined as “any entity or person that collects, processes, or transfers covered data and — (i) is subject to the Federal Trade Commission Act (15 U.S.C. 41 et seq.); (ii) is a common carrier subject to title II of the Communications Act of 1934 (47 U.S.C. 201–231) as currently enacted or subsequently amended; or (iii) is an organization not organized to carry on business for their own profit or that of their members.” It also includes any entity or person that controls, is controlled by, is under common control with, or shares common branding with another covered entity.
- The ADPPA contains numerous exemptions, including an exemption for small businesses. It appears that there are data-level exemptions for entities subject to GLBA, HIPAA, FERPA, and other federal statutes, although the FTC would need to provide guidance.
- Covered Data: The bill includes an exception for pseudonymised data and publicly available information.
- Federal and State Enforcement: The FTC and State Attorneys General would enforce the ADPPA.
- Limited private right of action: A PRA becomes active four years after the ADPPA’s effective date. It would require individuals to first notify the Federal Trade Commission and their state attorney general of their intent to bring action, and give the agencies 60 days to make a determination. The PRA is limited in that it does not provide for statutory damages, only compensatory damages, attorney’s fees, etc.
- Right to Cure: There is also a limited right to cure, whereby if a data holder successfully addresses an alleged problem within 45 days, they can seek dismissal of a demand for injunctive relief.
- Federal preemption with some exceptions: Preempts most state privacy laws, although there is a list of noted exceptions including the Illinois Biometric Information Privacy Act and the California Privacy Rights Act’s (CPRA) personal information security breach section.
- Definition of “Sensitive” Data: Defines sensitive data broadly and gives the FTC rulemaking authority to add new categories. The definition of sensitive data includes health, financial, biometric, genetic, and precise geolocation data; a person’s private communications and calendar information; data revealing race, religion (if such data isn’t public); video viewing data; and information about an individual when the covered entity knows that the individual is under the age of 17.
- Rights to Consent & Object:
- Affirmative, express opt-in consent is required before a covered entity can process, collect, or transfer sensitive data.
- Opt-out consent is required for data transfers to third parties (called “sales” in State laws) and targeted advertising (defined to exclude contextual advertising, ad reporting and measurement, and certain first party marketing).
- Global Privacy Control: Within 18 months of enactment, tasks the FTC with establishing one or more acceptable privacy protective centralized mechanisms including GPC signals, such as browser or device privacy settings, to allow individuals to exercise opt-out rights.
- Service Providers & Third Parties: Service providers may only use data to perform services on behalf of covered entities, must promptly delete it thereafter, and may only transfer data to third parties with the affirmative express consent of the relevant individual (obtained via the covered entity). Third parties may not process data obtained from another entity contrary to individuals’ reasonable expectations.
- Targeted Advertising:
- Requires that businesses allow consumer opt-outs from targeted advertising, including intra-corporate family targeted marketing.
- Allows users to opt-out of targeted advertising using universal opt-out mechanisms.
- Children & Teens:
- Bans targeted advertising to individuals under the age of 17 as well as data transfers without consent. The determination of whether an individual is under 17 shall be based on the covered data collected directly from an individual or a proxy thereof that the covered entity would otherwise collect in the normal course of business.
- Requires the FTC to create a division for Youth Privacy and Marketing and implores the FTC’s Inspector General to survey COPPA’s safe harbor provisions for their effectiveness.
- Algorithmic Fairness:
- Restricts collecting, processing, or transferring data in a manner that is discriminatory or that makes unavailable equal enjoyment of goods or services on the basis of race, religion, disability, or other protected categories.
- Starting two years after enactment, requires “large data holders” to conduct annual algorithmic impact assessments, and other entities to do design evaluations of their algorithms.
- Data Minimization:
- Requires businesses to limit their collection, processing and transferring activities to certain activities and purposes.
- Provides limited exceptions to allow covered entities to provide first party marketing or advertising of products or services provided by the covered entity, to use data to perform system maintenance or diagnostics, to maintain a product or service for which such data was collected, to conduct internal research or analytics, to improve a product or service for which such data was collected and to perform inventory management or reasonable network management, to protect against spam, to debug or repair errors that impair the functionality of a service or product for which such data was collected, to protect against a cybersecurity incident, etc.
- Requires opt-in consent for a covered entity to collect, process, or transfer an individual’s aggregated internet search or browsing history, except pursuant to one of the permissible purposes enumerated above.
- Privacy by Design: Covered entities would need to implement privacy by design policies and procedures.
- Data Brokers:
- Requires data brokers to register with the FTC.
- The FTC will establish and maintain an online, searchable, central public registry of all registered data brokers, and a “Do Not Collect” registry, which will allow individuals to request that all data brokers delete their data within 30 days.
The timeline for action on ADPPA is limited due to expected Republican committee leadership changes next year and the election year’s shortened legislative calendar. Congress also has several other priorities to address this year that could make getting adequate floor time to debate a bipartisan privacy bill difficult; these include funding the federal government, defense spending authorization, bipartisan gun control reform, tech company antitrust reform, a scaled back “Build Back Better” package, and others. Recent amendments to the bill, however, make it more likely that such a bill could pass both chambers.
DOL Announces Plan to Solicit Input for New Independent Contractor Rule
On June 3, the Department of Labor (DOL) announced its intention to issue a new independent contractor (IC) rule via a blog post from Jessica Looman, Acting Director of the DOL’s Wage and Hour Division. The IC rule clarifies the employee-vs.-independent contractor analysis criteria under the Fair Labor Standards Act (FLSA). Under FLSA, employees are entitled to minimum wage, overtime pay and other benefits. Independent contractors are not entitled to such benefits.
Due to the advertising industry’s continued reliance on freelance talent for flexible project-based staffing solutions, agencies may be interested in following these developments to help them understand possible changes to federal labor laws and liability concerning proper worker classification.
The current IC final rule was issued during the Trump Administration. It had been slated to go into effect in March 2021, was initially delayed, and then ultimately was withdrawn by the Biden DOL in May 2021. However, in March 2022, a federal court in Texas held that the Biden DOL’s delay and withdrawal of the Trump IC rule was unlawful, and that the current final rule from the Trump Administration has been in effect since its original March 2021 date. The DOL recently appealed that ruling, and the appeal is pending in the U.S. Court of Appeals for the Fifth Circuit.
Over the years, both the courts and the DOL had developed similar, yet somewhat varying, standards for determining whether an individual is an employee or an independent contractor. The Trump IC rule applies a more-limited economic-realities test to determine whether workers are independent contractors or employees.
Worker classification standards were derived from six non-exclusive factors originally presented by the Supreme Court. The factors include:
- The employer’s versus the individual’s degree of control over the work;
- The individual’s opportunity for profit or loss;
- The individual’s investment in facilities and equipment;
- The permanency of the relationship between the parties;
- The skill or expertise required by the individual; and
- Whether the work is “part of an integrated unit of production.”
As the agency considers developing a new IC rule, the Biden Department of Labor is hosting public listening sessions to solicit feedback from workers on June 29 and employers on June 24 respectively.
On behalf of our members, the 4As Government Relations team will be monitoring ongoing regulatory developments concerning the independent contractor rule. Through the formal public comment process and other employer-friendly labor coalitions, we will ensure that the concerns of the agency community are communicated to relevant policymakers and regulators as this rule is developed and finalized.
“Freelance Isn’t Free” Act Passes NY Legislature, Expanding NYC Freelancer Law Statewide
On June 2, the New York General Assembly passed the Freelance Isn’t Free Act (S8369), which provides new contract and wage theft protections to workers employed as independent contractors. Although the law does provide exceptions for contractors in the building and medical fields, it will cover the creative freelance talent used by agencies. This new state-wide law matches the requirements of a 2017 New York City law of the same moniker.
S8369 takes effect in December 2022 and mandates that any company hiring a freelancer for services valued at $250 or more must provide them with a written contract and timely payment in full. If the contract doesn’t specify a payment date, then the freelancer must be paid within 30 days after the work is completed. A written contract with a freelancer must include:
- The name and address of both the hiring party and the freelance worker;
- An itemization of the services to be provided by the freelance worker;
- The value of the services to be provided;
- The rate and method of compensation;
- The date on which the hiring party must pay the contracted compensation or the mechanism by which such date will be determined; and
- The date the freelance worker must submit a list of services rendered to meet any internal processing deadlines for the hiring party to render timely compensation.
Agencies will be required to keep any contract with a freelancer for at least six years. The law establishes penalties for violations of these freelancer rights, including statutory damages, double damages, injunctive relief, and attorney’s fees. Individual causes of action will be adjudicated in state court. The New York attorney general can also bring a civil action on behalf of the state against a hiring party that is engaged in a pattern or practice of violations of the act of up to $25,000.
Chances of Federal Paid Leave Bill Fade as Progressive States Carry on the Responsibility
As Congressional Democrats continue to struggle to deliver on their campaign promise to pass a federal paid family leave bill, state legislators are taking it into their own hands to create state-mandated, paid family leave programs.
As of June 2022, eleven states and the District of Columbia have enacted paid family leave (PFL) programs. These programs are active in California, Massachusetts, New Jersey, New York, Rhode Island, Washington, the District of Columbia, and Connecticut, while the programs in Oregon (2023), Colorado (2024), Maryland (2025), and Delaware (2025) have yet to go into effect or begin allowing distributions. All state programs are funded through employee-paid payroll taxes, and some are also partially funded by employer-paid payroll taxes. Agencies should review the paid family leave laws in the states where their employees are located in order to determine how these programs might fit into their existing company-wide paid leave programs.
The federal Family and Medical Leave Act (FMLA) guarantees most workers at companies with at least 50 employees access to up to 12 weeks of unpaid, job-protected parental, family caregiver, personal medical, and military exigency leave. While these protections cover 60 percent of the workforce, evidence suggests that many eligible employees do not take leave when they need it because they cannot afford it. Some states expanded job protection as part of their PFL program while others left job protection for leave-takers as it is under FMLA.
For details on specific state laws, read this guidance from the National Conference of State Legislatures.
New 4As Guidance Explains Florida’s “Stop WOKE” Act
Effective July 1, 2022, Florida’s Stop WOKE Act (“Act”) places strict limitations on the topics that employers with a presence in Florida that have 15 or more employees can discuss at mandatory diversity, equity, and inclusion (“DEI”) workplace trainings and seminars. The Act could have potentially significant implications for employers wishing to cover topics like structural racism, white/male privilege, and unconscious bias in workplace anti-discrimination and diversity and inclusion trainings.
As such, covered agencies will want to review any employee-mandatory DEI trainings in anticipation of the law’s effective date for prohibited content in consultation with their legal counsel. They should monitor any developments impacting the law’s application and implementation, including a pending legal challenge to the constitutionality of the Act, filed the same day the Act was signed by Governor DeSantis.
In order to help agencies better understand the specifics of the law and how it might apply to their DEI training policies and goals, the 4As Government Relations team in consultation with the 4As Professional and Organizational Development team has put together a helpful guidance document.
Joining CA, CO, VA, and UT, CT Enacts New Comprehensive State Privacy Law
And then there were five. On May 5, Connecticut Governor Ned Lamont (D) enacted Connecticut’s new privacy law, the Connecticut Data Privacy Act (CTDPA). Effective July 1, 2023, the CTDPA is very similar to existing privacy laws in Virginia (VCDPA) and Colorado (CPA), with a few significant differences that make it unique.
Potentially one of the most significant differences between the CTDPA and other states’ privacy laws is its triggering threshold requirements. Notably absent any specific annual revenue requirements, the CTDPA applies to persons that conduct business in Connecticut or produce products or services that are targeted to residents of the state, and that control or process the personal data of a particular number of residents, namely either:
- 100,000 or more Connecticut residents, excluding residents whose personal data is controlled or processed solely for the purpose of completing a payment transaction; or
- 25,000 or more Connecticut residents, where the business derives more than 25% of its gross revenue from the sale of personal data.
Connecticut’s is also the first state law to explicitly carve out payment transaction data from its applicability threshold; this provision was added to alleviate concerns of restaurants, small convenience stores, and similar businesses that process the personal information of many customers for the sole purpose of completing a transaction.
Consistent with other state privacy bills, the CTDPA is a rights-based bill. It offers Connecticut consumers the rights to access, delete, correct, and confirm information collected about them by covered entities. The law also grants consumers data portability and includes a non-discrimination clause. Like Virginia’s and Colorado’s laws, consumers have the right to opt out of the processing of the personal data for the purposes of targeted advertising, the sale of personal data, or automated decision making. Unlike Virginia and Utah — where a sale occurs when personal data is exchanged for monetary consideration only — the law adopts the broader CCPA- and Colorado-like definition that considers an exchange for “other valuable consideration” to also constitute a sale. The statute also excludes any deidentified data or publicly available information from consumer opt-out requests.
Like the CA and CO laws, the CTDPA permits its state’s consumers to designate an authorized agent (i.e., use of a global privacy control) to act on their behalf and opt out of data processing. Data controllers must accept universal opt-out signals by 2025. Unlike CO’s law, however, the CT statute does not require controllers to authenticate opt-out requests, which in theory will make it easier for consumers to opt out. It also requires data controllers to practice data minimization and purpose limitation, implement technical safeguards, and conduct data protection assessments, making them available to the Attorney General upon request.
Like all other state privacy laws before it, the CTDPA limits enforcement to the state’s attorney general instead of a private right of action. The CTDPA includes a 60-day cure period which sunsets in 2025. Violations of the CTDPA will constitute an unfair trade practice, which carries civil penalties of up to $5,000 per violation.
Finally, the CTDPA, similar to the VCDPA, requires a general assembly appointed task force to study various topics concerning data privacy. The task force must submit a report of its findings and recommendations to amend the law to the joint standing committee by January 1, 2023.
Our updated state privacy law chart shows more details on how Connecticut’s law compares to other states.
If you have any questions about the policy updates in this newsletter, please contact Alison Pepper, Executive Vice President of Government Relations and Sustainability.