May Roundup: Bedoya confirmed, Conn. Law Passed, UK Data Reform Bill, EU Digital Markets Act Agreed on 

By Molly Hulefeld

While May tends to feel somewhat nostalgic for privacy professionals with the anniversary of GDPR, in many ways it also signals what to expect in the summer ahead. And once again, it seems we’re in for a busy one. We’ve selected our favorite highlights from the past month to keep you in the know.  


The past month saw Alvaro Bedoya take his seat as the fifth and final Commissioner at the Federal Trade Commission, Twitter was issued a $150 million fine for allegedly misrepresenting its privacy and security practices, children’s privacy took center stage, and Connecticut’s governor signed the fifth state privacy law. 

  • While there was little doubt to its passage, Connecticut governor Ned Lamont officially signed the state’s comprehensive privacy law into fruition on May 10, turning Senate Bill 6 into the Connecticut Data Privacy Act. In doing so, Connecticut became the fifth state to enact comprehensive privacy law. Considered to be in order with its predecessors, CDPA includes data subject rights, provisions for “dark patterns,” and provides businesses with an opportunity to cure. (Find our CDPA fact sheet here.) 
  • On May 11, the Senate voted 51-50 to confirm Alvaro Bedoya as the fifth and final member of the Federal Trade Commission. As the founding director of the Center on Privacy and Technology at Georgetown Law, Bedoya offers deep privacy policy expertise and is revered by consumer and privacy advocates. While the FTC has had largely unanimous votes in the past months, his addition empowers FTC Chair Lina Khan with the partisan majority she may need to advance on multiple fronts, including consumer privacy. 
  • While no one can steal the day from GDPR on May 25, the FTC and DOJ announced a $150 million civil penalty against Twitter. The complaint filed by the Department of Justice on behalf of the FTC, alleges that the company violated the FTC Act and the 2011 Commission order, which explicitly prohibited the company from misrepresenting its privacy and security practices.  
  • While the outlook for comprehensive federal privacy remains dim, children’s privacy has received renewed attention this year, and this May in particular. On May 25, researchers with Human Rights Watch released a report in which 164 educational technologies were analyzed. Researchers found that nearly 90 percent were designed to send the information they collected to ad-tech companies without the consent of the children or their parents. Earlier in the month, the FTC adopted a new policy statement, warning that under the Children’s Online Privacy Protection Act, it is against the law for companies to force parents and schools to surrender their children’s privacy rights in order to do schoolwork online or attend class remotely. 


In an effort to standardize enforcement, the European Data Protection Board announced new guidelines for calculating EU General Data Protection Regulation fines. Under the new guidelines, the EDPB introduces a five-step methodology for calculating administrative fines in addition to the requirements under Art. 83 — that fines should be effective, proportional, and dissuasive. The announcement comes ahead of a conference titled ‘The future of data protection: effective enforcement in the digital world,’ held by the European Data Protection Supervisor where alternative models of enforcing GDPR will be discussed. 

Additionally, Parliament’s Internal Market Committee voted to approve the provisional agreement on the proposed Digital Markets Act. Together with the Digital Services Act, which was agreed upon in April, the parallel proposals are part of Europe’s digital strategy mandate aiming to curb illegal and harmful content and ensure a competitive marketplace. The two proposals now await a final parliamentary vote in July.  


On May 11, the U.K. government declared its intentions to reform the country’s data protection regime by way of the Data Reform Bill. The announcement was made during the Queen’s Speech and follows the strategic focus of the 2021 Department for Digital, Culture, Media and Sport Consultation, “Data: A New Direction.” The reform aims to create a “trusted U.K. data protection framework that reduces burdens on businesses, boosts the economy, helps scientists to innovate and improves the lives of people in the U.K.” It would take steps to modernize the Information Commissioner’s Office and would increase industry participation in Smart Data Schemes. The announcement was closely followed by concern that the U.K. could risk its adequacy standing with the EU and threaten the data transfer flow between the two. 

Areas to watch as we enter June 

U.S. lawmakers, particularly those on the U.S. Senate Committee on Commerce, Science, and Transportation, are likely to feel the squeeze this summer. Not only have the EU-U.S. talks signaled a need for federal privacy legislation on some level, but internal politics could create a sense of urgency to progress privacy ahead of the midterm elections. A recent IAPP piece explains the contentious shift expected to follow the midterms here 

With California’s CPRA rulemaking deadline fast approaching, text of draft regulations hit the press just ahead of the holiday weekend on May 27. Setting aside the timing of the release, many privacy pros will be delving into the draft text and anxiously awaiting the next California Privacy Protection Agency Board meeting on June 6.  

And lastly, all eyes are on the June 16 EDPS conference and discussions around reimagining GDPR enforcement, which has the potential for major impacts for businesses worldwide. 

Photo by Biegun Wschodni on Unsplash

Get started today

Ensuring digital security and compliance for your future.