1. Is Facebook frustrating EU research partners with vague data related to privacy and elections? Public statement sheds light

Philanthropic funders of a Europe-based data-privacy research effort have begun to withdraw support and the researchers have gone public with a statement implying Facebook has continuously delayed for more than 18 months release of aggregate URL data on privacy and politics which it had promised, the researchers say.

“The current situation is untenable,” says a statement posted in December and signed by 10 participants in the Social Science One initiative which is studying the effect of social media on democracies and elections. “Heated public and political discussions are waged over the role and responsibilities of platforms in today’s societies and yet researchers cannot make fully informed contributions to these discussions. We are mostly left in the dark, lacking appropriate data to assess potential risks and benefits. This is not an acceptable situation for scientific knowledge. It is not an acceptable situation for our societies.”

The statement credits Facebook with being the first platform to explore an academic partnership model, but asserts Facebook is not yet providing a promised URLs dataset, or access to Facebook APIs. “Delays in these matters can no longer be tolerated,” the statement says. 

Signers of the post include researchers on the European Advisory Committee of Social Science One, along with academicians at George Washington University, Harvard University and Stanford University.

CCPA: WEEK ONE

As the CCPA took effect this week, there were these developments:

• The office of California Attorney General Xavier Becerra developed and made public a three-page fact-sheet about the law aimed at consumers.

• A GitHub contributor created an alphabetical list of “opt-out” links consumers can use and invited contributions to expand it. The list is at: CAPrivacy.me 

• One Twitter user posted screen captures which appeared to show Facebook was giving its users an either-or option — allow the company to retain personal data, or delete your entire Facebook account. 

Political compromise in Sacramento means CCPA doesn’t go far enough, says co-author now working in DC; implementation forces visiting dozens of sites; what is Facebook doing?

The CCPA doesn’t go far enough, says Mary Stone Ross, one of three principal authors of the original proposal that was amended into law in 2018. She now works for the Electronic Privacy Information Center (EPIC) in Washington D.C. “Regulation must shine a light on what data is collected and grant consumers control over its use and remedies for its misuse,” she writes in a opinion piece on FastCompany.com.

The CCPA co-author, Stone Ross, says that removed from CCPA in a political compromise was a provision allowing to directly sue, rather than leaving enforcement up to the California attorney general’s office alone.  And the law watered down language which prohibited companies from charging more or providing less service to people who “opt-out” of sharing their personal data.

“Although the legislative deal was struck in good faith, industry has relentlessly lobbied for legislation that will fundamentally undermine the CCPA, while simultaneously attempting to preempt it with equally aggressive lobbying campaigns in Washington,” Stone Ross writes, adding: “Weakened enforcement is one of the most egregious mistakes that was made in the legislative compromise in California.”

Increasingly, privacy advocates feel the idea of “notice and consent” which undergirds both the CCPA and the EU’s General Data Protection Regulation (GDPR) will be circumvented by companies. They are looking to Washington, D.C., and to a new California ballot initiative to instead make specific uses of data presumptively illegal without consumer permission.

In the meantime, the CCPA  is “more of a right to request and hope for deletion,” says Joseph Jerome, a policy director at privacy group Common Sense Media/Kids Action.

Another challenge for consumers under the CCPA is the sheer logistics of going to potentially hundreds of individual web sites to express privacy preferences and “opt-out” of their use of personal data.  Instead, new law could require that all data acquirers be forced to respect “do not track” (DNT) flags set within the user’s web browser or application no matter where the consumer is visiting.

“If you need a case study in why @AGBecerra needs to make certain DNT universal opt-out signals are clearly honored by all parties and Google/Facebook need to stop tracking across websites under CCPA, take a look at LA Times roll-out today,” tweeted Jason Kint, head of Digital Content Next, the trade association of large, legacy digital publishers. He added in another tweet: “All eyes now on the California Attorney General office as Facebook plays chicken.”  

Kint, the publishing-industry representative, says the current approach to CCPA compliance “makes it easiest to opt out of individual sites you visit and trust and near impossible to opt out of hundreds/thousands of trackers you have no idea exist and actually track you across the web…it mostly hurts $ of sites who make it easiest to opt out.”

Former ad-agency executive turned privacy champion “Doc” Searls tweeted that tracking-based advertising “should be opt-in, not opt-out” and that browser software should be equipped for that purpose.

RELATED LINKS

• LA Times: Notice of right to opt out  | Los Angeles Times website

• What does CCPA mean? Nobody agrees | Natasha Singer, NY Times

• No one is ready for CCPA, or clear about compliance | Kim Lyons, The Verge

• Companies aren’t ready for CCPA compliance | John Hughes, Bloomberg Law

• The chaos of California’s new privacy law has begun | Whitney Kimball, GizModo

• California expands digital privacy rules — will people use them? | Rachel Lerman, KCRA 3-NBC

• CCPA — What your need to know | Lydia O’Connor, HuffPost 

• Los Angeles Times’ main story about CCPA and consumers | Times Staff 

• USA Today’s take on CCPA — you have to take action | Arlene Martinez, USA Today

• California’s privacy law arrives to confusion and costs for businesses | Hannah Murphy, FT.com

• GDPR was a warmup; CCPA arrives with a bang | Tim Peterson, DigiDay

• U.S. retailers rush to comply with CCPA, adding “do not sell” to websites | Nandita Bose, Reuters

• OPINION: Surviving surveillance — demand online privacy | Geoffrey Fowler, Washington Post 

• VIDEO: Ten-minute video on what consumers need to know re CCPA | Nick Espinosa, YouTube 

• VIDEO: CNET / CBSN 90-second overview: What does CCPA actually do? | CBS News via YouTube 

• What about CCPA and access for those with disabilities? | Angela Matney, Loeb & Loeb LLP 

IMPLEMENTING CCPA: EXAMPLES

Unlike LA Times, Mozilla joins Microsoft in extending CCPA protection globally to all browser users  

Mozilla, the nonprofit maker of the Firefox browser, reported in a Dec. 31 corporate blog post that it is extending new settings and privacy rights to all of its browser users globally, regardless of where they live.  This approach is similar to that announced by Microsoft and Amazon, but in contrasts to sites such as the Los Angeles Times, which depend heavily upon advertising revenues.

“Much of what the CCPA requires companies to do moving forward is in line with how Firefox already operates and handles data,” says the Mozilla policy blog post. “Changes we are making in the browser will apply to every Firefox user, not just those in California.” 

Mozilla allows browser users to create a profile for storing links and personal preferences.  It also gathers what it calls “telemetry data” about open tabs and session times. Now, Mozilla said, it will allow users to demand deletion of telemetry data, even though CCPA does not define such data as “personal data.”

The LA Times “notice of opt out” lists five different websites a user “must utilize” to opt out of the paper’s personal data tracking, and adds: “Your choices for this browser do not apply to our mobile app” and “if we reasonably believe that you are not a California resident, you may not exercise these rights.”

Most U.S. companies not ready for CCPA, Gizmodo wrapup story quotes security researcher as saying; ambiguity over “sale” flummoxes advertisers, others

In the first week under the California Consumer Privacy Act (CCPA), there are challenges around implementation and meaning.

“Most U.S. companies are far from CCPA ready,” Altaz Valani, director of research at the software security company Security Compass, told Gizmodo in an email. “U.S. companies with operations in the EU that have proactively made changes to their privacy practices when the GDPR [Europe’s General Data Protection Regulation] came into effect are ahead of the compliance curve, but the majority of companies are still in preparation-mode [and] are not expected to be compliant by the January 1, 2020 deadline.”

“The law has created an enormous challenge for the [advertising] industry as well as others that are information-based industries,” Michael Hahn, senior vice-president of the Interactive Advertising Bureau (IAB), told The Financial Times. “There’s no issue that has posed more of a problem to lawyers in the privacy and ad tech space than what does the definition of ‘sale’ mean in a digital advertising context.”

The “sale” has left companies like Facebook able to argue they do not “sell” consumer personal information, even though the company makes money selling advertising targeted based on that data. The question seems destined to end up in court once CCPA enforcement begins June 1.

Mozilla’s Don Marti, appeared to spend part of Jan. 1 testing implementations of CCPA.  He credited big consumer-data aggregator Experian with a “very slick” interface, tweeting: “I was able to opt out of having my personal info used for #surveillance #marketing without affecting the credit-reporting side.” Marti also created a generic opt-out request letter that he then posted for anyone to use. “Don’t know how well it works because I just started sending them today,” he added.

Over at Oracle, Marti noted the company had split its databases of user data into multiple pieces, require an individual opt-out submission at each one.  “Were in #CCPA does it say that you’re allowed to shard your database of people’s personal info and make people opt out of every shard individually?” Marti tweeted.

Axios’ Kia Kokalitcheva’s piece on the first day of CCPA includes links to pages at Google, Facebook, Apple and Amazon that show what information they gather. She also includes links to a typical hospital privacy implementation, the financial-service firm Intuit and the car-maker Tesla. She also links back to an April Axios story, “What the internet knows about you,” explaining how to opt out of data-gathering by a variety of Internet people-search services.

RELATED LINKS:

• Digital Advertising Alliance opt-out tool goes live | Odia Kagan, Fox Rothschild LLP 

• The DAA opt-out tool | PrivacyRights.info explained  

• Telcom AT&T’s Do Not Sell opt-out page | AT&T Website

• What consumer data aggregator Experience offers | Experian website

• Oracle access to consumer data rights | Oracle website 

• What about hotel loyalty programs? | Robert E. Braun, Jefer Mangels law firm via HospitalityNet.org

• Example of retail site which ignores Do Not Track signal | New Seasons Markets

• Are you collecting geolocation data but don’t know it? | Joseph Lazzarotti, WorplacePrivacyReport

• CCP and hardware makers — what are implications? | Dean Takahashi, VentureBeat.com

• LINK: View/adjust “ad preferences” guesses by Facebook | Facebook