1.  Albany, N.Y., new battlefront over privacy regulation: big tech pans Balkan’s “information fiduciary” concept and doesn’t want the public to sue or be “opted out” by default

A new front in the battle among privacy advocates, business and tech platforms emerged this week in Albany, N.Y.  Two New York Senate committees heard nearly three hours of testimony on two legislative proposals on Tuesday (June 4).

Spokesmen for retailers, for the big tech platforms and other technology groups all registered opposition to Senate Bill 5642, which would allow any state resident to bring suit against companies that violate privacy rights enshrined the proposed law.

They also said the didn’t like a provision of the bill required a user to affirmatively “opt-in” to sharing of their data with a website before the sharing can begin. The California Consumer Privacy Act works the other way around — consumers are presumed to OK with data tracking unless the affirmatively “opt-out.”

The principal sponsor of both bills, New York Sen. Kevin M. Thomas, pushed back in questions and the measure is left pending in committee for the moment. Privacy advocates, in testimony, generally support SB 5642. The other bill heard, Senate Bill 5575, would require public notification when there are leaks of personal data. It was seen as non-controversial by witnesses.

On SB 5642, business and tech opponents said they were opposed to a novel provision inspired by the writings of Yale Law School Prof. Jack Balkin — the so-called “information fiduciary.”

“Fiduciaries, like an attorney or a doctor, hold onto your information. They don’t share it, unless there is a need for the purpose for which they collected it,” Sen. Thomas says. “That’s not what’s going on here with these data companies and these data brokers. They’re sharing it, and we’re getting targeted.”

The opponents said they were concerned that being asked to act in behalf of the public on privacy matters could conflict with a corporation’s “fiduciary obligations” to stockholders.

In addition, the four business witnesses each said they would prefer federal privacy legislation rather than a state law.

The four opponents were representing the Retail Council of New York, TechNet, Tech New York as well as the Internet Association, which represents Amazon, Google, Facebook and other data-tech companies.

READ MORE:

https://www.wired.com/story/new-york-privacy-act-bolder/

https://gizmodo.com/new-york-state-is-pushing-one-of-the-strictest-privac-1835243364

2.  Nevada beats California by three months in giving citizens the right to opt-out of online data collection; bill signed May 29 becomes effective Oct. 1

Nevada has managed to get a jump on its next-door neighbor in adopting Internet privacy legislation. Gov. Steve Sisolak signed Senate Bill 220, which amends a 2017 Nevada data-privacy statute to add a new requirement. As of Oct.1, websites will have to give Nevada residents a right to “opt-out” of having their data sold.

The 2017 law already required websites to disclose any categories of personally identifiable information they collect and categories of third-parties they share it with. Legal observers characterized the newly enacted provision has having been much-watered-down from the initial proposal, including removal of a private-right-of-action section, and a requirement that “sale” of data must include “monetary consideration” for it to be covered by the law.  

MORE BACKGROUND:

https://www.infolawgroup.com/blog/2019/6/4/nevada-enacts-new-online-privacy-law-requiring-opt-out-rights-for-data-sales

https://www.hldataprotection.com/2019/06/articles/consumer-privacy/new-nevada-privacy-law-with-sale-opt-out-right-will-take-effect-before-the-ccpa/

3. California lawmakers sidetrack CCPA amendments sought by privacy advocates; but advance amendments to ease restrictions on “de-identified” aggregate data; and allow charging non-sharing users

In Sacramento, the California Legislature has until the end of September to advance or kill a series of amendments to the California Consumer Privacy Act, before it becomes effective on Jan. 1, 2020.  One pending proposal important to publishers could permit charging users for content if they won’t hand over personal data. A second exempts from privacy regulation consumer data which has been “de-identified” or aggregated.

The upstart search engine Duck Duck Go, which touts the fact it doesn’t collect information about individual’s search activity, joined the Electronic Frontier Foundation and Californians for Consumer Privacy on a bill to add a “private right of action” to the CCPA and make other pro-privacy changes. But lawmakers in May decided to bottle up the bill in committee, from which it is unlikely to emerge. Meanwhile, a set of amendments backed by big-tech are advancing.

For publishers, the most interesting is AB 1355, which has already passed the Assembly and is now in a Senate Committee. It would appear to allow a publisher to charge more for content if they refuse to provide personal data so long as such “differential treatment is reasonably related to the value provided to the business by the consumer’s data.”  

Another Assembly-passed bill now in the Senate, AB 846, would prohibit a website’s “premium features” from “using a financial incentive practice that is unjust, unreasonable, coercive, or usurious in nature.” The effect of these amendments, if enacted, could be to encourage the establishment of a marketplace for valuing personal information.

AB1355 also removes from the definition of  personal information “consumer information that is deidentified or in the aggregate consumer information.”  The effect of the provision would be to exempt from regulation such aggregate deidentified information. The act, sponsored by Chau, defines “deidentified” as information “that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer, provided the data’s controller “has implemented technical safeguards that prohibit reidentification of the consumer…implemented business processes that specifically prohibit reidentification…[and has] business processes to prevent inadvertent release of deidentified information…[and] makes no attempt to reidentify the information.”

A second amendment to CCPA which has cleared the Assembly and is in Senate committee makes it clear that any personal information obtained from a public-records type source may be used in any way by whoever obtains it.

The other thing happening sometime in the early fall will be release of regulations interpreting many aspects of the CCPA by California Attorney General Xavier Becerra.

4. Apple jumps into SSO market with a privacy-claiming competitor to Facebook Connect and Google Accounts

Back in 2011, Eric Schmidt, the then-CEO of Google Inc. observed that Facebook Connect was a problem. He said no single company should have a dominant control position over the sharing of identity across the web. Soon, it became clear Google was beginning to use Google Accounts for the same purpose — a web-wide federated login using the OAuth authentication standard.

Now, Apple has joined the parade, but with a twist. This week it announced “Sign In with Apple”, and began pushing App Store developers to feature it over Google/Facebook rivals when it moves from beta to production in the fall. The twist — Apple promises that it would not use the federated sign-on to track what people are doing across the web. And, it says it will allow users of the Apple sign on to create a hashed, anonymous email address — similar to what Craig’s List does — so that you can “sign on” to every website with a different, obscure email address.  When the site wants to reach you by email, it sends a message to Apple, which relays it to your real address. Now one thing that means is Apple still will know all the places where you have accounts. The question is what promises they key keep about what to do with that knowledge.

RELATED LINKS:

• https://developer.apple.com/sign-in-with-apple/

• https://developer.apple.com/sign-in-with-apple/get-started/

• https://developer.apple.com/documentation/signinwithapplejs/configuring_your_webpage_for_sign_in_with_apple

• https://developer.apple.com/documentation/signinwithapplerestapi

5. In browser privacy wars, latest Firefox version tightens up ability of user to block all tracking by Facebook — and add blocking of other tracking — by default

Users of the Firefox browser can now completely block tracking of their activity by Facebook when they aren’t within Facebook itself.  The feature comes as an update to an existing Firefox extension called “Facebook Container” that was initially rolled out a year ago. Facebook pages are loaded in a container to make it more difficult for Facebook to generate user profiles using third-party data.  (WATCH VIDEO). The year-old version would still let Facebook scripts track you, but their data was separated from your account on the main Facebook site, so Facebook could still make a “shadow profile” on a non-user who never went to Facebook. Facebook Container 2.0 blocks (breaks) Facebook scripts on non-FB sites.

“Today, we’re releasing the latest update for Facebook Container which prevents Facebook from tracking you on other sites that have embedded Facebook capabilities such as the Share and Like buttons on their site,” Firefox owner Mozilla wrote in a June 4 blog post. Mozilla said it’s been installed more than 2 million times since its March 2018 debut.

The Firefox release also contains a new feature, “Enhanced Tracking Protection”, that is turned on by default. “Over the past year, Mozilla has seen tech companies talk a big game about privacy, as people feel increasingly vulnerable to privacy issues after several global scandals,” the company wrote in a news release. “ It’s unfortunate that this shift had to happen in order for tech companies to take notice. In order to truly protect people, Mozilla needs to establish a new standard that puts people’s privacy first.”

Writing at Tom’s Hardware, Nathaniel Mott said the feature will rely on a list of known trackers maintained by Disconnect and that, “if everything works as expected, it should result in Firefox automatically blocking thousands of the technological creeps without user intervention. Sites can also be white-listed in case something breaks.”

The blog Search Engine Journal reported that the gathering of data for Google Analytics might be affected by Enhanced Tracking Protection in Firefox, but Mozilla seemed to reply that would not be the case where GA is using a first-party cookie.