Privacy Beat

Your weekly privacy news update.

1. Internet Association launches PR website asking California residents to support “ad fix” to the CCPA

The Internet Association, a trade group that counts Google, Facebook, Microsoft, Amazon and eBay among its membership, has posted a website in a lobbying effort to propose an unspecified “ad fix” to the California Consumer Privacy Act (CCPA) before it takes effect Jan. 1. 

The site, with the headline “Keep the Internet Free” asserts that as it stands the CCPA will inhibit the sale of advertising which helps support free internet services. To emphasize the claim, the site includes a continuously rising “pay meter” off to one side. 

“The CCPA was never intended to prohibit the use of tailored online ads, since these ads do not require personally identifiable information — such as your name, address, social security number, email, etc. — in order to be delivered to you,” the site says. 

Jason Kint, executive director of Digital Content Next, an online publisher trade group, responded to the new site with a Tweet saying: “… Google and Facebook’s reps (called the Internet Association), just launched a propaganda site intended to undermine new California privacy law (CCPA) by confusing public into thinking their surveillance advertising is necessary to fund free content. Lies.”

At the heart of the controversy is the CCPA’s definition of “personal information,” how it may be used and the extent to which a consumer needs to give consent for that use. The website makes the claim that the CCPA was passed in a few weeks without much deliberation. The law was proposed by big tech because otherwise, a far-tougher proposal would have gone on the California ballot amid polls showing it had overwhelming public support.

2. Warner-Hawley bipartisan bill asks government to assess value of consumer data; Is it $20/month or $5/month?

Another step toward a marketplace for users’ personal data is embodied in bipartisan legislation proposed last week in the U.S. Senate by John Warner, D-Virginia, and Josh Hawley, R-Missouri. The two senators said SIL 19759, nicknamed the ”DASHBOARD” act  would ask the Securities and Exchange Commission to “develop methodologies for calculating data value, while encouraging the agency to facilitate flexibility to enable businesses to adopt methodologies that reflect the different uses, sectors, and business models.”  

It would also: 

  • Require commercial data operators (defined as services with over 100 million monthly active users) to disclose types of data collected as well as regularly provide their users with an assessment of the value of that data.

  • Require commercial data operators to file an annual report on the aggregate value of user data they’ve collected, as well as contracts with third parties involving data collection.

  • Require commercial data operators to allow users to delete all, or individual fields, of data collected – and disclose to users all the ways in which their data is being used, including any uses not directly related to the online service for which the data was originally collected.

In its story on the bill, The New York Times quoted Robert Shapiro, chairman of the economic advisory firm Sonecon, as saying that valuing user data was difficult. As someone who has tried to do it himself, “His approach: Determine advertising revenue for some of the biggest American data collectors, work out the proportion attributed to targeted ads (about half, one recent study said, based on 2015 data), and divide by the number of users. Using that approach, he found that in 2018, an average American’s data was worth about $240, or $20 a month, to big tech companies, data brokers and other firms.” Senator Warner is more cautious, The Times wrote. In an interview with Axios, he pegged the figure at $5 a month.

Bloomberg Opinion editorialized that the DASHBOARD act was a worthwhile initiative, but said it also encouraged adoption of a “fiduciary” standard for data gatherers and processors, similar to the ideas of Yale Law School Prof. Jack Balkin. 


3. Ad-tech association releases “data transparency” standard and proposes compliance process

The Interactive Advertising Bureau’s technology laboratory posted last week a near-final version of a “Data Transparency Standard Compliance Program.”  It seeks to get the programmatic advertising industry to agree to a standard taxonomy of “user segments” for advertising targeting, along with transparency standards to follow.  It also proposes a nutrition-like label that can be used by advertisers to determine the source of user profile data. Hearst Magazines and Meredith among publishers who are IAB members pushing the standards, along with a host of ad-tech companies. Google is also a member of IAB. 


IAB Tech Lab said the initiative, begun in May 2018, would “introduce ID-level transparency into a largely opaque marketplace where data segment composition is difficult to evaluate — and collection and usage practices are increasingly scrutinized via legislation such as the EU’s General Data Protection Regulation (GDPR).”  It also released a compliance guide.

It said the framework establishes

  • ID-level labeling requirements for data sellers

  • Standard audience taxonomy/data segment naming convention that’s incorporated as one of the labeling requirements

  • Open-source API to structure and communicate machine-readable label data between supply chain participants

  • Compliance program to acknowledge transparent data sellers

4. Status of amendments to CCPA murky; most are sitting in the California Senate Judiciary Committee

The status of proposed amendments to the California Consumer Privacy Act is murky.  Only seven measures cleared the Assembly, and they are sitting in a Senate Judiciary Committee with no hearing scheduled, according to a summary prepared by Monder “Mike” Khoury, an attorney with the law firm of Davis Wright Tremain LLP.  This raises the possibility that they could become vehicles for one or more negotiated amendments among the tech industry and privacy advocates as the deadline nears for legislative action.   

In a blog posted June 27, Khoury said the California Legislature’s deadline to pass any bill is Sept. 13, with the governor’s deadline to sign or veto bills a month later, Oct. 13. California Attorney General Xavier Becerra is set to release the first draft of CCPA regulations via a Notice of Proposed Regulatory Action in early fall 2019, Khoury added. 


5. Companies purchasing additional cyber insurance ahead of CCPA

Insurance Journal reported this week on an increasing sense of urgency by companies to review the language and coverage of their cyber insurance policies before CCPA goes into effect in 2020. Corporate attorneys are predicting an increase in class-action litigation soon after.

All parties are closely watching numerous bills that have been introduced that could potentially alter CCPA. In the current version of the CCPA individuals have a limited private right of action for a data breach that occurred when a company hadn’t been using reasonable data protection security measures. SB 561, which has already been killed, would have expanded a consumer’s rights so that they could bring a civil action for damages for any CCPA violation.

There are concerns of rate increases once insurance companies start paying out large settlements for violations. Many companies have already set up task forces to find ways to proactively address compliance and legal matters.

READ MORE: Anxiety, Policy Limits Rising Ahead of California’s Sweeping Data Privacy Law


Lawyers and reporters are suggesting that bipartisan privacy legislation may not emerge from Congress this year despite some optimism a couple of months ago. The problem: Democrats want a private right of action and no pre-emption of California’s tough CCPA. The tech industry and some Republicans want a federal law that weakens and pre-empts California’s. Either party needs some bipartisan support to get a bill out of either the House or Senate. 

The subscription-only Bloomberg Law service is reporting a potential fracture in the group of six senators who formed a working group on data privacy.  

CQ-Roll Call reporter Gopal Ratnam wrote after interviewing lawmakers: “The key challenges confronting lawmakers are crafting a law that not only would set a federal standard on how tech companies must safeguard consumers’ data but also provide enough remedies for consumers, and have such a bill win the backing of a plurality of lawmakers in both chambers.”

Meanwhile, there’s a fresh proposal from two California Democrats in the House — Reps. Anna Eshoo and Zoe Lofgren — whose districts include Silicon Valley.  The duo are seeking feedback on their draft “Online Privacy Act of 2019” by July 12. The measure would not tamper with or pre-empt the CCPA, and would create a “Consumer Financial Protection Bureau” rather than leave enforcement to the Federal Trade Commission. Highlights of the bill are included in a blog post by attorneys Galen Roehl and Taylor Daly at the New York law firm of Akin Gump Strauss Hauer & Field LLP.


NY data-privacy bill appears dead this session; but breach law toughening OK’d

An effort in New York (Privacy Beat, June 7) to advance a tough Internet consumer privacy law appears to have died when the measure did not emerge from committee before the June 21 end of the legislative session. The proposed New York Privacy Act (SB5642) would have provided a broad private right of action for consumers — something opposed by business and tech interests.  It also adopted Yale Law School Prof. Jack Balkin’s idea of a “data fiduciary.” (bill details) The bill would require companies to obtain consent from consumers before they share and/or sell their information by acting as fiduciary entities. New York lawmakers, however, sent to Gov. Andrew Cuomo a toughening of the state’s data-breach law.

Illinois, Maine, Maryland, Massachusetts, New Jersey, New York, Oregon, Texas, and Washington have all amended their breach notification laws to either expand their definitions of personal information, or to include new reporting requirements. Nevada adopted a CCPA-like measure a few weeks ago. 


“Data transparency is table-stakes requirement to ensure responsible and effective use of audience data — and companies that provide consistent access to detailed information about their data will attract more business. Taking part in the corresponding compliance program will further differentiate an organization, affirming their full commitment to the highest standards.”

Dennis Buchheim, executive VP and general manager, IAB Tech Lab, in a June 27, statement introducing its “Data Transparency Standard & Compliance Program.”



Circling closer to a federal privacy law, Congress has introduced 7 privacy bills this year (Digiday)

‘Only enforcement will bring change’: Ad tech responds to regulator’s GDPR warning (Digiday)

Internet Providers Look to Cash In on Your Web Habits (The Wall Street Journal)

How Media Buyers Are Downsizing Their Number of Ad-Tech Partners (Adweek)

Why younger consumers aren’t concerned about their data privacy (Axios)

Why focus on “cookies” — there are other ways of storing personal data  (Data Protection Report)

Countries back plan to create ‘free flow’ of data across borders (Engadget)


Like what you see? Then recommend to a friend.

Follow ITEGA’s Facebook page for additional links and insights:

Subscribe to Privacy Beat




Copyright © *|CURRENT_YEAR|* *|LIST:COMPANY|*, All rights reserved.

Our mailing address is:

Want to change how you receive these emails?
You can update your preferences or unsubscribe from this list.