Privacy Beat

Your weekly privacy news update.

1. Data mapping and compliance vendor lands $200M investment as market for privacy services appears to heat up

OneTrust, an Atlanta-based data-mapping and privacy-compliance services company, reported last week that it had received a $200-million equity infusion at an implied valuation of $1.3 billion. The five-year-old company has 1,000 employees and about 3,000 clients in 100 countries. Half the employees are in R&D.

It was the best valuation yet reported for a young company in the data-privacy marketplace. New York-based Insight Partners, a venture and private-equity firm with $23 billion in managed assets, made the investment.

OneTrust Chairman Alan Dabbiere has two other Atlanta tech startups under his belt. He says OneTrust works as a dashboard for a company’s privacy department, helping it guard against inappropriate use of customer data and comply with privacy laws. He said Atlanta is a center for “global privacy innovation.”

“Data-privacy compliance companies are enjoying a surge of interest,” reporter Paul Sawers wrote in a July 11 story about the OneTrust stake. “The privacy laws being implemented around the world differ in terms of their requirements, but their purpose is the same: to formalize how companies manage and track personal data.” 

On July 10, the privacy compliance firm TrustArc said it had raised $70 million in a Series D round from private-equity firm Bregal Sagemount. Accel Partners, DAG Ventures, Baseline Ventures, Industry Ventures, and Icon Ventures are previous investors. The company helps organizations, including Fortune 500 companies such as AT&T, IBM, and Alibaba, comply with GDPR, CCPA, and other laws.

RELATED LINK: BigID Launches Privacy Certification Program to Train the Next Generation of Data Privacy … Business Wire (press release)



2. Washington Post preparing for life after the “cookie” for ad targeting — can other publishers join?

The Washington Post is working on technology that will watch readers on its website and use AI to figure out their interests in order to serve relevant advertising, according to a July 16 story by DigiDay ad-tech reporter Jessica Davies. The Post calls the project “Zeus Insights” and says it is designed to help adjust to a world in which third-party-cookie-driven ad targeting goes away.

“This is about how we build the media businesses of tomorrow,” Jarrod Dicker, VP of commercial technology and development at The Post, told Davies. “It would give publishers a more collective understanding of [being part of] a network, and that then starts to become the opportunity to really challenge the platforms and not feel so closed off because the opportunities are happening on individual platforms.”

The Post plans to license its platform to other publishers, the account said, by integrating it with its Arc technology platform.  It was not clear in the article how Zeus Insights would be networked among publishers.

3. California Senate committee OKs bill that privacy advocates say weakens CCPA’s handling of “deidentified” data; watch Aug. 12; premium-services charge apparently maintained

A California Senate Committee reversed itself and unanimously approved a proposed amendment to the California Consumer Privacy Act.  The amendment would weaken handling of “deidentified data,” say privacy proponents.  

The move comes as Aug. 12 emerges as the next key date for observers to figure out whether the CCPA will be amended before it takes effect Jan. 1.  The California Senate was to adjourn for summer recess on July 12 and return Aug. 12. On that date, multiple CCPA-amending bills are scheduled for committee hearings. 

On July 9, the Senate Judiciary Committee, meeting for nearly 12 hours in Sacramento, approved and rejected various amendments to the CCPA that had already been through the California Assembly. One of them, AB 873, proposes to change the definition of “deidentified” information. The committee first deadlocked 3-3-3 on the measure but then, on a move to reconsider, approved it 9-0.

The amendment would also add the word “reasonably” in two places where “personal information” is defined, making it easier for data companies to argue they aren’t responsible for a data hack exposing personal information in an “unreasonable” way. 

The “deidentification” issue is important for advertisers, publishers and other data aggregators, who are seeking ways to continue to personalize ads and content to individuals’ interests without having to know each individual’s unique attributes.  The proposed amending language would substantially lighten the burden on data-tech companies handling deidentified information. 

Here is how the CCPA defines “deidentified” (emphasis added): 

(h) “Deidentified” means information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer, provided that a business that uses deidentified information:

(1) Has implemented technical safeguards that prohibit reidentification of the consumer to whom the information may pertain.

(2) Has implemented business processes that specifically prohibit reidentification of the information.

(3) Has implemented business processes to prevent inadvertent release of deidentified information.

(4) Makes no attempt to reidentify the information.

Here is how AB 873, in the form passed 9-0 in committee last week, defines “deidentified”:

(h) “Deidentified” means information that does not identify and is not reasonably linkable, directly or indirectly, to a particular consumer, provided that the business makes no attempt to reidentify the information, and takes reasonable technical and administrative measures designed to:

(1) Ensure that the data is deidentified.

(2) Publicly commit to maintain and use the data in a deidentified form.

(3) Contractually prohibit recipients of the data from trying to reidentify the data.

Another CCPA amendment, which would confirm the right of publishers to charge for “premium services” after a consumer refuses to share personal data, appeared to survive and was sent to the California Senate Appropriations Committee on an 8-0 vote. AB 846, if it becomes law, would state that a publisher or other entity is permitted to charge “a different price, rate, level, or quality of goods or services,” if a consumer declines “participation in a loyalty, rewards, premium features, discount, or club-card program.”

4. The clock is ticking for Congress to act on data privacy; failures happening on the state level

Congress goes on recess in August, and lawmakers don’t seem any closer to passing data privacy legislation. Politico reported that Sen. John Kennedy (R-La.) called the situation “embarrassing.” The issue of state versus federal laws is particularly contentious, with California Democrats holding firm against any legislation that would weaken CCPA. Meanwhile, the White House hasn’t weighed in heavily on the issue.

While some states are making progress on their own legislation, others are struggling as well. The New York Privacy Act failed to make it very far in the 2019 legislative session, facing strong opposition from the business community and getting no co-sponsors in the Assembly. In Hawaii last week, Gov. David Ige vetoed a bill that would prohibit telecommunications companies from selling customer location data without first obtaining explicit consent.


5. $5 Billion Fine Against Facebook

Last week the Federal Trade Commission voted 3-2 to fine Facebook $5 billion, or roughly one month of revenue, for data privacy violations. While it is a record-setting amount, critics think the penalty should have been harsher. Following the announcement, Facebook stock jumped 1.8% the same day, hitting the highest price in nearly a year.

The fine won’t end the scrutiny that Facebook is under. While the details are not known, sources told The Wall Street Journal that other legal requirements were also imposed as part of the settlement. A formal announcement is expected in coming weeks.


“There is highly likely to be a shift to context and environment for advertising as data becomes less commercially available in the coming months . . . If that directs more money to publishers rather than intermediaries, then that is probably a good thing for the health of the media ecosystem as a whole.”

– Richard Dance, chief digital officer, Spark Foundry and Blue 449. 

Quoted at DigiDay. 


“Outrage is profitable. Most of the outrage I’ve seen in the online world – I would guess 80% – someone’s faking it for profit . . . I’m mostly concerned about the way social media platforms can be weaponized, that they sometimes forget to provide informed consent regarding the uses of your personal data . . . I do feel that any site should tell you what it would like to collect and what it would like to share with others and then ask your permission.”

– CraigsList founder/owner Craig Newmark 

Quoted July 14, in The Guardian.


A fresh (July 17) wrapup on the ICO fines against British Airways and Marriott International (JD Supra)

Democrats find unity in trashing big tech (CNN)

Facebook Embeds ‘Hidden Codes’ To Track Who Sees And Shares Your Photos (Forbes)

Don’t Count on Government to Protect Your Privacy (The New York Times)

Data Flows: What’s Really at Stake in the “Schrems II Case” (Disruptive Competition Project)

United States: Dealing With An Investigation: Data Collection And Management (Mondaq News Alerts)

German privacy commissioners ban Windows 10 and Office 365 in schools (MSPoweruser)

Data security a priority, experts say (Newsday)

How much is your data worth to tech companies? Turns out, it’s hard to say (USA TODAY)
