PRIVACY BEAT: Privacy and web browsers — should publishers be looking to create an independent single-sign-on system? | Information Trust Exchange Governing Association

Privacy Beat

Your weekly privacy news update.

1. Privacy and web browsers — should publishers be looking to create an independent single-sign-on system?

California and European privacy-law changes — and moves by major browser software makers — might encourage publishers to create an alternative to Facebook Connect and Google Accounts if they want a role in helping users, says a Mozilla strategy advisor.

In a personal blog post, “The new browser consensus and SSO” — and a Q-and-A on the ITEGA website — Mozilla open-source strategist Don Marti says the laws, and browsers will stop hidden tracking of users. That creates opportunity for publishers, he says. “Could be good for the relative market power of sites that people trust more, if it turns out that people are more willing to “sign in with” (and obviously share info about themselves) on their trusted sites,” Marti writes.

Marti says that as laws and browsers make opaque user tracking either illegal or impractical, news organizations are faced with the choice of asking their users to either register locally or be part of an independent federated single-sign-on (SSO) service tuned to the needs of users and publishers.

In the Q-and-A he continues: “If the publishers established an SSO system where the user data lived inside that SSO — and is only available to the publishers of the sites where publishers chose to use that SSO — the publishers then end up with access to a bunch of user data that is attractive and is a complement to search, intent and contextual data sources.”

Publishers are looking for ways to capture ad revenue from Google and Facebook (the “duopoly”), says an article in USA Today this week about the decline in newspapers’ fortunes.

“For advertisers, the reality is the duopoly offers great scale, they offer great targeting, they offer great measurement,” USA Today quoted Lauren Fisher, principal analyst at eMarketer, as saying, “But sometimes that’s not enough. And it’s often not enough when advertisers are looking for very specific audiences. They’re looking for very specific types of branding opportunities and branding associations, which I do believe some of the newspapers still can provide.”

Google’s New Chrome Makes It Easier to Bypass Newspaper Paywalls (Slate.com)

Chrome 76 is out, making it easy to get past paywalls (TheNextWeb.com)

Circumvent those paywalls: Chrome 76 is here: Flash blocked by default, incognito mode can’t be detected (TechSpot.com)

Chrome 76 arrives with Flash blocked by default, detecting Incognito mode disabled (VentureBeat.com)

Google seeks to force identification of “cookie” purpose so they can be blocked (Chromium Blog, Ben Galbraith – Director, Chrome Product Management)

“Just four dudes”: Inside EasyList, the community-run ad-blocking list disrupting the Internet (DigiDay)

British magazine trade group says print-digital combo can flourishing (FIPP/UPM website | FULL REPORT)

So many people have told us this newsletter is valuable.
Please support the continued work of ITEGA to foster a digital marketplace that respects privacy and identity.

Donate

2. Proposed amendment to CCPA could affirm variable pricing of content for user data — but shut a door on selling user data acquired in the process

The California Consumer Privacy Act (CCPA) is adding workload to the nation’s privacy lawyers as they try to advise corporate clients on what they have to do to comply. In the latest online webinar, the firm Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C provided this week its overview.

“It is very clear the law is going to drastically affect how businesses present themselves to consumers,” said Mintz lawyer Esteban Morales. A Mintz colleague also said companies that are based in California should assume they must comply with the law if their web sites serve California residents.

One CCPA proposed amendment, AB846, which cleared a California Senate committee and appears poised to pass the full legislature next month, clarifies that websites can vary pricing and offers to induce users to join loyalty or “premium” programs — but they have to agree not to sell the consumer’s data, said Mintz lawyer Esteban Morales. The law already says a program “cannot be unjust, unreasonable, coercive or usurious in nature.”

The word “premium” presumably would apply to a publisher seeking to charge for online content. The CCPA as enacted last year has been viewed as ambiguous on the question of variable pricing in exchange for user data. AB846, if enacted, could clarify.

“This bill allows a business to offer discounts and other benefits to consumers in the context of a voluntary loyalty/rewards program, so long as the business does not sell consumer personal information collected through the program,” attorneys Taylor Bloom and Melinda McLellan wrote in a separate summary of AB846 for their Baker Hostetler firm.

AB 846 clarifies that the CCPA’s anti-discrimination provision does not prohibit a business from running a loyalty or rewards program, said John L. Landolfi, Christopher L. Ingram and Christopher A. LaRocco of the law firm of Vorys Sater Semour and Pease LLP in another summary of CCPA pending amendments. Because of the prohibition on data sales, the firm said the amendment, if approved, would have a significant impact on loyalty or rewards programs.

3. EU Court rules website owners liable for transfer of data from Facebook ‘Like’ button widget on their website because “analytics” cookies require specific consent

On July 29, the Court of Justice of the European Union released a press release stating, “The operator of a website that features a Facebook ‘Like’ button can be a controller jointly with Facebook in respect of the collection and transmission to Facebook of the personal data of visitors to its website . . . By contrast, that operator is not, in principle, a controller in respect of the subsequent processing of those data carried out by Facebook alone.”

The ruling comes from a case involving the German online retailer Fashion ID and a complaint that, “criticizes Fashion ID for transmitting to Facebook Ireland personal data of visitors to its website, first, without their consent and, second, in breach of the duties to inform set out in the provisions relating to the protection of personal data.”

The release goes on to say websites using the button must obtain consent, letting site visitors know the identity of who is receiving their data and purposes of the processing.

The court’s opinion is endorsed by attorney Christian M. Auty, a privacy lawyer at the firm Bryan Cave Leighton Paisner in Chicago. Writing on the firm’s blog, says “analytics cookies” of the type that are behind Facebook ‘Like’ button and other advertising-management technologies, require specific user consent before being deployed.

Conversely, Auty says in another blog post, session cookies don’t require specific user permission. She says: “First-party “session” cookies can be exempted from the consent requirement when they are “strictly necessary” for the functioning of the web site. Such functions can include user input features (like remembering shopping basket contents or the contact details in a form), authentication and security features (such as detecting repeated, failed login attempts), and network management cookies (to help the site run properly).”

Top European Court Rules Companies Using Facebook “Like” (Electronic Privacy Information Center)

Europe’s Privacy Rules Hurt Small Firms, Not Tech Giants (Yahoo Finance)

4. Big tech investing in data compliance technology startups

This week, data-privacy compliance startup DataGrail announced it raised an additional $5 million in funding from investors including Cloud Apps Capital Partners and Okta Ventures — while Microsoft announced its acquisition of Blue Talon, a provider of Unified Data Access Control solutions. Microsoft’s goal is to make “data discovery, access and use simple, secure, compliant and trustworthy,” across their Azure Cloud Computing products.

Meanwhile, Ethyca, a startup focused on helping companies comply with the GDPR, announced a $4.2 million investment led by IA Ventures and Founders Collective, TechCrunch reported. Ethyca’s software allows companies to discover sensitive data and then provide users tools to see, edit, or delete their data from the system. Co-founder Cillian Kieran said Ethyca tackles compliance by “managing privacy by design at the infrastructure level.” He also noted, “I think the investment represents the growing awareness fundamentally from both with the investor community, and also in the tech world, that data privacy as a regulatory constraint is real and will compound itself.” READ MORE

Microsoft acquires data privacy and governance service BlueTalon (TechCrunch)

Microsoft is acquiring a startup that will help its cloud customers control how their data is being used (Business Insider)

5. Will moves towards transparency make consumers more comfortable with sharing their data?

One-year after GDPR becoming effective, only 8% of consumers feel they have a better idea of how their data is being used and 37% didn’t even know what GDPR is, according to the results of a survey of over 250,000 global consumers by Ogury, a technology company specialized in mobile journey marketing.

A recent article for Kellogg Insight spotlighting Associate Professor of Marketing Jennifer Cutler stated, “One reason why we don’t see more consumer demand for privacy protections is that often consumers are not aware of their role as “participants” in both formal and informal studies involving giant data sets.” The article asserts that if people understood the implications of how their data could potentially be used, “they might value their personal data differently.”

In recent interviews, Facebook COO Sheryl Sandberg has continued to reiterate that the tech industry hasn’t done a good job at educating users on how their data is being used. Her statements, along with a recent campaign by Facebook to inform people about how data is used for ad targeting, indicate that the company thinks a better understanding will actually make consumers more comfortable. The Ogury survey backs this up, finding that 71% of people would share their data if they understand how it will be used, in order to be able to access apps and websites for free.

While it will be up to individuals to decide how they feel about how their data is being used, they deserve the right to an informed choice, privacy advocates say. A big part of the problem is the current state of privacy policies. “People use the apps they need for work and to stay on pace with life—they don’t read through a hundred-page terms-of-service agreement to find the one clause that’s unacceptable,” said Professor Cutler. The GDPR makes at least seven references to “clear and plain language”.

RELATED:

Google’s Chetna Bindra on importance of digital-ad transparency
AUDIO: How Tech Companies Track Your Every Move And Put Your Data Up For Sale (The Washington Post’s Geoffrey Fowler on “Fresh Air”)

WASHINGTON BEAT:

Missouri GOP senator proposes to regulate consent process as part of social-media regulation

“Companies would no longer be allowed to manipulate people into consenting by making it difficult to decline consent, and would have to design “accept” and “decline” boxes using the same formats, fonts, and sizes,” says Sen. Josh Hawley, R-Mo., in describing his Senate bill. That’s just part of Hawley’s bill, which is designed to rein in social media and require consents.

On his website, Sen. Hawley says his bill:

Requires choice parity for consent
- Companies would no longer be allowed to manipulate people into consenting by making it difficult to decline consent
- Companies would have to design “accept” and “decline” boxes using the same formats, fonts, and sizes
Gives the FTC and HHS authority to ban other similar practices
- Rules would expire after 3 years unless ratified by Congress

Public Knowledge says CapOne breach proves need for federal privacy law (Public Knowledge website)

STATE ROUNDUP:

A bill similar to CCPA is still in the Pennsylvania legislature and it would take effect immediately if passed

Son of CCPA may be brewing in Harrisburg. A Philadelphia state senator introduced earlier this year HB 1049, the “Consumer Data Privacy Act.” (TEXT) Most of its language is similar to the California Consumer Privacy Act and if passed it would take effect immediately upon the governor’s signature. But so far it hasn’t been referred to a committee for a hearing.

Pennsylvania state Rep. Ed Neilson wrote that his bill would require all businesses to provide notice to consumers on what personal information is being collected and if it will be sold. Businesses would also be required to allow consumers to opt-out of having their information sold to third parties or even have the information deleted entirely.

Meanwhile, a three-member team of lawyers from the Baker & McKenzie law firm have produced a handy chart comparing state privacy laws. Here is a printable version.

RELATED:

States Battle Big Tech Over Data Privacy Laws (The Pew Charitable Trusts)

Abortion, Data Privacy And Clean Energy Among States’ Top Legislative Topics, Stateline Finds (WABE 90.1 FM)

New York Expands Data Privacy Protections (JD Supra)

NYC Moves to Prohibit Sharing of Location Data (Womble Bond Dickinson (US) LLP)

QUOTE OF THE WEEK

“We are living in a world where our personal information is collected by businesses through our interactions and transactions. The problem is we never know what personal information is being collected and what information may be sold to a third party. Everyone deserves the right to know what personal information is being collected and sold and has a right to keep this information private. I ask that you support this legislation and join me in protecting Pennsylvania consumers by ensuring everyone can maintain their right to privacy.”

– Pennsylvania state Rep. Ed Neilson, introducing the Consumer Data Privacy Act.