1. EPIC looks at multiple privacy proposals in Congress and gives only one a bill — Markey’s — its “A” grade

Recent developments, key characteristics and assessments of pending privacy legislation in the U.S. Congress are covered in a white paper — “Grading on a  Curve” — released this week by the nonprofit Electronic Privacy Information Center (EPIC.org).

Using a “grading curve” created by European regulators, EPIC’s paper rates various legislative proposals based on such features as the definition of personal data, individual rights to access/control/delete, obligations of data controllers, algorithmic transparency obligations, data minimization requirements, take-it-or-leave-it terms, private right of action, limiting government access to data, and no pre-emption of state laws.

The highest rating went to proposals from U.S. Sen. Edward Markey, D-Mass. Markey’s Privacy Bill of Rights Act, S. 1214, is comprehensive and responds directly to many of the current privacy threats Americans face, EPIC writes. 

“The EPIC Report finds that all of the bills lack the basic elements of comprehensive privacy law, such as a federal baseline for privacy protection, an opportunity for individuals to enforce their rights, and an independent data protection agency,” EPIC concludes. 

MORE PRIVACY LINKS

• Google’s ‘Right to Be Forgotten’ Approach Wins Nod From EU Court (Richard Adhikari, ECommerce Times and New York Times)
• Future of Privacy statement on EU Court of Justice “right-to-be-forgotten” decision (FPF.org)
• Google is said to have blocked World Wide Web Consortium privacy initiative (Gerrit De Vynck, Bloomberg Business)
• Share, trade, sell: How to win consumer trust with responsible data partnerships (Alex Springer, PerformanceIN)
• Establishing a Robust Law School Educational Program for Privacy Law – TeachPrivacy (Daniel Solove, TeachPrivacy.com)
• WHITE PAPER: Artificial intelligence: Impact on privacy and security (Brenda Leong, FPF.org)
• Facebook’s suspension of thousands of apps reveals wider privacy issues (Kate Conger, NYTimes)
• Preparing for data breaches: Advice and checklist from the British regulator (ICO.org)
• AccessNow calls on EU to end data sharing deal that benefits 5,000 U.S. companies (Jennifer Baker, CPO Magazine)
• Bezos says Amazon is drafting proposed legislation governing facial recognition (Jason Del Rey, Vox.com)

2. CCPA: NOW WHAT?

California AG plans to publish CCPA rulemaking during October; meanwhile, stay tuned for CCPA, the sequel 

The dust is settling around the legislative process that produced the California Consumer Privacy Act (CCPA), but there are now two things to be keeping an eye on. 

FIRST, although the law is effective Jan. 1, enforcement of its provisions must be done by the office of California Attorney General Xavier Becerra. Bloomberg Business reports that Becerra told reporters he’ll issue draft regulations for public comment during October and plans to make them final and effective by Jan. 1. That means compliance will have to begin by July 1. 

On the AG’s plate for clarification is more detail on what constitutes personal information, what constitutes a “unique identifier”,  and making rules for the format of various consumer notices and incentives.

Attorney Deborah George of the Robinson & Cole law firm, asked in a blog summary the question: What might the regulations address? She says Becerra will likely:

• Establish rules and procedures for the consumer opt-out process; 

• Develop a recognizable and uniform opt-out logo or button for the implementation of the ‘do not sell my personal information’ link; 

• Establish rules for consumer notices that are required by the CCPA so they are easily understood by the average consumer and are accessible to people with disabilities; 

• Establish rules and procedures regarding verifiable consumer requests to facilitate a consumer’s request for information.

SECOND, it’s not over for regulating privacy in California. This week the group that originally sought a version of the CCPA as an initiative ballot petition said it was starting a campaign to amend and strengthen — from its perspective of consumer privacy — the new law. 

Read the draft California Privacy Rights and Enforcement Act of 2020.

“People are waking up to the fact that they’ve lost control of their information and are trying to take that control back,”  the New York Times quoted Alastair Mactaggart, the founder and board chair of Californians for Consumer Privacy, as saying. The group’s website includes six bullet points Mactaggart says he is seeking in the initiative. 

Brave browser executive Johnny Ryan took to Twitter to comment on the CPREA draft, saying it appears to apply the GDPR standard regarding what constitutes data “pseudonymization” and de-identification, and proposed to make the definition of “personal information” as broad as GDPR and also introduces a legal definition of “third party.”

RELATED LINKS: 

• Blog post provides links to earlier CCPA testimony  at AG’s hearings (Husch Blackwell LLP)

• Law firm develops “CCPA Scope Advisor” (Fox Rothschild LL)

• Must you display “do-not-sell” link on all subsequent website visits? Yes, says lawyer (Goli Mahdavi, Byan Cave Leighton Paisner BCLP)

3. ADVERTISING TECH:

Lawyers say IAB  previewed solution plans for interest-based ads; CCPA “do not sell” right

The ad-tech industry will be publishing during October a first effort at finding a way for the current third-party cookie and Real-Time Bidding ecosystem to comply with the CCPA, and will offer a 14-day-public comment period in what it is suggesting. 

Four attorneys with the BakerHostetler law firm have summarized a meeting of digital-advertising stakeholders hosted Sept. 17 by the Interactive Advertising Bureau to preview its “CCPA Industry Compliance Framework.” 

The CCPA requires that a third party cannot resell personal data it has received unless the consumer has received explicit notice, write attorneys Kyle R. Fath, Gerald J. Ferguson, Alan L. Friel and Linda A. Godstein write. That’s something that is bound to be happening in the present third-party cookie ad-tech ecosystem. 

IAB’s proposed solution, the lawyers write, is to include the sending of a variety of signals by the publisher to downstream participants in the ad-tech/interest-based advertising ecosystem.

“They also seek to address the lack of a contractual relationship between the publisher and downstream participants (such as the buy-side ad server),” the lawyers write. “To do so, IAB is developing a limited service provider contract, with which downstream participants must enter into with an IAB entity.”

As of this week, there doesn’t appear to be anything obvious on the IAB website about the “CCPA Industry Compliance Framework,” other than this general comment: “IAB is in the middle of the most critical conversations about the convergence of privacy policy, consumer preferences, identifiers, and the resulting technology solutions necessary.”

ADVERTISING LINKS:

• Publishers asked to help provide new way to serve ads without “cookies” (Garett Sloan, AdAge.com)

• Ad tech execs brace for Apple to scrap in-app ad tracking (Jessica Davies, DigiDay)

• How Safari’s ITP 2.3 update is cracking down on link-decoration (URL-append)  abuses (Allison Schiff, AdExchanger.com)

• MailOnline tests ID5 /  IAB-DigiTrust ID as replacement for Safari-blocked third-party cookies (Lucinda Southern, DigiDay)

• A Simple Way to Make It Harder for Mobile Ads to Track You (Lily Hay Newman, Wired.com)

• SEC charges Comscore, former CEO with fraud and falsifying key metrics (The Drum)

• SEC charges media-analytics firm Comscore Inc. and former CEO with $50M fraudulent revenue overstatement (SEC Website)

• Comscore charged with fraudulent accounting, agrees to $5 million settlement with SEC (AdAge.com)