PRIVACY BEAT: EPIC looks at multiple privacy proposals in Congress and gives only one bill — Markey’s — its “A” grade

Privacy Beat

Your weekly privacy news update.

1. EPIC looks at multiple privacy proposals in Congress and gives only one a bill — Markey’s — its “A” grade

Recent developments, key characteristics and assessments of pending privacy legislation in the U.S. Congress are covered in a white paper — “Grading on a  Curve” — released this week by the nonprofit Electronic Privacy Information Center (

Using a “grading curve” created by European regulators, EPIC’s paper rates various legislative proposals based on such features as the definition of personal data, individual rights to access/control/delete, obligations of data controllers, algorithmic transparency obligations, data minimization requirements, take-it-or-leave-it terms, private right of action, limiting government access to data, and no pre-emption of state laws.

The highest rating went to proposals from U.S. Sen. Edward Markey, D-Mass. Markey’s Privacy Bill of Rights Act, S. 1214, is comprehensive and responds directly to many of the current privacy threats Americans face, EPIC writes. 

“The EPIC Report finds that all of the bills lack the basic elements of comprehensive privacy law, such as a federal baseline for privacy protection, an opportunity for individuals to enforce their rights, and an independent data protection agency,” EPIC concludes. 


So many people have told us this newsletter is valuable.
Please support the continued work of ITEGA to foster a digital marketplace that respects privacy and identity.



California AG plans to publish CCPA rulemaking during October; meanwhile, stay tuned for CCPA, the sequel 

The dust is settling around the legislative process that produced the California Consumer Privacy Act (CCPA), but there are now two things to be keeping an eye on. 

FIRST, although the law is effective Jan. 1, enforcement of its provisions must be done by the office of California Attorney General Xavier Becerra. Bloomberg Business reports that Becerra told reporters he’ll issue draft regulations for public comment during October and plans to make them final and effective by Jan. 1. That means compliance will have to begin by July 1. 

On the AG’s plate for clarification is more detail on what constitutes personal information, what constitutes a “unique identifier”,  and making rules for the format of various consumer notices and incentives.

Attorney Deborah George of the Robinson & Cole law firm, asked in a blog summary the question: What might the regulations address? She says Becerra will likely:

  • Establish rules and procedures for the consumer opt-out process; 

  • Develop a recognizable and uniform opt-out logo or button for the implementation of the ‘do not sell my personal information’ link; 

  • Establish rules for consumer notices that are required by the CCPA so they are easily understood by the average consumer and are accessible to people with disabilities; 

  • Establish rules and procedures regarding verifiable consumer requests to facilitate a consumer’s request for information.

SECOND, it’s not over for regulating privacy in California. This week the group that originally sought a version of the CCPA as an initiative ballot petition said it was starting a campaign to amend and strengthen — from its perspective of consumer privacy — the new law. 

Read the draft California Privacy Rights and Enforcement Act of 2020.

“People are waking up to the fact that they’ve lost control of their information and are trying to take that control back,”  the New York Times quoted Alastair Mactaggart, the founder and board chair of Californians for Consumer Privacy, as saying. The group’s website includes six bullet points Mactaggart says he is seeking in the initiative. 

Brave browser executive Johnny Ryan took to Twitter to comment on the CPREA draft, saying it appears to apply the GDPR standard regarding what constitutes data “pseudonymization” and de-identification, and proposed to make the definition of “personal information” as broad as GDPR and also introduces a legal definition of “third party.”



Lawyers say IAB  previewed solution plans for interest-based ads; CCPA “do not sell” right

The ad-tech industry will be publishing during October a first effort at finding a way for the current third-party cookie and Real-Time Bidding ecosystem to comply with the CCPA, and will offer a 14-day-public comment period in what it is suggesting. 

Four attorneys with the BakerHostetler law firm have summarized a meeting of digital-advertising stakeholders hosted Sept. 17 by the Interactive Advertising Bureau to preview its “CCPA Industry Compliance Framework.” 

The CCPA requires that a third party cannot resell personal data it has received unless the consumer has received explicit notice, write attorneys Kyle R. Fath, Gerald J. Ferguson, Alan L. Friel and Linda A. Godstein write. That’s something that is bound to be happening in the present third-party cookie ad-tech ecosystem. 

IAB’s proposed solution, the lawyers write, is to include the sending of a variety of signals by the publisher to downstream participants in the ad-tech/interest-based advertising ecosystem.

“They also seek to address the lack of a contractual relationship between the publisher and downstream participants (such as the buy-side ad server),” the lawyers write. “To do so, IAB is developing a limited service provider contract, with which downstream participants must enter into with an IAB entity.”

As of this week, there doesn’t appear to be anything obvious on the IAB website about the “CCPA Industry Compliance Framework,” other than this general comment: “IAB is in the middle of the most critical conversations about the convergence of privacy policy, consumer preferences, identifiers, and the resulting technology solutions necessary.”


Like what you see? Then recommend to a friend.

Subscribe to Privacy Beat

4. Report asserts Google is largest supporter of advertising on ‘misinformation’ sites — despite 2016 fix efforts

A report this week by a British-based nonprofit tracker finds that, because it looms so large in the digital advertising world, Google is also by far the largest revenue source for so-called “disinformation” web sites. It asks ad exchanges to become more open about their placements in disinformation sites. 

“Just like with corruption, a lot of this stuff happens in the dark,” said Craig Fagan, program director at The Global Disinformation Index was quoted by as saying.  “There’s a risk involved for brands by being next to risky content. Disinformation is risky content just like pornography is.” “It’s not about pointing fingers at Google or any one company,” Fagan added. “It’s about pointing fingers toward change. If we’re able to undo the financial incentive, then we’re able to break the system,” Fagan was quoted by Vice as saying.

Only the ad exchanges know the amount that they have paid disinformation domains,” said GDI in its report. “GDI invites them to work with us to effectively scope and stop the funding of disinformation.”

Vice said that Google says it removes billions of ads each year for violating its policies, some of which target certain deceptive content. But it has no rule for “fake news” per se, partly because it sees accuracy as a publisher’s responsibility, and partly because of the difficulty of defining the problem. “The lines between hyper-partisan content, state-backed propaganda, and stories concocted purely for financial gain are blurry at best,” wrote Vice’s David Uberti. also referenced the GDI’s study and noted it was based on a sample of about 20,000 websites found by (Poynter-owned) PolitiFact and others to publish misinformation. The GDI report estimates that ad technology companies spend about $235 million annually running ads on such sites. 

“Our estimates show that ad tech and brands are unwittingly funding disinformation domains. These findings clearly demonstrate that this is a whole-of-industry problem that requires a whole-of-industry solution,” said Clare Melford, co-founder and executive director of the GDI, in a news release. It found ads from big brands like Amazon and Office Max on the suspect sites. 

According to the GDI study, Google served about 70% of the websites sampled. It also provided about 37%, or $86 million annually, of their revenue. The next few companies didn’t even come close in their support for misinforming sources.

“Based on our sample, Google provides programmatic adverts to the largest portion (70 percent) of domains that we assessed,” GDI reported, adding: “It was followed by AppNexus (8 percent), Amazon (4 percent), Criteo (4 percent) and Taboola (4 percent), respectively.  Among our sample of disinformation domains, companies like Google, Taboola, and Revcontent are over-represented when compared to their overall market dominance on the open web.

After the 2016 election, Google said it would restrict ads on sites that “misrepresent, misstate, or conceal information about the publisher, the publisher’s content, or the primary purpose of the web property.” It has no rules explicitly against misinformation, Poynter wrote. 

The Global Disinformation Index is a UK-based not-for-profit that operates on the three principles of neutrality, independence, and transparency. 




Unlike for-profit social media, public social media would be explicitly noncommercial — no brand accounts allowed. In fact, there would be no accounts for any organizations — this network is for people only. An account on a public media platform would be tied to a real-world, local identity, like a driver’s license or library card. Anonymity online has real benefits, and a user name doesn’t have to be your real name. The public social media network could keep this information hashed, unscrambled only when action against a user is required, which would make it easier to crack down on fake and troll accounts.

–  Former Tumblr director Mark Coatney in a Sept. 24, 2019, New York Times op-ed proposing that U.S. public-media create a nonprofit social network.

Share Share

Tweet Tweet

Share Share

Forward Forward




Copyright © 2019 Information Trust Exchange Governing Association, All rights reserved.

Want to change how you receive these emails?
You can update your preferences or unsubscribe from this list.

Email Marketing Powered by Mailchimp