PRIVACY BEAT: After Senate Commerce hearing, what are the key negotiating points between Dems and GOP?

Privacy Beat

Your weekly privacy news update.

1. After Senate Commerce hearing, is “private right of action” moving in direction of compromise?

The hint of a possible compromise that could remove one of two big obstacles to federal digital-privacy legislation appeared during a Senate Commerce Commmittee hearing this week. Republicans, advertisers and the tech industry generally oppose giving citizens the right to sue over privacy violations other than data breaches. Democrats support doing so.

In testimony, Michelle Richardson, director of privacy and data at the Center for Democracy and Technology urged a middle ground. “We’d like to propose that the solution lies somewhere in between allowing consumers to sue about everything and suing about nothing,” she testified.

Senator Roger Wicker, R-Miss., the committee chairman, noted recently that while his proposal does not contain a private right of action, he would consider including one in legislation if it was sufficiently narrow. Wicker’s bill proposal  l (DRAFT COPY HERE)  is called the “United States Consumer Data Privacy Act of 2019.”

“Private right of action for marginalized communities is really critical,” Dylan Gilbert, policy counsel at Public Knowledge, told The Verge’s Makena Kelly in her story on the hearing.  “Marginalized communities historically haven’t been able to rely on the government to protect their interests. It’s really important that individuals can have their own day in court.”

On the other key partisan dispute over privacy — whether federal law should pre-empt stricter state laws — there appears no clear compromise possibility yet.  The California Consumer Privacy Act and European regulations focus heavily on regulating when consumers must be offered notice, and the chance to give or withhold consent for use of personal data. 

But in Wednesday’s hearing, the testimony suggested more thought should be given to specifying what data companies can use or process, how and when.  And testimony also challenged whether defining “third-party” vs. “first-party” use was as important as when and how the data is used. 

Other important issues surfaced in testimony: 

  • Where to draw the line beween what is “sensitive” personal information vs. non-sensitive information, and the different treatment for each.  One witness, Maureen Ohlhausen, attorney representing the cable and telcom industry’s 21st Century Privacy Coalition, said, “I don’t think the coalition has a position” on whether facial-recognition data is “sensitive.”
  • Where regulation should be focused on “notice and consent” or on how data is used once a company has it — or both. 
  • How to resolve thorny definitional questions such as “what is a data broker”?  The leading bipartisan propsals appear to want to leave this up to Federal Trade Commission (FTC) rulemaking.
  • Former FTC commissioner Julie Bill, who is now a corporate attorney and privacy executive at Microsoft Inc., testified that emerging laws are putting an “unintentional thumb on the scale favoring big companies who can serve ads.”

The last comment prompted Sen. Maria Cantwell, the committee’s ranking Democrat, to observe: We are not going to have a free media in this country if we are not willing to persist on this . . . they will have all of the money and all of the advertising.” 

MORE FROM WASHINGTON:

Does your organization need customized privacy compliance solutions? ITEGA  can help.

We bring together support you need to approach compliance with CCPA, GDPR if needed, and future privacy legislation as it emerges.

Learn More

2. Ad industry’s 41-page framework distinguishes between “sensitive” and “non-sensitive” data

A lobbying coalition of the biggest U.S. advertisers delivered its 41-page “comprehensive privacy principles” to members of Congress this week. (DOWNLOAD DOCUMENT

It downplays the idea of “notice and consent” which is prominent in European and California privacy laws, calling instead for “clearly defined and prohibited practices that put personal data at risk or undermine accountability, while preserving the benefits to individuals and our economy that result from the responsible use of data.” 

Privacy for America’s 41-page proposed framework largely mirrors current self-regulatory codes — but with a few tweaks, writes Wendy Davis at DigitalNewsDaily. She says that code has long called for companies to allow the use of “non-sensitive” data unless the user specifically opts-out — says “no.” It requires an affirmative “OK” — an opt-in — before so-called “sensitive” data can be collected or used. “Sensitive data” includes health, financial, biometric, and geolocation information, call records, private emails, and device recording and photos.

Commenting in AdAge’s story on the framework, digital ad consultant Ana Milicevic said the document doesn’t even mention the word advertising until page 33, and appears focused only on digital data, not on the collection of data by off-line brokers. Earlier, the Privacy for America coalition proposed in a Nov. 21 letter that Congress should require companies to obtain people’s opt-in consent before obtaining “sensitive” data.

3. Gartner research asserts 80% of marketers will abandon “personalization” by 2025; a move toward mood sensing?

An estimated 80 percent of marketers will move away from ad-tech’s pervasive attempts at “personalized” advertising by 2025, experimenting instead with artificial-intelligence-driven efforts to sense the emotions buyers,  a Gartner Inc. study predicted this week. 

The research report, “Predicts 2020: Marketers, They’re Just Not That Into You,” is offered only to clients of Gartner, a major research and advisory company.  But Gartner summarizes its findings in a news release.  It doesn’t say “personalization” as a strategy will go away, it just says it will be applied more methodically with user data consent-management at its core.

“By 2024, artificial intelligence identification of emotions will influence more than half of the online advertisements you see,” Gartner says.  It says by 2022, a quarter of marketing departments will have a dedicated behavioral scientist or ethnographer on full time. And by 2023, “one-third of all brand public-relations disasters will result from data-ethics failures,” the news release adds.

The Gartner assertions buttress the findings of a May academic study from researchers at the University of Minnesota, UC-irvine and Carnegie Mellon University, cited at the time by Jason Kint, CEO of Digital Content Next, the trade-group for branded digital publishers. It found the currrent approach to behavioral advertising did not clearly demonstrate that it works for marketers. 

In a June 6 post, “Behavioral advertising: The mirage built by Google,”  Kint said the study team “found that behavioral advertising, as measured and delivered based on third party cookies, increased publisher revenues by a mere four percent” in an ecosystem that largely benefits the finances of intermediaries, including Google, not publishers. 

RELATED LINKS:

4. Google will respect CCPA user opt-out, following IAB Tech Lab specification; crippling TP bidding for competitors?

Google has decided it will go along effective Jan. 1 with a key initiative of the ad-tech industry and block some third-party targetting — and do so using specifications published by the Interactive Advertising Bureau (IAB) tech affiliate. The company’s decision came in an undated blog post about its plans to comply with the California Consumer Privacy Act (CCPA). 

“Google intends to read the Interactive Advertising Bureau’s (IAB) Tech Lab’s v1.0 technical compliance specifications for passing the us_privacy string in our publisher ad products and apply restricted data processing when the string indicates a user has opted out,” the post says. 

AdExchanger reporter Allison Schiff scooped others with a report on Wednesday about the Google decision. She explained how Google will manage programmatic ad serving when a consumer has “opted out” under the CCPA from having their personal data used or shared.  The IAB published its consent-string compliance specifications in mid-November.

Google’s decision is a win for the IAB, the ad-tech industry’s lobby and technical-specifications body (which includes some publishers as members, as well), because it tends to set up the IAB as arbiter of how ad-tech will evolve in an era of increasing personal privacy and data regulation. It’s impact, however, may be to make it much harder for Google’s competitors to target advertising when they rely upon their own or third-party data.

In mid-November, Google had said it would allow sites and apps to disable some aspects of personalized targetting if they wished. But the new position suggests Google will involve itself actively in such efforts. One impact could be to enshrine Google’s own “first-party” user data collection efforts as more valuable, Google critics assert.

Ad tech vendors — such as those that operate in the programmatic space — don’t have a direct relationship with consumers who visit websites, explains AdAge writer George P. Slefo in a story this week on the changes wrought by CCPA.  As a result, Slefo writes, vendors won’t know whether certain information was shown to the consumer and, whether that consumer opted out from having their data sold. 

“It is going to have a real impact on the digital ad ecosystem,” Michael Hahn, senior VP and general counsel at the IAB, told Slefo. “It is a reflection of the consumer’s desire in how their personal info is used, and the parameters that the Legislature included in CCPA is going to fundamentally change that.”

MORE ADVERTISING TECH: 

4. GDPR: Finally, a clear Q-and-A about whether EU privacy affects your outside-the-EU business operations

If you are a publisher or company outside Europe trying to figure out if your operations need to comply with EU law, a legal expert has provided a helpful Q-and-A roadmap

The Q-and-A is a dissection of the European Data Protection Board’s GDPR guidance, which has been in draft form for over a year but just became final. It’s authored by Renzo Marchini, a partner with the European law firm of Fieldfisher who focuses on privacy, security and information. 

Among key points, Marchini covers how to figure out if your business is “established” in the EU, what constitutes “targeting” under the EDPB’s guidance, and the differing rules that apply whether your operation is a “processor” or “controller” of user data. 

MORE ABOUT GDPR:

Like what you see? Then recommend to a friend.

Subscribe to Privacy Beat

QUOTE OF THE WEEK

Personal data has long been the fuel that fires marketing at every stage of the customer journey, and the drive to find new forms of fuel and devise new ways to leverage them seems to be boundless,” said Charles Golvin, senior director analyst in the Gartner for Marketers practice. “However, this quest has failed to meet marketers’ ambitions and, in some cases, has backfired, as consumers both directly and indirectly reject brands’ overtures.

– Charles Golvin, senior director analyst in the Gartner for Marketers practice, in a Dec. 2 report on personalization.

LINKS OF THE WEEK

CALIFORNIA (CCPA) WATCH

RESEARCH AND INSIGHTS

PRIVACY BUSINESS

EVENTS:

Share Share

Tweet Tweet

Share Share

Forward Forward

Facebook

Twitter

Website

Copyright © 2019 Information Trust Exchange Governing Association, All rights reserved.

Want to change how you receive these emails?
You can update your preferences or unsubscribe from this list.

Email Marketing Powered by Mailchimp