PRIVACY BEAT: New York Times turns spotlight on phone location data surveillance in start of series termed a “must read” scoop

Privacy Beat

Your weekly privacy news update.

1. New York Times turns spotlight on phone location data surveillance in start of series termed a “must read” scoop

The New York Times turned a spotlight on the phone location data ecosystem this week in the start of a series of reports stemming from its receipt of 50 billion location pings from the phones of more than 12 million Americans moving about major cities.

Jason Kint, executive director of Digital Content Next, the association of major digital publishers, Tweeted that The Times series was “a must read for the year” adding that the paper “through diligence, management support and a brave whistleblower source, may have officially broken the ad-tech lobby complex.”

The series is part of The Times‘ Privacy Project a unique undertaking of the Editorial/Opinion department of the paper. Hence the reporting is tinged to a degree with a point of view.  But the reporting is still deep — including a lot of leg work to track down real people that writers Stuart A. Thompson and Charlie Warzel were able to identify from the ping data — and then ask how they felt. 

In the writers’ opinion: “The companies profiting from our every move can’t be expected to voluntarily limit their practices. Congress has to step in to protect Americans’ needs as consumers and rights as citizens…Until then, one thing is certain: We are living in the world’s most advanced surveillance system. This system wasn’t created deliberately. It was built through the interplay of technological advances and the profit motive. It was built to make money. The greatest trick technology companies ever played was persuading society to surveil itself.

Warzel and Thompson say the data trove was given to The Times months ago by a data location company they don’t name,  not from a telco or big tech company or from the government. 

“Within America’s own representative democracy, citizens would surely rise up in outrage if the government attempted to mandate that every person above the age of 12 carry a tracking device that revealed their location 24 hours a day,” they write. “Yet, in the decade since Apple’s App Store was created, Americans have, app by app, consented to just such a system run by private companies. Now, as the decade ends, tens of millions of Americans, including many children, find themselves carrying spies in their pockets during the day and leaving them beside their beds at night — even though the corporations that control their data are far less accountable than the government would be.”

The location data can be merged by data companies with a 30-digit advertising ID, a supposedly anonymous identifier, to re-identify people by linking it to home address, email, phone number or your network IP number. The data then changes hands in milliseconds, making it possible to see where you are and push you a geo-relevant advertisement in seconds to your phone. 

Roger McNamee, a prominent Silicon Valley venture capitalist who was an early investor in Facebook — and has now written critically of its business — called the series in another Tweet a “scoop on location surveillance.”  He added: “Consumers are not to blame. Surveillance capitalists (esp Google, FB, Amazon, MS) and data collectors/brokers are responsible. Surveillance capitalism depends on deceit and misdirection. Consumers have no idea what is going on. Ditto for most policymakers.”

McNamee said the article only scratched the surface.  He said the Trump campaign is tracking fundamentalists for ad targeting, often with ads containing falsehoods. “Fingers crossed that follow-on stories will place blame where it belongs.”

RELATED LINKS 

Does your organization need customized privacy compliance solutions? ITEGA  can help.

We bring together support you need to approach compliance with CCPA, GDPR if needed, and future privacy legislation as it emerges.

Learn More

CCPA COUNTDOWN

Law firm estimates 94 out of 100 websites don’t show “Do Not Track” notice yet; and it doesn’t work; Zetoony says IAB framework is also no guarantee of legality

Among law firms with data-privacy practices, the firm of Bryan Cave Leighton and Paisner has done a good job of following the legislative and regulatory story of the California Consumer Privacy Act (CCPA).  Its three blog posts this week offer a credible snapshot of how much business needs to do to get ready for the CCPA’s Jan. 1 effective date. They are written by the firm’s Boulder, Colorado privacy-law partner, David A. Zetoony.

  • Based on the law firm’s study sample, only six percent of websites had installed a “Do Not Sell My Personal Information” link as of Dec. 13.  And none have in place yet a working mechanism for responding to an opt-out request — a potential deceptive practice. Of websites that have already updated their privacy policy to comply with CCPA, about one third have the “Do Not Sell” link visible.

  • Also in the law firm’s random sampling of Fortune 500 company web sites, as of Dec. 13, 80 percent had yet to update their privacy notices to be CCPA compliant.

Zetoony, in a third blog post, provides this important legal opinion: Companies that follow the draft “CCPA Compliance Framework for Publishers & Technology Companies” (the IAB “Do Not Sell” Framework) cannot be sure they are in compliance with the CCPA. That’s because the IAB Tech Lab was unwilling, Zetoony says, to provide that warranty.  The IAB framework is now final.

His view is consistent with the nonprofit Californians for Consumer Privacy, originator of the CCPA law, which wrote the IAB in November stating that  “certain of the framework’s conclusions are so contrary to the letter and spirit of the California Consumer Privacy Act, that we are uncertain as to the rationale for their inclusion in the Framework, and we expect a  revised draft to be published.”

CCPA — LAW AND COMPLIANCE

More to come: Mactaggert cleared to gather signatures to put “CCPA 2.0” on November ballot in California 

Even as publishers and other companies struggle to get  into compliance with CCPA, a new policy initiative is gearing up.  On Tuesday, California Attorney General Xavier Becerra approved as to form the language of a proposed the California Privacy Rights Act (CPRA), clearing the way for proponent Alastair Mactaggert to gather a required 623,212 signatures to get “Initiative 19-0021” on the November ballot. It would substantively amend and essentially replace the CCPA.

The language of the new proposed law would add provisions which were negotiated out of the CCPA in last-minute Sacramento lobbying in 2018 and would seek to clear up some definitional uncertainty in some CCPA terms. The initiative proposal includes privacy suggestions made in October by the Electronic Frontier Foundation and 10 other privacy groups. 

The attorney general’s initiative summary highlights that the proposed law would grant consumers the rights to “(1) prevent businesses from sharing personal information; (2) correct inaccurate personal information; and (3) limit businesses’ use of “sensitive personal information” — such as precise geolocation; race; ethnicity; religion; genetic data; union membership; private communications; and certain sexual orientation, health, and biometric information.”  

The summary also notes that it “changes criteria” for privacy-law compliance, prohibits retention of personal information for longer than reasonably necessary, triples maximum penalties for violations of minors’ privacy rights, and establishes a new — and the first in the United States — regulator dedicated solely to privacy issues:  the California Privacy Protection Agency.

Mactaggart’s initiative would prohibit tracking devices more precisely than within a circle of about 250 acres, according to Michael Hiltzik’s analysis of it in the Los Angeles Times. (A football field is about 1.3 acres.) “So you won’t be able to track how long I’ve been at the gym, or when I arrived at work, or whether I went to a rehab clinic,” Hiltzik quoted Mactaggart as saying.

CCPA 2.0 NEXT IN CALIFORNIA 

PERSONAL PRIVACY 

Only health care worries Americans more than their data privacy, new survey for advertising brands finds

A survey by Wunderman Thompson Data  finds some 58 percent of 1,500 U.S. respondents are “very concerned” about the privacy and security of their personal information and data. Only health care registers a higher level of concern, the company’s “2019 Data Privacy and Security Study” finds.

“The only issue more concerning than data privacy to Americans is health care,” the study authors wrote, adding: “Fifty-eight of respondents are very concerned about the privacy and security of their personal information and data, surpassing key societal issues including political leadership, gun violence and more.”

They survey of 1,500 Americans was done for some of the company’s brand-advertising clients. It was released Dec. 16. “Our teams are focused on supporting our clients with education to better prepare them on data privacy and security matters given these resounding statistics on the issues,” said Rachel Glasser, the data-research firm’s chief privacy officer.

MediaPost columnist Richard Whiteman cited these additional findings:

  • 68% find Terms & Conditions and Privacy Policies “difficult to understand” and as a result, 72% only read them sometimes (25%), rarely (35%) or never (12%).

  • 53% strongly agree: “It seems a little sneaky to me the way companies go about getting this data and using it”

  • Only 15% strongly agree: “I feel like I have a good understanding of how my data is used by the company I do business with and the services I use” 

The survey also found that data protection regulations and legislation are barely registering with consumers. Awareness levels of the General Data Protection Regulation (GDPR), Children’s Online Privacy Protection Act, and California Consumer Privacy Act (CCPA) are 13%, 12% and 10%, respectively.

“Hoping to  provide insights to better understand the consumer perspective and how to best meet the needs of customers, as part of their overall engagement with brands,” said Jacques van Niekerk, CEO, Wunderman Thompson Data.

MORE ON PERSONAL PRIVACY

CONGRESS WATCH

GOP and Dem staffers craft consensus federal privacy bill, but still punt on pre-emption and private-suit right 

In a season of goodwill toward men (and women) U.S. Senate Commerce Committee staffers have this week unveiled language for a bipartisan federal data-privacy law — what was described as an “unfinished draft” — that nonetheless leaves unsettled whether a consensus can be found on pre-empting state regulation or allowing citizens to sue for privacy rights.

“Committee staff have circulated a bipartisan staff discussion draft of comprehensive federal privacy legislation,” an Energy and Commerce spokesperson was quoted by The Hill and LexBlog as saying. “This draft seeks to protect consumers while also giving data collectors clear rules of the road…”we welcome input from all interested stakeholders and look forward to working with them going forward,” the Hill quoted the spokesman as saying. (See: draft key elements)

MORE…WASHINGTON

ADVERTISING TECH

PRIVACY BUSINESS

EURO WATCH

PRIVACY TECH

Like what you see? Then recommend to a friend.

Subscribe to Privacy Beat

QUOTE OF THE WEEK

“[Under CCPA] Businesses can charge customers who opt out of data collection more for their services, but the price difference has to be related to the value of the information. That should place a tight limit on the price differences because estimates of the cash value of individuals’ data are low.

“For example, according to a study this summer by Berkeley Economic Advising and Research for Atty. Gen. Xavier Becerra, “general information about a person such as their age and gender were found to be worth $0.0005 per person.” Information that a woman was pregnant was pegged at about 11 cents per person.

“The Berkeley figures were based on estimates compiled by the Financial Times, which concluded that the total value of 61 basic information nuggets often sought by data buyers was about $4.83 on average. Most individuals, of course, don’t evaluate their personal information strictly in dollars and cents. Data-collecting companies, however, value the information in the aggregate, in which it’s worth billions.”

Excerpt from the Michael Hiltzik’s column posted Dec. 19, 2019 to the Los Angeles Times website, and entitled:  “California becomes a leader on privacy rights, but the battle is just beginning”

Share Share

Tweet Tweet

Share Share

Forward Forward

Facebook

Twitter

Website

Copyright © 2019 Information Trust Exchange Governing Association, All rights reserved.

Want to change how you receive these emails?
You can update your preferences or unsubscribe from this list.

Email Marketing Powered by Mailchimp