1. New York Times turns spotlight on phone location data surveillance in start of series termed a “must read” scoop

The New York Times turned a spotlight on the phone location data ecosystem this week in the start of a series of reports stemming from its receipt of 50 billion location pings from the phones of more than 12 million Americans moving about major cities.

Jason Kint, executive director of Digital Content Next, the association of major digital publishers, Tweeted that The Times series was “a must read for the year” adding that the paper “through diligence, management support and a brave whistleblower source, may have officially broken the ad-tech lobby complex.”

The series is part of The Times‘ Privacy Project a unique undertaking of the Editorial/Opinion department of the paper. Hence the reporting is tinged to a degree with a point of view.  But the reporting is still deep — including a lot of leg work to track down real people that writers Stuart A. Thompson and Charlie Warzel were able to identify from the ping data — and then ask how they felt. 

In the writers’ opinion: “The companies profiting from our every move can’t be expected to voluntarily limit their practices. Congress has to step in to protect Americans’ needs as consumers and rights as citizens…Until then, one thing is certain: We are living in the world’s most advanced surveillance system. This system wasn’t created deliberately. It was built through the interplay of technological advances and the profit motive. It was built to make money. The greatest trick technology companies ever played was persuading society to surveil itself.

Warzel and Thompson say the data trove was given to The Times months ago by a data location company they don’t name,  not from a telco or big tech company or from the government. 

“Within America’s own representative democracy, citizens would surely rise up in outrage if the government attempted to mandate that every person above the age of 12 carry a tracking device that revealed their location 24 hours a day,” they write. “Yet, in the decade since Apple’s App Store was created, Americans have, app by app, consented to just such a system run by private companies. Now, as the decade ends, tens of millions of Americans, including many children, find themselves carrying spies in their pockets during the day and leaving them beside their beds at night — even though the corporations that control their data are far less accountable than the government would be.”

The location data can be merged by data companies with a 30-digit advertising ID, a supposedly anonymous identifier, to re-identify people by linking it to home address, email, phone number or your network IP number. The data then changes hands in milliseconds, making it possible to see where you are and push you a geo-relevant advertisement in seconds to your phone. 

Roger McNamee, a prominent Silicon Valley venture capitalist who was an early investor in Facebook — and has now written critically of its business — called the series in another Tweet a “scoop on location surveillance.”  He added: “Consumers are not to blame. Surveillance capitalists (esp Google, FB, Amazon, MS) and data collectors/brokers are responsible. Surveillance capitalism depends on deceit and misdirection. Consumers have no idea what is going on. Ditto for most policymakers.”

McNamee said the article only scratched the surface.  He said the Trump campaign is tracking fundamentalists for ad targeting, often with ads containing falsehoods. “Fingers crossed that follow-on stories will place blame where it belongs.”

RELATED LINKS 

• Surveillance is a fact of life so make privacy a human right | Lawrence Capello, The Economist

• How retail stores use your phone to follow and tell you what you want | Sara Morrison, ReCode/Vox
• Over 267 million Facebook users’ names, phones leaked on dark web? | Nicolas Vega, New York Post
• Facebook fails to convince lawmakers it needs to constantly track you | Lauren Feiner, CNBC

CCPA COUNTDOWN

Law firm estimates 94 out of 100 websites don’t show “Do Not Track” notice yet; and it doesn’t work; Zetoony says IAB framework is also no guarantee of legality

Among law firms with data-privacy practices, the firm of Bryan Cave Leighton and Paisner has done a good job of following the legislative and regulatory story of the California Consumer Privacy Act (CCPA).  Its three blog posts this week offer a credible snapshot of how much business needs to do to get ready for the CCPA’s Jan. 1 effective date. They are written by the firm’s Boulder, Colorado privacy-law partner, David A. Zetoony.

• Based on the law firm’s study sample, only six percent of websites had installed a “Do Not Sell My Personal Information” link as of Dec. 13.  And none have in place yet a working mechanism for responding to an opt-out request — a potential deceptive practice. Of websites that have already updated their privacy policy to comply with CCPA, about one third have the “Do Not Sell” link visible.

• Also in the law firm’s random sampling of Fortune 500 company web sites, as of Dec. 13, 80 percent had yet to update their privacy notices to be CCPA compliant.

Zetoony, in a third blog post, provides this important legal opinion: Companies that follow the draft “CCPA Compliance Framework for Publishers & Technology Companies” (the IAB “Do Not Sell” Framework) cannot be sure they are in compliance with the CCPA. That’s because the IAB Tech Lab was unwilling, Zetoony says, to provide that warranty.  The IAB framework is now final.

His view is consistent with the nonprofit Californians for Consumer Privacy, originator of the CCPA law, which wrote the IAB in November stating that  “certain of the framework’s conclusions are so contrary to the letter and spirit of the California Consumer Privacy Act, that we are uncertain as to the rationale for their inclusion in the Framework, and we expect a  revised draft to be published.”

CCPA — LAW AND COMPLIANCE

• Becerra promises aggressive watchdogging of CCPA even before June 1 | Alexei Koseff, San Francisco Chronicle

• Bloomberg Law quotes Becerra: Major changes in regulation draft unlikely | Husch Blackwell LLP

• Overviewing concerns about CCPA enforcement rules from Becerra | Akin Gump Strauss Hauer & Field LLP

• Range of implementation worries at CCPA rulemaking hearing in LA | Aaron Burstein, Kelley Drye law firm

• Facebook says CCPA doesn’t apply to its trackers | Sarah Morison, Recode-Vox

• CCPA brings U.S. closer to GDPR and fines could add up | Dimitri Sirota, Tech Crunch

• Potential constitutional challenges to the CCPA; ‘dormant commerce’?  | Alysa Zeltzer, Kelley Drye law firm

• Data aggregators, banks, credit cards offer comments on CCPA | Better Identity Coalition

• CCPA compliance: A guide to doing business in California | Foley & Lardner LLP law firm

• Implications for business websites in bullet points | Tal Grinblat & Taylor Vernon, Lewitt Hackman law firm

• Interpreting the CCPA’s “private right of action” provision | Casie Collignon & Matthew Pearson, BakerHostetler law firm

• CHECKLIST: Are you ready for the CCPA? | Patrick Dalvinck, PrivacyRadius blog

More to come: Mactaggert cleared to gather signatures to put “CCPA 2.0” on November ballot in California 

Even as publishers and other companies struggle to get  into compliance with CCPA, a new policy initiative is gearing up.  On Tuesday, California Attorney General Xavier Becerra approved as to form the language of a proposed the California Privacy Rights Act (CPRA), clearing the way for proponent Alastair Mactaggert to gather a required 623,212 signatures to get “Initiative 19-0021” on the November ballot. It would substantively amend and essentially replace the CCPA.

The language of the new proposed law would add provisions which were negotiated out of the CCPA in last-minute Sacramento lobbying in 2018 and would seek to clear up some definitional uncertainty in some CCPA terms. The initiative proposal includes privacy suggestions made in October by the Electronic Frontier Foundation and 10 other privacy groups. 

The attorney general’s initiative summary highlights that the proposed law would grant consumers the rights to “(1) prevent businesses from sharing personal information; (2) correct inaccurate personal information; and (3) limit businesses’ use of “sensitive personal information” — such as precise geolocation; race; ethnicity; religion; genetic data; union membership; private communications; and certain sexual orientation, health, and biometric information.”  

The summary also notes that it “changes criteria” for privacy-law compliance, prohibits retention of personal information for longer than reasonably necessary, triples maximum penalties for violations of minors’ privacy rights, and establishes a new — and the first in the United States — regulator dedicated solely to privacy issues:  the California Privacy Protection Agency.

Mactaggart’s initiative would prohibit tracking devices more precisely than within a circle of about 250 acres, according to Michael Hiltzik’s analysis of it in the Los Angeles Times. (A football field is about 1.3 acres.) “So you won’t be able to track how long I’ve been at the gym, or when I arrived at work, or whether I went to a rehab clinic,” Hiltzik quoted Mactaggart as saying.

CCPA 2.0 NEXT IN CALIFORNIA 

• What CCPA 2.0 includes: Language and intent | Alastair Mactaggert, CAPrivacy.org

• The top 10 proposals within CPRA | Eric P. Mandel, Driven Inc.

• Alastair Mactaggert’s next big push — CCPA 2.0 | Eric J. Savitz, Barron’s 

• CCPA 2.0: What’s new in the revised CPRA proposal? | Odia Kagan, Fox Rothschild LLP

• How California is rewriting the law on online privacy | Laurel Rosenhall, CalMatters via KQED

• First real effort to regulate tech: It could get messy | Eric J. Savitz, Barron’s

PERSONAL PRIVACY 

Only health care worries Americans more than their data privacy, new survey for advertising brands finds

A survey by Wunderman Thompson Data  finds some 58 percent of 1,500 U.S. respondents are “very concerned” about the privacy and security of their personal information and data. Only health care registers a higher level of concern, the company’s “2019 Data Privacy and Security Study” finds.

“The only issue more concerning than data privacy to Americans is health care,” the study authors wrote, adding: “Fifty-eight of respondents are very concerned about the privacy and security of their personal information and data, surpassing key societal issues including political leadership, gun violence and more.”

They survey of 1,500 Americans was done for some of the company’s brand-advertising clients. It was released Dec. 16. “Our teams are focused on supporting our clients with education to better prepare them on data privacy and security matters given these resounding statistics on the issues,” said Rachel Glasser, the data-research firm’s chief privacy officer.

MediaPost columnist Richard Whiteman cited these additional findings:

• 68% find Terms & Conditions and Privacy Policies “difficult to understand” and as a result, 72% only read them sometimes (25%), rarely (35%) or never (12%).

• 53% strongly agree: “It seems a little sneaky to me the way companies go about getting this data and using it”

• Only 15% strongly agree: “I feel like I have a good understanding of how my data is used by the company I do business with and the services I use” 

The survey also found that data protection regulations and legislation are barely registering with consumers. Awareness levels of the General Data Protection Regulation (GDPR), Children’s Online Privacy Protection Act, and California Consumer Privacy Act (CCPA) are 13%, 12% and 10%, respectively.

“Hoping to  provide insights to better understand the consumer perspective and how to best meet the needs of customers, as part of their overall engagement with brands,” said Jacques van Niekerk, CEO, Wunderman Thompson Data.

MORE ON PERSONAL PRIVACY

• Federal study confirms racial bias in facial-recognition systems | Drew Harwell, Washington Post

• Context critical in managing privacy tech, law | Elizabeth Renieris, Harvard Berkman-Klein Center via Medium

• Companies, not people, should bear the burden of protecting data | David Medine & Gayatri Murthy, Brookings Institution 

• Privacy is a human right — It shouldn’t be bought or sold | Susan Grant, Consumer Federation of America 

• Data Privacy Day | Stay Safe Online

• Internet of Things Makes it Easier to Steal your Data | Sergei Vardomatski ,ReadWrite

• Australian HR commission seeks facial-recognition moratorium | Julian Bajkowski, ITNews

• Smart speakers and privacy: They gather data on you | Marc Montgomery, Radio Canada Int’l