VIEW IN YOUR BROWSER

STATEHOUSE WATCH

State privacy proposals focus on private right, controller obligations and biometric rules, attorneys suggest 

A trio of attorneys from the law firm of McDermott Will & Emery has published a blog report outlining the three major trends they see in state legislative proposals to follow California’s lead on consumer online data privacy. The lawyers, Laura E. Jehl, Mark E. Schreiber and Kari Prochaska see:

• An increased push to give individuals the right to bring private suits to enforce their privacy rights. 

• Increased responsibility for data controllers to assess and document the risks of acquiring, holding and processing personal data. 

• More regulation of the use of biometric information use for facial recognition and other purposes.

RELATED LINKS:  

• Deep dive: Assessing two version of Washington state privacy bills | Christopher W. Savage & Kara R. Trowell, Davis Wright Tremaine LLP

• Washington state takes lead in CCPA copycat race; trends emerge | Laura e. Jehl et. al, OfDigitalInterest.com

• Legal Alert: Maryland’s digital advertising tax bill passes out of committee with amendments | Eversheds Sutherland

• ‘Consumer Privacy Protection Act’ Introduced in the Ocean State | Eric Rosenkoetter, Maurice Wutscher

• Data Privacy Act Sponsors Seek to Bring GDPR Requirements to Wisconsin | Jesse Dill, Ogletree Deakins

• Proposed Illinois Data Transparency and Privacy Act Referred to State Senate Judiciary Committee | Mark Bradford, Duane Morris Insurance Law

• Vermont sues Clearview AI for violating state privacy laws | Cal Jeffrey, TechSpot

An IAB rep appears to join discussion about how browser software will allow access to personal data

Judging by call attendance, interest in the work of a World Wide Web Consortium (W3C) “Privacy Community Group” is growing.  Some 35 people voluntarily signed in as attendees on on a public webinar this week (Thursday, March 12). For the first time, a person saying they represented the Interactive Advertising Bureau (IAB) or its IAB Lab also spoke up during the call-in, but did not sign the public attendee log.

The IAB participation, if consistent, would important because the W3C privacy group is focused on tightening the way web browser software deals with user privacy, including how advertisers can “track” user activity across sites. One of IAB’s key members is Google, which controls the web-dominant Chrome browser and a large percentage of web advertising.

But an active proposal within the W3C group is something called Storage Access API, an idea advanced by Apple engineer John Wilander. Apple controls the second-most-dominant browser software, Safari, but is not a major force in web advertising.  The list of other companies represented on Thursday’s W3C call, according to the minutes, include browser makers Mozilla, Microsoft, Apple and Brave.  Also Akamai, Salesforce, PING Identity, Admiral, Scroll, Samsung, Amazon, Axel Springer Verizon Media, Adobe, The Washington Post and the BBC, among others.

Wikander describes the API as a privacy-enhancing mechanism, “not intended to grant arbitrary third-parties’ cookie access.” He continues: “It is only intended to grant cookie access to third parties that the user actively uses as a first party, too, i.e., websites the user recognizes and uses.

Such an approach, for example, would appear to mean that a user who has a direct relationship with one publisher or identity-service provider — an “information fiduciary” — would be able to tell their web browser to allow that trusted provider access to data about them stored by third parties within the web-browser’s memory.  But if, say, an advertiser or ad-tech company with whom the user had no direct relationship sought the same data, they would be denied access.

The minutes of the March 12 meeting are available HERE.

RELATED TO AD TECH

• Adtech giant Criteo is being investigated by France’s data watchdog | Natasha Lomas, TechCrunch

• Uninstall These VPN and Ad-Blocking Apps That Spied on Your iPhone or Android | Brenden Hesse, Life Hacker

• How the Ad-Tech Industry Is Trying to Resurrect Targeted Advertising | Ronan Shields, AdWeek

• Ad Industry Split on Cookies and CCPA | Alan L. Friel, Taylor A. Bloom, Kyle R. Fath and Catrina Wang, Data Privacy Monitor

• Digiday Research: Publishers prioritize direct-sold ads heading into the second quarter | Shareen Pathak, Digiday

• Q-and-A: Cookies and AdTech | Karin Ross et. al, Bryan Cave Leighton Paisner 

• Ad tech: The Traffic Merchant | Craig Silverman, BuzzFeed News 

• What percentage of websites utilize a banner that seeks opt-in consent before deploying cookies? | David Zetoony, Bryan Cave Leighton Paisner

• 3 Tips for Thriving in the New Data Landscape | Jessica Lee, Adweek

IDENTITY AND AI TECH

• Identity management 101: How digital identity works in 2020 | Scott Fulton, ZDNet

• The new passport: Digital identity on the blockchain | Debbie Hoffman, HousingWire

• Why is identity and access management so important in preventing data breaches? | Archit Lohokare, Security Boulevard

• Ring’s new Video Doorbell 3 Plus can capture footage up to four seconds before movement is detected | Zach Laidlaw, Android Police

• Ring’s latest doorbells feature a three-camera array | Marc DeAngelis, Engadget

• Microsoft researchers create AI ethics checklist with ML practitioners from a dozen tech companies | Khari Johnson, Venture Beat

• Magnas David Cohen joins IAB as president | Adage

• DoNotPay now lets you share online subscriptions without divulging your password | Paul Sawers, Venture Beat

PRIVACY BUSINESS

• Ex-presidential Candidate Andrew Yang Launches Data Privacy Nonprofit | Helen Partz, CoinTelegraph

• How ‘Smart Tech’ Masks an Emerging Era of Corporate Control | Jathan Sadowski, One Zero

• Brave deemed most private browser in terms of ‘phoning home | Catalin Cimpanu, ZDNet

• Brave browser to block web fingerprinting with randomisation | John Dunn, Naked Security

• What’s the best approach for ethical data use? | Adlina AR, Techwire Asia

PERSONAL PRIVACY

• Free Speech Isn’t a Free Pass for Privacy Violations | Margot E. Kaminski and Scott Skinner-Thompson, Slate

• New Data Rules Could Empower Patients but Undermine Their Privacy | Natasha Singer, New York Times

• Expect Increased Privacy Regulatory Enforcement in 2020 | Ruth E. Promislow, Katherine Rusk Katherine Rusk and Pavan Virdee Pavan Virdee, Bennett Jones

• Is This Google Chrome Problem A New Reason To Switch To Firefox? | Kate O’Flaherty, Forbes

• ACLU sues government for facial recognition records at borders, airports | Drew Harwell, WashingtonPost.com

• How to stop your smart home spying on you | Davey Winder, The Observer/The Guardian

• Comcast accidentally publishes 200,000 ‘unlisted’ phone numbers | Jon Brodkin, ArtsTechnica

• Firefox 74 slams Facebook in solitary confinement: Browser add-on stops social network stalking users across the web | Tim Anderson, The Register

• This free service shows who has your data—and helps you delete it | Steven Melendez, Fast Company

STATEHOUSE WATCH

• Legal Alert: Maryland’s digital advertising tax bill passes out of committee with amendments | Eversheds Sutherland

• ‘Consumer Privacy Protection Act’ Introduced in the Ocean State | Eric Rosenkoetter, Maurice Wutscher

• Data Privacy Act Sponsors Seek to Bring GDPR Requirements to Wisconsin | Jesse Dill, Ogletree Deakins

• Proposed Illinois Data Transparency and Privacy Act Referred to State Senate Judiciary Committee | Mark Bradford, Duane Morris Insurance Law

• Vermont sues Clearview AI for violating state privacy laws | Cal Jeffrey, TechSpot

GDPR, EU AND THE WORLD

• White Paper – 2020 Global Legislative Predictions | IAPP

• Austria, EU privacy and the ongoing Schrems v Facebook case | Sharon Schmidt, International Law Office

• Why the GDPR investigation into Criteo could be a ‘line in the sand’ for ad tech | Lara O’Reilly, Digiday

• Facebook sued by the Australian Information Commissioner | Ray Shaw, Gadget Guy

• Facebook Could Be Fined Upto $529bn In Australia; It’s 8x Their 2019 Revenue | Anmol Sachdeva, Foss Bytes

• Sweden fines Google $7.9M for GDPR violation | Jason Aycock, Seeking Alpha

• International technology, business groups seek changes to India’s PDPB | IAPP

• Polish school hit with GDPR fine for using fingerprints to verify students’ lunch payments | Paul Sawers, Venture Beat

QUOTE OF THE WEEK

Under the CCPA, is it going to be legal to charge users for privacy? Here’s an example from music streaming 

“(a) A financial incentive or a price or service difference is discriminatory, and therefore prohibited by Civil Code section 1798.125, if the business treats a consumer differently because the consumer exercised a right conferred by the CCPA or these regulations. (b) Notwithstanding subsection (a) of this section, a A business may offer a financial incentive or price or service difference if it is reasonably related to the value of the consumer’s data as that term is defined in section 999.337. If a business is unable to calculate a good-faith estimate of the value of the consumer’s data or cannot show that the financial incentive or
price or service difference is reasonably related to the value of the consumer’s data, that business shall not offer the financial incentive or price or service difference. (c) A business’s denial of a consumer’s request to know, request to delete, or request to know, request to delete, or request to opt-out for reasons permitted by the CCPA or these regulations shall not be considered discriminatory . . .  (1) Example 1: A music streaming business offers a free service as well as a premium service that costs $5-per-month. If only the consumers who pay for the music streaming service are allowed to opt out of the sale of their personal information, then the practice is discriminatory, unless the $5 per month payment is reasonably related to the value of the consumer’s data to the business.

– Excerpted from Section 999.336, “Discriminatory Practices,” of the California Attorney General’s proposed regulations governing the California Consumer Privacy Act (at Pages 30-31).