PRIVACY BEAT: COVID-19 and Privacy

Privacy Beat

Your weekly privacy news update.


Identity innovator Sovrin shifts to volunteer staff; its digital token sale is victim of COVID-19-induced investor snub

The Sovrin Foundation, a pioneering effort to introduce methods for consumers to take direct control of their privacy and identity on the web, is an apparent victim of COVID-19. It has converted to all-volunteer operations.

In an email sent Friday to its constituencies and website post, Sovrin Executive Director & CEO Heather Dahl said Sovrin attempted in recent days to conduct a pre-sale of digital tokens but Wall Street investors balked and then the stock market plunged on COVID-19 fears. She emphasized, however, that the Sovrin Network will continue to be operational, in part because its architecture is de-centralized and therefore not overly dependent on the foundation’s operations.

“For many of you, with whom we have built good working relationships, this will be difficult news,” Dahl wrote, adding: “We encourage you to keep doing…important work for the good of the network and future so together we can achieve Identity for All.” 

The Sovrin Foundation is a private-sector, international non-profit established to govern the world’s first self-sovereign identity (SSI) network. Sovrin governs the network and the open-source code that makes it work, but doesn’t own or control people’s identities. The Sovrin code was developed by a for-profit company, Evernym, and given to the foundation. 

The Sovrin Community comprises volunteers who develop code, staff committees, and working groups, and promote Sovrin, Dahl said. She said the community is strong, with hundreds of volunteers from around the world promoting the Sovrin Mission


Does your organization need customized privacy compliance solutions? ITEGA  can help.

We bring together support you need to approach compliance with CCPA, GDPR if needed, and future privacy legislation as it emerges.

Learn More


AG releases third set modifications to CCPA regulations in ‘red line’ markup; seeks comments through March 27

A third set of revisions to regulations that will govern the California Consumer Privacy Act were made public this week by the state’s attorney general. Both reporters and lawyers are closely following the regs, which will be enforced starting June 1. The state released a “red-line” version showing the new language, as well as a “clean” version and invited comments until 5 p.m. on March 27.  The latest tweaks follow more than 100 comments submitted in an earlier public-comment round.

Among the enforcement-language tweaks noted (see links below for details): 

  • Regulation of financial incentives offered in exchange for personal data is triggered when the incentives are merely “related to” collection, retention or sale of the information, whether or not the incentive is offered “as compensation for disclosure, deletion or sale.” 
  • Elimination of a uniform logo inviting a consumer to choose to “opt-out” of the sale of their personal information.  A Carnegie Mellon researcher, Lorrie Cranor, had questioned the logo suggested, on grounds its design and red color could be confusing.  The AG appears to drop the idea of specifying any uniform button. 
  • Clarification that a service provider can collect information “about a consumer” on behalf of another business, even if that information is not collected directly from the consumer.  This would permit acquiring information from, say, consumer credit bureaus. 
  • But also narrows the way the service provider can use such remotely  information to only “in behalf of the business that provided the [initial] personal information.” 
  • Dropped any guidance about whether an IP number constitutes “personal information”. Also dropped was a statement that in order to be considered personal information subject to regulation, data “must be reasonably capable of being associated with a consumer or household.” 


Key GOP committee chairman proposes data privacy bill; but it would preempt CCPA and bare private suits

The partisan split over federal privacy law continues. 

Bloomberg Government reporters Rebecca Kern and Daniel Stoller elegantly cover the implications of a bill introduced this week by GOP Sen. Jerry Moran, of Kansas, who is chairman of the Commerce subcommittee on consumer protection. 

His bill takes the business-and-advertising-industry position of attempting to pre-empt state laws such as the California Consumer Privacy Act (CCPA).  It also would largely forbid individual consumers to sue over privacy violations. These features are opposed by leading Democratic negotiators, including U.S. Sen. Richard Blumenthal, D-Conn. Back in July, Moran and Blumenthal had tried a bipartisan approach.

The likely result is that efforts in multiple states (see STATEHOUSE BEAT, below) will be ongoing, and the CCPA regulatory framework, (see above), will drive the state of privacy regulation in the United States for the foreseeable future.

In his news release about his bill, Moran decried a “patchwork of confusing state laws.”  It would rely on a beefed-up U.S. Federal Trade Commission to enforce a set of new privacy regulations around digital data sharing and use. 

By contrast, U.S. Sen. Kirsten Gillibrand, D-N.Y., introduced a measure several weeks ago which would establish a new federal agency to enforce digital privacy laws. She, like other Democrats, would allow individual lawsuits and would allow state’s to adopt more-stringent laws.

It’s not clear how the partisan impasse — basically amounting to a business vs. consumer fight — will be resolved.



State privacy proposals focus on private right, controller obligations and biometric rules, attorneys suggest 

A trio of attorneys from the law firm of McDermott Will & Emery has published a blog report outlining the three major trends they see in state legislative proposals to follow California’s lead on consumer online data privacy. The lawyers, Laura E. Jehl, Mark E. Schreiber and Kari Prochaska see:

  • An increased push to give individuals the right to bring private suits to enforce their privacy rights. 

  • Increased responsibility for data controllers to assess and document the risks of acquiring, holding and processing personal data. 

  • More regulation of the use of biometric information use for facial recognition and other purposes.


An IAB rep appears to join discussion about how browser software will allow access to personal data

Judging by call attendance, interest in the work of a World Wide Web Consortium (W3C) “Privacy Community Group” is growing.  Some 35 people voluntarily signed in as attendees on on a public webinar this week (Thursday, March 12). For the first time, a person saying they represented the Interactive Advertising Bureau (IAB) or its IAB Lab also spoke up during the call-in, but did not sign the public attendee log.

The IAB participation, if consistent, would important because the W3C privacy group is focused on tightening the way web browser software deals with user privacy, including how advertisers can “track” user activity across sites. One of IAB’s key members is Google, which controls the web-dominant Chrome browser and a large percentage of web advertising.

But an active proposal within the W3C group is something called Storage Access API, an idea advanced by Apple engineer John Wilander. Apple controls the second-most-dominant browser software, Safari, but is not a major force in web advertising.  The list of other companies represented on Thursday’s W3C call, according to the minutes, include browser makers Mozilla, Microsoft, Apple and Brave.  Also Akamai, Salesforce, PING Identity, Admiral, Scroll, Samsung, Amazon, Axel Springer Verizon Media, Adobe, The Washington Post and the BBC, among others.

Wikander describes the API as a privacy-enhancing mechanism, “not intended to grant arbitrary third-parties’ cookie access.” He continues: “It is only intended to grant cookie access to third parties that the user actively uses as a first party, too, i.e., websites the user recognizes and uses.

Such an approach, for example, would appear to mean that a user who has a direct relationship with one publisher or identity-service provider — an “information fiduciary” — would be able to tell their web browser to allow that trusted provider access to data about them stored by third parties within the web-browser’s memory.  But if, say, an advertiser or ad-tech company with whom the user had no direct relationship sought the same data, they would be denied access.

The minutes of the March 12 meeting are available HERE.







Like what you see? Then recommend to a friend.

Subscribe to Privacy Beat


Under the CCPA, is it going to be legal to charge users for privacy? Here’s an example from music streaming 

“(a) A financial incentive or a price or service difference is discriminatory, and therefore prohibited by Civil Code section 1798.125, if the business treats a consumer differently because the consumer exercised a right conferred by the CCPA or these regulations. (b) Notwithstanding subsection (a) of this section, a A business may offer a financial incentive or price or service difference if it is reasonably related to the value of the consumer’s data as that term is defined in section 999.337. If a business is unable to calculate a good-faith estimate of the value of the consumer’s data or cannot show that the financial incentive or
price or service difference is reasonably related to the value of the consumer’s data, that business shall not offer the financial incentive or price or service difference. (c) A business’s denial of a consumer’s request to know, request to delete, or request to know, request to delete, or request to opt-out for reasons permitted by the CCPA or these regulations shall not be considered discriminatory . . .  (1) Example 1: A music streaming business offers a free service as well as a premium service that costs $5-per-month. If only the consumers who pay for the music streaming service are allowed to opt out of the sale of their personal information, then the practice is discriminatory, unless the $5 per month payment is reasonably related to the value of the consumer’s data to the business.

– Excerpted from Section 999.336, “Discriminatory Practices,” of the California Attorney General’s proposed regulations governing the California Consumer Privacy Act (at Pages 30-31). 


Privacy Beat is a weekly email update from the Information Trust Exchange Governing Association in service to its mission. Links and brief reports are compiled, summarized or analyzed by Bill Densmore and Eva Tucker.  Submit links and ideas for coverage to

Share Share

Tweet Tweet

Share Share

Forward Forward




Copyright © 2020 Information Trust Exchange Governing Association, All rights reserved.

Want to change how you receive these emails?
You can update your preferences or unsubscribe from this list.

Email Marketing Powered by Mailchimp