Amid CCPA confusion, consumer law and antitrust law need common privacy ground, says key attorney

Creating a better understood environment for privacy in cyberspace is going to end up involving elements of both antitrust law and consumer trade regulation and it would be useful for practitioners and advocates of both to begin coordinating their efforts, a prominent privacy and antitrust attorney says.

Alysa Z. Hutnik, a partner with the DC law firm of Kelley Drye & Warren LLP spoke by phone with Privacy  Beat after moderating a panel last week. (See: “In a word — conundrum — as ad-tech, agency and publisher lawyers consider terms, enforcement of CCPA”).

“There are different principles for consumer antitrust vs. consumer privacy,” said Hutnik. “It is just that they affect one and the other…privacy and antitrust concerns meet in the middle.”

Hutnik has major brand publishing clients, as well as ad-tech companies, but neither Facebook nor Google, she said. She chairs her firm’s digital-privacy and security practice and is the consumer-protection officer of the American Bar Association’s antitrust section.

The COVID-19 epidemic has largely shut down efforts by other states to adopt digital privacy laws similar to California’s, said Hutnik. However, if the California situation gets murkier this fall with a new ballot initiative and continuing regulatory uncertainty, it could rekindle efforts on Capitol Hill toward superseding federal law. Right how, however, she sees no likely DC action.

In a phone discussion, Hutnik made these additional points:

• Publishers, advertisers, platforms and others who deal with the personal information and privacy preferences of the public are stuck with a period of uncertainty that could go on for years because of evolving law in California — yet little movement in Washington.

• The California Consumer Privacy Act (CCPA) and emerging regulations are so fluid that it is impossible to be certain what business practices will be outlawed or subject to enforcement.  Thus, privacy officers should behave with good faith and follow emerging industry practices.

• Draft CCPA regulations won’t be final until Oct. 1 at the earliest, and possibly not for months thereafter.

• If Alastair Mactaggart’s new California new privacy initiative qualifies in the next few weeks for California’s November ballot, Mactaggart is unlikely to negotiate away the initiative in exchange for legislative action as he did with CCPA.  If voters pass it, the new law will add potentially years of new complications.

• One of the most ambiguous parts of the CCPA is the question of when it is illegal to “discriminate” against an online user who chooses not to share personal information. That’s because it is not always clear what constitutes “sale” of data, nor how to value the data in an exchange for services.

• Hutnik believes publishers are OK to maintain adjustable paywalls, although she says a service such as Scroll, which provides multi-site, ad-free content viewing (and thus reduced tracking) for $5/month, may raise CCPA issues. But she said draft CCPA regulations “add more confusion that clarity” to the discrimination question.

• There is no common understanding yet of how to value consumer data, even though the idea of a “data dividend” was broached by California Gov. Gavin Newsome in 2019. 

“So for a publisher who is exercising good faith and efforts on the entire risk spectrum, what is the likelihood the attorney general’s office is going to enforce?” Hutnik asks. She thinks the likelihood is low, and adds: “That gives some breathing room.”  She continued: “[With CCPA] you have an omnibus type of law that has a whole lot of moving parts to it with a lot of ambiguity.”

CCPA — WEEK TWENTY-ONE

• Five things a big law firm is tracking as CCPA nears | McDermott Will and Emery

• Trump’s Twitter order riles staffers and tech reformers | Issie Lapowsky & Emily Birnhaum, Protocol.com

• Operationalizing the California Consumer Privacy Act (CCPA) | Tara Marciano, Carmen Hinebaugh, and Alex Schneider, Ad Law Access

• CCPA Genius — Overview | IAPP

• Key Issues We’re Tracking as CCPA Enforcement Nears | Laura Jehl, Austin Mooney and Amy Pimentel, JD Supra

• Better Never Than Late? A CCPA Meditation | Ted Claypoole, Hey Data Data

FOR THE RECORD — TRUMP, TWITTER AND 230

• Donald Trump to Issue Social Media Executive Order After Twitter Fact-Checks Tweets | Elizabeth Crisp, Newsweek  (ORDER TEXT)

• What is Section 230 and how does it work? | Rachel Lerman, The Washington Post 

• Everything you Need to Know about Section 230 | Casey Newton, The Verg

• FB, Twitter: Trump order will restrict, not free, speech | J. Clara Chan, The Wrap

• Zuckerberg dismisses fact checking after bragging about it | Kate Cox, Ars Technica

WASHINGTON WATCH

• House effort to pass surveillance overhaul collapses after Trump tweets and pushback from DOJ | Ellen Nakashima and Mike DeBonis, Washington Post

• Trump Is Officially a Bigger Privacy Supporter Than Either of These People | Dell Cameron, Gizmodo

• Government surveillance bill pulled after Trump veto threat, privacy concerns | Alfred Ng, CNET

• EARLIER: House was to vote on whether the FBI can access internet history without a warrant: Act now to Save Internet Privacy | Caleb Chen, Private Internet Access

• Rep. Eshoo Introduces Bill to Ban Microtargeted Political Ads | Rep. Anna Eshoo

• Sen. Hawley Writes Twitter CEO: Twitter Should Lose Immunity If Editorializing On Political Speech | Senator Josh Hawley

• The FBI is mad because it keeps getting into locked iPhones without Apple’s help | Riana Pfefferkorn, Yahoo

AT AGE TWO — ASSESSING GDPR 

Privacy activist claims GDPR collaboration is ineffective, asks European Commission for sanctions

Hailed as a consumer-privacy breakthrough, Europe’s General Data Protection Regulation (GDPR) has growing pains as it reached two years of age this week, prompting a plea from the region’s most aggressive data-privacy advocate to get moving on complaints about Facebook and other platforms.

The activist and lawyer Max Schrems called on European authorities to push the Irish data-protection regulator to speed up its handling of cases he brought against Facebook. But regulators are plagued by too few regulators and too much business, others say, leaving them vulnerable to being swayed by big tech.  And there are those who question a premise of GDPR that “consent” is a key way to frame privacy protection.

In his 16-page, May 25, GDPR-second-birthday open letter, Schrems says lack of cooperation among data-protection commissions in the various European Union nations is making the GDPR “fundamentally dysfunctional.” He says French authorities were able to swiftly investigate and fine Google 50-million Euros in a few months, while, he alleges, his cases filed two years ago against Facebook, Instagram and WhatsApp are stalled in Ireland.

In his letter he makes these claims:

• There have been “no penalties” under GDPR for two years, despite more than 7,125 complaints in 2019 alone.

• Facebook fails to properly obtain consent to use consumer data which it collects, employing what he calls a “consent bypass.” He says authorities in Ireland, where Facebook has its main EU office, are engaging in “secret cooperation” with the company, something the authorities dispute.

• An optional investigative phase has added more than a year to the process, demonstrating “poor procedure management” by the Irish authorities and uncovering lack of cooperation with equivalent authorities in Austria, where Schrems’ European Center for Digital Rights — “noyb.eu” — is based. 

Schrems asks the European Commission to sanction nations which are not promoting “effective application of the GDPR.” 

RELATED LINKS

• Under GDPR, life not much different for consumers | Joseph Zappa, StreetFight.com

• EU: GDPR Survey: Benefits Beyond Compliance | Magalie Dansac Le Clerc, Global Compliance News

• Top EU data protection agency under pressure to act against Internet giants as GDPR turns 2 years old | Glynn Moody, Private Internet Access

• As the GDPR turns 2, Big Tech should watch out for big sanctions | Katie Collins, CNET

• GDPR shows fixing online privacy will take longer than two years | Joseph Brookes, Which 50

• GDPR at two: How far we’ve come, how far we still have to go | Alex Scroxton, Computer Weekly

• On the second anniversary of GDPR, Covid-19 brings new data protection challenges | Ellen Daniel, Verdict

• Belgian DPA Releases Report for Second Anniversary of the GDPR | Hunton Privacy Blog

• We need to fix GDPR’s biggest failure: broken cookie notices | Matt Burgess, Wired

GDPR ENFORCEMENT

• Vestager’s next big fight will be with Europe | Mark Scott, Politico

• Key GDPR decision on “lawful” data transfer anticipated from Euro court | Henrik Hanseen, Laur Badi & Julian Flamant, Higan Lovells law firm 

• First major GDPR decisions looming on Twitter and Facebook | Natasha Lomas, Yahoo

• Ireland’s data protection boss questions Apple over Siri privacy | Luke Dormehl, Cult of Mac

• EU privacy enforcer hits make-or-break moment | Mark Scott, Politico

• Facebook German privacy case referred to European Court | WHBL News Radio

• Irish regulator reaches preliminary decision in Twitter privacy probe | Euractiv

• Google accused of using GDPR to impose unfair terms on publishers | Natasha Lomas, TechCrunch

• What are common examples of “legitimate interests” that are relied upon by controllers? | David Zetoony, Bryan Cave Leighton Paisner LLP

• (How) will the EU shape the platform economy? | Bernd Meyring, Tech Insights

• ANALYSIS: EU courts’ antitrust challenge to Google “shopping” is assessed | Lesley Hannah and Claus Wenzler, Hausfeld law firm

• Norwegian DPA creating regulatory sandbox for AI | IAPP

• Dutch grandmother’s Refusal to Remove Photos From Facebook Tests Privacy Law | Adam Satariano and Claire Moses, New York Times

•  An oversharing grandma’s court case offers lessons on setting boundaries for kids’ online privacy | Stacey Steinberg, My San Antonio

COVID-19 AND PRIVACY

• ‘Privacy has taken a back seat’ as governments pursue digital contact tracing | Derek du Preez, Diginomica

• Apple and Google roll out their new exposure notification tool. Interest seems limited. | Sara Morrison, Vox

• The world’s first contact-tracing app using Google and Apple’s API goes live |  Daphne Leprince-Ringuet, ZDNet

• AI can battle coronavirus, but privacy shouldn’t be a casualty | Philip Howard and Lisa-Maria Neudert, TechCrunch

• Singapore’s contact-tracing app tops privacy study | Aaron Tan, TechTarget.com

• North Dakota Microsoft Developer For COVID Tracing App Refutes Data-Sharing Allegations | Laurie Sullivan, Media Post

• Contact Tracing Is Harder Than It Sounds | Kate Murphy, New York Times

• Fever-checking technology is a danger to privacy and may not be accurate, ACLU says | Simone Jasper, Miami Herald

• Coronavirus: French Privacy Watchdog Okays Contact Tracing App | Agence France-Presse, Gadgets 360

IDENTITY AND PRIVACY

• ‘Decentralized ID at All Costs’: Reneiris Quits ID2020 Over Blockchain Fixation | Benjamin Powers, Coin Desk

• Mastercard joins ID2020 Alliance to advance digital identity as a fundamental human right | Chris Burt, Biometric Update

• Who’s who in the identity resolution vendor landscape? | Pamela Parker, Marketing Land

• Why Identity Resolution Platforms are so relevant today | Karen Burka, Marketing Land

• Understanding the “World of Geolocation Data” | Stacey Gray, FPF

PERSONAL PRIVACY

• Consumer Reports’ Digital Lab Releases Two Studies on Digital Privacy and Online Tracking | Justin Brookman and Katie McInnis, Consumer Reports

• Could Google’s ‘federated analytics’  analyze end-user data without invading privacy? | Kyle Wiggers, VentureBeat.com

• Arizona sues Google over allegations it illegally tracked Android smartphone users’ locations | Tony Romm, Washington Post

• U.S. state of Arizona files consumer fraud lawsuit against Google | Reuters

• Arizona sues Google over claims it illegally collected location data from smartphone users even after they opted out | Tyler Sonnemaker, Business Insider

• Arizona sues Google over claims it illegally tracked location of Android users | Nick Statt, The Verge

• I tried to delete myself from the internet. Here’s what I learned |  Seth Fiegerman, CNN

• Look to Design, Not Laws, to Protect Privacy in the Surveillance Age | Raullen Chai, Coin Desk

• Brave’s browser now includes a privacy-focused video calling app | Rachel England, Engadget

• How Can We Take Back Control Of Our Data? | Dell Cameron, IB Times

• Privacy flaws in security and doorbell cameras discovered by Florida Tech Student | Adam Lowenstein, Science Magazine

• 2020 Ends a Decade of 62 New Data Privacy Laws | Graham Greenleaf and Bertil Cottier, SSRN

• APAC consumers have concerns about online privacy, but let it go for freebies | ZD Net

ADVERTISING TECHNOLOGY

The IAB Tech Lab is moving ahead on its “Project Rearc” effort to find a replacement for the third-party cookie — a mainstay of web advertising that browser makers, including Google, are determined to gobble up and eliminate in response to consumer privacy concerns.

Third-party cookies continue to be the principal way that advertising networks “tag” and identify users across multiple independent websites to support real-time bidding (RTB) advertising. The problem is that the process is tech-and-bandwidth intensive, slows down websites, and results in data about users being stored opaquely all over the internet. And for publishers, it introduces a whole infrastructure of technology middlemen between the advertising and the publisher who must be paid.

The initiative began at IAB’s annual meeting over the winter in California and kickoff webinars on March 26 and 31 were designed to tell a “how did we get here and where are we today” story.  At least two more webinars are planned, the first sometime during June, entitled “What does the removal of identifiers mean for publishers?”  A third webinar will be entitled, “What does it mean for agencies and brands?”

IAB Tech Lab has also set up a task force and a series of working groups, some of which are open to the public. 

MORE AD TECH

• Digital ad-spend up 16%; CPMs down 16% in QT1 | Laurie Sullivan, MediaPost.com 

• Here’s Why LiveRamp Holdings Is Soaring Today | Chris Neiger, The Motley Fool

• More intuitive privacy and security controls in Chrome | AbdelKarim Mardini, Google

• Contextually Aligned Ads Drive a 93% Increase in Brand Awareness, USC and Channel Factory Find | Exchange Wire

• California Privacy Compliance Obligations May Soon Change Under CPRA Ballot Initiative | Mark Brennan, Bret Cohen, Timothy Tobin and Julian Flamant, HL Data Protection

• Are Publishers Finding Alternatives to Third-Party Cookies? | Video Ad News

• What changes (and accelerates) in ad tech during a recession | Seb Joseph, Digiday

• Google Begins Trialling Privacy Sandbox || Grace Dillon, Exchange Wire

• Most Google searches don’t result in commerce, Searchmetrics study finds | Laurie Sullivan, MediaPost