PRIVACY BEAT: Brookings report suggests pre-empting “inconsistent” state laws for eight years

Privacy Beat

Your weekly privacy news update.


Brookings report suggests pre-empting “inconsistent” state laws for eight years, and limits to private lawsuits, as elements of effort to advance federal privacy legislation

Narrowing the definition of sensitive data, pre-empting inconsistent state privacy laws for at least eight years, and limiting private lawsuits to actual damages as a result of knowing or reckless activity by data handlers are among a report’s recommendations to “unfreeze the privacy debate” for federal legislation.

The ideas are contained in an 84-page Brookings Institution-released report written by four co-authors, including two prominent former U.S. Dept. of Commerce administrators. The report, entitled, “Bridging the gaps: A path toward federal privacy legislation,” was released this week (June 3) along with a short document detailing its seven key recommendations.

The report does not offer any wording for defining “sensitive data.” But the authors suggest narrowing any such definition because of what they call  “consent fatigue” — a perceived concern that consumers asked repeatedly for permission to use broad swatches of data might grow tired of the process and “allow” all uses.

Current laws examined by researchers include things like an email address, phone number and metadata as “sensitive data”. What’s important, they say in a discussion on page 32 of the report, is to avoid requiring consent for “some routine and innocuous uses…”

One of the two authors, former Commerce Dept. general counsel and acting secretary Cameron F. Kerry, also penned a backgrounder setting context for stalled bipartisan legislative attempts at federal privacy law — even as California moves aggressively ahead at enforcing and enhancing state law with de facto national impact in the federal void.

“Our report presents detailed recommendations — not only on preemption and private rights of action, but also on many issues that compose comprehensive privacy legislation,” Kerry writes in the backgrounder, saying the report follows discussions with congressional staffers, civil-liberties advocates, members of civil society and industry representatives. “Our recommendations show ways to align these legislative proposals and, where they are far [apart], to find a middle ground that addresses key interests on both sides of the debate.”

Among the report’s other key recommendations:

  • The civil-rights implications of algorithmic decision making that is based on private data analysis should be independently regulated — and its general impact required to be assessed and audited.

  • Adopt an “adaptive” approach to regulation which defines and imposes general duties of loyalty and care on all data users, focuses on outcomes rather than processes, and exempts some small- and medium-sized entities from costly compliance mechanisms.

Joining Kerry in writing the report were Brookings senior fellow John B. Morris Jr., who worked in a non-political job in the commerce department on the Consumer Privacy Bill of Rights during the Obama administration and until 2019 under the Trump administration. Earlier he was general counsel to the Center for Democracy and Technology. Kerry, also a Brookings fellow, lead the Obama administration’s work on consumer privacy, is a regulatory lawyer and a visiting scholar at the MIT Media Lab. The other two Brookings co-authors are researcher Caitlin T. Chin and fellow Nicol E. Turner Lee.  (Also see Quote of the Week, below)




Does your organization need customized privacy compliance solutions? ITEGA  can help.

We bring together support you need to approach compliance with CCPA, GDPR if needed, and future privacy legislation as it emerges.

Learn More

Law firms urge clients to start preparing for July 1 compliance with CCPA after Becerra seeks urgent approval of March 11 regs

It’s official — enforcement of the landmark California Consumer Privacy Act (CCPA) will begin July 1.

After four public hearings, 1,000 public comments and more than 300 letters — including concerns from publishers, advertising and technology companies — in two comment periods totaling over two months Becerra this week asked the state’s Office of Administrative Law (OAL) to expedite approval of his March 11 CCPA enabling regulations.

Becerra’s June 1 announcement included a revised State of Reasons  that explains the basis for the regulations and outlines textual changes from the initial draft regulations published on October 11, 2019. The rulemaking process has gone on for months.

“There have been no statements from the AG that would suggest any intention to delay enforcement despite the hardships caused by COVID-19 or the potential lack of final and effective regulations,” attorney Sandra A. Jeskie, of the Duane Morris law firm, wrote on her firm’s blog. “As such, companies should prepare for enforcement to start July 1st.”

The privacy lawyers at the Hogans Lovell law firm, which has also followed the law closely, also advised clients to update their CCPA compliance programs on the assumption enforcement would begin July 1. It added: The final text is unchanged from the most recent draft published on March 11, which we previously summarized.”



WashPost Zeus ad-tech initiative: Could it grow to 600-million plus users, challenging FB and Google? How would user privacy be handled? Is Amazon a part?

A report on the news website Axios is adding potential strategic detail to two announcements by The Washington Post involving advertising technology and U.S. local news organizations.  One possibility — a network that can address commercial messages to millions of news readers and viewers. Not clear yet — how the privacy and identity of those users would be handled.

The two announcements:

  • The Local Media Consortium, an alliance of more than 3,500 local media outlines from more than 90 media companies (print, web, TV, radio), said May 21 it had reached an agreement under which The Post would offer special pricing to LMC members who want to use The Post’s ad creation, inventory and buying system, called “Zeus Performance.” The Post said Zeus Performance “will optimize site architecture, improve viewability and page load speed, increase CPMs and overall revenue, and enhance reader UX.”

  • McClatchy, the California-based newspaper chain, joined June 2 with The Post to say it would roll out Zeus Performance across its more than 30 local news sites. The Post called it “a first step of a deeper relationship between McClatchy and Zeus. One goal: Make it easier for national advertisers to execute multi-market campaigns. 

In her Axios story, entitled: “Washington Post makes major move into local news,” reporter Sarah Fischer wrote “by adding more local news outlets, The Post can start to build a local-news ecosystem within its tech stack.”  She added: “One idea that’s been floated could potentially be a single sign-in mechanism for a bunch of local sites.” 

The Post website includes a July 2019 “By WashPostPR” page (headline: “Digiday: The Washington Post is preparing for post-cookie ad targeting”) that republished portions of a DigiDay story saying The Post’s plans then to license Zeus to publishers would include integration with its Arc technology platform that “reaches a combined 600 million unique users globally…” The quoted DigiDay story went on to say: “The theory is that in doing so, publishers can compete more effectively with the scale and data-targeting opportunities provided by Facebook and Google.”

Zeus might also be aiming to offer a replacement for the “Real Time Bidding” (RTB) programmatic advertising system who’s hundreds of ad-tech company middle-men take almost half of ad revenues before they reach publishers.

The Washington Post is owned personally by Jeff Bezos, the founder-chairman of Amazon Inc., which in the last few years has grown to be the No. 3 digital advertising platform after Facebook and Google. Facebook and Google rely upon gathering data and insights about their users through facilities that “log-in” those users for tracking across millions of websites — with resulting privacy implications.  The Zeus initiative, if combined with a single-sign on (SSO)  log-in might enable WashPost to develop related capabilities among the cited 600 million unique users.

“Zeus, in theory, could own the data,” a knowledgeable former mid-sized daily newspaper digital executive observed in a discussion with Privacy Beat. “Whoever owns Zeus would own that data. They are driving toward the SSO concept out of an ad system, not a subscription system. It is pretty clear they are selling this to publishers on the grounds they are not going to take a big slice of the pie that all of ad-tech has done.”










Like what you see? Then recommend to a friend.

Subscribe to Privacy Beat


Framing the compromises necessary for U.S. federal privacy legislation: Unfreezing the debate

“The recommendations and analysis in this report frame the kinds of compromises it will take to pass federal privacy legislation that would give individuals stronger, more consistent expectations for how organizations use personal information, while also giving industry clear national guidance on what it needs to do to protect privacy and security. Last year’s gridlock on the Washington Privacy Act (WPA) shows that state legislation is no slam dunk for either side of the debate and that bipartisan federal privacy legislation will take compromise. In Washington State—a fairly liberal state with a Democrat-controlled state house—efforts to resolve the private right of action failed, and WPA ultimately went down to defeat after both business interests and advocacy groups dug in. If the same thing happens in Washington, D.C., any window of opportunity to pass federal privacy legislation is likely to reach a similar end. Thus, for the federal privacy debate to move forward, stakeholders will need to find middle ground on a range of issues…Our report, available for download here, seeks to unfreeze the privacy debate by exploring and offering a middle ground. It proposes solutions on preemption and private lawsuits that depart from the maximalist approaches shaping the current debate. Our recommendations aim to prompt a clearer shift in regulatory paradigm by setting boundaries on how covered entities collect, process, and share personal information; establishing organizational accountability mechanisms; and graduating obligations according to the scale of the covered entity, covered data, and privacy risks involved.”

– Excerpts from the conclusion of a Brookings Institution report released June 3, “Bridging the Gaps: A path forward to federal privacy legislation,” by four co-authors (see story, above)


Privacy Beat is a weekly email update from the Information Trust Exchange Governing Association in service to its mission. Links and brief reports are compiled, summarized or analyzed by Bill Densmore and Eva Tucker.  Submit links and ideas for coverage to

Share Share

Tweet Tweet

Share Share

Forward Forward




Copyright © 2020 Information Trust Exchange Governing Association, All rights reserved.

Want to change how you receive these emails?
You can update your preferences or unsubscribe from this list.

Email Marketing Powered by Mailchimp