Brookings report suggests pre-empting “inconsistent” state laws for eight years, and limits to private lawsuits, as elements of effort to advance federal privacy legislation

Narrowing the definition of sensitive data, pre-empting inconsistent state privacy laws for at least eight years, and limiting private lawsuits to actual damages as a result of knowing or reckless activity by data handlers are among a report’s recommendations to “unfreeze the privacy debate” for federal legislation.

The ideas are contained in an 84-page Brookings Institution-released report written by four co-authors, including two prominent former U.S. Dept. of Commerce administrators. The report, entitled, “Bridging the gaps: A path toward federal privacy legislation,” was released this week (June 3) along with a short document detailing its seven key recommendations.

The report does not offer any wording for defining “sensitive data.” But the authors suggest narrowing any such definition because of what they call  “consent fatigue” — a perceived concern that consumers asked repeatedly for permission to use broad swatches of data might grow tired of the process and “allow” all uses.

Current laws examined by researchers include things like an email address, phone number and metadata as “sensitive data”. What’s important, they say in a discussion on page 32 of the report, is to avoid requiring consent for “some routine and innocuous uses…”

One of the two authors, former Commerce Dept. general counsel and acting secretary Cameron F. Kerry, also penned a backgrounder setting context for stalled bipartisan legislative attempts at federal privacy law — even as California moves aggressively ahead at enforcing and enhancing state law with de facto national impact in the federal void.

“Our report presents detailed recommendations — not only on preemption and private rights of action, but also on many issues that compose comprehensive privacy legislation,” Kerry writes in the backgrounder, saying the report follows discussions with congressional staffers, civil-liberties advocates, members of civil society and industry representatives. “Our recommendations show ways to align these legislative proposals and, where they are far [apart], to find a middle ground that addresses key interests on both sides of the debate.”

Among the report’s other key recommendations:

• The civil-rights implications of algorithmic decision making that is based on private data analysis should be independently regulated — and its general impact required to be assessed and audited.

• Adopt an “adaptive” approach to regulation which defines and imposes general duties of loyalty and care on all data users, focuses on outcomes rather than processes, and exempts some small- and medium-sized entities from costly compliance mechanisms.

Joining Kerry in writing the report were Brookings senior fellow John B. Morris Jr., who worked in a non-political job in the commerce department on the Consumer Privacy Bill of Rights during the Obama administration and until 2019 under the Trump administration. Earlier he was general counsel to the Center for Democracy and Technology. Kerry, also a Brookings fellow, lead the Obama administration’s work on consumer privacy, is a regulatory lawyer and a visiting scholar at the MIT Media Lab. The other two Brookings co-authors are researcher Caitlin T. Chin and fellow Nicol E. Turner Lee.  (Also see Quote of the Week, below)

WASHINGTON WATCH

• Members of Congress to unveil bipartisan bill to regulate contact-tracing apps, fearing potential privacy abuses | Tony Romm, The Washington Post

• Bipartisan group of senators introduce contact-tracing privacy bill | Ben Lovejoy, 9 to 5 Mac

• Bipartisan Group Of Senators Proposes Privacy Bill For COVID-19 Contact-Tracing Apps | David Stauss, Husch Blackwell LLP, JD Supra

• Republicans and Democrats Introduce COVID-19 Privacy Bills |  Rebecca Spence, The Rodman Law Group, JDSupra  

• Federal Privacy Legislation More Crucial Than Ever, Says Federal Trade Commissioner Christine Wilson | Elijah Labby, Broadband Breakfast

• Trump app keys on phone number | David Pierce, Protocol

• Google Search a Target of U.S. Antitrust Probes, DuckDuckGo says | Gerrit De Vynck, Bloomberg Business 

• This Is What The DOJ Is Thinking As It Preps Its Antitrust Case Against Google | Allison Schiff, AdExchanger

• Marketers Bring Antitrust Suit Against Google | Wendy Davis, MediaPost

SURVEILLANCE, PROTEST AND PRIVACY

• Debate on surveillance and privacy heats up as U.S. protests rage | Umberto Bacchi and Avi Asher-Schapiro, Reuters

• U.S. police have attacked journalists more than 100 times in the past four days | Laura Hazard Owen, Nieman Lab

• Want to participate in a protest? You may want to do this with your tech before you go | Jennifer Jolly, USA Today

• DEA Can Secretly Surveil George Floyd Protesters | Jason Leopold and Anthony Cormier, Buzzfeed News

• Protect Phone Privacy & Security During a Protest | Thomas Germain, Consumer Reports

• Edward Snowden, the Surveillance State, and the ‘Dark Mirror’ Still Watching Us All | Nick Gillespie, Reason

• How to Protest Without Sacrificing Your Digital Privacy | Joseph Cox and Lorenzo Franceschi-Bicchierai, Vice

TRUMP AND SECTION 230

• Lawsuit Says Trump’s Social Media Crackdown Violates Free Speech | Kate Conger, New York Times

• Ron Wyden worried about what would happen if Section 230 is repealed | Alexis Keenan, Yahoo Finance

• VIDEO: Section 230 considered — a digital panel (with Wyden) | Vivian Schiller, Aspen Digital 

• Tech advocacy group’s lawsuit says Trump’s order on social media is unconstitutional | Alison Frankel and Nandita Bose, Reuters

• FCC commissioner says Trump’s Section 230 plan ‘does not work’ |  Makena Kelly, The Verge

• Brookings: Why Trump’s online platform executive order is misguided | Niam Yaraghi, Brookings

• As Trump Targets Twitter’s Legal Shield, Experts Have A Warning | Bobby Allyn, NPR

Law firms urge clients to start preparing for July 1 compliance with CCPA after Becerra seeks urgent approval of March 11 regs

It’s official — enforcement of the landmark California Consumer Privacy Act (CCPA) will begin July 1.

After four public hearings, 1,000 public comments and more than 300 letters — including concerns from publishers, advertising and technology companies — in two comment periods totaling over two months Becerra this week asked the state’s Office of Administrative Law (OAL) to expedite approval of his March 11 CCPA enabling regulations.

Becerra’s June 1 announcement included a revised State of Reasons  that explains the basis for the regulations and outlines textual changes from the initial draft regulations published on October 11, 2019. The rulemaking process has gone on for months.

“There have been no statements from the AG that would suggest any intention to delay enforcement despite the hardships caused by COVID-19 or the potential lack of final and effective regulations,” attorney Sandra A. Jeskie, of the Duane Morris law firm, wrote on her firm’s blog. “As such, companies should prepare for enforcement to start July 1st.”

The privacy lawyers at the Hogans Lovell law firm, which has also followed the law closely, also advised clients to update their CCPA compliance programs on the assumption enforcement would begin July 1. It added: The final text is unchanged from the most recent draft published on March 11, which we previously summarized.”

IMPLEMENTING CCPA 

• CCPA 2.0 – More Privacy Legislation in the Golden State? | Rachel E. Ehlers, LexBlog

• More Privacy Legislation in the Golden State? | Workplace Privacy, Data Management & Security Report  

• As CCPA Pressure Heats Up, Here’s What Should Be on Your Summer To-Do List | Faegre Drinker Biddle & Reath LLP, JDSupra

• Video Blog Series: Helping Corporate Leaders Understand and Explain the CCPA in 3 Minutes | Natalie Prescott, Mintz 

• Consumer Rights and an Organization’s Responsibilities Under the CCPA | Brooke Penrose, Lex Indicium

• Lawyers React to California Attorney General’s Submission for Final CCPA Regulations | Dan Clark, The Recorder

STATEHOUSE WATCH

• Dakotas Slip in COVID-19 Contact Tracing Privacy Protection | Dominic Dhil Panakalm Womble Bond Dickinson, JD Supra

• Access Now and partners defend Maine broadband privacy law | Access Now

• Maine Broadband Privacy Law Doesn’t Violate First Amendment, Free Speech Advocates Say | Wendy Davis, MediaPost

• California’s statehouse is considering a controversial facial recognition bill |  Russell Brandom, The Verge

WashPost Zeus ad-tech initiative: Could it grow to 600-million plus users, challenging FB and Google? How would user privacy be handled? Is Amazon a part?

A report on the news website Axios is adding potential strategic detail to two announcements by The Washington Post involving advertising technology and U.S. local news organizations.  One possibility — a network that can address commercial messages to millions of news readers and viewers. Not clear yet — how the privacy and identity of those users would be handled.

The two announcements:

• The Local Media Consortium, an alliance of more than 3,500 local media outlines from more than 90 media companies (print, web, TV, radio), said May 21 it had reached an agreement under which The Post would offer special pricing to LMC members who want to use The Post’s ad creation, inventory and buying system, called “Zeus Performance.” The Post said Zeus Performance “will optimize site architecture, improve viewability and page load speed, increase CPMs and overall revenue, and enhance reader UX.”

• McClatchy, the California-based newspaper chain, joined June 2 with The Post to say it would roll out Zeus Performance across its more than 30 local news sites. The Post called it “a first step of a deeper relationship between McClatchy and Zeus. One goal: Make it easier for national advertisers to execute multi-market campaigns. 

In her Axios story, entitled: “Washington Post makes major move into local news,” reporter Sarah Fischer wrote “by adding more local news outlets, The Post can start to build a local-news ecosystem within its tech stack.”  She added: “One idea that’s been floated could potentially be a single sign-in mechanism for a bunch of local sites.” 

The Post website includes a July 2019 “By WashPostPR” page (headline: “Digiday: The Washington Post is preparing for post-cookie ad targeting”) that republished portions of a DigiDay story saying The Post’s plans then to license Zeus to publishers would include integration with its Arc technology platform that “reaches a combined 600 million unique users globally…” The quoted DigiDay story went on to say: “The theory is that in doing so, publishers can compete more effectively with the scale and data-targeting opportunities provided by Facebook and Google.”

Zeus might also be aiming to offer a replacement for the “Real Time Bidding” (RTB) programmatic advertising system who’s hundreds of ad-tech company middle-men take almost half of ad revenues before they reach publishers.

The Washington Post is owned personally by Jeff Bezos, the founder-chairman of Amazon Inc., which in the last few years has grown to be the No. 3 digital advertising platform after Facebook and Google. Facebook and Google rely upon gathering data and insights about their users through facilities that “log-in” those users for tracking across millions of websites — with resulting privacy implications.  The Zeus initiative, if combined with a single-sign on (SSO)  log-in might enable WashPost to develop related capabilities among the cited 600 million unique users.

“Zeus, in theory, could own the data,” a knowledgeable former mid-sized daily newspaper digital executive observed in a discussion with Privacy Beat. “Whoever owns Zeus would own that data. They are driving toward the SSO concept out of an ad system, not a subscription system. It is pretty clear they are selling this to publishers on the grounds they are not going to take a big slice of the pie that all of ad-tech has done.”

ADVERTISING TECHNOLOGY

• What Are The Economics Of Digital Ad Fraud | Augustine Fou, Forbes

• Libra Will Allow Facebook to Spike Ad Prices, Zuckerberg Says | Stephen O’Neal, CoinTelegraph

• What’s Behind Ad Tech’s Unexpected Stock Price Jump? | Ronan Shields, AdWeek

• MediaMath explores a possible sale | Lara O’Reilly, Digiday

• Criteo Provides An Interim Update On Financial Performance For Q2 2020 | Yahoo Finance

• South China Morning Post Went All In on First-Party Data | Sarah Sluis, AdExchanger

• New ‘Post Third-Party Cookie’ Taskforce for IAB Europe & National IAB Members  | IAB Europe

• How digital media can get serious about building transparency, privacy and neutrality in a post-cookie world  | Sigvart Voss Eriksen, Ad Age

INCOGNITO – REALLY?

• Suit Claims Google’s Tracking Violates Federal Wiretap Law | Daisuke Wakabayashi, New York Times

• We thought Incognito mode on Chrome browser was private. It’s no where close to it. $5 Bn Class Action lawsuit filed against Google | Abhinav Singh, TFI Post

• Google sued for at least $5 billion over claimed ‘Incognito mode’ grab of ‘potentially embarrassing’ browsing data | Ethan Baron, Mercury News

• Google is being sued for tracking users even when they’re browsing in incognito mode | Isobel Asher Hamilton, Business Insider

• Google faces $5 billion lawsuit in U.S. for tracking ‘private’ internet use | Jonathan Stempel, Reuters

• $5 Billion Lawsuit Accuses Google of Tracking Chrome Users in Incognito Mode | Tim Hardwick, Mac Rumors

COVID AND PRIVACY

• Privacy Experts Say Responsible Coronavirus Surveillance Is Possible | Sam Biddle, The Intercept

• As schooling rapidly moves online across the country, concerns rise about student data privacy | The Washington Post

• Documents Show Clearview Is Selling Facial Recognition Tech To Retailers, Fitness Centers, And Human Rights Violators | Tim Cushing, Tech Dirt

PERSONAL PRIVACY

• RESEARCH: Let’s Talk Privacy: Five-member team surveys 41 people on privacy | MIT Media Lab

• The blurry arms race over facial-recognition | David Pierce, Protocol

• You might want to uninstall Houseparty, expert calls it a privacy ‘trojan horse’ | Phillip Prado, Android Authority

IDENTITY AND PRIVACY

• The Sovrin Foundation Announces Formation of a New Board of Trustees | Sovrin

• Why Identity Resolution Platforms are so relevant today | Karen Burka, Marketing Land

• DTA wraps up digital ID pilot on myGov | Justin Hendry, IT News

• Decentralized identity management platform Magic launches from stealth with $4M | Lucas Matney, TechCrunch

GDPR AND EUROPE

• UK’s Lead Privacy Regulator Set to Deliver Landmark GDPR Decision in Twitter Case; WhatsApp Decision Reached Preliminary Draft Stage | Scott Ikeda, CPO Magazine

• GDPR – Even after Two Years of Existence, Full Enforcement Seems Far-away | Debjani Chaudhury, Enterprise Talk

• What the future of GDPR might look like in Ireland | Simon Cocking, Irish Tech News

• Legal challenge as UK contact tracing app retains personal data for 20 years | Ben Lovejoy, 9 to 5 Mac  

• Google cautions EU on AI rule-making | Tech Xplore

PRIVACY BUSINESS

• Brave’s massive growth signals rising concerns over privacy online | Robert Stevens, Decrypt

• Brave Has Over 15 Million Monthly Active Users | Paul Thurrott, Thurrott

• Popularity of Brave’s Crypto-Enabled Browser Doubles, 15 Million Active Users | Mike Dalton, Crypto Briefing

• CyberArk snaps up identity startup Idaptive for $70M | Zack Whittaker, TechCrunch

• ‘Careless’ Users Are Ruining Ethereum’s Privacy: Paper | Paddy Baker, CoinDesk

• Trading Higher: Ping Identity Holding Corp. (PING) Stock Pops Again, Will It Rise More? | StockWatch247

• As protests escalate, advertisers and media owners face a fresh crisis | Lara O’Reilly, DigidAY

ALSO NOTED

• Blockchain journalism startup Civil is no more | Andrew Hayward, Decrypt

EVENTS DATEBOOK

• Webinar | 5 Critical Security and Privacy Lessons From CCPA Litigation | July 9, Spirion, Bank Info Security