Mactaggart sues Cal AG after 27-minute filing delay imperils ballot spot for CCPA 2.0 privacy initiative; seeks court ruling by June 18

A 27-minute delay — and consideration of what  “immediate” means — could spell trouble for privacy advocates seeking to strengthen the California Consumer Privacy Act (CCPA). A court decision in Alastair Mactaggart, et al. v. Padilla could come June 18. The issue revolves around filing deadlines for initiative ballot questions in California.

Californians for Consumer Privacy (CCP) filed with 58 counties on May 1 petitions they said carried approximately 920,000 signatures of voters seeking to put a “California Privacy Rights Act” on the November ballot. If passed by voters, it would make changes in the CCPA. The counties had until May 13 to report to the state enough signatures received to start a certification process. The law says Secretary of State Alex Padilla must then “immediately” direct counties to begin sampling of the received petitions to make sure a total of 667,062 signatures are deemed by them to be statistically valid.

One county, Riverside, turned in its report at 5:27 p.m. on May 13. But the Secretary of State’s office — departing from typical practice — waited until 4:02 p.m. the next day — May 14 — to tell counties to start sampling. That then gave them 30 days to complete their work. If any council takes the full 30 days, they would be finished until the after (June 25) the Secretary of State must certify the question for the ballot.

CCP’s founder and petition proponent, Alastair Mactaggert, sued this week to compel Padilla’s office to in turn order the sampling completed by June 25 — after Padilla refused to do so. (See Quote of the Week, below).

• California Privacy Advocates Seek Court’s Help With Ballot Initiative | Wendy Davis, MediaPost

• A Day Late,  CPRA Ballot Initiative May Not Appear on Ballot | Justin Yedor et al., Password Protect/McGuireWoods law firm

• Mactaggert says 27-minute delay may imperil privacy of Californians | Wendy Davis, DigitalNewsDaily.com

• Californians for Consumer Privacy Submits Signatures to Qualify the California Privacy Rights Act for November 2020 Ballot | Californians for Consumer Privacy

MORE CCPA

• HOW TO: Verifying, responding to CCPA consumer requests | Yesmin Azodi & Jeffrey Glassman, Ervin Cohen law firm

• Two firms in fight over alleged unfair competition via CCPA violation | Allison Schiff, AdExchanger.com

• HOW TO: Verifying, responding to CCPA consumer requests | Yesmin Azodi & Jeffrey Glassman, Ervin Cohen law firm

• IAB Tech Lab releases CCPA data deletion spec | IAPP

• Uncertainty Looms as New Privacy Law in California Takes Effect in the COVID-19 Era | Menaka Fernando, Outten & Golden LLP

• Highlights From the Final CCPA Regulations | Privacy Compliance & Data Security

• RESOURCE: Countdown to CCPA compliance | Petrina Hall McDaniel, Square Patton Bogs law firm

• California AG Won’t Delay CCPA Enforcement, but May Exercise Prosecutorial Discretion | Privacy Compliance & Data Security

• CCPA litigation: Shaping the contours of the private right of action | IAPP

• Ad industry rep: CCPA privacy controls unclear, may promote fraud | Leigh Freund , Network Advertising Initiative

• California’s new Consumer Privacy act: Are you ready? | Genetec

• Early Consumer Reports research finds looming problems with CCPA consent procedures | Maureen Mahoney, Consumer Reports

• IAB Tech Lab Intros New Spec To Handle CCPA Data Deletion Requests | Allison Schiff, AdExchanger.com

• The California Data Broker Registry’s Growing Significance For Ad Tech | Richard Eisert, via AdExchanger.com

• IAB Tech Lab Has a New Spec for Data Deletion Ahead of CCPA | Andrew Blustein, Adweek

• CCPA and customer outreach: What marketing experts need to know | Christina Luttrell, ClickZ

• California Attorney General Finalizes CCPA Regulations as the Law’s Enforcement Date Nears |  John M. Brigagliano, Jon Neiditz, Amanda Witt and Vita Zeltser, Kilpatrick Townsend

• While Final CCPA Regulations Await OAL Approval, Companies Should Move Forward With Compliance Efforts | Publications | Loeb & Loeb LLP

PERSONAL PRIVACY
Future? Browser software protecting your privacy by checking your logins or related sites in W3C discussions

Your web-browser software may someday ask you if you want to be “logged in” to a particular website, and if you answer no, the site’s ability to store information about you on your machine would be restricted.

Or, the browser software may check to see if the website you’ve given permission to track you is a “relative” of another website; if not, no cross-site tracking.

Those are two ideas broached in respectful debate about re-designing the way identity and privacy work on the web, as web browser makers attempt to balance the privacy requests of users against the desire for advertising and publishers to “follow” their readers/customers across the web.

“The current behavior of the web is ‘logged in by default,” Apple WebKit engineer John Wilander wrote in April. “Meaning as soon as the browser loads a webpage, that page can store data such as cookies virtually forever on the device. That is a serious privacy issue. Long term storage should instead be tied to where the user is truly logged in.”

The discussions are occurring about every other week online in a public forum hosted by the World Wide Web Consortium (W3C), a respected, Cambridge, Mass.-based, nonprofit, technology standards promoter.  They involve the major web-software makers — Apple, Google, Mozilla, Microsoft and Brave — who otherwise compete but are able to talk with each other around public-benefiting standards development.

But the competition is not far below the surface. The “IsLoggedIn” idea is being championed by Apple for its Safari browser, with apparent support from Mozilla. The “First Party Sets” idea is advanced by Google, maker of the web-dominant Chrome browser.

Will they ever agree on a common approach? That’s the intriguing part of the W3C discussions. But one indication that anything is possible — until a few weeks ago, Google wasn’t participating formally in the W3C’s “privacy community group” where “IsLoggedIn”  is under consideration.  It was promoting “First Party Sets” in a different W3C’s “web platform incubator community group.”

But this week, a Google software engineering manager, Kaustubha Govind, was online in the privacy group to talk about First Party Sets.

“Ideally, we do want a policy that’s standardized,” she said. “And common across browsers.”  As for Google’s official thinking about such matters as the blocking of cookies or other methods for cross-site registration, she observed: “I don’t have a written policy to share yet.”

COVID-19 AND PRIVACY

• Police body cameras at protests raise privacy concerns | Alfred Ng, CNET

• States divided on coronavirus-tracing apps | Steven Overly, Politico.com

• Congress Has Proposed Two Competing COVID-19 Privacy Bills…One With a Personal Right of Action. Time to Get Your Data in a Row! | Jenny Colgate, Privacy Zone

• Decentralization: Preserving Personal Privacy While Fighting COVID-19 | Muneeb Ali, CoinTelegraph

• How Covid-19 Contact Tracing Works on Your Phone | David Nield, Wired

• Pandemic accelerated states’ identity and access management projects | Colin Wood, State Scoop

• Poland rolls out privacy-secure coronavirus tracking app | Reuters

• Cassidy, Cantwell, Klobuchar Introduce Bipartisan Legislation to Protect Consumer Privacy, Promote Public Health for COVID-19 Exposure Notification Apps | The Times of Houma/Thibodaux

• Bipartisan Bill Provides Privacy Protections for Users of Contact Tracing Tech | Samuel Hanks , Privacy & Information Security Law Blog

PERSONAL PRIVACY

• Citizens of the world, your face is being recognised…or not? | John Groom, Baker McKenzie

• Tom Jermoluk: “Flip the Internet”: Internet pioneer on the future of digital identity | Mathew DiSalvo, Decrypt.co

• Twitter’s newest trick relies on tracking more of your clicks | Sidney Fussell, Wired.com

• Juniper Networks assailed for government backdoors to user date | Sen. Ron Wyden news release

FACIAL RECOGNITION

• Amazon and IBM: Time out for facial recognition? | Ryan Johnston, StateScoop.com

• Microsoft won’t sell facial recognition to police until Congress acts | BBC News

• Amazon’s facial recognition moratorium has major loopholes | Zack Whitaker, TechCrunch.com

• Opinion: IBM, Amazon moves on facial recognition are good baby steps toward removing bias | Therese Poletti, MarketWatch.com

• Amazon’s facial recognition moratorium has major loopholes | Zak Whittaker, TechCrunch.com

• IBM is exiting the face recognition business | Ina Fried, Axios

• IBM exits facial recognition business, calls for police reform | Reuter

• Google Moves to Dismiss New Mexico COPPA Case | Carter Holland, Law Street Media

• Twitter’s newest trick relies on tracking more of your clicks | Sidney Fussell, Wired.com

• Juniper Networks assailed for government backdoors to user date | Sen. Ron Wyden news release

PRIVACY RESEARCH

• New Research: “Privacy Threats in Intimate Relationships” | Bruce Schneier & Karen Levy, Journal of Cybersecurity

• Report finds massive drop in Canadians’ willingness to disclose personal information for free online services | Josh Tabish, CIRA

ADVERTISING TECH
IAB sets next webinar as it seeks consensus on how user data might be legally shared after “third-party cookies”

The Interactive Advertising Bureau Technology Lab (IAB) has set dates for its next webinar in a series aimed at searching for consensus about how user data can be legally shared for the benefit of advertisers (and publishers) once third-party cookies are no longer available.

The “What Does the Removal of Identifiers” webinar, on July 16 at 11 a.m. EDT and repeated July 21 at noon EDT, will include a virtual panel of “buy side” parties — including two global ad agencies, Jordan Mitchell, who is heading IAB’s “Project Rearc” effort, told Privacy  Beat. A third webinar, featuring publishers discussing how loss of cookie based identifiers will affect their ad business, is still planned.

Project Rearc is IAB’s effort to show leadership at re-architecting how identity and privacy work on the web.  Even within the ad-tech ecosystem, which IAB effectively speaks for, there is uncertainty about who or what will emerge.

Back in September, Mitchell floated the idea for a neutral “publicly owned” single identifier — “standardized privacy settings and consumer controls tied to a neutral, standardized identifier” — is how he put it. Mitchell has championed an identifier called “DigiTrust” which would be controlled by the IAB. (ITEGA, sponsor of this email newsletter, has written about an authentication and authorization service that it would govern as an independent, public-benefit 501(c)3).

Mitchell calls Project Rearc “a collaborative process to educate critical stakeholders within our industry, and facilitate key global inputs into the development of new technical standards and guidelines that will determine how our industry operates without the use of third-party cookies.”

One of IAB’s members and a major ad-tech player, is LiveIntent, which has partnered on identity sharing with PubMatic.  “Behind the scenes, at conferences and in meetings, we’re told of solutions that will emerge that use CNAMEs, Universal IDs, device IDs, IP addresses, or other Rube Goldberg-ian hijinks to create the supposed 1:1 replace for how marketing was previously done,” LiveIntent’s president, Brad Silver, wrote at StreetFightMag.com on April 30.

Efforts to replace the third-party cookie ecosystem with something that meets emerging privacy and user-identity control standards in both Europe and the United States is the subject of talks at the World Wide Web Consortium (W3C) among browser-software makers, among public, advertiser and ad-tech trade organizations such as IAB — and is also affected by looming antitrust enforcement and privacy-advocating legislation which could change the business of the biggest ad-tech player of all, Google.

“We have to get to some sort of negotiated resolution on what the agreed-upon solution looks like, with buy-in from all parties,” one observer remarked to Privacy Beat. “In the meantime, more large organizations are coming in and staking their ground. The policy people think it’s a policy problem/solution; the business people think it’s a business problem/solution and the tech folks a tech problem/solution.”

MORE AD TECH

• Digiday Research: Coronavirus-related keyword blocking is a problem for 43% of all publishers | Shareen Pathak, Digiday

• Morally impossible: Some advertisers take a timeout from Facebook | Tiffany Huse & Cecilia Kang, New York Times

• New Google ‘confirmed clicks’ plan could depress publisher revenue | Lucinda Southern, Digiday

• Privacy browser Brave under fire for violating users’ trust | Robert Stevens, Decrypt

• Brave Blows Up Its Whole Reason for Existing | Soshana Widinsky, Gizmodo.com

• Brave browser CEO apologizes for automatically adding affiliate links to cryptocurrency URLs | Kim Lyons, The Verge

• ANALYSIS: Why the ISBA/Price Waterhouse ad trust report matters | Nick Manning, MediaTel News

• VIDEO: Brave’s Johnny Ryan speaks at P&G on Vimeo on brands, ad-tech and privacy