Support splinters over Proposition 24, the California privacy ballot initiative; some points, motives emerging
Disagreements among privacy advocates over California’s Proposition 24 — the California Privacy Rights Act (CPRA) — are cropping up. The policy fault lines are murky but emerging.
“The initiative’s sponsor sees the measure as a rebuke to tech companies that have been trying to water down protections in the California Consumer Privacy Act (CCPA), which went into effect this year,” Bloomberg Law’s Andrea Vittorio wrote in her account, adding: “ But the activists say some provisions in the proposal weaken privacy rights, including one that lets companies charge more to safeguard personal information.”
There were these developments this week:
- Mary Stone Ross, an ex-CIA analyst and House Intelligence Committee staffer, disclosed to Privacy Beat that she had filed papers forming “California Consumer and Privacy Advocates Against Proposition 24” and will be raising money to oppose the ballot initiative. Stone Ross came out against CPRA in January.
Consumer Reports said it was supporting the initiative (see what Justin Brookman tweeted and his colleague Maureen Mahoney’s analysis), along with the California chapter of the National Association for the Advancement of Colored People (NAACP). Another noteworthy supporter: Roger McNamee, the prominent Silicon Valley venture capitalist who was an early backer of Facebook.
The American Civil Liberties Union of California (CalACLU) also said it will oppose the initiative, as will Color of Change, Public Citizen and Oakland Privacy. On June 29, the Consumer Federation of California announced its opposition.
Stone Ross’ opposition is notable because she was a co-author in 2018 of the CCPA, which began being enforced July 1. Her opposition places her at odds with Alastair Mactaggart, of Californians for Consumer Privacy, co-author of the 2018 original CCPA and now principal architect of Proposition 24. Stone Ross, who testified about CPRA on June 20, says they now have policy differences.
Proposition 24 (TEXT) would make changes in the CCPA and that’s one reason for differences of opinion about whether to support it.
Another issue: Under California’s much-used initiative-petition process, it’s possible for citizens to enact laws that are difficult or nearly impossible for the Legislature to amend. Mactaggart has written Proposition 24 so that its terms can be amended by a simple-majority legislative process — if the changes preserve the “purposes and intent” of the initiative.
Mactaggart argues this will allow for flexibility to toughen privacy rules or make other changes that permit adjustments to account in the future for new technologies or situations. Ross Stone says that opens the door for business lobbying because one “purpose” of the initiative is to consider its impact on business and innovation. Her argument: Future proposals could argue business and innovation are being hurt.
An analysis on Medium by Santa Clara University School of Law Prof. Lydia F de la Torre explores the question of amendments for “purpose.”
“I don’t think the groups were CCPA fans either,” Future of Privacy Forum’s Jules Polonetsky tweeted about opponents. “But legislation can be amended,if it falls short. Concerns seem to be the legal uncertainty about how it can be changed.”
Stone Ross told Privacy Beat her group will need to raise millions to have an impact on voters in the fall. Asked if she would accept a check written by Goggle, she replied: “Gosh, I don’t think so. I think there would have to be very specific conditions in place.” Asked if she would accept one from Facebook, she replied: “I don’t think Facebook’s going to write me a check.”
Does your organization need customized privacy compliance solutions? ITEGA can help.
We bring together support you need to approach compliance with CCPA, GDPR if needed, and future privacy legislation as it emerges.
New York Times data exec explains privacy moves; takes note in Tweet about ad-tech W3C challenge
The executive charged with leading “data governance” at The New York Times says news organizations “have garnered a dismal reputation in terms of privacy” and the paper is making changes to make sure its business is not “based on tracking readers across their entire connected lives.”
Robin Berjon, heads data-governance for the paper and formerly worked in France for the World Wide Consortium (W3C), where he was a principal author of the HTML5 specification. His observations are in the post, “How The New York Times Thinks About Your Privacy,” appearing on the paper’s Medium pages.
Meanwhile, Berjon has also Tweeted about an Aug. 6 effort led by some ad-tech affiliated people seeking changes in the way the W3C facilitates the formulation of web privacy standards. He Tweets that an adtech coalition is trying to prevent browser makers from curbing tracking, and he says the coalition is arguing that “tracking is so good there should be a universal ID for people.”
Berjon says Times research shows readers are “broadly comfortable” with the paper “seeing some data about them.” He goes on: “But they are overwhelmingly unhappy with data be shared with third parties that can use the data for entirely different purposes.”
Finally, Berjon says the historical focus on affording users “transparency and control” over who gets data about them is not enough. The web of the future has to make it easy — as in a single step or interface — for the public to control how and where data about them is used, as well.
VALUE, DATA AND PRIVACY
Is Breitbart website profiting by opaque ad placements that take advantage of lax IAB ads.text standard?
The conservative political news website Breitbart is profiting by allegedly unintended use of an Interactive Advertising Bureau (IAB) standard — “ads.txt” — to reap revenues from ads running on hundreds of other websites unknown to the advertiser, ad-fraud activists say.
Researcher Zach Edwards describes the practice in a Medium post: ”Breitbart.com is Partnering with RT.com & Other Sites via Mislabeled Advertising Inventory.” Edwards, a Santa Monica, Calif.-based free-lance engineer and website data consultant, researched Breitbart and reporting his findings to the Nandini Jammi and Clare Atkin, who run the BRANDED ad-fraud exposure site. They write that Breitbart uses IAB’s ads.txt files and account IDs to recover ad revenue through revenue sharing.
Edwards explained in a conversation with Privacy Beat he thinks the disclosure is important because it points out a loophole in an IAB standard. He believes the loophole is advancing ad-fraud at the expense of legitimate publishers. “This inventory mislabeling creates online advertising Dark Pool Sales Houses, a market behavior that likely violates consumer protection frameworks.” He thinks mislabeling of online ad inventory should be illegal.
The solution, he argues, is two part: First, the ads.txt directory maintained by IAB and others should be open, free and public. Right now, he says, individual ad tech companies keep to themselves their decisions about untrustworthy sites, and the lists cost $10,000 or more to access.. Second, he says its time for an independent, nonprofit organization to emerge that could help audit and govern the trustworthiness of web services.
“Look at how insanely easy it is to *steal money* meant to go from legit advertisers to legit publishers! And the people who built this and support it are getting rich abetting this fraud,” New York Times had of data governance remarked in a Tweet about Edwards’ findings. Berjon also commented on the IAB’s administration of the service.
- The biggest unanswered questions around Apple’s upcoming privacy update | Lara O’Reilly, DigiDay.com
- UPDATE: Dutch publisher revenue increase after removing all 3rd-party tracking | Johnny Ryan, Brave Inc.
- Acxiom Launches A Solution To Connect Direct And Digital Audiences | Alison Weissbrot, AdExchanger.com
- Citing privacy concerns, Nielsen overhauls digital methodology | Wayne Friedman, DigitalNewsDaily
- Nielsen hatches new methodology for cookieless future | Sarah Sluis, AdExchanger.com
- DOJ Green Lights Proposed Outbrain and Taboola Merger | Sara Jerde & Ronan Shields, AdWeek.com (BACKGROUND)
- Q-and-A: Contextual targeting — more than a cookie substitute | Marco Godina, Silverbullet via ExchangeWire
- Mobile ad-tech companies trie to adapt to likely loss of Apple’s IDFA | Allison Schiff, AdExchanger.com
- What do Apple’s privacy-focused IDFA changes mean for Facebook? | Allison Schiff, AdExchanger.com
- Marketers ask for programmatic loog files; OpenX complies | Joe Mandese, MediaDailyNews
- Programmatic RTB ad exec frets about “apocalypse” of Apple dropping IDFA tracking in iOS | Ari Paparo, Beeswax via AdExchanger
- True cost of deceptive advertising? Upholding user trust during an election season | Tobais Silber, GeoEdge via Digital Content Next
- Your company’s data may be worth more than your company | Douglas B. Laney, Forbes CIO Network
FUTURE OF NEWS
Panelists plea for open-source, collaborative, long-term approach to loss of third-party ‘cookie’ tracking
In a webinar, top marketing and advertising industry executives this week argued for an open-source, collaborative, long-term approach to replace third-party ‘cookie’ tracking. The comments came during the event; ”How the Removal of Identifiers Impacts Brands & Agencies”, organized by the IAB Tech Lab as part of its “Project Rearc” initiative.
“One of the things we want to focus on is an open-source solution,” said Jean Fitzpatrick, VP of marketplace solutions for IPG Kinesso, part of the Interpublic group.. “Something that is generally accepted across the board, so that industries can innovate on top of that rather tan waiting for the rug to be pulled out from under them.”
Brands, advertisers, publishers and ad-tech outfits need to take responsibility for making the argument to consumers that a certain amount of better-disclosed data sharing produces valuable, personalized information services, argued co-panelist Krystal Olivieri, GroupM’s svp global data strategy and partnerships.
“I think if there are no new standards and we can’t get our act together as an industry, we have bigger problems,” said Olivieri. She said later: “We as agencies and as brands can use data governance, can use data ethics, can start to really interrogate the tactics being used and put ourselves in the frame of mind to ask: If we were a consumer would we be comfortable?”
The advertising industry was sold the idea that media would be 100% addressable to the individual and that will not be true in the future, Olivieri predicted. Because of regulation and other factors,a reset of expectations is required, she said.
“We have to coalesce around a new standard otherwise digital-media buying, it doesn’t work,” said Fitzpatrick. “So we have to find ways. Maybe either one standard way we all agree on . . . or different solutions in different areas.”
PRIVACY AND COVID-19
PRIVACY SHIELD / EUROPE
- No grace period after Schrems II Privacy Shield ruling, warn EU data watchdogs | Natasha Lomas, TechCrunch.com
- VIDEO: The Schrems II aftermath: Deep dive into SCCs | Hogan Lovells Engage (VIDEO)
- Schrems’ letter presses Irish data watchdog to enforce against Facebook | Max Schrems via Twitter
- Pompeo said ‘deeply disappointed’ in EU court decision to ditch trans-Atlantic Privacy Shield in Schrems case | Daphne Psaledakis, Reuters PLC
- Has Europe Signalled The Beginning Of Privacy Law Self-Isolation And Lockdown? | Stewart Room, Forbes.com
- EU Parliament debates: Could California be considered ‘adequate’ on its own? | Jennifer Baker, IAPP’s EU policy reporter
- With Privacy Shield dead, is CPRA best shot for ‘adequacy’? | Ashkan Soltani, via Twitter
- What “Schrems II’ means for controller-to-processor contracts | Francesco Gaudino & Michael Egan, IAPP Blog
- NOYB website offers answers, next steps for EU companies | Max Schrems, NOYB.eu
- SLIDE DECK: EU data exports after Schrems II — guidance by authorities | Hogan Lovells Law Firm
- ‘Schrems II’ and transfers of HR data: Action steps for US multinationals | Philip Gordon, Zoe Argento, Kwabena Appenteng, IAPP Blog
- What Privacy Shield organizations should do in the wake of ‘Schrems II’ | Brian Hengesbaugh, IAPP Blog
- ANALYSIS: DC-based legal academic privacy expert analyzes Schrems II decision | Daniel Solove, Privacy+Security Blog
- British privacy regulator publishes annual report | Elizabeth Denham, ICO.org.uk
- Privacy By Design: Responding To The EU-US Privacy Shield Ruling | Sam Curry, Cybersecurity via Forbes
- “Operational Adequacy Schemes” now required to transfer EU data after Privacy Shield case | Stewart Room, Cybersecurity via Forbes
QUOTES OF THE WEEK
A Silicon Valley data entrepreneur explains why he is going to vote for Prop 24 (CPRA)
“ . . . [M]y 30+ year professional career here in Silicon Valley has let me see firsthand the massive amounts of data that can be collected and the impact on having that data stolen and compromised. I started my career at Oracle, which is still the leading database company in the world, and witnessed in my role as an on-site database tuning expert the massive amount of data that businesses and governments can collect and the speed that those databases can process and analyze that data. More recently, as founder and CEO of Centrify, a $100+ million cybersecurity company, I saw how hackers specifically target sensitive personal data, and that better safeguards and regulation of the collection and use by businesses of that data will reduce the cost and number of breaches and the corresponding impact on individuals. This has led me to believe that if us as consumers had more control over who has our most sensitive data and what they can do with it, the less likely that data will be scattered around all over the place and be stolen . . . There are three main reasons I am supportive of Proposition 24: (1) It gives Californians more privacy rights; (2) It adds additional obligations to businesses to have them better protect our personal data; and (3) It provides more enforcement capability to better protect Californians . . . The CPRA adds additional enforcement in the form of Privacy Protection Agency (PPA), whose primary mission would be to “protect the fundamental privacy rights of natural persons with respect to the use of their personal information.”
|ABOUT PRIVACY BEAT
Privacy Beat is a weekly email update from the Information Trust Exchange Governing Association in service to its mission. Links and brief reports are compiled, summarized or analyzed by Bill Densmore and Eva Tucker. Submit links and ideas for coverage to firstname.lastname@example.org.