PRIVACY BEAT: CCPA regs loosened; new privacy agency sought; Apple antitrust?

Privacy Beat

Your weekly privacy news update.


Explicit consent for new use dropped by Becerra in final CCPA regs; privacy agents have to have signatures; respecting browser signals retained

California Attorney General Xavier Becerra loosened the obligations of personal data companies in final regulations for enforcing the California Consumer Privacy Act, analysis by two different law firms shows. 

How will key aspects of the California Consumer Privacy Act (CCPA) be enforced? That’s the core question after the state documented final CCPA regulations, because rules about several key features of the privacy law were unexpectedly withdrawn without explanation. 

CCPA dominated privacy news this week, as law firms and trade publications sought to explain the compliance obligations of larger for-profit companies that deal in the personal data of California residents. 

The final regulations, made public Aug. 14, also fail to resolve a key area of ongoing ambiguity — what constitutes a “sale” of personal data. “The law’s broad definition of sale includes disclosures made for ‘valuable consideration’ — a term left undefined in the law,” wrote Wendy Davis at DigitalNewsDaily.

CCPA dominated privacy news this week, as law firms and trade publications sought to explain the compliance obligations of larger, for-profit companies that deal in the personal data of California residents. 

In a key surprise, the final regulations withdrew a provision requiring a business to notify the consumer —  and obtain explicit consent — before using previously collected personal information for a purpose “materially different” from originally disclosed, according to lawyers at Arent Fox. 

“Rather than obtaining express consent, businesses must comply with Section 1798.100(b) of the CCPA, which prohibits businesses from using personal information ‘collected for additional purposes without providing the consumer with notice consistent with this section’ “ wrote lawyers for Ballard Spahr LLP in their analysis, adding: “Because initial notice can generally be accomplished through an online privacy policy, it appears that updates to an online privacy policy may suffice if a business intends to start using previously collected personal information for an additional purpose.”

Davis’ story also said Consumer Reports criticized Becerra for dropping the express consent requirement, and also for dropping a requirement that opt-out mechanisms be “easy for consumers to execute.” 

The revised regulations make it clear that a business may deny requests to know, requests to delete, and requests to opt out that are received from agents that fail to provide a signed, written permission from the consumer authorizing the agent to act on the consumer’s behalf, according to an analysis by the Steptoe law firm.  Its lawyers say language suggesting that it might be sufficient for an agent to provide some other form of proof of its authority was deleted. 

One thing retained, however, was a requirement that data companies honor “do-not-sell-my data” requests automatically submitted by the user’s browser software. The provision was bitterly opposed by most of the U.S. advertising industry. 

In one development, a data-policy executive at The New York Times, Robin Berjon, disclosed in a “Tweet” that the company was treating an existing “Do Not Track” signal sent by a browser as equivalent to CCPA’s “Do Not Sell My Data.”  The Times also pointed to its CCPA-compliant privacy policy for California residents. 





Does your organization need customized privacy compliance solutions? ITEGA  can help.

We bring together support you need to approach compliance with CCPA, GDPR if needed, and future privacy legislation as it emerges.

Learn More

Harvard-Shorenstein researchers call for new agency to regulate tech platforms with  “public-interest expectations”

Former Federal Communications Commission  Chairman Tom Wheeler and two colleagues proposed this week formation of a U.S. “Digital Platform Agency” (DPA) that would guide and govern competition in digital marketplaces.   Their suggestion is contained in a white paper, “New Digital Realities; New Oversight Solutions in the U.S.” published via a Harvard University think tank, the Shorenstein Center on Media, Politics and Public Policy. (Read paper highlights) 

“In the absence of federal oversight, the dominant digital companies have made their own rules and imposed them on consumers and the market,” Wheeler, Phil Verveer and Gene Kimmelman write. “Just as industrial capitalism operated—and thrived—under public-interest obligations, so should internet capitalism be grounded in public interest expectations.”  

A public-private “Code Council” would help the DPA to create digital-marketplace behavioral rules, the trio writes. They say regulation by the independent agency should be based on two common-law concepts: The duty of care and the duty to deal.

Kimmelman is former head of the advocacy nonprofit Public Knowledge and Verveer is a longtime Washington, D.C., regulatory attorney.  Wheeler, who headed the FCC in the Obama administration, is now at the Brookings Institution.  Funding for their works is coming in part from the John S. and James L. Knight Foundation. 

The paper reviews the history of U.S. antitrust enforcement and suggests some changes. it outlines key features of the proposed agency and argues for a regulatory approach based on “risk management” focused on market outcomes rather than utility-style rules. It says the agency should pay particular attention to ensuring interoperability among tech platforms, opening up technology bottlenecks, forbidding exclusionary deals between big partners and prioritizing privacy-aware data practices.

“Too often, however, these advances come at the cost of harming consumers and denying others the opportunity to innovate,” the paper says, adding later: “The lack of legally mandated duties to protect consumers and competition in the new digital environment, and the practical limitations of antitrust jurisprudence, leaves society and the economy at enormous risk.

The paper cites examples of private marketplace regulation around safety and other rules benefiting the public, including initiatives of the National Fire Protection Association, the North American Electric Reliability Corp.,  the American Society of Civil Engineers and the features of the National Electric Code. 






RTB seen as “strange” — and privacy managed automatically in a decade — say predictions for 2030 in IAPP expert anthology  

Artificial intelligence that you program to then manage your privacy settings, Real Time Bidding as a strange relic and businesses that worry about angering users over privacy are among the predictions for the next decade by 20 experts. 

The predictions are contained in “Visions of Privacy: An Anthology of Privacy Predictions” a 46-page compendium put together by the International Association of Privacy Professionals as part of its 2oth-anniversary year.   Among writers are Jules Polenetsky, CEO of the Future of Privacy Forum; Julie Brill, Microsoft Corp.’s chief privacy officer; and Elizabeth Denham, the U.K.’s information commissioner. 

In the compendium released July 30, Both Polenetsky and  and Brill forsee a world of automated privacy negotiation and enforcement. 

 “By 2030, I expect artificial intelligence to help us manage our personal privacy choices in ways that reflect our true preferences without requiring us to constantly update our privacy settings manually,” Polenetsky writes in his esssage. “Users may even be able to train browsers and other operating systems to act on their behalf.”

Brill says she expects privacy protections will be built into data and systems and managed automatically, with companies seeing pribvacy as a service differentiator and area of competitive technical innovation. 

“I believe that by 2030, it’s possible that privacy will look a lot more like what security looks like today,” Brill writes. “Instead of trying to account for privacy through governance models — and asking consumers to read those hated privacy disclosure documents — privacy protections will be built into data and systems and managed automatically. 

Denham writes that today’s advertising-technology ecosystem and specifically Real Time Bidding will be seen in a decade as replaced by alternate system resulting from the combination of new technology and appropriate regulation. 

“We’ll look back at how strange it was that a system developed that involved sharing huge amounts of personal data with huge numbers of businesses, simply for the sake of a few extra pence on the sale of an ad,” Denham writes. “I think in 2030, we’ll wonder if a time ever existed where organizations would decide to use systems, like facial-recognition cameras, without asking questions like, ‘Is this proportionate, is this legal, and is this going to upset a lot of my customers?’ That last one is key.” 




Like what you see? Then recommend to a friend.

Subscribe to Privacy Beat

Publishers ask Apple to defend pricing discrimination with Amazon over App Store purchases; is Robinson-Patman Act relevant? 

A key news-industry trade group has mounted a pressure campaign to get Apple to explain why it gives a break to Amazon that it isn’t giving to publishers on the 30% commission charged on content sales within the App Store.  


At issue is an complicated area of antitrust law governed by the Robinson-Patman Act, along with the question of what Apple CEO Tim Cook meant when he said last month in congressional testimony Apple would offer the same deal to “anyone meeting the conditions, yes.” 


The Robinson-Patman Act was designed to provide relief to small buyers who may be at a competitive disadvantage because large buyers can purchase the same goods from a supplier at lower prices.  To be invoked, however, the price discrimination must be applied to similar competitiors in a market.  So the key question for Apple’s compliance with the law is whether it can argue that Amazon Prime Video — which is apparently effectively paying a 15% commission instead of 30% — is a competitor to publishers. 


Digital Content Next CEO Jason Kint made public on Aug. 20 a letter sent to Apple asking for an explanation. “”“I ask that you clearly define the conditions that Amazon satisfied for its arrangement so that DCN’s member companies meeting those conditions can be offered the same agreement,” Kint wrote. Chris Pedigo, DCN’s lobbyist, summarized the situation in a blog post. 




Competition in targeted advertising: Advertisers pay less, publishers receive more, consumers get quality? 

“The 2018 decision in Ohio v. American Express Co. is both the first time the Supreme Court has addressed an antitrust claim involving a two-sided platform and an instance of the Court majority’s non-interventionist priors. The decision has, at least, increased the complexity of antitrust enforcement involving digital platforms. But without regard to its intrinsic merits, it illustrates one thing beyond any serious dispute: A process that began with a government complaint in October 2010 and not ultimately resolved until June 2018 is insufficient to deal with today’s digital platforms. Something more will be required. Such a “something” begins with the recognition of certain digital platforms (or certain components of them) as essential facilities. As common experience and multiple studies have illustrated, however, these essential services do not confront effective competition and are unlikely to do so in the future. The consequences are significant.12 The introduction of competition in the case of targeted advertising, for instance, would have as predictable consequences that advertisers would pay less, publishers would receive more, and consumers would see an improvement in the quality and quantity of services available online.” 


Privacy Beat is a weekly email update from the Information Trust Exchange Governing Association in service to its mission. Links and brief reports are compiled, summarized or analyzed by Bill Densmore and Eva Tucker.  Submit links and ideas for coverage to

Share Share

Tweet Tweet

Share Share

Forward Forward




Copyright © 2020 Information Trust Exchange Governing Association, All rights reserved.

Want to change how you receive these emails?
You can update your preferences or unsubscribe from this list.

Email Marketing Powered by Mailchimp