Explicit consent for new use dropped by Becerra in final CCPA regs; privacy agents have to have signatures; respecting browser signals retained

California Attorney General Xavier Becerra loosened the obligations of personal data companies in final regulations for enforcing the California Consumer Privacy Act, analysis by two different law firms shows. 

How will key aspects of the California Consumer Privacy Act (CCPA) be enforced? That’s the core question after the state documented final CCPA regulations, because rules about several key features of the privacy law were unexpectedly withdrawn without explanation. 

CCPA dominated privacy news this week, as law firms and trade publications sought to explain the compliance obligations of larger for-profit companies that deal in the personal data of California residents. 

The final regulations, made public Aug. 14, also fail to resolve a key area of ongoing ambiguity — what constitutes a “sale” of personal data. “The law’s broad definition of sale includes disclosures made for ‘valuable consideration’ — a term left undefined in the law,” wrote Wendy Davis at DigitalNewsDaily.

CCPA dominated privacy news this week, as law firms and trade publications sought to explain the compliance obligations of larger, for-profit companies that deal in the personal data of California residents. 

In a key surprise, the final regulations withdrew a provision requiring a business to notify the consumer —  and obtain explicit consent — before using previously collected personal information for a purpose “materially different” from originally disclosed, according to lawyers at Arent Fox. 

“Rather than obtaining express consent, businesses must comply with Section 1798.100(b) of the CCPA, which prohibits businesses from using personal information ‘collected for additional purposes without providing the consumer with notice consistent with this section’ “ wrote lawyers for Ballard Spahr LLP in their analysis, adding: “Because initial notice can generally be accomplished through an online privacy policy, it appears that updates to an online privacy policy may suffice if a business intends to start using previously collected personal information for an additional purpose.”

Davis’ story also said Consumer Reports criticized Becerra for dropping the express consent requirement, and also for dropping a requirement that opt-out mechanisms be “easy for consumers to execute.” 

The revised regulations make it clear that a business may deny requests to know, requests to delete, and requests to opt out that are received from agents that fail to provide a signed, written permission from the consumer authorizing the agent to act on the consumer’s behalf, according to an analysis by the Steptoe law firm.  Its lawyers say language suggesting that it might be sufficient for an agent to provide some other form of proof of its authority was deleted. 

One thing retained, however, was a requirement that data companies honor “do-not-sell-my data” requests automatically submitted by the user’s browser software. The provision was bitterly opposed by most of the U.S. advertising industry. 

In one development, a data-policy executive at The New York Times, Robin Berjon, disclosed in a “Tweet” that the company was treating an existing “Do Not Track” signal sent by a browser as equivalent to CCPA’s “Do Not Sell My Data.”  The Times also pointed to its CCPA-compliant privacy policy for California residents. 

CALIFORNIA PRIVACY | CCPA

• California Privacy Law Enforcement Risk Grows With New Rules | Daniel R. Stoller, BloombergLaw.com
• VIDEO: How Facebook’s Limited Data use setting for CCPA affects retargeting | Ginny Marvin, SearchEngineLand.com
• California’s landmark privacy law is Facebook’s next “nightmare” | Jon Swartz, MarketWatch.com
• What Google and Amazon are doing to comply with CCPA | Jon Swartz, MarketWatch.com
• California’s new privacy law is off to a rocky start | Zack Whittaker, TechCrunch.com
• Seven tips to make your website CCPA compliant | Andrew Burt, Risk & Compliance Matters
• Steps to comply with CCPA final regulations | F. Paul Pittman, White & Case law firm
• CCPA for Marketers: What You Really Need to Know | Anas Baig, ReadWrite.com
• Multiple Retailers Sued Under CCPA for Sharing Data Used to Identify Fraudulent Returns | Hutton Andrews Kurth law firm
• California AG posts final regulations enforcing CCPA effective July 1 | Xavier Becerra, state website | Final text 
• CCPA enforcement began July 1 with 30-day cure period 
• Becerra withdraws rules about using data for different purpose | 
• Three things you need to know to stay on top of CCPA enforcement | Jessica Lee, AdMonsters.com 
• San Jose Mercury News editorializes against Prop 24 | 
   

WASHINGTON BEAT

• “Hipster Antitrust” Movement Takes Center Stage in Congress | Charles Elder, Bradley Arant Boult Cummings LLP
• Privacy Policy Research Deserves a Much Wider Audience | Stuart N. Brothman, MediaInstitute
• ICE just signed a contract with facial recognition company Clearview AI | Kim Lyons, TheVerge.com
• Ohio senator proposes new privacy bill | Mary Grob, McGuire Woods law firm
  (June 18 statement) | Bill text
   

EUROPE AND GDPR

• What can America learn fro Europe about regulating big tech? | Nick Romeo, The New Yorker
• Facebook says it will start relying on SCCs rather than Privacy Shield for EU ad tech | Facebook Business Blog  (TEXT)
• Oracle, Salesforce  said to face multi-billion-euro cases for alleged GDPR breaches? | Emma Beswick, EuroNews.com
• EU-U.S. privacy rift leaves businesses in disarray | Ashley Gold, Axios.com
• Privacy Collective suit says Oracle, Salesforce collect user data illegally | Sarah Coble, InfoSecurity Magazine
• Max Schrems lodges complaints alleging illegal use of Google Analytics and Facebook Connect | Natasha Lomas, TechCrunch.com  (STATEMENT)
• Schrems group files complaints over EU-US data transfers | IAPP Daily Dashboard 
• Schrems  brings complaints against four Belgian companies | Alan Hope, Brussels Times/
• Goggle’s EU privacy overview page | Google Blog
• OPINION: Let’s mind the Privacy Shield ruling | Robert E.G. Beens, StartPage.com
• Twitter privacy ruling delayed after dispute among EU regulators | Padraic Halpin, Reuters PLC
• Twitter Data Case Sparks Dispute, Delay Among EU Privacy Regulators | Sam Schechner, WSJ.com

Harvard-Shorenstein researchers call for new agency to regulate tech platforms with  “public-interest expectations”

Former Federal Communications Commission  Chairman Tom Wheeler and two colleagues proposed this week formation of a U.S. “Digital Platform Agency” (DPA) that would guide and govern competition in digital marketplaces.   Their suggestion is contained in a white paper, “New Digital Realities; New Oversight Solutions in the U.S.” published via a Harvard University think tank, the Shorenstein Center on Media, Politics and Public Policy. (Read paper highlights) 

“In the absence of federal oversight, the dominant digital companies have made their own rules and imposed them on consumers and the market,” Wheeler, Phil Verveer and Gene Kimmelman write. “Just as industrial capitalism operated—and thrived—under public-interest obligations, so should internet capitalism be grounded in public interest expectations.”  

A public-private “Code Council” would help the DPA to create digital-marketplace behavioral rules, the trio writes. They say regulation by the independent agency should be based on two common-law concepts: The duty of care and the duty to deal.

Kimmelman is former head of the advocacy nonprofit Public Knowledge and Verveer is a longtime Washington, D.C., regulatory attorney.  Wheeler, who headed the FCC in the Obama administration, is now at the Brookings Institution.  Funding for their works is coming in part from the John S. and James L. Knight Foundation. 

The paper reviews the history of U.S. antitrust enforcement and suggests some changes. it outlines key features of the proposed agency and argues for a regulatory approach based on “risk management” focused on market outcomes rather than utility-style rules. It says the agency should pay particular attention to ensuring interoperability among tech platforms, opening up technology bottlenecks, forbidding exclusionary deals between big partners and prioritizing privacy-aware data practices.

“Too often, however, these advances come at the cost of harming consumers and denying others the opportunity to innovate,” the paper says, adding later: “The lack of legally mandated duties to protect consumers and competition in the new digital environment, and the practical limitations of antitrust jurisprudence, leaves society and the economy at enormous risk.

The paper cites examples of private marketplace regulation around safety and other rules benefiting the public, including initiatives of the National Fire Protection Association, the North American Electric Reliability Corp.,  the American Society of Civil Engineers and the features of the National Electric Code. 

MORE PRIVACY RESEARCH

• Study finds 93% of US citizens would switch to privacy-conscious organizations | Ryan Chiavetta, IAPP Privacy Advisor 
• Innovid-funded survey finds people will share data — in exchange | Joseph Zappa, StreetFightMag.com 
   

COVID AND PRIVACY 

• The Apple/Google contact tracing app; how private is my data? | Schillings law firm
• REVIEW: “I downloaded America’s first coronavirus exposure app. You should too” | Geoffrey A. Fowler, WashingtonPost.com
• Apple’s Exposure Notification System: Everything You Need to Know | Juli Clover, MacRumors.com
• Pennsylvania to pilot Google-Apple contact tracing app next week | Ryan Johnston, StateScoop.com
• Alabama launches statewide coronavirus tracking app | Amy Yurkanin, AL.com
• Pennsylvania prepares to launch virus-tracing app next month | The AP via WJAC-TV 
• Fearing coronavirus, a Michigan college is tracking its students with a flawed app | Zack Whittaker, TechCrunch.com
• Privacy experts see big problems with British COVID testing/tracing | Oumou Longley, Vice.com
• Face-off on Use of Biometric Technology in the UK | Keily Blair, Orric-Trust Anchor

PERSONAL PRIVACY

• Massachusetts top prosecutor forms data privacy enforcement unit | Mass. Atty. General website
• “Fawkes” cloaks your images to trick facial recognition Algorithms | Rob Mitchem, Univ. of Chicago via SciTechDaily.com
• Google’s latest Chrome update makes it easier to browse in secret | mark Wycislik-Wilson, TechRadar.com
• Clearview Hires Prominent First Amendment Lawyer To Argue For Its Right To Sell Scraped Data To Cops | Tim Cushing, TechDirt.com
• Protecting your privacy shouldn’t be this hard | David Lazarus, Los Angeles Times
• Facebook’s stealthy plan to own online identity | David Pierce, Protocol Source Code

WORLD PRIVACY

• Inside China’s unexpected quest to protect data privacy || Karen Hao, MIT Technology Review
• Japan amends tis data-privacy law, extending deletion rights | Scott Warren & Maika Kawaguchi, Square Patt Boss (US) LLP

RTB seen as “strange” — and privacy managed automatically in a decade — say predictions for 2030 in IAPP expert anthology  

Artificial intelligence that you program to then manage your privacy settings, Real Time Bidding as a strange relic and businesses that worry about angering users over privacy are among the predictions for the next decade by 20 experts. 

The predictions are contained in “Visions of Privacy: An Anthology of Privacy Predictions” a 46-page compendium put together by the International Association of Privacy Professionals as part of its 2oth-anniversary year.   Among writers are Jules Polenetsky, CEO of the Future of Privacy Forum; Julie Brill, Microsoft Corp.’s chief privacy officer; and Elizabeth Denham, the U.K.’s information commissioner. 

In the compendium released July 30, Both Polenetsky and  and Brill forsee a world of automated privacy negotiation and enforcement. 

 “By 2030, I expect artificial intelligence to help us manage our personal privacy choices in ways that reflect our true preferences without requiring us to constantly update our privacy settings manually,” Polenetsky writes in his esssage. “Users may even be able to train browsers and other operating systems to act on their behalf.”

Brill says she expects privacy protections will be built into data and systems and managed automatically, with companies seeing pribvacy as a service differentiator and area of competitive technical innovation. 

“I believe that by 2030, it’s possible that privacy will look a lot more like what security looks like today,” Brill writes. “Instead of trying to account for privacy through governance models — and asking consumers to read those hated privacy disclosure documents — privacy protections will be built into data and systems and managed automatically. 

Denham writes that today’s advertising-technology ecosystem and specifically Real Time Bidding will be seen in a decade as replaced by alternate system resulting from the combination of new technology and appropriate regulation. 

“We’ll look back at how strange it was that a system developed that involved sharing huge amounts of personal data with huge numbers of businesses, simply for the sake of a few extra pence on the sale of an ad,” Denham writes. “I think in 2030, we’ll wonder if a time ever existed where organizations would decide to use systems, like facial-recognition cameras, without asking questions like, ‘Is this proportionate, is this legal, and is this going to upset a lot of my customers?’ That last one is key.” 

ADVERTISING TECH

• Ads.txt The IAB’s Magic Bullet That Wasn’t Magical | Augustine Fou, Forbes.com
• PRAM update: Marketers striving to retain targetting despite TP cookie loss | Kim Davis, MarTechToday.com
• California Should Ban Use Of Contact-Tracing Data For Ad Targeting, Watchdogs Say | Wendy Davis, DigitalNewsDaily.com
• Omnicom seeks independent audit of ad adjacency | Tiffany Hsu, NYTimes.com
• Ad-tech company’s marketing message: One third of publishers don’t have user-tracking solution after TP cookies | LiveRamp advertising via DigiDay
• PODCAST: The Big Story: Identity earthquake buffets ad-tech | Allison Schiff, AdExchanger.com
• Facebook’s default Limited Data Use period ends Aug. 1: How to stay CCPA compliant | Ginny Marvin, SearchEngineLand.com
• App Data, Privacy, and the IDFA Armageddon: Industry Leaders’ Takes | Brian Bowman, StreetFightMag.com

PRIVACY BUSINESS

• Data privacy compliance becomes part of new normal | Chris Versace, Lenore Elle Hawkins & Mark Abssy, Nasdaq blog
• IBM pays up, settles with LA over its Weather Channel’s private data use | Teri Robinson, SC Media Magazine
• Facebook wins preliminary approval for $650M Illinois biometric settlement | Ann Maria Shibu, Reuters PLC
• Facebook wins preliminary approval to settle facial recognition lawsuit | Ann Maria Shibu, Reuters PLC