Microsoft doesn’t favor universal opt-in; P&G urges universal ID; does LiveRamp oppose Prop24?

Privacy Beat

Your weekly privacy news update.



Consensus sought in Senate privacy-bill hearing; Microsoft opposes universal “opt-in”; discussion of “private right”; CCPA costs “nowhere near” $55B

Efforts to craft a bipartisan consumer data privacy law appeared to advance this week with a hearing before the Senate Commerce Committee which featured testimony of ex-Federal Trade Commission officials and efforts by senators to appear collaborative with an eye toward 2021.

“There is an enormous amount of agreement among everyone on this committee about passing a bill,”  testified former FTC Chairman Jon Liebowitz, citing the Sherman Act, FTC Act and Clayton Act as examples of congressional action a century ago around antitrust. “America has been a leader in antitrust,” he said. “It can be the same for privacy, and it should be.”

The hearing was preceded by the filing by three key GOP senators of the latest version of their privacy proposal, dubbed the “SAFE DATA Act”.  (BILL TEXT). The advertising-industry advocacy group “Privacy for America” submitted a letter generally supporting efforts toward a national privacy law, while, a global consumer privacy group supported by at least three major U.S. foundations and the Swedish government, criticized the GOP proposal specifically.  Credit unions support the bill led by Sen. Roger Wicker, R-Miss., committee chairman.

The GOP measure deviates from a Democrat-led proposal filed last year by the committee’s ranking Democrat, Maria Cantwell, D-Wash., (TEXT) in that it preempts state privacy laws, while also declining to provide for a private-citizen right of action. (Cantwell bill legal analysis and EFF statement)  Cantwell released her bill along with a whitepaper on consumer online privacy.

But it incorporates bipartisanship on some less-contested points, according to an analysis by Muge Fazlioglu, a staff writer at the International Association of Privacy Professionals (IAPP).  Her analysis tracks provisions of the GOP-introduced SAFE DATA Act that have come from Democrat-offered proposals. (Additional analysis of GOP bill  HERE and HERE and HERE. Links to other proposals are HERE.

U.S. Sen. Richard Blumenthal, D-Conn., asked witnesses if nominees to the U.S. Supreme Court should be concerned with establishing clearer precedents about the scope of personal privacy.  He said he thought the Commerce Committee, in developing law, could inform that process.  Two of the former FTC commissioners agreed.

“I think most of us would agree we are beginning to lose not only the definition of privacy but the understanding of what it really means,” responded California Attorney General Xavier Becerra, in testimony, adding: “So it would be important to have justices on this court who would try to elevate the status of privacy once again before we have a generation of young Americans who don’t even understand or remember what privacy was about.”

In other testimony there were these additional points:

Multiple witnesses and senators agreed that consumers should have “ownership” and “control” of “their data” without specifics, with businesses being held to standards about disclosure of use.  Varying points of view continue to exist about the nature of providing “permission” to use a user’s data.

  • Committee Chairman Wicker defined “information that is linked or reasonably linkable to a person” as a “persistent identifier.” The bill includes persistent identifiers in its definition of “sensitive covered data,” according to one analysis. 
  • However, Microsoft spokesperson Julie Brill,  former FTC commissioner, declined to support a default “opt-in” requirement. “I do worry that if consumers are asked to opt in all the time to everything it will be overwhelming for consumers,” she said.
  • California Attorney General Xavier Becerra, in virtual testimony, opposed any federal effort to restrict the ability of states to enact stronger privacy rules of their own. (See QUOTE OF THE WEEK, below). Liebowitz urged a compromise around the “private right of action” challenge. Former FTC Chairman Willaim Kovacic said it might be a “perfectly reasonable choice” to enact a law without a private right and revisit the decision a few years later.
  • Becerra testified that California has not seen costs on business “anything near” an estimate of $55 billion which a consultant provided in a required legislative analysis of California Consumer Privacy Act (CCPA) after its adoption.
  • Witnesses generally supported the idea of increasing funding and privacy-regulation authority for the FTC, rather than establish a new federal agency dedicated to privacy.
  • Whether federal law should ban citizens from suing under privacy laws was disputed. Becerra and Sen. Blumenthal, said it should not. Ex-FTC commissioner Maureen Ohlhausen said it should prohibit such suits.
  • Without a federal law within two years, United States businesses and consumers will end up living under laws applied globally and established by others, including the European Union and states like California, several witnesses testified. “In two years 65% of the world’s population will be covered by privacy laws and many of these laws are being written with respect to a global standard that the United States is not participating in developing right now,” testified Microsoft’s Brill.



Does your organization need customized privacy compliance solutions? ITEGA  can help.

We bring together support you need to approach compliance with CCPA, GDPR if needed, and future privacy legislation as it emerges.

Learn More


P&G urges universal ID; Critero seeks server “gatekeeper” not web browser for ad preferencing: IAB principles

Advertisers and technology companies that serve them are working to stake out independence from the web-browser and platform makers with calls for open standards and universal identity — even as a new report details massive opaque ad tracking currently.

Exploring one example of how ad-tech is trying to end-run browser companies, AdExchanger writer Allison Schiff’s opinion piece this week cited the example of Criteo’s SPARROW proposal filed with the World Wide Web Consortium’s (W3C) advertising study group “that suggests the creation of a trusted gatekeeper outside of the browser that would serve as a clearing house of sorts for auctions and personal data.”

“The gatekeeper is an internet-based service responsible to run interest group auctions and to generate ad web bundles, instead of the browser in the TURTLEDOVE proposal,” writes SPARROW proponent Basile Leparmentier of ad-tech company Criteo.

  • A top executive at giant U.S. brand advertiser Proctor & Gamble used an industry gathering to call for an industry “universal ID to advance ad targeting, according to Steve McClellan’s reporting at Digital News Daily.
  • The nonprofit news website The Markup, published this week a detailed story about tracking cookies and pixels on websites entitled, “The High Privacy Cost of a ‘Free’ Website(see graphic, above, courtesy The Markup). It reports one Disqus cookie accepted by a website resulted in 21 other “piggyback” trackers tagging along. It counted 69,293 popular websites with third-party trackers.
  • In a news release, the IAB Tech Lab reported on a two-day meeting Sept. 16-17 declaring key members “committed to the principles of Project Rearc and collaboration towards open technical standards and privacy-centric solutions for addressable digital media.”  Rearc is the lab’s name for a set of meetings it’s convened to figure out how to replace third-party cookies and privacy problems with “real-time bidding” for ad serving. The term “addressable” replaces the term “tracking” to describe the desire to reach individuals with relevant advertising.

Four principles cited in the IAB Tech Lab statement were:

  1. Device-agnostic solutions that put the consumer, not the device or interface, at the center of privacy
  2. Predictable privacy for consumers, instead of fragmented, proprietary privacy settings

  3. Offering consumers user-friendly transparency and control, with clear communication of the value exchange, and respecting consumer choice

  4. Leveraging technical mechanisms within advertising systems that ensure ongoing adherence to consumer privacy choices and addressability standards

Item No. 1 reflects IAB’s desire not to have web-browser software, operating-system or platform rules define proprietary privacy requirements.  Item No. 2, appears to position against variable browser “do-not-track” signals.  The news release listed 16 IAB Tech Lab members — including all the largest ad-tech companies — as supporting the statement.





Does Prop24 improve or detract from privacy? A clue?  McNamee says data broker LiveRamp is opposed

The jockeying over whether Prop24 will advance or hobble consumer privacy in California is playing out as a contest to see which “side” can obtain and promote the most influential supporters.


This week saw the publication of dueling op-eds in the San Diego Union-Tribune, the first one, “Prop24 would strengthen consumer privacy laws,”  by prominent venture-capitalist, author and Facebook foe Roger McNamee.

Meanwhile, the Democratic Party of Orange County Tweeted that it supports Prop24.

McNamee’s argument is that the current California Consumer Privacy Act (CCPA) “has noble intent but few teeth” as a result of pre-passage lobbying by industry in Sacramento in 2018.  He says the Nov. ballot initiative Prop24, the California Privacy Rights Act (CPRA),  “is a huge step forward.” He says Prop24 is opposed by one of the world’s largest data brokers, LiveRamp Holdings (formerly Acxiom Corp.)

He continues: “Proposition 24 plugs many holes in CCPA. It provides the right to prevent the collection of unnecessary data, restrictions on transfers of personal data, penalties for the loss of email addresses due to negligence, the right to correct your data, an opt-out of the use of precise geolocation and other highly sensitive information like health, race and sexual orientation, new standards for high-risk processors of data and transparency around automated decision-making.”

Arguing against voter approval of Prop24 is Stacey Rosenberg, executive director of the Media Alliance.  She writes the 53-page measure has “loopholes and exemptions” that favor business users of consumer data.

She writes, in excerpts: “Loopholes put in Proposition 24 to please commercial credit companies like Experian . . . [also] buried deep in the fine print, Proposition 24 says any future privacy-protection laws are null and void if they conflict with Proposition 24  . . . [and] Proposition 24 asks you to vote for what is in effect a privacy poll tax. Current law allows companies to charge you higher prices if you “opt out” of letting them sell your personal information, up to the value of your data to the business . . .If the right to privacy becomes a luxury item that only the affluent can afford, then most of us no longer have privacy protections.”



Like what you see? Then recommend to a friend.

Subscribe to Privacy Beat

Ryan, with Irish civil-liberties NGO, presses for privacy authority to act against real-time bidding

Fresh from a two-year engagement with the Brave browser maker, Irish ex-journalist and ad-tech privacy crusader Johnny Ryan is out with a new report for his new employer — the respected Irish Council for Civil Liberties (ICCL). The nonprofit is calling Real Time Bidding a crisis, and  “the largest data breach ever recorded, leaking out secrets hundreds of billions of times per day.” It says the Irish Data Protection Commission’s lack of action on a two-year-old complaint filed by Ryan is “unacceptable.”

TechCrunch’s Natasha Lomas picked through Ryan’s 16-page report, released Sept. 21. In the report, the ICCL estimates that just three ad exchanges (OpenX, IndexExchange and PubMatic) have made around 113.9 trillion RTB broadcasts in the past year, Lomas writes. She includes a comment on Ryan’s claims from Google and from the Irish data authority.





Three voices: Why Congress must pass data-privacy law and why it shouldn’t hamstring California’s best efforts

“If we do not adopt a national privacy law of our own that reflects the deliberations of this committee, those who have thought a lot, we will get a national privacy policy, it will be called the GDPR.  That will be it. We’ll have one. Supplemented by the CCPA with all the thoughtful work that has been done there.  But do we want our national privacy policy to be the product of a decision made by a thoughtful foreign government, very thoughtful state, but without the contribution of the national legislature to formulate our own distinctive collective judgement about these issues.” 

  • Excerpt of Q-and-A testimony by former Federal Trade Commission chairman William Kovacic to a Senate Commerce Committee hearing Sept. 23, 2020 considering consumer data-privacy legislation. 

“If the U.S. does not pass a strong robust federal privacy law we will lose our edge in terms of competitiveness on the global stage and that means both in terms of the global economy and the ability of companies to engage effectively in the global economy. We will also lose our thought leadership in terms of where the world is moving in terms of how people’s data should be respected and how it should be treated . . . In two years 65% of the world’s population will be covered by privacy laws “and many of these laws are being written with respect to a global standard that the United State is not participating in developing right now.”  

  • Excerpt of Q-and-A testimony by Microsoft executive Julie Brill, a former U.S. Federal Trade Commission member, to a Senate Commerce Committee hearing Sept. 23, 2020 considering consumer data-privacy legislation.

(1)  “We have a lot of different laws …. the federal government for example has never passed a data-breach notification law and yet every state has been able to function. We sued EquiFax and got a national settlement even though the federal government is nowhere on this and we have 50 states with different laws.  This happens all the time. And so we can cope. What we’re trying to do is we can use the best practices to come up with the best law to protect our people and in California we think we’ve done a pretty good job . . . . ”

(2)  “I think most of us would agree is we are beginning to lose not only the definition of privacy but the understanding of what it really means. So it would be important to have justices on this court who would try to elevate the status of privacy once again before we have a generation of young Americans who don’t even understand or remember what privacy was about.” 

  • Excerpts of Q-and-A testimony by California Attorney General Xavier Becerra to a Senate Commerce Committee hearing Sept. 23, 2020 considering consumer data-privacy legislation.


Privacy Beat is a weekly email update from the Information Trust Exchange Governing Association in service to its mission. Links and brief reports are compiled, summarized or analyzed by Bill Densmore and Eva Tucker.  Submit links and ideas for coverage to

Share Share

Tweet Tweet

Share Share

Forward Forward




Copyright © 2020 Information Trust Exchange Governing Association, All rights reserved.

Want to change how you receive these emails?
You can update your preferences or unsubscribe from this list.

Email Marketing Powered by Mailchimp