Consensus sought in Senate privacy-bill hearing; Microsoft opposes universal “opt-in”; discussion of “private right”; CCPA costs “nowhere near” $55B

Efforts to craft a bipartisan consumer data privacy law appeared to advance this week with a hearing before the Senate Commerce Committee which featured testimony of ex-Federal Trade Commission officials and efforts by senators to appear collaborative with an eye toward 2021.

“There is an enormous amount of agreement among everyone on this committee about passing a bill,”  testified former FTC Chairman Jon Liebowitz, citing the Sherman Act, FTC Act and Clayton Act as examples of congressional action a century ago around antitrust. “America has been a leader in antitrust,” he said. “It can be the same for privacy, and it should be.”

The hearing was preceded by the filing by three key GOP senators of the latest version of their privacy proposal, dubbed the “SAFE DATA Act”.  (BILL TEXT). The advertising-industry advocacy group “Privacy for America” submitted a letter generally supporting efforts toward a national privacy law, while AccessNow.org, a global consumer privacy group supported by at least three major U.S. foundations and the Swedish government, criticized the GOP proposal specifically.  Credit unions support the bill led by Sen. Roger Wicker, R-Miss., committee chairman.

The GOP measure deviates from a Democrat-led proposal filed last year by the committee’s ranking Democrat, Maria Cantwell, D-Wash., (TEXT) in that it preempts state privacy laws, while also declining to provide for a private-citizen right of action. (Cantwell bill legal analysis and EFF statement)  Cantwell released her bill along with a whitepaper on consumer online privacy.

But it incorporates bipartisanship on some less-contested points, according to an analysis by Muge Fazlioglu, a staff writer at the International Association of Privacy Professionals (IAPP).  Her analysis tracks provisions of the GOP-introduced SAFE DATA Act that have come from Democrat-offered proposals. (Additional analysis of GOP bill  HERE and HERE and HERE. Links to other proposals are HERE.

U.S. Sen. Richard Blumenthal, D-Conn., asked witnesses if nominees to the U.S. Supreme Court should be concerned with establishing clearer precedents about the scope of personal privacy.  He said he thought the Commerce Committee, in developing law, could inform that process.  Two of the former FTC commissioners agreed.

“I think most of us would agree we are beginning to lose not only the definition of privacy but the understanding of what it really means,” responded California Attorney General Xavier Becerra, in testimony, adding: “So it would be important to have justices on this court who would try to elevate the status of privacy once again before we have a generation of young Americans who don’t even understand or remember what privacy was about.”

In other testimony there were these additional points:

Multiple witnesses and senators agreed that consumers should have “ownership” and “control” of “their data” without specifics, with businesses being held to standards about disclosure of use.  Varying points of view continue to exist about the nature of providing “permission” to use a user’s data.

• Committee Chairman Wicker defined “information that is linked or reasonably linkable to a person” as a “persistent identifier.” The bill includes persistent identifiers in its definition of “sensitive covered data,” according to one analysis. 
• However, Microsoft spokesperson Julie Brill,  former FTC commissioner, declined to support a default “opt-in” requirement. “I do worry that if consumers are asked to opt in all the time to everything it will be overwhelming for consumers,” she said.
• California Attorney General Xavier Becerra, in virtual testimony, opposed any federal effort to restrict the ability of states to enact stronger privacy rules of their own. (See QUOTE OF THE WEEK, below). Liebowitz urged a compromise around the “private right of action” challenge. Former FTC Chairman Willaim Kovacic said it might be a “perfectly reasonable choice” to enact a law without a private right and revisit the decision a few years later.
• Becerra testified that California has not seen costs on business “anything near” an estimate of $55 billion which a consultant provided in a required legislative analysis of California Consumer Privacy Act (CCPA) after its adoption.
• Witnesses generally supported the idea of increasing funding and privacy-regulation authority for the FTC, rather than establish a new federal agency dedicated to privacy.
• Whether federal law should ban citizens from suing under privacy laws was disputed. Becerra and Sen. Blumenthal, said it should not. Ex-FTC commissioner Maureen Ohlhausen said it should prohibit such suits.
• Without a federal law within two years, United States businesses and consumers will end up living under laws applied globally and established by others, including the European Union and states like California, several witnesses testified. “In two years 65% of the world’s population will be covered by privacy laws and many of these laws are being written with respect to a global standard that the United States is not participating in developing right now,” testified Microsoft’s Brill.

WASHINGTON BEAT 

• Justice Department advances Trump Section 230 bid to control platform content | Timothy Karr, FreePress.net
• Trump meets with GOP state AG’s around Section 230 bid | David Shepardson & Nandita Bose, Reuters PLC
• How the White House would change Section 230 | Issie Lapowsky, Protocol.com
• (REDLINE TEXT OF PROPOSED CHANGES)
• Ex-Virginia governor on privacy-law need | Terry McAuliffe via Richmond.com
• Judge halts Trump administration order banning WeChat from app stores | Amanda Macias, CNBC.com
• Don’t ban TikTok and WeChat |  Hina Shamsi, ACLU.org
• The WeChat ban vs. the First Amendment | Sara Fisher/Scott Rosenberg via Benton Institute
• U.S. Magistrate Judge Laurel Beeler’s injunction against WeChat ban | USCourts.gov
• Judge said U.S. must defend or delay TikTok app store ban by Friday (developing) | David Shepardson, Reuters PLC
• BACKGROUND: CCPA, Prop24 and federal prospects | Laura E. Jehl & Austin Mooney, McDermott Will & Emery law firm

STATEHOUSE BEAT 

• Washington Privacy Act reintroduced; advances | Cathy Cosgrove, IAPP Privacy Tracker
• New York AG announces settlement with Dunkin’ over data breach Lawsuit | Ronald Raether Jr. & Sam Hyamns, Troutman Pepper law firm

P&G urges universal ID; Critero seeks server “gatekeeper” not web browser for ad preferencing: IAB principles

Advertisers and technology companies that serve them are working to stake out independence from the web-browser and platform makers with calls for open standards and universal identity — even as a new report details massive opaque ad tracking currently.

Exploring one example of how ad-tech is trying to end-run browser companies, AdExchanger writer Allison Schiff’s opinion piece this week cited the example of Criteo’s SPARROW proposal filed with the World Wide Web Consortium’s (W3C) advertising study group “that suggests the creation of a trusted gatekeeper outside of the browser that would serve as a clearing house of sorts for auctions and personal data.”

“The gatekeeper is an internet-based service responsible to run interest group auctions and to generate ad web bundles, instead of the browser in the TURTLEDOVE proposal,” writes SPARROW proponent Basile Leparmentier of ad-tech company Criteo.

• A top executive at giant U.S. brand advertiser Proctor & Gamble used an industry gathering to call for an industry “universal ID to advance ad targeting, according to Steve McClellan’s reporting at Digital News Daily.
• The nonprofit news website The Markup, published this week a detailed story about tracking cookies and pixels on websites entitled, “The High Privacy Cost of a ‘Free’ Website” (see graphic, above, courtesy The Markup). It reports one Disqus cookie accepted by a website resulted in 21 other “piggyback” trackers tagging along. It counted 69,293 popular websites with third-party trackers.
• In a news release, the IAB Tech Lab reported on a two-day meeting Sept. 16-17 declaring key members “committed to the principles of Project Rearc and collaboration towards open technical standards and privacy-centric solutions for addressable digital media.”  Rearc is the lab’s name for a set of meetings it’s convened to figure out how to replace third-party cookies and privacy problems with “real-time bidding” for ad serving. The term “addressable” replaces the term “tracking” to describe the desire to reach individuals with relevant advertising.

Four principles cited in the IAB Tech Lab statement were:

1. Device-agnostic solutions that put the consumer, not the device or interface, at the center of privacy

2. Predictable privacy for consumers, instead of fragmented, proprietary privacy settings

3. Offering consumers user-friendly transparency and control, with clear communication of the value exchange, and respecting consumer choice

4. Leveraging technical mechanisms within advertising systems that ensure ongoing adherence to consumer privacy choices and addressability standards

Item No. 1 reflects IAB’s desire not to have web-browser software, operating-system or platform rules define proprietary privacy requirements.  Item No. 2, appears to position against variable browser “do-not-track” signals.  The news release listed 16 IAB Tech Lab members — including all the largest ad-tech companies — as supporting the statement.

ADVERTISING TECH 

• iPhone TP cookie tracking turnoff seen as hurting advertising | Rob Willams, MediaPost.com
• Twitter sued over inadvertent use of phone numbers for advertising | Wendy Davis, DigitalNewsDaily/MediaPost.com
• AUDIO: NYTimes digital ad strategy chief Allison Murphy explains their strategies | DigiDay.com
• Facebook fails to prevent PACs from lying in ads | Wendy Davis, MediaPost.com
• Companies track your phone movements to target ads | Sidney Fussell, Wired.com

PLATFORMS and PRIVACY

• Expert critics of Facebook privacy/trust form their own “oversight” board | Olivia Solon, NBCNews.com
• Critics form their own Facebook policy review board | Karlene Lukovitz, MediaPost.com
• Facebook critics take on its oversight board | Sarah Fisher, Axios.com
• Justice Department briefs states on Google antitrust inquiry | Cecilia Kang, et al., NYTimes.com
• Resisting the “Facebook-ization” of our public spaces | Lucy Bernholz et al., Stanford Digital Civil Society Lab

COVID-19 AND PRIVACY

• What the pandemic has revealed about data privacy | Davis Aunders & Kelly Hagedorn, IAPP Privacy Perspectives
• Canadian university students worried anti-cheating software invades privacy | CBC News
• Privacy will trump public’s need to know in Canadian COVID-19 school cases | Chris Montanini, StratfordBeaconHerald.com

PERSONAL PRIVACY 

• Most people wary of data collection by platforms, CR study finds | Wendy Davis, DigitalNewsDaily/MediaPost.com (REPORT DOCUMENT)
• Most Americans support government regulation of platforms | ConsumerReports.org
• Facebook’s Illinois users can apply for up to $400 privacy payout | Jeff John Roberts, Fortune.com
• A guide to  privacy litigation of government identity systems | Maithili Pai & Spencer Bateman, PrivacyInternational.org
• Nonprofit “Blacklight” launches website privacy inspection tool | Julia Angwin, via IAPP Daily Dashboard
• Average American recorded by security cameras 238 times each week | Chris Melore, StudyFinds.org
• How much is your data worth? New tool will help you find out | Stepanie Miles, StreetFightMag.com
• Glow pregnancy app exposes women to privacy threats | Jerry Beilinson, Consumer Reports
• Portland’s facial-recognition ban sets up biometric class actions | Marissa Serafino, Holland Knight law firm
• CR research: Eight out of 10 citizens concerned about platform data collection | Wendy Davis, MediaPost.com
• How Vice is preparing for life after the third-party cookie | Lara O’Reilly, DigiDay.com
• Killi helps you to figure what “your data” is worth to marketers | Stephanie Miles, StreetFightMag.com
• How the NSA is collecting your data via devices | Robert Beens, StartPage.com | VIDEO: Beens interviewed about StartPage history

Does Prop24 improve or detract from privacy? A clue?  McNamee says data broker LiveRamp is opposed

The jockeying over whether Prop24 will advance or hobble consumer privacy in California is playing out as a contest to see which “side” can obtain and promote the most influential supporters.

PROPONENTS’ SINGLE-SHEET ARGUMENT

This week saw the publication of dueling op-eds in the San Diego Union-Tribune, the first one, “Prop24 would strengthen consumer privacy laws,”  by prominent venture-capitalist, author and Facebook foe Roger McNamee.

Meanwhile, the Democratic Party of Orange County Tweeted that it supports Prop24.

McNamee’s argument is that the current California Consumer Privacy Act (CCPA) “has noble intent but few teeth” as a result of pre-passage lobbying by industry in Sacramento in 2018.  He says the Nov. ballot initiative Prop24, the California Privacy Rights Act (CPRA),  “is a huge step forward.” He says Prop24 is opposed by one of the world’s largest data brokers, LiveRamp Holdings (formerly Acxiom Corp.)

He continues: “Proposition 24 plugs many holes in CCPA. It provides the right to prevent the collection of unnecessary data, restrictions on transfers of personal data, penalties for the loss of email addresses due to negligence, the right to correct your data, an opt-out of the use of precise geolocation and other highly sensitive information like health, race and sexual orientation, new standards for high-risk processors of data and transparency around automated decision-making.”

Arguing against voter approval of Prop24 is Stacey Rosenberg, executive director of the Media Alliance.  She writes the 53-page measure has “loopholes and exemptions” that favor business users of consumer data.

She writes, in excerpts: “Loopholes put in Proposition 24 to please commercial credit companies like Experian . . . [also] buried deep in the fine print, Proposition 24 says any future privacy-protection laws are null and void if they conflict with Proposition 24  . . . [and] Proposition 24 asks you to vote for what is in effect a privacy poll tax. Current law allows companies to charge you higher prices if you “opt out” of letting them sell your personal information, up to the value of your data to the business . . .If the right to privacy becomes a luxury item that only the affluent can afford, then most of us no longer have privacy protections.”

CALIFORNIA PRIVACY

• Prop24 is supposed to strengthen privacy; why do some privacy advocates oppose it? | Gilad Edelman, Wired.com
• Single-sheet flyer opposing Prop24 | Source: LWV, ACLU and LGBTQ group
• The No On 24 website | The Californians for Consumer Privacy (pro-24) website 
• California’s Proposition 24 would protect data-privacy law from being weakened in Legislature | Dustin Gardiner, San Francisco Chronicle
• AUDIO:  Media Alliance leader discusses initiative with Prop24 opponent | via Neptune Ops political advocacy firm
• AUDIO:  How CPRA will amend and extend CCPA provisions |
• Alan Friel, BakerHostetler law firm
• OPINION: CCPA doesn’t restrict loyalty programs to data value | David A. Zetoony, Bryan Cave Leighton Paisner law firm
• CCPA $25M threshhold applies to global revenues | David O’ Klein, Klein Moynihan Turco LLP
• EXPLAINER: CPRA or CCPA 2.0 | Brandon P. Reilly, Manatt law firm

WORLD PRIVACY

• ROUNDUP: Global companies adopt conservative approach to privacy | Pulina Whitaker & Andrew Gray, Morgan Lewis law firm
• In New Zealand, tech vs. privacy among poor regulation | Jessie Ciang, Radio New Zealand
• IAPP reports on FTC’s data-portability workshop discussions | Joseph Duball, IAPP Privacy Advisor
• Comparing Brazil’s  new data privacy law with GDPR | Brooke Penrose, Burns & Levinson law firm