REGISTER: Identity, Advertising and Future of Journalism

Brookings scholars lay out text roadmap for federal privacy law including private compliance programs

Two scholar-attorneys at the Brookings Institution, the nonpartisan but generally liberal DC think tank, finalized a detailed roadmap this week for proposed U.S. privacy legislation.  Coming soon after California’s adoption of Prop 24, the framework is likely to form the basis of bipartisan federal privacy-law negotiations on Congress.

Authors Cameron F. Kerry and John B. Morris Jr., who have extensive government regulatory and privacy backgrounds, first unveiled in June a 48-page model “Information Privacy Act.”  This week, they provided justification for it — language for “legislative findings” that typically form a preamble for groundbreaking new laws to give them context for later legal interpretation.  Kerry is the brother of former U.S. Sen. John F. Kerry, D-Mass.

The findings begin with this statement: “Privacy is a value deeply embedded in American law and society” which is “a personal and fundamental right protected by the [U.S.] Constitution.”  The findings language amounts to an essay on the importance of digital privacy. It concludes with a series of policy statements. (See QUOTE OF THE WEEK below)

The model act proposed by the Brookings team includes four key provisions, some of which do not yet have broad bipartisan support, and generally adopting the view of Democrats. The pre-emption language represents an offer of compromise obviously attempting to preserve the California Privacy Rights Act and garner support from that state’s delegation. Key provisions:

• Enforcement by the U.S. Federal Trade Commission rather than by any new federal agency. Fines of up to $43,280 per person per incident.
• Authority provided to state attorneys general to independently enforce the act.
• The right of individuals to sue under the act.
• Pre-emption of any “inconsistent” state laws for eight years, unless they afford “greater protection to individuals” or “supplement” the act.

One section would also authorize the FTC to approve private compliance programs which include “meaningful action” for noncompliance. Such actions “may include” removal of a covered entity from the program, referral for enforcement, public reporting of disciplinary action, redress for individuals harmed or voluntary payment of federal fines.

Pollyann Sanderson’s reporting on the act and findings for the Future of Privacy Forum, explaining why the Brookings work matters, included a diagram of key issues, reproduced above.

WASHINGTON BEAT

• Assessing what’s cooking in Washington around privacy legislation | Stephanie Miles, StreetTalkMag.com
• Future of Privacy Forum execs “best-chance” optimistic about federal privacy law in 2021 | Jennifer Bryant, IAPP Privacy Advisor
• OPINION: How might the 117th Congress approach privacy and cybersecurity? | Nicole Sakin, IAPP Privacy Perspectives
• Senate hearing ponders US remedies for Privacy Shield invalidation | Joseph Duball, IAPP Privacy Advisor
• What Wednesday’s end-of-year Senate privacy hearing meant for 2021 | Alexandra S. Levine, Politico.com
• WEBCAST ARCHIVE: The Invalidation of the EU-US Privacy Shield and the Future of Transatlantic Data Flows | Senate Commerce Committee

STATEHOUSE BEAT 

• OPINION: Washington state needs a privacy law that protects people, not corporations | Seattle Times editorial

ANTITRUST ANALYSIS 

• Facebook faces U.S. lawsuits that could force sale of Instagram, WhatsApp | Diane Bartz et al., Reuters PLC
• In antitrust suits, Facebook’s biggest liability is Zuckerberg’s own words | Issie Lapowsky, Protocol.com
• News release: Challenging “multi-year course of unlawful conduct | Federal Trade Commission website |  RELATED: Suit document PDF 
• The Facebook lawsuits explained | Shira Ovide, New York Times

WORLD PRIVACY

• Digital minister says Taiwan to guard privacy with new “independent” agency | Huizhong Wu, The Associated Press

EU PRIVACY 

• Civil-society groups in six nations target Google and IAB with fresh RTB privacy complaints | Natasha Lomas, TechCrunch.com
• IAB Europe responds to Belgian DPA concerns about its TCF ad-tech architecture | IAB News Release
• ADVOCACY: For a truly “Trustworthy AI,” EU must protect rights and deliver benefits | AccessNow.org
• EU’s Vestager hints Big Tech will have to end ‘self-preferencing’ under new competition rules | Silvia Amaro, CNBC.com
• EU sets out search ranking guidelines for Google, Microsoft, platforms | Foo Yun Chee, Reuters PLC
• EU will seek penalties of 6% of revenues if  Big Tech doesn’t “police” web | Javier Espinoza, Financial Times
• French privacy regulator fines for Google (100-milion Euros), and Amazon  (35-million-Euros) | Elisa Braun & Vincent Manancourt, Politico.eu | Related stories by CNBC, France24, NextInpact.
• EU Privacy Agency Does Not Expect New EU-US Data Privacy Accord Any Time Soon |  Foo Yun Chee, Reuters PLC
• Lawyer seeks likelihood that U.K. cross-border data transfers will be blocked by Brexit | Andrew Dunlop, Burgees Salmon law firm

Optional, uniform-style “opt-out” button is proposed for the current California privacy law; comments due Dec. 28

Websites that must comply with the current California Consumer Privacy Act (CCPA) would have the option to use a standardized “opt-out” button on a home page for consumers to click under regulations proposed this week by the state’s attorney general.  Earlier regulations included an opt-in button design but it was dropped when privacy advocates objected to its format.

• California formalizes “opt-out” button look and option in fresh CCPA regulatory update; comments by Dec. 28 | David Stauss, Malia Rogers & Shelby Dolen, Husch Blackwell law firm |  TEXT OF RULEMAKING | RELATED STORY

The new regulatory draft says the opt-out button, shown above, “may be used in addition to posting the notice of right to opt-out, but in lieu of any requirement to post the notice of right to opt-out.”  It continues: “Where a business posts the ‘Do Not Sell My Personal Information’ link, the opt-out button shall be added to the left of the text” and should link to the same place as the text.  Finally, the draft rule says the button “shall be approximately the same size as any other buttons used by the business on its website.”

Comments on the new regulatory language are due by Dec. 28 at 5 p.m.

CALIFORNIA PRIVACY 

• AUDIO: Seven minutes with Alastair Mactaggart about the success and impact of CPRA / Prop 24 | KSRO Sonoma County
• ANALYSIS: Meet the CPRA — law firm’s section-by-section  analysis | Scot Ganow & Zenus Franklin, Taft Stettinius & Hollister LLP via LexBlog.com
• CPRA seen as mainly about third-party data sharing and bridging CCPA to GDPR | Justin Joffe, AdMonsters.com

PLATFORM PRIVACY BATTLES 

• Could rumored privacy-focused Apple search engine really compete with Google? | Hamza Mudassir, FastCompany.com
• Apple’s CEO takes swipe at Big Tech rivals for alleged “lack of responsibility” | Michelle Gao, CNBC.com
• Starting Jan. 18, Chrome extensions must display privacy practices, Google says | Emil Protalinski, VentureBeat.com
• BACKGROUND: Understanding the Apple/Facebook privacy battle over “labels” | Sara Fisher, Axios.com
• OVERVIEW: “Nutrition” privacy labels and lookalike audiences | Ben Thompson, Stratechery.com
• Specific rules for Apple’s upcoming privacy  “nutrition labels” for apps reviewed | David Stauss et al., Husch Blackwell law firm | RELATED STORY
• Through WhatsApp, Facebook blasts Apple over iOS14 privacy labels | Wendy Davis, DigitalNewsDaily/MediaPost
• Apple exec says ad-tech companies make “outlandish” and “false” claims about IDFA deprecation | Natasha Lomas, TechCrunch.com
• Apple responds to WhatsApp criticism, confirms its own apps will show privacy labels | Michael Potluck, 9to5Mac.com
• Apple top exec touts privacy efforts and App Tracking Transparency in keynote | Chance Miller, 9to5Mac.com

W3C privacy group debates Google’s user-sharing Chrome proposal and Global Privacy Control signal

Key proposals affecting networks of affiliated websites, ways advertisers learn if their ads work, and the ability of users to easily signal privacy preferences were discussed this week among some 80 people during a regular webinar of the World Wide Web Consortium’s (W3C) Privacy Community Group.

The meetings are for voluntary standards discussions and they have a history of respectful and robust debate chiefly among engineers.  This week, a Google proposal encountered some criticism, and a Facebook engineer raised concerns about a privacy proposal, minutes show. Two of the proposals involve efforts to replace functions of cross-site tracking of the third-party cookie, which browsers are now or will soon block on privacy grounds.

• The first discussion concerned “First Party Sets,” a Google proposal to limit  and govern to some degree the ability to track without cookies when a user is part of a group of collaborating or same-owner web services.  Engineers from Mozilla and Apple, competing browser makers, said they opposed the Google initiative, but folks from Microsoft, and SalesFroce  said they support it. Another engineer from Samsung, and the Trustworthy Advertising Group, Dan Applequist, says he was worried about the lack of consensus in such a voluntary standards discussion.  “The impact would be devastating in terms of wb compatibility if Chrome were to shop this,” said Steven Englehardt, of Mozilla. “Sites are just going to be broken in Firefox.”
• Apple’s John Wilander next updated the group on its Privacy Click Measurement proposal, a means to report back to advertisers when a person who has seen an ad ends up buying a related product. The challenge is how to make such a report without revealing the identity of the buyer.  A key issue is for how long the data can be associated with a specific — yet anonymous — user.  Wilander said the current proposal is seven days — “one week of potential ad-click attribution.”  Google’s Charlie Harrison said his team had a related proposal that it may make to an advertising interest group of the W3C.  There is also proposals from ad-tech companies.
• The most challenging exchange of the day occurred during an hour-long update on the Global Privacy Control initiative begun by Wesleyan University Prof. Sebastian Zimmick and embraced by the New York Times, The Washington Post, Financial Times Consumer Reports, Mozilla, Digital Content Next and others.

Facebook engineer Ben Savage described GPC as “a user is able to say privacy, or no privacy, and privacy has been reduced to a binary spectrum that maps onto unknown things in different places via some mechanism.”  Earlier, he said: “It does not tell me which laws exist in each jurisdiction. That’s up to me to figure out . . . and it does not tell me what I have to do as a result . . . and what it may map to to is radically different things depending on the jurisdiction.”

“That is a good point but it is not a correct interpretation,” responded Robin Berjon of The New York Times.  So if that’s what you understood from our explanation then obviously we need to explain it again.”  He said GPC “conveys a clear user intent . . . as a website operator you can OK, I can do several things . . . basically it just ties to these very simple rights that have not wildly differing interpretations across jurisdictions.”

GPC supports say their intent is that the signal invoked from a user’s browser is designed to object to the “processing of personal information.”  Savage, from Facebook, said “processing refers to anything, not sharing or selling. If you sort in a database you’re processing.”

AD TECH AND PRIVACY

• VIDEO: Big agency exec from Omicom group warns possibility of virtually no consumers opting in to tracking | Robert Williams, Beet.TV
• Data clean rooms and universal IDs — the future of advertising? | Gavin Dunaway, Lynne d Johnson, AdMonsters.com
• Amazon boasts to advertisers all the data it collects on shoppers | Shoshana Wodinsky, Gizmodo.com
• “Pelican” — data-aggregator Neustar’s effort to help ad attribution survive end of cookie | Allison Schiff, AdExchanger.com
• ANA forms influencer marketing board to standardize measurement, trust, transparency | Joe Mandese, DigitalNewsDaily/MediaPost.com
• LINGO PRIMER: AdWeek offers links and definitions for changes in ad-tech world | Ronan Shields, AdWeek.com
• Respected auditing firm to certify human audiences against ad fraud | Tom Drouillard, AuditedMedia.com
• VENDOR OPINION: How to survive the consent economy | Joseph LKospalluto, Smart AdSever
• Sell-side ad platform PubMatic “goes public” and shares shoot up 50% | Megan Graham, CNBC.com | RELATED STORY
• Nielsen plans single cross-media measurement system | Karlene Lukovitz, DigitalNewsDaily/MediaPost.com
• A “single, multiplatform measurement service controlled by Nielsen”? |  Joe Mandese, DigitalNewsDaily/MediaPost.com

COVID-19 AND PRIVACY 

• Trump administration efforts to track COVID-19 vaccinations raise privacy concerns | Jesse Turnure, NextStar Digital
• Privacy risks persist with DIY COVID-19 contact tracing apps | Lance Whitney, TechRepublic.com
• Tracking apps show effectiveness promise but prove tough privacy sell | Jennifer Valentino-DeVries, New York Times
• Health officials in California county fear immigrants may not take COVID-19 vaccine over privacy | Mauricio LaPlante, SanJoseSpotlight.com
• Blockchain-based immunity passports don’t solve core privacy problem | Benjamin Powers, CoinDesk.com

FACIAL RECOGNITION

• Massachusetts governor won’t sign police reform bill with facial recognition ban | Zack Whittaker, TechCrunch.com
• Privacy, Civil Rights Groups Plan Facial Recognition Offensive in Washington | Dean DeChiaro, CQ-RoleCall via GovernmentTechnology.com
• China’s citizens push back on run-amok facial recognition | Shen Lu, Vice.com
• In U.K., Co-op grocery facial recognition trial raises privacy concerns | Jane Wakefield, BBC News via Yahoo