Federal privacy law roadmap suggests private compliance programs; W3C debates meaning of “Global Privacy Control”

Privacy Beat

Your weekly privacy news update.



REGISTER: Identity, Advertising and Future of Journalism

Brookings scholars lay out text roadmap for federal privacy law including private compliance programs

Two scholar-attorneys at the Brookings Institution, the nonpartisan but generally liberal DC think tank, finalized a detailed roadmap this week for proposed U.S. privacy legislation.  Coming soon after California’s adoption of Prop 24, the framework is likely to form the basis of bipartisan federal privacy-law negotiations on Congress.

Authors Cameron F. Kerry and John B. Morris Jr., who have extensive government regulatory and privacy backgrounds, first unveiled in June a 48-page model “Information Privacy Act.”  This week, they provided justification for it — language for “legislative findings” that typically form a preamble for groundbreaking new laws to give them context for later legal interpretation.  Kerry is the brother of former U.S. Sen. John F. Kerry, D-Mass.

The findings begin with this statement: “Privacy is a value deeply embedded in American law and society” which is “a personal and fundamental right protected by the [U.S.] Constitution.”  The findings language amounts to an essay on the importance of digital privacy. It concludes with a series of policy statements. (See QUOTE OF THE WEEK below)

The model act proposed by the Brookings team includes four key provisions, some of which do not yet have broad bipartisan support, and generally adopting the view of Democrats. The pre-emption language represents an offer of compromise obviously attempting to preserve the California Privacy Rights Act and garner support from that state’s delegation. Key provisions:

  • Enforcement by the U.S. Federal Trade Commission rather than by any new federal agency. Fines of up to $43,280 per person per incident.
  • Authority provided to state attorneys general to independently enforce the act.
  • The right of individuals to sue under the act.
  • Pre-emption of any “inconsistent” state laws for eight years, unless they afford “greater protection to individuals” or “supplement” the act.

One section would also authorize the FTC to approve private compliance programs which include “meaningful action” for noncompliance. Such actions “may include” removal of a covered entity from the program, referral for enforcement, public reporting of disciplinary action, redress for individuals harmed or voluntary payment of federal fines.

Pollyann Sanderson’s reporting on the act and findings for the Future of Privacy Forum, explaining why the Brookings work matters, included a diagram of key issues, reproduced above.






Does your organization need customized privacy compliance solutions? ITEGA  can help.

We bring together support you need to approach compliance with CCPA, GDPR if needed, and future privacy legislation as it emerges.

Learn More


Optional, uniform-style “opt-out” button is proposed for the current California privacy law; comments due Dec. 28

Websites that must comply with the current California Consumer Privacy Act (CCPA) would have the option to use a standardized “opt-out” button on a home page for consumers to click under regulations proposed this week by the state’s attorney general.  Earlier regulations included an opt-in button design but it was dropped when privacy advocates objected to its format.

The new regulatory draft says the opt-out button, shown above, “may be used in addition to posting the notice of right to opt-out, but in lieu of any requirement to post the notice of right to opt-out.”  It continues: “Where a business posts the ‘Do Not Sell My Personal Information’ link, the opt-out button shall be added to the left of the text” and should link to the same place as the text.  Finally, the draft rule says the button “shall be approximately the same size as any other buttons used by the business on its website.”

Comments on the new regulatory language are due by Dec. 28 at 5 p.m.




W3C privacy group debates Google’s user-sharing Chrome proposal and Global Privacy Control signal

Key proposals affecting networks of affiliated websites, ways advertisers learn if their ads work, and the ability of users to easily signal privacy preferences were discussed this week among some 80 people during a regular webinar of the World Wide Web Consortium’s (W3C) Privacy Community Group.

The meetings are for voluntary standards discussions and they have a history of respectful and robust debate chiefly among engineers.  This week, a Google proposal encountered some criticism, and a Facebook engineer raised concerns about a privacy proposal, minutes show. Two of the proposals involve efforts to replace functions of cross-site tracking of the third-party cookie, which browsers are now or will soon block on privacy grounds.

  • The first discussion concerned “First Party Sets,” a Google proposal to limit  and govern to some degree the ability to track without cookies when a user is part of a group of collaborating or same-owner web services.  Engineers from Mozilla and Apple, competing browser makers, said they opposed the Google initiative, but folks from Microsoft, and SalesFroce  said they support it. Another engineer from Samsung, and the Trustworthy Advertising Group, Dan Applequist, says he was worried about the lack of consensus in such a voluntary standards discussion.  “The impact would be devastating in terms of wb compatibility if Chrome were to shop this,” said Steven Englehardt, of Mozilla. “Sites are just going to be broken in Firefox.”
  • Apple’s John Wilander next updated the group on its Privacy Click Measurement proposal, a means to report back to advertisers when a person who has seen an ad ends up buying a related product. The challenge is how to make such a report without revealing the identity of the buyer.  A key issue is for how long the data can be associated with a specific — yet anonymous — user.  Wilander said the current proposal is seven days — “one week of potential ad-click attribution.”  Google’s Charlie Harrison said his team had a related proposal that it may make to an advertising interest group of the W3C.  There is also proposals from ad-tech companies.
  • The most challenging exchange of the day occurred during an hour-long update on the Global Privacy Control initiative begun by Wesleyan University Prof. Sebastian Zimmick and embraced by the New York Times, The Washington Post, Financial Times Consumer Reports, Mozilla, Digital Content Next and others.

Facebook engineer Ben Savage described GPC as “a user is able to say privacy, or no privacy, and privacy has been reduced to a binary spectrum that maps onto unknown things in different places via some mechanism.”  Earlier, he said: “It does not tell me which laws exist in each jurisdiction. That’s up to me to figure out . . . and it does not tell me what I have to do as a result . . . and what it may map to to is radically different things depending on the jurisdiction.”

“That is a good point but it is not a correct interpretation,” responded Robin Berjon of The New York Times.  So if that’s what you understood from our explanation then obviously we need to explain it again.”  He said GPC “conveys a clear user intent . . . as a website operator you can OK, I can do several things . . . basically it just ties to these very simple rights that have not wildly differing interpretations across jurisdictions.”

GPC supports say their intent is that the signal invoked from a user’s browser is designed to object to the “processing of personal information.”  Savage, from Facebook, said “processing refers to anything, not sharing or selling. If you sort in a database you’re processing.”




Like what you see? Then recommend to a friend.

Subscribe to Privacy Beat


Brand leadership necessary and third-party user-data “trust bank” seen as one option for ad-tech privacy

The need for leadership from brand advertisers, the idea of a “trust bank” of user data for targetted advertising and a plea to rethink what is meant by “personalized” advertising were among ideas broached in a virtual panel at the PrivSec Global data protection, privacy and security conference which organizers say drew about 10,000 online participants over four days Nov. 30-Dec. 3.  The panel was entitled: “Consumer Trust,, Consent and Privacy Rights.”

Four speakers explored changes upending the way advertising is sold and personal information is handled on the web. Their focus: The need to transition to a state in which privacy is at the center of the system.  Solutions need to come from the industry because they will be too complex for regulators to figure out independently, said Roman Gauthier, CEO/founder of Didomi, a French company which provides privacy-consent systems.

“The brands need to take leadership with this, driving this,” said Conan Chitham, senior privacy counsel with the ad-tech firm MediaMath. “I think advertisers themselves need to get behind this.”  Although browser makers have ideas, Chitham said, they should be viewed with skepticism, and publishers need to be involved or else the results “could go off in a horrible way and end in a closed ecosystem.”

On another point, Chitham said he liked the idea of a “third-party trust bank” to govern and manage information about web users that would allow them to be served relevant advertising without revealing their identity. He continued: “It’s the idea of a third-party trust bank, where you can tender your preferences and advertisers can go and get them in segments.” He said such an idea would require broad suppport to get going, and people able to taken responsibility for managing their preferences.

Gauthier said he thought directing advertising to a specific individual would become more rare in the future because of privacy laws. “That’s OK to move back a bit from this idea of hyper personalization that is around everything,” he told fellow panelists, adding: “Overall, we have to question the whole idea of personalization and ask if it brings as much value to the consumer as it does to the ad tech companies in between.”






A national policy on privacy: Proposal from Brookings institution scholars for preamble to a model federal law

“In order to protect the privacy of individuals, it is necessary and proper for Congress to regulate the collection, use, processing, and sharing of personal information. There is a compelling national interest in providing meaningful and effective boundaries on the collection, use, storage, and sharing of personal information so all individuals linked or linkable to such information have a basis to trust that such information will be handled in ways consistent with their privacy and other interests.

“There is a compelling national interest in empowering individuals through meaningful and effective rights with respect to personal information linked to them so that those individuals who want to can ensure this information is used and shared in ways consistent with their privacy and other interests.

“It is the policy of the United States to provide a consistent national approach to the collection, processing, storage, and sharing of personal information, but also to preserve the existing fabric of state and local statutory and common law protecting privacy to the extent it does not interfere with the comprehensive operation of federal law.

“It is the policy of the United States to provide individuals with meaningful remedies for privacy harms, whether those harms are financial, physical, reputational, emotional, or other kinds; and to ensure that an exclusive federal remedy for violation of privacy rights vindicates interests that have long been protected by other privacy laws.

“It is the policy of the United States to ensure that protections for users’ privacy can remain up-to-date, and continue to evolve as technology, innovation, and services—and risks to privacy—evolve.”


Privacy Beat is a weekly email update from the Information Trust Exchange Governing Association in service to its mission. Links and brief reports are compiled, summarized or analyzed by Bill Densmore and Eva Tucker.  Submit links and ideas for coverage to newsletter@itega.org.

Share Share

Tweet Tweet

Share Share

Forward Forward




Copyright © 2020 Information Trust Exchange Governing Association, All rights reserved.

Want to change how you receive these emails?
You can update your preferences or unsubscribe from this list.

Email Marketing Powered by Mailchimp