Klobuchar, Kennedy tee up bipartisan privacy vehicle; Brookings expert sees “safe harbor” as key and says ITEGA would “fill bill” |

Privacy Beat

Your weekly privacy news update.



Brookings privacy expert sees “safe harbor” as part of bipartisan measure; says ITEGA might “fill the bill” — but may be premature

A Brookings Institution legal scholar who has worked for years on federal privacy initiatives thinks that the concept of “safe harbor” regimes would likely be part of any bi-partisan Congressional action on comprehensive federal digital privacy.  John B. Morris, Jr., also said in an interview with Privacy Beat that he thinks such regimes have real value.

Morris envisions that a federal baseline privacy law would create a regulatory regime in which a federal agency (he suggests the U.S. Federal Trade Commission) can review, approve, or reject proposed safe harbor systems, and then closely monitor the implementation and effectiveness of such systems.

In his view, such a regime could be a force-multiplier for the federal agency, and could allow clear privacy guidance and compliance procedures to be developed for industries that might otherwise fall under the radar of federal or state privacy enforcement efforts.  Morris and his Brookings colleague (and former Department of Commerce General Counsel) Cameron Kerry included the idea in model privacy legislation they unveiled last year. 

In the interview, Morris said:

  • The Information Trust Exchange Governing Association (ITEGA.org), the publisher of Privacy Beat, would likely have “filled the bill” as an element of the safe-harbor approach included in the draft privacy legislation that the the Obama White House released in 2015 (while Morris was working at the National Telecommunications and Information Administration).

  • Today, Morris sees a “chicken or egg” challenge — is law needed to empower a public-interest privacy enforcer like ITEGA, or does ITEGA need to be operational as an example to write law around? He believes the former.  “I am doubtful that voluntary nongovernmental initiatives are going to have much viability without federal legislation that expressly creates a strong federal review and oversight system,” he explained.

In the end, says Morris, something like ITEGA — a 501(c)3  public-benefit entity that proposes making and enforcing business rules and policies around a privacy and identity ecosystem by “pulling the plug” on violators — could be valuable.

“Does ITEGA have any potential?” he asked rhetorically. “My short answer is I don’t know but I hope so.  And that’s because I think that a well-crafted system for federal review of and oversight over safe-harbor systems would make federal baseline privacy law stronger, would better protect privacy, and could give small and large industries more concrete and enforceable guidance about how to respect the privacy of all users.


Klobuchar, Kennedy tee up bipartisan vehicle for privacy compromise, straddling opt-in, pre-emption and “private right” — where’s the text? 

The Democratic chair and top Republican on a Senate subcommittee dealing with online privacy have together re-introduced their data-privacy proposal that could be a platform for bipartisan compromise. Sporting a new title, the Social Media Privacy Protection and Consumer Rights Act (S.1667)  apparently straddles at least two contentious issues.

Klobucher introduced the bill in the Senate on May 18 and it was immediately referred to her subcommittee.  But the bill text had not yet been posted to Congress’ system by May 28, so precise language parsing from an official version is not yet accessible. Press statements and news accounts provide hints.

Those accounts say the bill, if enacted, will not supersede any existing state laws, such as the California Privacy Rights Act (CPRA).  California Democrats in the House have said they would not agree to federal “pre-emption” of tougher state privacy laws, but the GOP and industry want a single national standard.

But in a concession to the advertising and technology industries, the bill would preclude most options for individual citizens to sue over violations of the law. Instead, only the U.S. Federal Trade Commission — and state attorneys general — could do so. The idea of individual class-action lawsuits is a hot button for industry which fears financial exposure and massive litigation.

In a third policy area, the proposal takes an approach thought to favor industry — individual data collection would be legal unless an individual “opts out”.  European law requires “opt-in” for data collection, and even some advertising-industry executives are expecting that will be the law in the United States eventually.  The Klobuchar-Kennedy bill does impose strict rules on providing an easy, transparent way to opt out. That puts Klobuchar at odds with two powerful fellow Democrats, Rep. Jan Schakowsky, of Illinois, and Sen. Richard Blumental of Connecticut.



Does your organization need customized privacy compliance solutions? ITEGA  can help.

We bring together support you need to approach compliance with CCPA, GDPR if needed, and future privacy legislation as it emerges.

Learn More



Shoshana Zuboff | Photo courtesy Wikipedia

Zuboff calls out Apple to lead alliance to spark investment opportunity away from surveillance capitalism 

Author and emeritus Harvard Business School Prof. Shoshana Zubuff is challenging Apple Chairman Tim Cook to lead a pivot of the current “surveillance” marketing ecosystem by forming alliances with other large, medium and mall companies.  Her call, in a New York Times interview, echoes similar statements she first made in 2019 after the publication of her groundbreaking book, “The Age of Surveillance Capitalism: The Fight for a Human Future at the New Frontier of Power.”

“They’ve already made it clear that they’re looking at a way to expand their own advertising model, which is different from online targeted advertising,” Zuboff says of Apple in The Times Q-and-A. “They’re putting down the elements here of an alternative advertising paradigm. This is an opportunity for that new paradigm to now converge with their stated values and not rely on massive scale collection of human generated data in secret.

In a 2019 interview with Ralph Nader, Zuboff said a big opportunity then existed for a collaborative alliance of companies to counter Google and Facebook on privacy.  At the time, she cited Apple specifically as a potential catalyst.  She said such an alliance would have the potential to have “every person on earth as a customer” and would therefore attract investment.

“This alternative ecosystem is waiting for leadership,” she says in the new Times interview, adding: “Apple is the corporation that can provide that leadership . . . . ”






Ad industry frets possible N.Y. Senate action on bill requiring data “opt-in” and allowing citizen lawsuits over privacy

The advertising industry is up at arms over a tough digital privacy bill introduced into the New York state Senate a couple of weeks ago — because it would require consumer “opt-in” to some data collection and would also allow individual consumers to sue for violations. The measure, SB 6701, is ready for a final Senate vote. It would still require a House vote before June 10, when Albany, N.Y., lawmakers adjourn the session.

The New York Privacy Act text would require companies to disclose their methods of de-identifying personal information, to place special safeguards around data sharing and to allow consumers to obtain the names of all entities with whom their information is shared. Consumer Reports, the nonprofit group, backs the bill.






Like what you see? Then recommend to a friend.

Subscribe to Privacy Beat

Google aids effort that’s starting “federated identity” W3C interest group; minutes show Facebook’s, others’ concerns 

In nearly six hours of web-based discussion over two days involving more than 80 technologists and corporate strategists, a Google-supported discussion has moved to form a “federated identity” community group within the World Wide Web Consortium (W3C). The group will be focused on challenges to web privacy and identity resulting from the deprecation of third-party cookies.

For now, it won’t consider so-called “decentralized identity” or “self-sovereign identity” initiatives, but may become a subset of a larger, broader identity interest group later, organizers decided.

This week’s Zoom-in “workshop” around federated identity was organized and facilitated by Heather Flanagan, an academic librarian, university IT manager and expert at multistakeholder process for ICANN and others.  Flanagan told Privacy Beat that out of frustration about the confusion over Internet identity management she reached out to friends within Google, who agreed to pay her as a consultant to organize the two-day workshop.  A ground rule she laid down was that Google would not influence the design or outcome of the discussions.


(see quote of week, below)





Google avails PRAM to try and explain what it is doing about web identity after TP cookie 

  • The following is an excerpt of a statement from Chetna Bindra, group product manager, user trust and privacy, of Google Inc., posted May 4 to the website of the ad-industry’s Partnership for Responsible Addressable Media (PRAM.org).

“In March, Google reconfirmed our commitment to user privacy by clarifying that once third-party cookies are phased out, we will not build or use alternate identifiers to track individuals as they browse across the web. Instead, our web products will be powered by privacy-preserving APIs which prevent individual tracking while still delivering results for advertisers and publishers [and] . . .  .

“[R]ecently, we shared an update on efforts underway to support key conversion measurement use cases . . . First-party data will also continue to be an important strategy, and publishers who have built first-party relationships will continue to be able to provide personalized ad experiences to those audiences. To help publishers make use of their first-party relationships, we are working on further developing tools that allow publishers of all sizes to activate data from user engagement on their own sites.

“ . . . We are experimenting with tools that enable publishers to share encrypted signals, such as first-party identifiers or third-party identity solutions, directly with the partners of their choice. With this solution, Google Ad Manager will provide the infrastructure through which publishers may pass signals to the third-party bidders they choose. Google will not be able to read or decrypt the signals, preserving the confidentiality of the relationship between publishers and their partners . . . . “ 

“We are still working out the details of how customers will indicate these preferences and how auctions that make use of various monetization approaches will best work together, but we remain committed to creating the optimum experience for our publisher customers . . . we’ll continue to support first party data on our own properties through solutions like Customer Match and audiences on Google Ads and YouTube Likewise, we’ll continue to enable advertisers’ direct relationships with publishers to reach their audiences . . . .

“Ads Data Hub is a valuable tool  . . . [a]s with all of our products, we continue to assess how to ensure ADH continues to deliver performance in a privacy-centric manner.”


Privacy Beat is a weekly email update from the Information Trust Exchange Governing Association in service to its mission. Links and brief reports are compiled, summarized or analyzed by Bill Densmore and Eva Tucker.  Submit links and ideas for coverage to newsletter@itega.org.

Share Share

Tweet Tweet

Share Share

Forward Forward




Copyright © 2021 Information Trust Exchange Governing Association, All rights reserved.

Want to change how you receive these emails?
You can update your preferences or unsubscribe from this list.

Email Marketing Powered by Mailchimp