Meet CPPA’s Ashkan Soltani — now America’s top data-privacy “cop” — at least until Washington gets cracking

The United States has a new top privacy cop on the beat and he is likely to be tough on curbing programmatic advertising — and the use of email as a unique identifier.  His name is Ashkan Soltani and he was hired this week as executive director of the California Privacy Protection Agency (CPPA).

Legal observers and privacy-rights activists believe California law, in the absence of congressional action, will have to be followed nationwide as a practical matter because the state is so large and so many tech companies are based there. The board which hired Soltani is packed with privacy experts already, and Soltani was a principal author/advisor on both the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA).

Soltani, a former journalist and U.S. Federal Trade Commission chief technologist,  is now “the de facto chief privacy regulator for the United States,” tweeted Celine Mactaggart, a founder of Californians for Consumer Privacy with her husband Alastair, who was the key backer of both California laws. Soltani also helped author and implement.

California Attorney General Rob Bonta has already started focusing on privacy abuses in the “programmatic” advertising industry, which is based on opaque collection of user activity to send targeted commercial messages. Soltani will likely accelerate that scrutiny. And he has also suggested in comments before Congress and elsewhere that he doesn’t think the sharing of unique email addresses to extend cross-site targeting is legal under the CCPA or CPRA.

A third likely area of focus for Soltani will be to make sure websites serving California residents honor and respect a blanket “do not share my information” signal sent by a consumer with the Global Privacy Control web-browser signal — something Soltani also helped deploy as an independent privacy technologist. Bonta’s office issued an opinion July 15 declaring the GPC signal is a valid signal under the CCPA.

The privacy board has scheduled a public meeting on Oct. 18 that can be viewed online.

RELATED LINKS: 

• Former FTC technologist Soltani to head California privacy agency | Sara Merken, Reuters PLC | RELATED REPORT
• FTC alum Ashkan Soltani selected to lead CPPA | Joseph Duball, IAPP Staff Blogger | RELATED STORY
• Soltani Brings Technical, Regulatory Expertise to Privacy Agency | Jake Holland, BloombergLaw.com | RELATED STORY
• PDF DOCUMENT: Comparing California’s CCPA and CPRA — a legal white paper | Sherry-Maria Shafchuck & Garylene Javier, Buckley LLP law firm

REACTION: FACEBOOK OUTAGE 

• Facebook Whistleblower’s Testimony Builds Momentum for Tougher Tech Laws | John D. McKinnon & Ryan Tracy, WSJ.com
• Ex-Facebook employee asks lawmakers to step in. Will they? | Marcy Gordon, Associated Press
• Venture capitalist Roger McNamee: Facebook will not fix itself | Roert McNamee, Time.com
• ‘Facebook can’t keep its head in the sand’: Roger Mcnamee and four other experts debate the company’s future | Johana Bhuiyan, TheGuardian.com
• The problems Facebook faces: Publisher trade-group exec lists his picks | Jason Kint, CEO DCN, via Twitter
• Cloudflare provides a credible description of why Facebook outage escalated | SOURCE: Cloudflare
• VIDEO: Frances Haugen on 60 Minutes — the interview | CBS 60 Minutes via YouTube.com
• Tweaks to Outdated Privacy Protections Won’t Be Sufficient, Haugen Says | Ryan Tracy, MarketWatch.com
• Zuckerberg’s Early Notes on Privacy Now Haunt Facebook in Suit | Peter Blumberg, Bloomberg.com
• Like Facebook, AT&T once dominated communications. The difference? It was regulated | Dan Schiller, Univ. of Illinois via WashingtonPost.com

Hartzog: Massachusetts lawmakers in spotlight for hearing on ACLU-backed “revolutionary” privacy proposal; retailers opposed private right of action

The spotlight on privacy and the use of personal data is turning to the cradle of liberty, where Massachusetts lawmakers will take up a data-privacy proposal that could be “the most revolutionary” in the United States, according to a prominent data-privacy-rights academic. Woodrow Hartzog. The Northeastern University law-school and computer-science professor, wrote this week that the proposed Massachusetts Information Privacy Act (MIPA) would go beyond California or other states in some respects.

The bill was subject of a virtual hearing on Wed., Oct. 13. It’s supported by the Civil LIberties Union of Massachusetts and opposed by retailers. It is sponsored by Sen. Cynthia Stone Creem, the majority leader of the overwhelmingly Democrat-controlled Senate, and Sen. Eric P. Lesser, a Democrat who chairs the committee holding the hearing. The bill, S.46, is teed up in second of 40 bills on the hearing agenda.

Hartzog authored the 2018 book,  “Privacy’s Blueprint: The Battle to Control the Design of New Technologies.”

“Most states don’t have a true data privacy law, Hartzog wrote in a Boston Globe op-ed about the bill, adding: “Even the few that do, such as California, Virginia, and Colorado, have a relatively narrow focus or weak enforcement provisions. MIPA takes the best parts of those laws and adds some strong prohibitions and penalties.” Hartzog writes that the bill would regulate the collection of data for ad targeting, and address technologies that apply facial recognition, voice recognition, other sensors and prohibit somes uses of GPS location data.

The bill would make law formidable duties of confidentiality, care and loyalty on collection or use of personal data, Hartzog writes, adding: “Under a duty of confidentiality, companies would be prohibited from selling your data without ensuring, for example, that the recipient of your data is contractually bound to the same duties of confidentiality, care, and loyalty. This would practically eliminate a large chunk of data sales.”

Hartzog writes the bill would create a Massachusetts Information Privacy Commission with authority to investigate wrongdoing, create and enforce privacy regulations, and provide ways for private citizens to bring complaints to the commission and seek monetary damages in court.

STATE HOUSE SCOOP 

• What California, Colorado and Virginia Teach Us About the Future of US Privacy Law | Ali Jessani, WilmerHale law firm, via InfoSecurity Magazine
• RESEARCH: Detailing how data privacy laws vary across eleven states | Caroline Delbert, ZApproved.com

PRIVACY, THE FTC AND CONGRESS 

• FTC Commissioner Advocates ‘Data Minimization’ In Advertising | James Hercher, AdExchanger.com
• FTC’s Slaughter Blasts ‘Fundamental Unfairness’ Of ‘Data Economy’ | Wendy Davis, DigitalNewsDaily/MediaPost.com | SLAUGHTER SPEAKING OCT. 21
• Senators waiving white flag on privacy law with request to FTC? | Aaron Nicodemus, ComplianceWeek.com
• FTC Chair Khan’s Vision for Privacy – and Some Dissents | Jessica Rich et al., Kelley Drye law firm
• Senators Agree FTC Needs New Resources & Staff to Police Privacy | Justin Hendrix, TechPolicy.Press
• FTC Releases Report to Congress on Privacy and Security |  Summary, Benton Institute
• Analysis of FTC’s report to Congress on its needs for privacy and security enforcement | InfoBytes Blog, Bulkley law firm | REPORT DOCUMENT 

SECTION 230 

• Section 230: How it shields Facebook and why Congress wants changes  | Marguerite Reardon, CNet.com
• Algorithms shouldn’t be protected by Section 230, Facebook whistleblower tells Senate | Tim De Chant, ArsTechnica.com
• Facebook Whistleblower, Former Facebook Data Scientist Support Section 230 Reform | Lindsey Loving, NewsMediaAlliance.org

ANTITRUST AND PRIVACY 

• Privacy Playing Increased Role in Antitrust Enforcement | Michael Scarborough et al., SheppardMullin law firm
• A Star Corporate Lawyer Now Set to Take On Corporate America | Steve Lohr & Cecilia Kang, NYTimes.com

W3C federated-identity working group eyes practice of email for targeting — is that appropriate “sanctioned” data use?

A working interest group of the World Wide Web Consortium (W3C) continued discussions this week trying to figure out what should be considered “sanctioned” vs. “unsanctioned” tracking of users.  The context was a use-case document posted for members of the Federated Identity Community Group — a group thinking about how browsers or other technology should regulate exchange of individual user data among unrelated websites.

Notes from Friday’s virtual meeting posted publicly HERE and HERE show the discussion around whether a user is aware of what’s happening and what their data — such as an email address — is being used for besides just “logging in” to a so-called “relying party” (RP) website other than their home-base identity-service provider (IdP).

“If the user shares their email address with the RP, the user has an intuition that they are sharing it for the purposes of communication,” the notes say Sam Goto, a Google engineer said during the discussion. “What is less clear is if the different websites use that same email address for purposes other than for emailing me — that falls into the ‘catches users by surprise,’ “ Goto is recorded as adding. Then a moment later, Goto says: “I want to focus exclusively that when I share my email address with a website, that I don’t expect the website to have the ability to have my activity in this website joined with my activity in another website.”

Goto’s comments are important because a number of ad-tech companies are proposing identity systems that would operate after the deprecation of third-party cookies which are based upon the sharing of end-user email addresses among websites. As well, California privacy laws may be interpreted by regulators to outlaw that practice.  The result could be to frustrate the ability of data warehousing and ad-tech firms to match user data for targeting and marketing.

AD TECH

• IAB Tech Lab Releases Content Taxonomy 3.0 | IAB Tech Lab news release
• VENDOR VIEW: Privacy, personalization and attribution — a fight for ad-tech’s life | Diane Perlman, Blis CEO via AdExchanger.com
• Does Apple’s iPhone privacy changes signal desire to enter advertising? | Tapanjana Rudra, Reuters PLC
• VENDOR VIEW: How to thrive in a privacy-first ecosystem: Understanding cookie deprecation | Pierce Cook-Anderson, Smart via WhatsNewInPublishing.com
• Cohorts, Context And Cookies: What’s Next In The Quest For A Sustainable Ad Ecosystem? | Andrew Frank, Gartner Inc., via AdExchanger.com
• VENDOR VIEW: How advertisers can achieve success in a contextual-driven new world | Chris Ebmyer, TheDrum.com
• VENDOR VIEW: How to boost your data-driven marketing and still respect privacy | Ian Simons, Facebook via. AdAge.com

PLATFORMS AND PRIVACY 

• Google breaks web standards with Chrome with impunity and without consensus, analyst argues | Scott Gilberton, TheRegister.com
• Criteo’s FLoC Tests Confirm There’s Way More Work Before It’s Ready For Prime Time | Allison Schiff, AdExchanger.com
• Analysis of Google’s “Privacy Budget” proposal’s fingerprinting problem | Eric Rescorla, Mozilla Corp., via dist://ed blog
• Facebook Asks Court To Throw Out FTC’s Revised Antitrust Claims | Wendy Davis, DigitalNewsDaily/MediaPost.com
• Business school professors explain how companies should do privacy better | Ruslan Momot et al., Northwestern-Kellogg School
• Criteo’s FLoC Tests Confirm There’s Way More Work Before It’s Ready For Prime Time | Allison Schiff, AdExchanger.com
• Ex-Apple engineers’ survey claims iPhone tracking privacy feature is “functionally useless” | Stephen Warwick, iMore.com | UNDERLYING REPORT

IDENTITY AND PRIVACY 

• Media Briefing: Why universal ID maintenance is becoming ‘a big consideration’ among publishers | Tim Peterson, DigiDay.com
• VENDOR VIEW: What is an identity strategy for publishers, advertisers?  | Wenda Zhou, IPONWEB via AdMonsters.com
• BigID — not a necessary tool, according to privacy group’s study | Ria Sawheny, AccessNow.org
• US spends $239M on federal agency digital identity projects | Jim Nash, BiometricUpdate.com

NETWORKS AND JOURNALISM 

• Publishers break silence over secret deals behind $1bn Google publisher payments | William Turvill, PressGazette.co.uk | RELATED REPORT
• Can freemium ever be free? Paywall strategies from news, B2B and B2C | Chris M. Sutcliffe, DigitalContentNext.org
• How streaming entertainment makes rural broadband unsustainable | Stephanie Kanowitz via Benton Institute
• Summarizing positive developments in charging for news | Marc Tracy, NYTimes.com