Will Soltani challenge email IDs, programmatic advertising? | W3C group considers ‘sanctioning’ email identity

Privacy Beat

Your weekly privacy news update.



Meet CPPA’s Ashkan Soltani — now America’s top data-privacy “cop” — at least until Washington gets cracking

The United States has a new top privacy cop on the beat and he is likely to be tough on curbing programmatic advertising — and the use of email as a unique identifier.  His name is Ashkan Soltani and he was hired this week as executive director of the California Privacy Protection Agency (CPPA).

Legal observers and privacy-rights activists believe California law, in the absence of congressional action, will have to be followed nationwide as a practical matter because the state is so large and so many tech companies are based there. The board which hired Soltani is packed with privacy experts already, and Soltani was a principal author/advisor on both the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA).

Soltani, a former journalist and U.S. Federal Trade Commission chief technologist, is now “the de facto chief privacy regulator for the United States,” tweeted Celine Mactaggart, a founder of Californians for Consumer Privacy with her husband Alastair, who was the key backer of both California laws. Soltani also helped author and implement.

California Attorney General Rob Bonta has already started focusing on privacy abuses in the “programmatic” advertising industry, which is based on opaque collection of user activity to send targeted commercial messages. Soltani will likely accelerate that scrutiny. And he has also suggested in comments before Congress and elsewhere that he doesn’t think the sharing of unique email addresses to extend cross-site targeting is legal under the CCPA or CPRA.

A third likely area of focus for Soltani will be making sure websites serving California residents honor a blanket “do not share my information” request that a consumer sends with the Global Privacy Control (GPC) web-browser signal — something Soltani also helped deploy as an independent privacy technologist. Bonta’s office issued an opinion July 15 declaring that GPC is a valid signal under the CCPA.

The privacy board has scheduled a public meeting on Oct. 18 that can be viewed online.





Hartzog: Massachusetts lawmakers in spotlight for hearing on ACLU-backed “revolutionary” privacy proposal; retailers opposed private right of action

The spotlight on privacy and the use of personal data is turning to the cradle of liberty, where Massachusetts lawmakers will take up a data-privacy proposal that could be “the most revolutionary” in the United States, according to a prominent data-privacy-rights academic, Woodrow Hartzog. The Northeastern University law-school and computer-science professor wrote this week that the proposed Massachusetts Information Privacy Act (MIPA) would go beyond California or other states in some respects.

The bill was the subject of a virtual hearing on Wed., Oct. 13. It’s supported by the Civil Liberties Union of Massachusetts and opposed by retailers. It is sponsored by Sen. Cynthia Stone Creem, the majority leader of the overwhelmingly Democrat-controlled Senate, and Sen. Eric P. Lesser, a Democrat who chairs the committee holding the hearing. The bill, S.46, is teed up second of 40 bills on the hearing agenda.

Hartzog authored the 2018 book,  “Privacy’s Blueprint: The Battle to Control the Design of New Technologies.”

“Most states don’t have a true data privacy law,” Hartzog wrote in a Boston Globe op-ed about the bill, adding: “Even the few that do, such as California, Virginia, and Colorado, have a relatively narrow focus or weak enforcement provisions. MIPA takes the best parts of those laws and adds some strong prohibitions and penalties.” Hartzog writes that the bill would regulate the collection of data for ad targeting, address technologies that apply facial recognition, voice recognition and other sensors, and prohibit some uses of GPS location data.

The bill would write into law formidable duties of confidentiality, care and loyalty governing the collection or use of personal data, Hartzog writes, adding: “Under a duty of confidentiality, companies would be prohibited from selling your data without ensuring, for example, that the recipient of your data is contractually bound to the same duties of confidentiality, care, and loyalty. This would practically eliminate a large chunk of data sales.”

Hartzog writes the bill would create a Massachusetts Information Privacy Commission with authority to investigate wrongdoing, create and enforce privacy regulations, and provide ways for private citizens to bring complaints to the commission and seek monetary damages in court.






W3C federated-identity working group eyes practice of email for targeting — is that appropriate “sanctioned” data use?

A working interest group of the World Wide Web Consortium (W3C) continued discussions this week trying to figure out what should be considered “sanctioned” vs. “unsanctioned” tracking of users.  The context was a use-case document posted for members of the Federated Identity Community Group — a group thinking about how browsers or other technology should regulate exchange of individual user data among unrelated websites.

Notes from Friday’s virtual meeting, posted publicly, show that the discussion turned on whether a user is aware of what’s happening and what their data — such as an email address — is being used for besides just “logging in” to a so-called “relying party” (RP) website other than their home-base identity-service provider (IdP).

“If the user shares their email address with the RP, the user has an intuition that they are sharing it for the purposes of communication,” the notes say Sam Goto, a Google engineer, said during the discussion. “What is less clear is if the different websites use that same email address for purposes other than for emailing me — that falls into the ‘catches users by surprise,’” Goto is recorded as adding. Then a moment later, Goto says: “I want to focus exclusively that when I share my email address with a website, that I don’t expect the website to have the ability to have my activity in this website joined with my activity in another website.”

Goto’s comments are important because a number of ad-tech companies are proposing identity systems, based upon the sharing of end-user email addresses among websites, that would operate after the deprecation of third-party cookies. As well, California privacy laws may be interpreted by regulators to outlaw that practice. The result could be to frustrate the ability of data warehousing and ad-tech firms to match user data for targeting and marketing.








Cisco-funded polling finds increasing global privacy concern and willingness to switch companies over data policies

Two new polls confirm again growing public concern over misinformation and misuse of personal data — one commissioned by The Associated Press and another by the prominent networking hardware maker Cisco Systems Inc.

The AP poll of 1,073 Americans Sept. 9-13 found that while only 2 in 10 are “very worried” they may have spread misinformation, 41% are “very worried” they have been exposed to it. According to the poll, 79% of Republicans and 73% of Democrats said social media companies have a great deal or quite a bit of responsibility for misinformation.

In June, researchers hired by Cisco contacted 2,600 adults in 12 countries  and asked them about companies’ use of personal data.  The respondents were not told who was conducting the study.

The study found that (1) consumers are willing to act to protect their data (2) privacy laws are viewed positively around the world and (3) consumers are very concerned about the use of their personal information in artificial-intelligence applications and that abuse erodes trust. Specific datapoints:

  • Forty-six percent of respondents said they aren’t able to effectively protect their personal data and 76% agreed with the statement it is “too hard to figure out what companies are doing with my data.”
  • The number of respondents classified by the survey as “privacy actives” increased to 32% from 29% in a 2020 survey. Of that group, 86% said they care about data privacy and protecting others and want more control; 79% of the segment was willing to act, and 47% have already acted by switching companies or providers over data policies.
  • “Privacy actives” in the 25-34 age bracket are the most concerned about privacy, followed by 37% of 35-44 and 36% of 18-24. The least concerned were those over 75 (14%).

Robert Waitman is director of privacy research and economics at Cisco.







 “Without an identity layer on the internet, we exist online as mere account holders”

  • Below are edited excerpts of a blog post by Zac Cohen, chief operating officer of Trulioo, a Canadian digital-identity network operator, about the complex challenge of building an identity layer when the Internet doesn’t have one. It’s entitled “The Digital Identity Imperative.” He concludes: “Without an identity layer on the internet, we exist online as mere account holders that are bound to the terms and conditions of the social media services and platforms we belong to.”

“ . . . Establishing a verified digital identity is a complex process. Authenticating that a person performing an action online is who they say they are, and then validating that they exist is tedious for two major reasons.

“Firstly, digital identification procedures require checking in with conventional and alternative data sources and identity tools that are scattered across many different channels and providers. 

“Secondly, identification verification procedures are not uniform across the globe – identity infrastructure, technological capabilities, data normalization and privacy policies vary from country to country and sometimes even state by state.

“Additionally, individuals around the world have unique attributes that are dependent upon things like jurisdiction, use cases and other factors. This further illustrates why building an identity layer that comprises a robust network of tools and data points is extremely difficult . . . .

“Governments have been introducing a variety of privacy protection regulations, such as GDPR in Europe. Not only are there huge potential fines for non-compliance, breaches or lapses in protecting personally identifiable information (PII) erode trust and confidence in online services.

“A uniform digital identity network would support data minimization, that is, ensuring only the sensitive information needed for a specific interaction would be accessed securely by a third party with our authorization. And importantly, it would free the siloed identities we have across online services by making our digital identity portable and applicable to every interaction and transaction.

“Without an identity layer on the internet, we exist online as mere account holders that are bound to the terms and conditions of the social media services and platforms we belong to. Most importantly, this would help to preserve the trust and safety that is so vital to the digital interactions we participate in every day.”


Privacy Beat is a weekly email update from the Information Trust Exchange Governing Association in service to its mission. Links and brief reports are compiled, summarized or analyzed by Bill Densmore and Eva Tucker.  Submit links and ideas for coverage to newsletter@itega.org.





Copyright © 2021 Information Trust Exchange Governing Association, All rights reserved.
