VIEW IN YOUR BROWSER

Utah Consumer Privacy Act gubernatorial fate not-yet announced as of March 24 

• Utah Likely Next State to Enact Consumer Privacy Law | National Law Review | DETAILS ON UTAH LAW
• Utah law provides broad protection and rights concerning the collection, use, processing | Anjali C. Das, Wilson Elsner law firm | RELATED REPORT
• How the Utah Consumer Privacy Act Stacks Up Against Other State Privacy Laws | Aaron J. Burstein, Kelley Drye law firm | RELATED STORY
• How Utah law differs from other state privacy laws | Max Reiper, MultiState.us
• Utah Consumer Privacy Act – Mintz’s Hot Take | Cynthia Larose & Christopher Buontempo, Mintz law firm

STATEHOUSE BEAT 

• Tech companies seen as lobbying for weak state privacy laws | Margaret Harding McGill, Axios.com | (Consumer Reports worried about race to bottom)
• Proposed State Privacy Law Update: March 21, 2022 | David Stauss, HuschBlackwell law firm
• Avoiding “dark pattern” consent under California, Virginia, Colorado privacy laws | David Stass & Stacey Webber, Husch Blackwell LLP law firm
• Iowa House overwhelmingly advances privacy law similar to Utah’s | IAPP Daily Dashboard
• Sponsors of Massachusetts data-privacy bill sit for Q-and-A interview | David Stauss, Husch Blackwell law firm
• Florida House approves consumer data-privacy law; Senate tackles | Joseph Duball, IAPP Staff | BILL TEXT
• Colorado attorney general soliciting CPA rulemaking comments | IAPP Daily Dashboard
• Connecticut lawmakers tackle data privacy and loyalty | Christine Stuart, NBCConnecticut.com
• Consumer Reports asks public to support Washington State privacy proposal | Consumer Reports website
• VIDEO: State Law Privacy Video Series: Data Protection Assessment | David Saunders, McDermott Will & Emery law firm

EU & UK PRIVACY 

• Johnny Ryan’s NGO sues Irish privacy regulators to stop Google real-time bidding | Irish Council for Civil Liberties
• Schrems’ NOYB put 270 firms on notice about privacy banners | Luca Bertuzi, Euractiv.com | NOYB’S STATEMENT
• Facebook fined $18.6M over string of 2018 breaches of EU’s GDPR |  Natasha Lomas, TechCrunch.com | RELATED STORY
• UK ICO publishes draft on privacy-preserving governance approaches | IAPP Daily Dashboard
• German state DPA publishes updated cookie guide | IAPP Daily Dashboard
• Busted: Three Myths EU Companies Have About US Privacy laws | Odia Kahn, Fox Rothschild LLP law firm
• IAB Europe updates post-third-party cookie guide | IAPP Daily DashboarD
• FormerUK privacy commissioner joins U.S. privacy nonprofit advocacy board | Jennifer Bryant, IAPP Privacy Advisor
• Cybersecurity Experts Urge EU Lawmakers to Fix Website Authentication Proposal That Puts Internet Users’ Security and Privacy at Risk | Statement of Electronic Frontier Foundation
• European Parliament’s GDPR review hearing details enforcement hurdles | EU News release via IAPP Daily Dashboard

US-EU PRIVACY SHIELD TALKS

• Did U.S. Supreme Court decision make US-EU Privacy Shield agreement even harder? | Patrick Toomey & Ashley Gorski, TheHill.com
• EU’s Vestager: Privacy Shield 2.0 is ‘high priority’ but ‘not easy’ | Natasha Lomas, TechCrunch.com | EARLIER STORY

GLOBAL PRIVACY

• The evolution of India’s data privacy regime in 2021 | Rishi Wadhwa & Grace Bains, IAPP Privacy Tracker
• Australia proposes tougher child privacy standards for social media | Campbell Kwan, ZDNet.com

UPCOMING EVENTS

• WEBINAR: Privacy Priorities for 2022: Tracking State Law Developments | March 24, KelleyDrye law firm
• WEBINAR: State Privacy Law Summit: Brand & Privacy Obligations | March 29, April 14, Interactive Advertising Bureau
• MEETING/ONLINE: California Privacy Protection Board | March 29-30 | RULEMAKING DETAILS
• WEBINAR: Privacy + Security Forum | March 23-25, Daniel J. Solovy Teach Privacy LLC
• WEBINAR: Privacy Enhancing Technologies Evolution Series | March 24, IAB Tech Lab
• IAPP Global Privacy Summit 2022 | April 12-13, Washington, D.C. | (discount offer)
• EVENT: IAPP Global Privacy Summit | April 10-13, International Association of Privacy Professionals
• LIST: Omidyar Good ID project lists upcoming identity gathering

QUOTE OF THE WEEK 

Berjon: Governance and neutrality — even if “centralized” — can help eliminate web concentration of power

• The following are excerpts from a personal essay posted by New York Times data-governance vice president Robin Berjon earlier this month to his blog. Entitled “Capture Resistance,” it lays out Berjon’s thoughts for keeping the web open and competitive, with privacy as an important value.  The full piece is found at: https://berjon.com/capture-resistance/

“A decentralized system, in the sense of not having a topologically central point of control, is neither necessary nor sufficient to eliminate the excessive concentration of power that a party may hold over others in the system. Hypertext is decentralized but the Web can still be captured by controlling discovery or browsing. Token-based governance may share power but is susceptible to plutocracy. Conversely, a centralized system operating under institutional rules of democratic access can (imperfectly) resist the excessive accrual of power — see for instance Wikipedia.

“A recent and excellent IETF draft from Mark Nottingham defines centralization as “the ability of a single entity (e.g., a person, company, or government) — or a small group of them — to exclusively observe, capture, control, or extract rent from the operation or use of a Internet function . . . . ”

“ . . . Centralisation results in another entity being able to overpower your ability to operate your system according to your intentions. It develops over time through various types of capture that include, as listed in the IETF draft, observing your operations (breaching confidentiality, appropriating trade secrets such as the behavior of people on your property), controlling your system (forcing you into choices that are inferior from business and technical perspectives), or extracting rent which, by any meaningful measure of its impact, is often indistinguishable from extracting ransom . . . .

” . . . A common component of capture attacks is to statistically rig the game so as to generate capture effects involving large populations even though, technically, any one of those people could have resisted the statistical nudging. A good example of this is using defaults to move laterally and project power from one space into another rather than compete on the merits. (Defaulting the search engine, browser, or mapping provider are all typical examples of lateral capture.) . . .  when capture succeeds (even partially), the operational performance of the technological system being captured is degraded because its owners lose control over it, lose revenue from it, and fewer people have access to better products or better technology. An architecture that is susceptible to capture has a vulnerability; and we can explore capture resistance through threat modeling and develop best practices for mitigation . . . First, information is power and a company developing the capability to observe the behavior of users on another business’s products is a capture vector. More generally, extracting data across contexts is a major contributor to anti competitive advantage.

“Privacy is first and foremost about people, but it also needs to protect businesses against the misappropriation of trade secrets. We need to grow our common understanding of privacy beyond a narrow understanding of personal data and extend it to the governance of data flows that impact people, including of actions that take place at a remove from personal data, for instance after anonymisation or through on-device methods. Preventing data from leaking, strictly forbidding user agents such as OSs and browsers from collecting data beyond basic telemetry and crashes, and enforcing purpose limitations whenever data has to be shared are all important mitigations . . .  We must prevent bad actors from using defaults to project power laterally between markets. The Web community should develop standard choice dialogs for browsers and search, including nutrition labels to help guide people make informed decisions over aspects of the options they cannot readily assess for themselves (eg. for privacy). For historical reasons this will also require better financing models for browsers, a hard conversation that is long overdue and must happen if we want a diverse and pluralistic Web instead of one captured by a self-reinforcing browser/search dynamic . . . .

” . . . Repairing the damage this has caused will require developing a sounder understanding of gatekeeping power, ridding the tech community of the dangerous delusion that neutral relevance exists, and developing sustainable interoperability in social, search, and aggregation . . . . .

” . . . We also need to do work to prevent opaque mechanisms from being used in place of open markets. Much has been said about the US State Attorneys General’s complaint that alleges that Google ran third-price auctions which they claimed were second-price and pooled the difference to inflate other bids to help make its offering look better than competitors’ and reap the benefits from winning more bids. Whether these allegations are true is for the courts to decide, but the fundamental problem is that the allegations should not be possible. It should be obvious to all involved in a market and easily proven, especially in a market that is a key infrastructrural component of the Internet, how auctions are operating and who wins what under which terms . . . .

” . . . Replacing a market with opaque mechanism design has two consequences. First, it captures the market since the mechanism will be optimized to benefit its designer rather than as a public good. Second, it captures the participants in the transactions because, in the absence of the information that a market normally provides, they lose the ability to take rational initiative and have to put their trust in charlatans — a situation that will sound familiar to those who know digital advertising . . . . 

” . . . The more general issue of which replacing markets with designed mechanisms is an instance is that of infrastructure neutrality. When infrastructure ceases to be neutral, which is to say when the infrastructure system uses data about its users in order to manage their behavior (an approach often labeled “smart”), it becomes decreasingly possible for them to act freely, rationally, and to take risks or innovate. Without infrastructures neutrality, the companies that operate on it lose the ability to learn about their environment, to adapt to it, or to develop a vision for their future because they are being too shaped by the infrastructure. … .A key requirement here is that any infrastructural layer must be subject to either exit or voice (or both), which is to that either it must be easy and practical for participants to leave one infrastructure provider for another (thanks to portability and interoperability arrangements) or they must be a stakeholder with genuine influence (at the very least a modicum of control such as voting in their constituency) over the governance of the system. This applies to app stores just as much as it does to advertising infrastructure . . . .

” . . . The danger of intermediation in particular cannot be stressed enough. Given the fast-growing complexity of our digital lives, we are facing with high probability and inside of a few years the dystopia of a single company inserting itself as the broker for all of our transactions with third parties. As a community, we need to become systematic and unforgiving in hardening our architectures against capture and we need to do it proactively rather than reactively. This requires an in-depth understanding of attack vectors and their mitigation.”