POLL: Some 80% of Americans support many parts of privacy bill | Chris Teale, MorningConsult.com
Advertisers, tech, business don’t like the ADPPA so far; neither does Sen. Cantwell. Leaving California driving?
Ongoing reaction to a “bipartisan” effort to enact a new U.S. data privacy law is lining up along the same fault lines that have blocked congressional action for years. The advertising and technology industries don’t like the latest proposals and privacy advocates are generally supportive, while looking for additional protections. And Senate Commerce Committee chair Maria Cantwell, D-Wash., remains unconvinced.
“Federal privacy legislation cannot undermine California’s groundbreaking privacy laws,” Rep. Anna Eshoo, D-Calif., said during a hearing. Similarly unconvinced, via Tweet, is Sen. Ron Wyden, D-Ore., an ardent tech-privacy advocate.
The American Data Privacy Protection Act (ADPPA) proposes a compromise on the preemption of state laws and individuals’ ability to sue, two hot-button issues that have stymied legislative progress. Cantwell reacted earlier this month: “For American consumers to have meaningful privacy protection, we need a strong federal law that is not riddled with enforcement loopholes.” She added: “Consumers deserve the ability to protect their rights on day one, not four years later. Americans also deserve a law that imposes a duty of loyalty on the companies that collect and monetize personal data so that the companies cannot abuse that data.”
REACTION TO ADPPA DRAFT
Staffers working for the GOP and Democratic supports of the draft bill prepared a roundup up supportive comments, including from a lawyer for the Future of Privacy Forum, a moderate, industry back policy group, and Free Press.
Under the draft bill, big tech companies would be limited to collecting, processing and transferring only the data that is reasonably necessary to provide their services, the Wall Street Journal reported. And for some sensitive categories of data, such as geolocation data or biometric information, the bill would prohibit transfer or restrict it to very limited circumstances.
“Our members remain concerned that it’s too broad,” John Miller of the Information Technology Industry Council, was quoted by the Wall Street Journal’s John McKinnon as saying, calling the draft bill “a recipe for a flood of lawsuits.”
The powerful U.S. Chamber of Commerce said the draft was ‘unworkable and should be rejected,’ The chamber continued: “Unfortunately, the ADPPA was released with less than two months before the August recess, and we believe that a bill that is so novel, complex and far-reaching into the businesses practices of nearly every industry like the manufacturing, retail, financial services, hospitality, and innovation sectors should not be rushed through the last six months of the 117th Congress.”
The most prominent advisor to the ad-tech industry, lawyer Stuart Ingis, opposes the bill, arguing the provisions regarding tracking are too restrictive. “I don’t think the bill as written is fixable,” Venable attorney Stuart Ingis, advisor to the industry coalition Privacy for America, says. “It’s going to have huge negative implications on the whole internet economic model — which will be bad for consumers and bad for businesses,” Ingis says.
Privacy for America — a coalition that includes the Interactive Advertising Bureau, Association of National Advertisers, American Association of Advertising Agencies, Digital Advertising Alliance, and Network Advertising Initiative — stated earlier in week that the draft bill “unfortunately falls short in terms of protecting responsible data use.”
Data minimization one focus of questions at ADPPA hearing | Joseph Duball, IAPP Staff
Warren, Wyden, Murray, Whitehouse, Sanders Introduce Legislation to Ban Data Brokers from Selling Americans’ Location and Health Data |. U.S. Senate news release
FTC AND PRIVACY
Legality of RTB data “sharing” questioned in U.S. federal court — and separately in legal threat from Ryan
A tech-savvy federal judge in California, in a preliminary ruling, is setting the stage for a monumental battle over the legality of “real-time bidding” (RTP) for companies that must comply with the California Privacy Rights Act (CPRA) beginning next year. So is Johnny Ryan, the Irish privacy advocate.
U.S. District Judge Yvonne Gonzalez Rogers’ rejected a request by Google Inc. to dismiss a class-action lawsuit launched last year. Missouri resident Kimberley Woodruff and other users say the RTB system violates privacy by sharing personal information with third parties. Google’s main argument is that the information shared is not “personal,” consumers have no expectation of privacy, and the company’s privacy statements disclose its practices adequately.
Rogers disagrees in her June 13 decision. “While plaintiffs might have been informed about Google’s use of information for its own internal purposes such as directing targeted advertising to plaintiffs, the referenced disclosures do not discuss the challenged conduct here — the sale and disclosure of plaintiffs’ personal information to third parties without plaintiffs’ consent or knowledge.”
The judge ruled the suit alleges enough facts to infer that personal information is shared by Google via the RTB process, and the case can therefore move forward. “Google argues that such information routinely shared and thus cannot support a reasonable expectation of privacy,” she ruled. “Not so,” she concludes.
Meanwhile, Irish Council for Civil Liberties privacy advocate Johnny Ryan says his organization is determined to challenge use in the European Union of a new initiative of the IAB Tech lab called “Global Privacy Platform (GPP).” (THIRD ITEM) In a June 8 letter to the IAB’s chief executive, Ryan says GPP relies upon a transparency-and-consent framework already found by EU regulators to violate the EU’s General Data Protection Regulation (GDPR). “”Therefore, we will be obliged to take legal action if you persist,” Ryan wrote in the letter to the IAB’s Anthony Katsur.
IDENTITY AND PRIVACY
Facebook Sued For Allegedly Collecting Patient Data From Hospital Sites | Wendy Davis, DigitalNewsDaily/MediaPost.com
PLATFORMS AND PRIVACY
- What Is the Competition and Transparency in Digital Advertising Act | Yakira Young, AdMonsters.com
- AUDIO: Johnny Ryan On How Ad Tech Can Change So Much – And Also Not At All | James Hercher, AdExchanger.com
- Five tech giants own over half the global ad market | Sara Fischer, Axios.com
- Exploding three myths that claim contextual advertising is ineffective | Joseph Zappa, StreetFightMag.com
- Publishers realize their user data is valuable to brands and agencies | Susie Stulz, AdMonsters.com
- Apple’s ad business may reach $6 billion by 2025 | Nicole Farley, SearchEngineLand.com
- VENDOR VIEW: Future of ad-tech is about consent, not cookies | Joe Root, CEO, Permutive.com
- RESEARCH: $1B in streaming ads may be playing to powered-off devices | Shoshana Wodinsky, GizModo.com
As California develops CPRA enforcement rules for 2023, law firm details challenges with “sharing” of user data
As regulators works through the process of making rules for the Jan. 1, 2023 enforcement of the California Privacy Rights Act (CPRA), a law firm has provided a heads up on why the definition of “sharing” vs. “selling” will become a big deal at that time.
“The CPRA concept of ‘sharing’ . . . focuses on whether personal information is used by third parties for cross-context behavioral advertising, rather than on whether there is monetary or other valuable consideration for disclosure,” write W. James Denvil and Sophie Baum of the Hogan Lovells law firm in their blog/newsletter analysis entitled, “CPRA countdown: The new concept of ‘sharing.’ “ (See, QUOTE OF THE WEEK, below, for an excerpt)
- EU privacy chief rebukes Irish DPA over lack of GDPR enforcement against Big Tech | Vincent Manancourt, Politico.eu
- Regulator Calls for Big Tech Privacy Cases to Be Handled by EU Watchdog | Foo Yun Chee, Reuters PLC
- Analyzing European Commission’s Q&A On The New Standard Contractual Clauses | Mark Prinsley et al., Mayer Brown law firm
- French privacy regulator offers guidance on use of Google Analytics in cross-border transfers | Patrice Navarro & Julia Schwartz, Hogans Lovells law firm
- WhatsApp has until July to comply with EU consumer law, EU says | Fuu Yun Chee, Reuters PLC
- Apple Faces German Antitrust Probe Into App Tracking Transparency | Tim Hardwick, MacRumors.com | REGULATOR’S STATEMENT | RELATED STORY
- REPORT: The challenge of filing data-protection complaint under the GDPR | AccessNow.com
- Belgian Supervisory Authority Sanctions News Media Company for Violating Cookie Rules | Wim Nauwelaerts, Alston & Bird law firm
- In France, Marseille battles against cameras and the surveillance state | Fleur Macdonald, MIT Technology Review
PLATFORMS AND PUBLISHERS
QUOTE OF THE WEEK
What is the difference between “sharing” and “selling”? With CPRA it matters
A key distinction in privacy regulation emerging in both California and within the European Union is distinguishing between “selling” and “sharing” information about consumer users of web services, especially for targeting advertising. In an excerpt below HoganLovells attorneys W. James Denvil and Sophie Baum describing the distinction which becomes effective next year in California.
“What is the difference between “sharing” and “selling”?
“Sharing” means “communicating orally, in writing, or by electronic or other means, a consumer’s personal information . . . to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration”
“A key difference between the concepts of “sale” and “sharing” is that “sales” of personal information under the [California Privacy Rights Act] CPRA require consideration; “sharing” does not. To understand what constitutes “sharing,” therefore, one must understand what cross-context behavioral advertising is and what entities are third parties. The CPRA defines the term as:
‘the targeting of advertising to a consumer based on the consumer’s personal information obtained from the consumer’s activity across businesses, distinctly-branded websites, applications, or services, other than the business, distinctly-branded website, application, or service with which the consumer intentionally interacts.’
“CPRA sharing therefore involves the disclosure, transfer, or other communication of personal information to third parties for purposes of advertising that is targeted based on a consumer’s activities on third-party and distinctly branded digital platforms.
“Under the CPRA, third parties are entities that are not:
- The business that a consumer intentionally interacts with;
- Service providers or contractors to such businesses that provide services to the business for specified purposes.
“Therefore, if businesses engage online advertisers, cookie providers, or other adtech providers to support cross-context behavioral advertising in the roles of service providers or contractors, the disclosure of personal information will not be considered “sharing.” The key questions for assessing whether information is “shared” are, therefore:
- Is the personal information of California residents disclosed to an entity for cross-context behavioral advertising (e.g., interest-based advertising targeted based on activities across the digital properties of other businesses or distinctly branded digital properties)?
- Is the recipient a third party, rather than a contractor or service provider?
- If the answer to both questions is, “yes,” the practice likely constitutes sharing, subject to the exceptions discussed below.
[To learn more about the CPRA’s opt-out rights, see the HoganLovells post here.
|ABOUT PRIVACY BEAT
Privacy Beat is a weekly email update from the Information Trust Exchange Governing Association in service to its mission. Links and brief reports are compiled, summarized or analyzed by Bill Densmore and Eva Tucker. Submit links and ideas for coverage to email@example.com.