|
Amid CCPA confusion, consumer law and antitrust law need common privacy ground, says key attorney
Creating a better understood environment for privacy in cyberspace is going to end up involving elements of both antitrust law and consumer trade regulation and it would be useful for practitioners and advocates of both to begin coordinating their efforts, a prominent privacy and antitrust attorney says.
Alysa Z. Hutnik, a partner with the DC law firm of Kelley Drye & Warren LLP spoke by phone with Privacy Beat after moderating a panel last week. (See: “In a word — conundrum — as ad-tech, agency and publisher lawyers consider terms, enforcement of CCPA”).
“There are different principles for consumer antitrust vs. consumer privacy,” said Hutnik. “It is just that they affect one and the other…privacy and antitrust concerns meet in the middle.”
Hutnik has major brand publishing clients, as well as ad-tech companies, but neither Facebook nor Google, she said. She chairs her firm’s digital-privacy and security practice and is the consumer-protection officer of the American Bar Association’s antitrust section.
The COVID-19 epidemic has largely shut down efforts by other states to adopt digital privacy laws similar to California’s, said Hutnik. However, if the California situation gets murkier this fall with a new ballot initiative and continuing regulatory uncertainty, it could rekindle efforts on Capitol Hill toward superseding federal law. Right how, however, she sees no likely DC action.
In a phone discussion, Hutnik made these additional points:
-
Publishers, advertisers, platforms and others who deal with the personal information and privacy preferences of the public are stuck with a period of uncertainty that could go on for years because of evolving law in California — yet little movement in Washington.
-
The California Consumer Privacy Act (CCPA) and emerging regulations are so fluid that it is impossible to be certain what business practices will be outlawed or subject to enforcement. Thus, privacy officers should behave with good faith and follow emerging industry practices.
-
Draft CCPA regulations won’t be final until Oct. 1 at the earliest, and possibly not for months thereafter.
-
If Alastair Mactaggart’s new California new privacy initiative qualifies in the next few weeks for California’s November ballot, Mactaggart is unlikely to negotiate away the initiative in exchange for legislative action as he did with CCPA. If voters pass it, the new law will add potentially years of new complications.
-
One of the most ambiguous parts of the CCPA is the question of when it is illegal to “discriminate” against an online user who chooses not to share personal information. That’s because it is not always clear what constitutes “sale” of data, nor how to value the data in an exchange for services.
-
Hutnik believes publishers are OK to maintain adjustable paywalls, although she says a service such as Scroll, which provides multi-site, ad-free content viewing (and thus reduced tracking) for $5/month, may raise CCPA issues. But she said draft CCPA regulations “add more confusion that clarity” to the discrimination question.
-
There is no common understanding yet of how to value consumer data, even though the idea of a “data dividend” was broached by California Gov. Gavin Newsome in 2019.
“So for a publisher who is exercising good faith and efforts on the entire risk spectrum, what is the likelihood the attorney general’s office is going to enforce?” Hutnik asks. She thinks the likelihood is low, and adds: “That gives some breathing room.” She continued: “[With CCPA] you have an omnibus type of law that has a whole lot of moving parts to it with a lot of ambiguity.”
CCPA — WEEK TWENTY-ONE
FOR THE RECORD — TRUMP, TWITTER AND 230
WASHINGTON WATCH
|
|
Does your organization need customized privacy compliance solutions? ITEGA can help.
|
|
We bring together support you need to approach compliance with CCPA, GDPR if needed, and future privacy legislation as it emerges.
|
|
|
AT AGE TWO — ASSESSING GDPR
Privacy activist claims GDPR collaboration is ineffective, asks European Commission for sanctions
Hailed as a consumer-privacy breakthrough, Europe’s General Data Protection Regulation (GDPR) has growing pains as it reached two years of age this week, prompting a plea from the region’s most aggressive data-privacy advocate to get moving on complaints about Facebook and other platforms.
The activist and lawyer Max Schrems called on European authorities to push the Irish data-protection regulator to speed up its handling of cases he brought against Facebook. But regulators are plagued by too few regulators and too much business, others say, leaving them vulnerable to being swayed by big tech. And there are those who question a premise of GDPR that “consent” is a key way to frame privacy protection.
In his 16-page, May 25, GDPR-second-birthday open letter, Schrems says lack of cooperation among data-protection commissions in the various European Union nations is making the GDPR “fundamentally dysfunctional.” He says French authorities were able to swiftly investigate and fine Google 50-million Euros in a few months, while, he alleges, his cases filed two years ago against Facebook, Instagram and WhatsApp are stalled in Ireland.
In his letter he makes these claims:
-
There have been “no penalties” under GDPR for two years, despite more than 7,125 complaints in 2019 alone.
-
Facebook fails to properly obtain consent to use consumer data which it collects, employing what he calls a “consent bypass.” He says authorities in Ireland, where Facebook has its main EU office, are engaging in “secret cooperation” with the company, something the authorities dispute.
-
An optional investigative phase has added more than a year to the process, demonstrating “poor procedure management” by the Irish authorities and uncovering lack of cooperation with equivalent authorities in Austria, where Schrems’ European Center for Digital Rights — “noyb.eu” — is based.
Schrems asks the European Commission to sanction nations which are not promoting “effective application of the GDPR.”
RELATED LINKS
-
Under GDPR, life not much different for consumers | Joseph Zappa, StreetFight.com
-
EU: GDPR Survey: Benefits Beyond Compliance | Magalie Dansac Le Clerc, Global Compliance News
-
Top EU data protection agency under pressure to act against Internet giants as GDPR turns 2 years old | Glynn Moody, Private Internet Access
-
As the GDPR turns 2, Big Tech should watch out for big sanctions | Katie Collins, CNET
-
GDPR shows fixing online privacy will take longer than two years | Joseph Brookes, Which 50
-
GDPR at two: How far we’ve come, how far we still have to go | Alex Scroxton, Computer Weekly
-
On the second anniversary of GDPR, Covid-19 brings new data protection challenges | Ellen Daniel, Verdict
-
Belgian DPA Releases Report for Second Anniversary of the GDPR | Hunton Privacy Blog
-
We need to fix GDPR’s biggest failure: broken cookie notices | Matt Burgess, Wired
GDPR ENFORCEMENT
-
Vestager’s next big fight will be with Europe | Mark Scott, Politico
-
Key GDPR decision on “lawful” data transfer anticipated from Euro court | Henrik Hanseen, Laur Badi & Julian Flamant, Higan Lovells law firm
-
First major GDPR decisions looming on Twitter and Facebook | Natasha Lomas, Yahoo
-
Ireland’s data protection boss questions Apple over Siri privacy | Luke Dormehl, Cult of Mac
-
EU privacy enforcer hits make-or-break moment | Mark Scott, Politico
-
Facebook German privacy case referred to European Court | WHBL News Radio
-
Irish regulator reaches preliminary decision in Twitter privacy probe | Euractiv
-
Google accused of using GDPR to impose unfair terms on publishers | Natasha Lomas, TechCrunch
-
What are common examples of “legitimate interests” that are relied upon by controllers? | David Zetoony, Bryan Cave Leighton Paisner LLP
-
(How) will the EU shape the platform economy? | Bernd Meyring, Tech Insights
-
ANALYSIS: EU courts’ antitrust challenge to Google “shopping” is assessed | Lesley Hannah and Claus Wenzler, Hausfeld law firm
-
Norwegian DPA creating regulatory sandbox for AI | IAPP
-
Dutch grandmother’s Refusal to Remove Photos From Facebook Tests Privacy Law | Adam Satariano and Claire Moses, New York Times
-
An oversharing grandma’s court case offers lessons on setting boundaries for kids’ online privacy | Stacey Steinberg, My San Antonio
COVID-19 AND PRIVACY
-
‘Privacy has taken a back seat’ as governments pursue digital contact tracing | Derek du Preez, Diginomica
-
Apple and Google roll out their new exposure notification tool. Interest seems limited. | Sara Morrison, Vox
-
The world’s first contact-tracing app using Google and Apple’s API goes live | Daphne Leprince-Ringuet, ZDNet
-
AI can battle coronavirus, but privacy shouldn’t be a casualty | Philip Howard and Lisa-Maria Neudert, TechCrunch
-
Singapore’s contact-tracing app tops privacy study | Aaron Tan, TechTarget.com
-
North Dakota Microsoft Developer For COVID Tracing App Refutes Data-Sharing Allegations | Laurie Sullivan, Media Post
-
Contact Tracing Is Harder Than It Sounds | Kate Murphy, New York Times
-
Fever-checking technology is a danger to privacy and may not be accurate, ACLU says | Simone Jasper, Miami Herald
-
Coronavirus: French Privacy Watchdog Okays Contact Tracing App | Agence France-Presse, Gadgets 360
IDENTITY AND PRIVACY
PERSONAL PRIVACY
-
Consumer Reports’ Digital Lab Releases Two Studies on Digital Privacy and Online Tracking | Justin Brookman and Katie McInnis, Consumer Reports
-
Could Google’s ‘federated analytics’ analyze end-user data without invading privacy? | Kyle Wiggers, VentureBeat.com
-
Arizona sues Google over allegations it illegally tracked Android smartphone users’ locations | Tony Romm, Washington Post
-
U.S. state of Arizona files consumer fraud lawsuit against Google | Reuters
-
Arizona sues Google over claims it illegally collected location data from smartphone users even after they opted out | Tyler Sonnemaker, Business Insider
-
Arizona sues Google over claims it illegally tracked location of Android users | Nick Statt, The Verge
-
I tried to delete myself from the internet. Here’s what I learned | Seth Fiegerman, CNN
-
Look to Design, Not Laws, to Protect Privacy in the Surveillance Age | Raullen Chai, Coin Desk
-
Brave’s browser now includes a privacy-focused video calling app | Rachel England, Engadget
-
How Can We Take Back Control Of Our Data? | Dell Cameron, IB Times
-
Privacy flaws in security and doorbell cameras discovered by Florida Tech Student | Adam Lowenstein, Science Magazine
-
2020 Ends a Decade of 62 New Data Privacy Laws | Graham Greenleaf and Bertil Cottier, SSRN
|
|
|
ADVERTISING TECHNOLOGY
The IAB Tech Lab is moving ahead on its “Project Rearc” effort to find a replacement for the third-party cookie — a mainstay of web advertising that browser makers, including Google, are determined to gobble up and eliminate in response to consumer privacy concerns.
Third-party cookies continue to be the principal way that advertising networks “tag” and identify users across multiple independent websites to support real-time bidding (RTB) advertising. The problem is that the process is tech-and-bandwidth intensive, slows down websites, and results in data about users being stored opaquely all over the internet. And for publishers, it introduces a whole infrastructure of technology middlemen between the advertising and the publisher who must be paid.
The initiative began at IAB’s annual meeting over the winter in California and kickoff webinars on March 26 and 31 were designed to tell a “how did we get here and where are we today” story. At least two more webinars are planned, the first sometime during June, entitled “What does the removal of identifiers mean for publishers?” A third webinar will be entitled, “What does it mean for agencies and brands?”
IAB Tech Lab has also set up a task force and a series of working groups, some of which are open to the public.
MORE AD TECH
-
Digital ad-spend up 16%; CPMs down 16% in QT1 | Laurie Sullivan, MediaPost.com
-
Here’s Why LiveRamp Holdings Is Soaring Today | Chris Neiger, The Motley Fool
-
More intuitive privacy and security controls in Chrome | AbdelKarim Mardini, Google
-
Contextually Aligned Ads Drive a 93% Increase in Brand Awareness, USC and Channel Factory Find | Exchange Wire
-
California Privacy Compliance Obligations May Soon Change Under CPRA Ballot Initiative | Mark Brennan, Bret Cohen, Timothy Tobin and Julian Flamant, HL Data Protection
-
Are Publishers Finding Alternatives to Third-Party Cookies? | Video Ad News
-
What changes (and accelerates) in ad tech during a recession | Seb Joseph, Digiday
-
Google Begins Trialling Privacy Sandbox || Grace Dillon, Exchange Wire
-
Most Google searches don’t result in commerce, Searchmetrics study finds | Laurie Sullivan, MediaPost
|
|
PUBLISHING / ADVERTISING
Backers of brand-safe publisher websites report more than 70 advertisers, agencies adopt “white list” for placements
A news-industry effort to encourage more brand advertising on publisher websites reports some success in its first month, two organizers said this week.
The Local News Advertising Whitelist (LNAW) was announced April 2 after publishers endured a period of dramatic drops in programmatic advertising because some advertisers were telling computers not to put their ads on pages that carried news about the COVID-19 pandemic. But the initiative has a longer-term goal — to provide an alternative to ad placements on unknown or untrustworthy sites that mimic news purveyors.
The LNAW is a list of more than 4,000 URLs of quality news and information websites of radio, TV, print and digital-only local news organizations in the United States and Canada. It has been downloaded by over 70 companies, including top advertising-agency holding companies and marketers in addition to ad tech and brand-safety verification vendors, said Fran Wills, CEO of the Local Media Consortium (LMC).
“Many of the buyers downloading the list have indicated the inclusion of 100-3,000 domains that were previously not included in their buying lists,” said Scott Cunningham, a founder of the IAB Tech Lab who put together the list and maintains it for LMC and the partnered Brand Safety institute. “This indicates a massive adoption of local news as a content vertical, further separating it from social media in large advertising audience buys.”
The Local Media Consortium has financially supported ITEGA, the sponsor of Privacy Beat.
TRUST, PRIVACY AND THE NEWS
GLOBAL PRIVACY
BUSINESS OF PRIVACY
STATEHOUSE WATCH
-
ACLU sues Clearview AI over alleged Illinois biometric law violation | Ryan Mac, BuzzFeedNews.com
-
ACLU accuses Clearview AI of privacy “nightmare scenario” | Davey Alba, New York Times
-
ACLU calls Clearview AI tool “unprecedented violation” of privacy rights | Clare Duffy, CNN Business
-
Maine defends broadband privacy law against First Amendment challenge | Wendy Davis, MediaPost.com
-
EFF tells court Maine broadband privacy law DOES pass First Amendment muster | Adam Schwartz, Andrew Crockder & Kit Walsh, EFF.org
-
ACLU steps in to support Maine’s online privacy law | Edward Murphy, Portland Press Herald
-
Does California’s Privacy and Consumer Protection Committee actually care about privacy? | Caleb Chen, Private Internet Access
-
Google’s “Sidewalk” tech-aware community faces privacy concerns even after ditching Toronto | Ryan Johnston, StateScoop.com
-
Inside New Jersey’s Latest Effort on the Privacy Front | Kenneth K. Dort and Mitchell S. Noordyke, Faegre Drinker Biddle & Reath
EVENTS DATEBOOK
|
|
QUOTES OF THE WEEK
‘Doc’ Searls on marking GDPR turning two: The practice of ‘compliance’ isn’t working and tracking prevails
“Two years after the GDPR became enforceable, privacy would be the norm rather than the exception in the online world. That hasn’t happened, but it’s not just because the GDPR is poorly enforced. It’s because it’s too easy to claim compliance to the letter of GDPR while violating its spirit. Imagine if every shop you passed on the street sent someone outside to painlessly jab a needle into your neck, and then injecting a load of tracking beacons into your bloodstream. Would you be okay with that? Well, that’s what you’re saying when you click “Accept” or “Got it” when a typical GDPR-complying website presents a cookie notice…Get this: There is also no way for you to know exactly how you are being tracked or what is done with that information, because the instrument for that—a tool on your side—isn’t available. It probably hasn’t even been invented. You also have no record of agreeing to anything, other than a cookie it’s hard to find, examine or explain, deep in your browser’s bowels. Consenting to a cookie notice leaves nothing resembling an audit trail. So let’s go back to a simple privacy principle here: It is just as wrong to track a person like a marked animal in the online world as it is in the offline one…[T]tracking is still worse than rampant: it remains a defaulted practice for both advertising and site analytics.”
– An excerpt from a May 25 blog post at the Harvard Berkman Klein Center for Internet & Society by web-advertising/turned privacy pioneer Doc Searls, author of The Intention Economy and The Cluetrain Manifesto. Searls has been a Berkman Klein fellow working on Project VRM.
|
|
ABOUT PRIVACY BEAT
Privacy Beat is a weekly email update from the Information Trust Exchange Governing Association in service to its mission. Links and brief reports are compiled, summarized or analyzed by Bill Densmore and Eva Tucker. Submit links and ideas for coverage to newsletter@itega.org.
|
|
|
|
|
|