“Redline” version of amended ADPPA bill HR 8152

Ball in Pelosi’s and Cantwell’s courts to decide if a national privacy law will end ‘creepy’ targeting; advertisers worrying?

Bipartisan, round-the-clock drafting work by congressional staffers has sent to the floor of the U.S. House — days before a summer recess — a privacy bill that could end opaque data sharing and ad targeting that has dominated the Internet for more than 25 years.

“I believe [that is] the way the legislative process should be,” said Nora Benavidez, a justice and civil-rights lawyer with advocacy group FreePress. “It should be staffers, experts, civil society, coming together to come up with something.”  Benavidez was interviewed by Justin Hendrix, of TechPolicy.Press.

She was talking about the American Data Privacy and Protection Act (ADPPA), H.R. 8152, approved 53-2 by the House Energy and Commerce Committee on July 20 and sent to the House floor. The 132-page bill was substantially amended throughout before the vote. (REVIEW RED-LINED VERSION) | READ KEY DEFINITIONS

Chart compares federal proposal vs. California law 

Three advocacy groups, the Electronic Privacy Information Center (EPIC), the Lawyers Committee for Civil Rights Under the Law and the Center for Democracy and Technology put together a 11-page chart showing key provisions of California compared with provisions of the bill now headed for a potential U.S. House floor vote. The Washington Post’s Christiano Lima summarized the three groups’ point of view — that the House bill is better for consumers than the CPRA.

The bill contains key definitions of terms like opting out of targeted advertising; covered, derived and sensitive data; service provider, third party, transfer and addresses questions about loyalty programs and pricing.

• Don’t Look Now, but Congress Might Pass an Actually Good Privacy Bill | Gilad Edelman, Wired.com
• Bill sent to full House seen as giving GOP pre-emption and Dems private right | Cristiano Lima, WashingtonPost.com | AMENDED VERSION AS APPROVED 53-2 | BILL STATUS PAGE

Advertisers oppose in unison

Seven advertising and ad-tech policy organizations jointly said they oppose the measure, which would appear to largely outlaw — absent explicit user consent — the practice of opaquely collecting and sharing browsing habits and demographics of users across the web. They said H.R. 8152 would “severely damage the U.S. consumer economy.”

The law defines, and somewhat restricts the use of “covered data” and outright prohibits sharing of “sensitive data.”  Before a website may show a user an ad targeted to an individual’s web behavior, the user must be given an unambiguous chance to refuse it. Since that is how almost all advertising on the web is now placed, it’s no surprise ad-tech companies are worried.

Publishers — key beneficiaries of “contextual” rather than data-driven advertising — have not commented, so far. Contextual advertising would be unaffected by the measure.

• Seven ad and ad-tech lobby groups oppose bill in pre-markup letter, urging opt-out | Wendy Davis, DigitalNewsDaily/MediaPost.com | ADVERTISERS’ STATEMENT | LETTER TEXT
• Bill That Would Outlaw Behavioral Advertising Advances To House Floor | Wendy Davis, DigitalNewsDaily/MediaPost.com | EARLIER STORY

Writing at DigiDay, Marty Swank quoted Lartease Tiffith, evp of public policy at the Interactive Advertising Bureau, whose members include mostly tech and ad-tech companies and some advertisers, publishers and agencies.  “If you lose the ability to reach people based on what they’re interested in, you end up getting billboard ads.”

Advertisers aside, the more general consensus seems to be that the just-amended bill does more for consumer privacy — and particularly for marginalized groups — than laws already in effect in Europe, California and several states. A last-minute amendment would allow California regulators to become enforcers of the federal law as well as existing state law — but with some of the teeth removed from the state statutes and replaced by a more detailed federal law.

House Speaker Nancy Pelosi, D-Calif., has said she would not support “pre-emption” of California’s public-initiative privacy laws; she is likely now studying H.R. 8152 to decide if she will let it come to a full House vote this week. And the current language is not acceptable to attorneys general of 10 states including California.

• Limited private right of action possible after two years;  California may enforce | Cristiano Lima, WashPost via Twitter
• LETTER TEXT: Ten attorneys general, including California oppose House privacy bill | Rob Bonta via state of California
• There is debate over whether the bill is stronger or weaker than California in some respects | Cristiano Lima, WashingtonPost.com

If H.R. 8152 clears the House, it would move to the Senate, where Sen. Maria Cantwell, D-Wash., chairs the relevant committee to hear it. She has been distinctly negative about earlier congressional proposals that preempted state laws and limited the right of citizens to sue over privacy violations. But H.R. 8152 is designed to be a compromise on both points.

• Privacy hawks are learning to live with compromises. Will the Senate? | Ben Brody & Hirsh Chitkara, Protocol.com
• A national data privacy bill is gaining traction, but not everyone is yet on board | Marty Swank, DigiDay.com

Other reactions

Among supporter of the bill’s current language are Common Cause, by Consumer Reports, the Lawyers Committee for Civil Rights Under the Law and the Future of Privacy Forum, which notes the bill’s civil-rights protections in particular. But the Electronic Frontier Foundation is opposing it, seeking additional changes on the House floor. The ACLU also wants changes.  One of the closest followers of data privacy is lawyer Justin Brookman, director of technology policy at Consumer Reports.  He says the bill would create “dramatic . . . robus” privacy protections for the public if it becomes law. (See QUOTE OF THE WEEK, below, for more of Brookman’s thoughts).

More reaction from ad-tech 

The Interactive Advertising Bureau (IAB), which says it cannot support the bill, warned that the legislation will create a less friendly online environment not just for advertisers and small businesses but for the average online user whose speed and convenience of online experience depend on data.

“By some estimates, the proposed legislation is more punitive than EU regulations, which harm investments,” said Lartease Tiffith, EVP of public policy for IAB. “In an effort to ‘rein in Big Tech,’ Congress is stumbling down the same path, despite the consequences to small businesses and a vital industry.”

Perhaps the best-informed reporting on the ADPPA status is coming from Joseph Duball of the International Association of Privacy Professionals (IAPP).  He quoted Rep. Jan Schakowsky, D-Ill.: “It’s been a lot of work bringing these stakeholders together. I know almost everyone can probably find something that they wished were different in the bill. On the other hand, I do think we have a Band-Aid for the American people who are just fed up with the lack of privacy online.”

FTC told to enable “Safe Harbor” entities? 

In one features of H.R. 8152 relevant to the Information Trust Exchange Governing Association (ITEGA.org), the sponsor of this newsletter, the measure’s language would authorize the U.S. Federal Trade Commission to seek and sanction private entities that manage data-privacy compliance programs, a concept known as “Safe Harbor.” (See: “Brookings privacy expert sees ‘safe harbor’ as part of bipartisan measure; says ITEGA might ‘fill the bill, but may be premature” (Privacy Beat, May 28, 2021)

RELATED LINKS

• As Congress dithers, a plea for the FTC to lead on privacy regulation | by Mark McCarthy, Brookings Institution
• Expert privacy lawyer provides thorough analysis of bill’s status, politics and prospects | David Stauss, Husch Blackwell law firm
• Congress’ big new privacy bill might just neuter the FCC’s role in broadcast/telcom enforcement | Jacob Seitz, DailyDot.com
• Federal Privacy Bill: Still Moving Forward, Cloudy Skies Ahead, FTC On Deck | Jessica Rich, Kelley Drye law firm

CALIFORNIA PRIVACY AND H.R. 8152

• California got right to enforce federal privacy proposal in last-minute tweak | Maria Curi, Bloomberg Government | DOCUMENT: TRACKING MOST SIGNIFICANT CHANGES
• CCPA’s Maureen Mahoney had explained earlier why it didn’t like H.R. 8152 | Hunton Andrew Kurth law firm | MAHONEY MEMO
• California Democrats Differ Over Comprehensive Federal Privacy Legislation | John Eggerton, MultiChannelNews.com
• Eshoo says House bill would cut back privacy rights for Californians | Marguerite Reardon, CNet.com
• CPRA regulation comments due Aug. 23; consumer requests | Aaron J. Burstein et al., Kelley Drye law firm
• New CPPA Rules for CPRA CPPA Updates. Confused Yet? | David Hale, Brownstein Hyatt Farber Schreck law firm

Drummond Reed, above, technologist among those behind “Decentralized Identifiers”

Over Google, Mozilla objections, W3C recommends “decentralized identifiers” as user-centric alternative to phone, email, social media IDs

A technology aimed at shifting more control of identity away from tech platforms, telecoms and other web operators and in the hands of individuals was embraced as a new “standard” last week by the World Wide Web Consortium (W3C).  It’s called “Decentralized Identifiers (DIDs)” or a form of globally unambiguous identifier.

The idea is to use cryptography — math-based software that includes digital “keys” — to supplement or even replace phone numbers or email addresses as the default way a person is represented across the web. As a result, supporters say, a person’s identity becomes portable and not controlled by some central authority or company.

Most email and social-network addresses are not “owned” by individuals, the W3C said in a July 19 announcement about the DIDs status, while DIDs “can be controlled by the individuals or organizations that create them, are portable between service providers, and can last for as long as their controller wants to continue using them.”

“One of the root causes of phishing (fraud) attacks is that most electronic communications addresses today (caller IDs, SMS, email addresses) are not cryptographically verifiable,” DID co-developer Drummon Reed told the news site PortSwigger. “They are easy to spoof. By contrast, control of a DID is cryptographically verifiable — the sener of a message can prove they control the private key for the DID.”

W3C is an unincorporated consortium hosted by MIT and three other global institutions with about 450 corporate members who’s technologists work on standards to make the World Wide Web more open and trustworthy.  It decided to “recommend” DIDs as a standard over the objections of member organizations Mozilla and Google, Reed said.

That’s because there are at least 120 registered methods being tried to implementing DIDs, and no consensus on which will become most common, promoting interoperability. The DID Working Group within W3C decided the market should decide, promoting innovation.

PERSONAL PRIVACY 

• T-Mobile settles to pay $350M to customers in data breach | Anne D’Innocenzio  Associated Press
• INTERVIEW: Why privacy matters; interviewing Neil Richards | Julia Angwin, TheMarkUp.org
• How to skim a privacy policy to spot red flags | Tatum Hunter, WashingtonPost.com
• Hospitals that sent patient data to Facebook should be investigated, state reps say | Teddy Rosenbluth, Charlotte Observer
• Where to find, edit, and remove everything your browser knows about you | David Nield, Popular Science
• Examining the intersection of data privacy and civil rights | Samatha Lai & Brooke Tanner, Brookings.edu
• Future of Privacy Forum releases “report” on privacy and sexual orientation | Amie Stepanovich, FPF.org

PRIVACY AND ABORTION

• Spurred by Roe overturn, senators seek FTC probe of iOS and Android tracking | Jon Brodkin, ArsTechnica.com | LETTER TEXT | (The letter was signed by Sen. Ron Wyden, D-Ore.; Sen. Elizabeth Warren, D-Mass.;  Sen. Cory Booker, D-N.J.; and Rep. Sara Jacobs, D-Calif.) | RELATED STORY | RELATED STORY
• In a Post-Roe World, (Does)  the Future of Digital Privacy Looks Even Grimmer? | Natasha Singer and Brian X. Chen, NYTimes.com
• The end of Roe could finally convince Americans to care more about privacy | Sara Morrison, Vox.com
• Lawmakers Question Oracle, Amazon And Others Over Location Data | Wendy Davis, DigitalNewsDaily/MediaPost.com
• Big Tech silent on data privacy in post-Roe America | Jessica Lyons Hardcastle, TheRegister.com
• Data privacy concerns make the post-Roe era uncharted territory | Juliana Kim, NPR.org
• Can US women trust big tech with their data after Roe v Wade? | Alex Hern, TheGuardian.com
• You scheduled an abortion. Planned Parenthood’s website could tell Facebook | Tatum Hunter, WashingtonPost.com
• Scholars question future of privacy rights after SCOTUS Roe decision | Margaret Harding McGill & Ashley Gold, Axios.com
• Period tracker app Flo developing ‘anonymous mode’ to quell post-Roe privacy concerns | Amina Kilpatrick, NPR.org

PLATFORMS AND PRIVACY 

• Google Changing Ranking Of Personal Data Websites Based On Privacy Concerns? | Laurie Sullivan, MediaPost.com
• Amazon’s $3.9 billion One Medical acquisition is already raising data privacy concerns | Clint Rainey, FastCompany.com
• Brave says it has a way of collecting your data without undermining your privacy | Joel Khalili, TechRadar.com
• Fourteen privacy groups urge Google to rethink their gathering and use of data | Wendy Davis, DigitalNewsDaily/MediaPost.com | LETTER TEXT
• Google Allowed Russian Ad Company to Harvest User Data for Months | Craig Silverman, ProPublica.org
• Google targeted in fresh EU consumer groups’ privacy complaints | Foo Yun Chee, Reuters PLC
• EU privacy advocates say Google signups “unclear, incomplete, and misleading” | Ashley Belanger, Arstechnica.com
• DuckDuckGo traffic declines as it confirms deal to use Microsoft search engine | Barry Schwartz, Search Engine Roundtable
• Microsoft Plans to Eliminate Face Analysis Tools in Push for ‘Responsible A.I.’ | Kashmir Hill, NYTimes.com

Why data matters — what food retailer Kroger says in its annual report — third-party revenue on 60 million households

It’s isn’t just Google, Facebook, Apple, Amazon and ad-tech companies that realize the value of user data, as is evident in the annual report (10-K) of The Kroger Co., the giant, Cincinnati-based supermarket chain and affiliates.  Here’s an excerpt from the report, filed with the U.S. Securities and Exchange Commission and sent to shareholders, which describes Kroger’s marketing strategy, in part, as delivering “billions of personalized recommendations . . . . “

“We are evolving from a traditional food retailer into a more diverse, food first business. The traffic and data generated by our retail supermarket business, including pharmacies and fuel centers, is enabling this transformation. Kroger serves over 60 million households annually and because of our market leading rewards program, 96% of customer transactions are tethered to a Kroger loyalty card.

“Our 20 years of investment in data science capabilities is allowing us to leverage this data to create personalized experiences and value for our customers and is also enabling our fast-growing, high operating margin alternative profits, including data analytic services and third party media revenue.”

“. . . Data governance failures can adversely affect our reputation and business. Our business depends on our customers’ willingness to entrust us with their personal information.”

ADVERTISING TECH 

• Some 75% Of U.S., U.K. Consumers Uncomfortable Buying From Brands With Poor Data Ethics | Karlene Lukovitz, DigitalNewsDaily/MediaPost.com
• Advertisers spent $115 million on clickbait sites, report finds | Ryan Barwick, MarketingBrew.com
• Trade Desk asserts more buy-in on UID 2.0, but no “administrator” yet | Allison Schiff, AdExchanger.com
• AUDIO: Google struggles to get buy-in on Google Analytics overhaul; delays cookie sunset | James Hercher, AdExchanger.com
• BACKGROUND: Inventor of digital cookie has some regrets | Nicolas Rivera, Quartz.com
• Vendor’s data show first-party IDs outperformed third-party cookies in programmatic | Laurie Sullivan, DigitalNewsDaily/MediaPost.com
• AUDIO: Prebid sees its ranks swell as publishers seek shop-talk forum  ($$) | Catherine Perloff & Mark Stenberg, AdWeek.com
• As publishers focus on their user data, potential for collaboration with brands, agencies grows | Susie Stulz, AdMonsters.com

ANTITRUST

• Internal documents show Facebook and Google discussing platform strategies | Makena Kelly, TheVerge.com
• U.S. Antitrust Reform Is Necessary to Defend Global Human Rights | Jennifer Brody, AccessNow via TechPolicy.Press
• Mozilla, in full-page ad ‘co-signed’ by 4,000 people, urges Congress to pass antitrust law curbing platforms | Rebecca Klar, TheHill.com | RELATED STORY | MOZILLA AD IMAGE
• DOJ Poised to Rebuff Google Concessions, Clearing the Way for Antitrust Suit | Leah Nylen, Bloomberg.com
• Lina Khan’s Tight FTC Timetable for Tackling Big Tech | Paul Alexander, TheBulwark.com
• U.S. Chamber of Commerce sues the FTC | Ashley Gold, Axios.com

NEWS, TRUST AND PLATFORMS 

• Facebook/Meta reportedly cutting back in investment in news and newsletters | Andrew Hutchinson, SocialMediaToday.com
• Digital media veterans raise $25M for “Semafor” to tackle trust in news | Katie Robertson & Benjamin Mullin, NYTimes.com
• REPORT: The State of Local News, 2022  | Penny Abernathy, Northwestern-Medill University
• Google Avoids More Fines After Settling French News Dispute | Gaspard Sebag, Bloomberg.com
• U.S. newspapers continuing to die at rate of 2 each week | David Bauder, The Associated Press
• Can Taxing Big Tech Save Journalism? An idea from Ohio | Julia Angwin, TheMarkup.org
• OPINION:  I stopped reading the news. Is the problem me — or the product? | Amanda Ripley via WashPost.com