Data Digest № 027

Serafin Lion Engel
Published in Datawallet Blog
Dec 9, 2019


Welcome to Datawallet’s Data Digest, where I review and occasionally analyze the latest news and the most critical developments in the data industry.


Here’s a look at the latest developments:

What Problems Does the IAB’s CCPA Compliance Framework Solve?

This week I had the pleasure of analyzing the strengths and weaknesses of the IAB’s CCPA Framework for AdMonsters. The IAB and IAB Tech Lab’s CCPA Compliance Framework provides a set of standards to help make it easier for publishers and their ad tech partners to comply with the CCPA’s requirements around the sale of PI. The Framework speaks of four key players within the ad ops industry: Publishers of Digital Property, SSPs, DSPs, and DMPs.

The IAB Framework aims to provide technical guidelines on how to comply with the CCPA’s regulatory standard; however, this is where the gaps between law and technology become apparent. The Framework deviates from reality and specifies that, in some cases, an opt-out can only happen at the device level. The CCPA speaks solely of an opt-out at the consumer level and states that a global opt-out of sale should be displayed prominently. There is no mention of a device-level opt-out in the text of the law. The Framework asserts that the Digital Property publisher may request additional information from the consumer for identification purposes to effectuate a consumer-level opt-out, but steers clear of specifying which data points should be required. Request verification processes are specified in depth in the CCPA Draft Regulations (Article 4).

Although the IAB’s CCPA Compliance Framework provides a much-needed industry standard to pass along crucial information about a consumer’s sold PI and the consumer’s journey concerning what the CCPA requires, the Framework’s weaknesses and strengths come from the same source: its purpose is not to provide a definitive answer on CCPA language and interpretation, or to solve all CCPA compliance issues. Instead, it intends to deliver a distinct twist on CCPA compliance for ad tech companies, which can recognize and incorporate the Framework into their systems as they see fit. Using the Framework will undoubtedly ease the complexities of dealing with the rest of the ad ops ecosystem. However, it’s essential to comply with all the other extensive areas the CCPA covers. Compliance can be costly, but getting it wrong is even more expensive. Working with a company that provides the infrastructure to automate all other compliance aspects not covered by the Framework will dramatically reduce costs and demands on in-house resources, including guaranteed constant compliance.

Datawallet Head of Policy & Strategy, Dr. Else van der Berg, submits comments on CCPA to California’s Attorney General

Datawallet’s Head of Policy & Strategy, Dr. Else van der Berg, has submitted comments to the Attorney General (AG) of California regarding critical issues and concerns with the proposed draft regulations pursuant to the California Consumer Privacy Act (CCPA). The letter highlights Datawallet’s stance as a strong consumer advocate, supporting the importance of forcing companies to be explicit about the reasons and purposes at the point data is collected from consumers, and forcing them to ask for explicit opt-in consent for any new purposes, giving consumers the effective control over personal data they deserve and need. Touching on the CCPA’s and Draft Regulations’ far-reaching scope and definition of personal information, Dr. van der Berg is additionally advocating on Datawallet’s behalf for the explicit inclusion of content from messaging in the definition of personal information. Datawallet’s letter to the AG also asks for clarification in the final regulations to define exactly which obligations service providers face, and what they need to do to achieve compliance. You can find the full letter below:

https://drive.google.com/viewerng/viewer?url=https://cdn2.hubspot.net/hubfs/5416641/Datawallet%2520comments%2520on%2520draft%2520regulations%2520pursuant%2520to%2520the%2520CCPA.pdf

Twitter Updates Its Global Privacy Policy

Twitter is updating its global privacy policy to comply with the California Consumer Privacy Act, going into effect on January 1st, 2020. Twitter has faced some severe data discredits this year, most recently in October, when the company realized it had used phone numbers and email addresses that users provide for two-factor authentication for advertising purposes. To redeem its reputation, Twitter stated in a blog post that it would both upgrade its systems and build privacy into new products. The company is furthermore launching the Twitter Privacy Center to clarify the company’s data protection efforts and give users an easier way to access and download their data. The company is also moving accounts of users outside of the United States and European Union from the Twitter International Company in Dublin, Ireland, to Twitter Inc., based in San Francisco, to provide users more control over preferences that could be restricted by the EU General Data Protection Regulation.

The Toughest Federal Privacy Legislation On The Block: Consumer Online Privacy Rights Act (COPRA)

Among the numerous federal privacy bills introduced to Congress this year, Sen. Maria Cantwell’s COPRA bill is by far the most aggressive. The bill codifies privacy as a right and recognizes that a lack of enforcement results in “empty gestures.” Requiring explicit opt-in consent from consumers when processing or sharing sensitive data with third parties (in comparison to the CCPA’s opt-out), COPRA holds companies responsible for correcting or deleting inaccurate data and ensures that companies collect as little information as possible about consumers. The bill calls for the establishment of a new bureau under the Federal Trade Commission and introduces language that would strengthen the F.T.C.’s hand to extend its protection of consumer digital privacy issues by deeming violations to be “harmful and deceptive practices.”

It also expands the scope of sensitive information to include biometric facial recognition and geolocation data, content of messages and derived data, while preventing companies from collecting cross-site profiles and sharing personal information. Even better, it provides protections to whistleblowers, puts the onus on companies to safeguard consumer data, and includes a data portability provision, forcing companies to make it easy for consumers to transfer their data. Unfortunately, COPRA still lacks a Republican sponsor, making it likely that it will be tabled until 2021. Co-sponsored by Sens. Brian Schatz, D-Hawaii, Amy Klobuchar, D-Minn., and Ed Markey, D-Mass., this bill is a comprehensive and well-thought-out action plan to tackle national data privacy issues.

For a detailed overview of the key differences between COPRA and US CDPA 19 see our latest blog post:

Victims Take A Stand Against The Equifax 2017 Data Breach Settlement

On December 19th, District Judge Thomas Thrash of Atlanta must decide whether he approves the current Equifax settlement of $700 million for the massive data breach affecting data of 147 million Americans. If he does, a mere $31 million will go to the victims, a portion of whom will only receive free credit monitoring. $31 million would amount to just 21 cents per person if all 147 million victims of the breach were to file a claim, and is less than 5% of the total settlement. Even more worrisome, Equifax itself would provide the free credit monitoring service. Talk about a fox watching the henhouse.

An interesting solution was presented by Reuben Metcalfe, founder of Class Action Inc., who created a chatbot tool that automatically files objections for the Equifax settlement at zero cost. Thanks to his device, 911 people objected to the arrangement. Thrash’s decision is about much more than compensation. His response to these objections will reflect a broader conversation in the world of data privacy. Metcalfe stated that Judge Thrash “has agency where 147 million people have none.” If companies think that it’s cheaper to get fined than obey the law in the first place (remember the Federal Trade Commission’s $5 billion settlement with Facebook?), they will fail to invest in security, and continue to deepen their pockets by abusing people’s data.

Companies Are Shockingly Unprepared For Upcoming Data Regulations

In under three weeks, the California Consumer Privacy Act (CCPA) will go into effect. A staggering 88% of companies responded in a survey that they had not reached “an adequate state of compliance.” Over 38% said they would need 12 months to become compliant with upcoming data regulations, with another 70% saying they had no engineering solution for policy compliance. These results are particularly concerning because as soon as the CCPA goes into effect on January 1st, 2020, businesses are granted a mere 30-day timeframe to cure a violation and ensure that no further breaches of the same type occur. Companies that defer tackling the CCPA run the risk of facing steep fines that cause considerably more damage than the GDPR, discussed in a recent article we posted.

Companies that think they can get away with a reactive “wait and see” approach risk severe damages, especially since it may constitute willful non-compliance, opening them up to $7,500 in damages per incident per person. Datawallet is easily adaptable based on the privacy laws with which you need to comply. It can be used as an end-to-end solution or as an extension to an existing solution. Designed with global compliance in mind, our combination of in-house experts and legal partners combs over each personal data law to ensure continuous compliance. If you’re part of the 88% of companies that are not prepared, reach out to us right here.

Amazon’s Ring Plans For Facial Recognition “Watch Lists”

Amazon’s plans to create AI facial recognition software in its home security cameras to build “watch lists” were revealed by internal documents reviewed by The Intercept. Though it remains unclear who would have access to these “watch lists,” the documents frequently refer to law enforcement, with whom Ring has recently formed 631 partnerships throughout the US. Digital rights activists such as Fight for the Future and other civil rights groups have mobilized against these partnerships, demanding that new regulations be put in place to stop local governments and police departments from partnering with Ring. From the blueprints, it appears that a Ring camera would be able to capture “suspicious activity” or “suspicious individuals,” and the Ring owner would be alerted. Ring’s Neighbors app would also provide lists for the Ring owners to discuss possible security threats. Motherboard reported that earlier this fall Ring had urged its users to report any unusual or suspicious activity in exchange for product discounts.

One of the many invasive features detailed in Ring’s plans was the addition of “proactive suspect matching.” There is serious potential for this to turn into an arbitrary system that tracks, profiles, and silently reports individuals based on a network entirely owned and controlled by Amazon. The company’s staff have been wrestling with the same concerns. An anonymous employee told The Intercept, “[it would] maybe catch porch pirates, but more realistically fuck over an innocent person of color.” Researchers and legal scholars have repeatedly confirmed that facial recognition and algorithms are susceptible to racial biases, and in many cases, propagate systemic racial discrimination. In February, Motherboard found that out of “100 user-submitted posts in the Neighbors app between December 6 and February 5, the majority of people reported ‘suspicious’ were people of color.”

Other stories you shouldn’t miss:

If The US Ban Strong Encryption, The Privacy Shield Data-Sharing Agreement Could Be At Risk [Techdirt]

Your Health Data Isn’t as Safe as You Think [WSJ]

Is ‘Do Not Track’ The New ‘Do Not Sell’? [Adexchanger]

Now even the FBI is warning about your smart TV’s security [Techcrunch]

Tech’s woke CEO takes the stage [Politico]

Facial recognition needs a wider policy debate [Financial Times]

If you’re interested in what we’re doing at Datawallet, including our Consumer First Compliance solution that helps you comply with an increasingly complicated patchwork of US and international data privacy laws, gives your customers control over their data, and provides you with modular decision-making powers to align with every new data regulation in a single consumer portal and consent management platform (CMP), go to https://datawallet.com/.

Best,

Serafin
