Data Digest № 026
Welcome to Datawallet’s Data Digest, where I summarize and sometimes analyze the latest news in the data industry. Or in this case, the news over the last three weeks.
Microsoft expands coverage of the CCPA across the U.S.
Microsoft has vowed to ‘honor’ the ‘core rights’ of the California Consumer Privacy Act (CCPA) and expanded its coverage across the entire United States. Announced in a statement on Monday, Julie Brill, Microsoft’s chief privacy officer, said that the company will apply the principles of the CCPA across the whole of the U.S., similarly to the companies’ approach last year to Europe’s General Data Protection Act (GDPR). Brill wrote, “CCPA marks an important step toward providing people with more robust control over their data in the United States. It also shows that we can make progress to strengthen privacy protections in this country at the state level even when Congress can’t or won’t act.” Microsoft’s decision to roll out CCPA style rights across their entire customer base in the U.S. marks an important precedent in how large tech companies choose to meet the new privacy challenges posed by state privacy laws. Instead of creating what Marc Benioff has previously called “second class data citizens” Microsoft’s decision to treat all customers equally in terms of their data is, if anything, an acknowledgment of the importance of corporate data custodianship in consumers’ buying decision. With 87% of consumers stating that they will take their business elsewhere if they don’t trust how a company handles their data, Microsoft is smart to brand itself as a good data custodian by rolling out CCPA data rights to their entire customer base and therefore incentivizing customer retention as well as new customer acquisition. Smart move, Microsoft!
80% of Americans feel like they have very little or no control over the data being collected about them
According to a recent survey by Pew Research, over 80% of Americans feel like they have little to no control over the data being collected about them. Over 70% believe that almost everything they do online is being tracked with almost as many believing the same to be true offline, and 79% say they don’t trust companies to own up to mistakes when they mishandle data.
Considering recent history, such as the Cambridge Analytica scandal or the Equifax breach in 2017, it’s no surprise that Americans feel a lack of control over their data. Americans are more aware than ever of the unfair value exchange involving the trading of data for technology and convenience. As the Pew survey revealed most Americans have arrived at the conclusion that the potential risks of data collection by companies and governments significantly outweigh the benefits. It is precisely this evolution in public sentiment which helps understand the emergence of strict data privacy regulation intended to address the growing demand for control over data among voters with California enacting the most groundbreaking privacy bill in the U.S. on January 1st, the CCPA.
Americans and Privacy: Concerned, Confused and Feeling Lack of Control Over Their Personal Information
The might of CCPA fines and how Facebook is using your camera to spy on you
Two weeks ago, it came to light that Facebook’s app may have been opening iPhone cameras in the background without their users’ knowledge. The bug was detected on iOS 13.2.2 but not on iOS 12. Video and potentially sound recordings, which could easily be linked to individuals and therefore constitute personal information/data under the CCPA and the GDPR, were collected without the knowledge of the app-users, violating GDPR, CCPA, and potentially SB-220. Facebook commented, “we inadvertently introduced a bug that caused the app to partially navigate to the camera screen adjacent to News Feed when users tapped on photos.”
When the California Consumer Privacy Act (“CCPA”) takes effect on January 1st, 2020, California will be the first state to give residents the right to seek statutory damages of up to $7500 per incident, if their personal information is exposed in a data breach, with or without any actual harm. To succeed, the defense of the breached business must demonstrate that it had sufficient security procedures in place. A “wait and see” strategy is not an option with the CCPA.
After being flagged by the Attorney General for a violation, businesses are granted a mere 30-day timeframe to cure the violation and ensure that no further violations of the same type can occur. A broad interpretation of the term “cure” would mean overhauling entire processes and IT-systems. Failing to do this within the short timeframe might lead to the violation being categorized as intentional, which could lead to fines being tripled. Businesses that are more prepared to respond to data breaches will inevitably maintain a better defense in a breach lawsuit. But CCPA fines don’t stop there. There are many other costs associated with data breaches for businesses to consider including; reputation, business continuity, competitive disadvantages, investigation, legal, contractual, regulatory, notification, and litigation costs.
For a more in-depth look at the potential risks of CCPA fines, you can read our blog post.
CCPA fines blow GDPR's out of the water
Google to let sites block personalized ads under CCPA
Google has announced that the launch of a new feature that allows websites subject to the California Consumer Privacy Act (CCPA) to block personalized ads for consumers in California. In spite of Big Tech’s efforts to exempt personalized ads from California’s landmark privacy bill, Google will need to allow customers to opt-out of the sale of their personal data, of which personalized ads are a major use case. Since collecting and processing information on consumers helps companies like Google more accurately target the latter with ads, premiums for this type of inventory often have a 10x premium compared to regular ads. Not being able to offer this type of premium inventory will likely result in a major revenue loss for Google and other ad tech players, as advertising dollars will be diverted to other advertising channels. Google said that when the “restricted data processing” is triggered, ads will only be based on general data such as the user’s city-level location or the subject of the page where the ad is appearing. Choosing whether or not to enable restricted processing is left to the operator of a website, meaning the compliance burden and potential legal ramifications are on website owners.
Google to let sites block personalized ads under California privacy law
Google’s secret “Project Nightingale” collects sensitive health information of millions of Americans, and simultaneously, they’ve acquired Fitbit
The announcement of Google’s new partnership with Ascension, the second-largest health care system in the U.S., and their recent acquisition of Fitbit have raised serious concerns around the collection and usage of personal data. The secret project, named “Project Nightingale” was reported by the WSJ last week and has since caused a stir.
Sounding increasingly like an episode of Black Mirror, the data collection is part of Google’s bigger plan to introduce new software using AI that will analyze patient information for Ascension and provide recommendations for people to improve their health. The move has also come just as the company has acquired a fitness watchmaker, Fitbit, for $2.1 billion, also infamous for its bad data collection practices.
Over 150 employees at Google’s parent company, Alphabet, have already been given access to the health data of tens of millions of Americans. And while the information they are collecting is not technically illegal under the Health Insurance Portability and Accountability Act of 1996 (giving hospitals permission to share some data with businesses as long as it’s used to “help the covered entity carry out its health care functions”), the increased dominance that Google will consolidate from these two business deals is clearly a violation of people’s rights to health data privacy. Google is currently hiring healthcare executives, showcasing their plans to move forward regardless. In response to widespread outrage among privacy advocates, Google stated that no Fitbit data would be used for advertising purposes. Google exec, Rick Osterloh, promises that “Fitbit health and wellness data will not be used for Google ads.” This sounds awfully similar to claims made by Zuckerberg to not merge Whatsapp data with Facebook data, which were to no avail. Furthermore, there is no law currently in place to prevent Google from doing so.
WSJ News Exclusive | Google’s ‘Project Nightingale’ Gathers Personal Health Data on Millions of Americans
One Of The Biggest Data Leaks Ever Exposes Data On 1.2 Billion People
A data leak discovered by Bob Disaschenko and Vinny Troia unveiled over 4 terabytes of data from 1.2 billion unique people on an unsecured Elasticsearch server, making it the largest single source data breach of all times. So far, it looks like the data has originated from two different data enrichment companies, People Data Labs (PDL), and OxyData.io who pride themselves on having “unparalleled coverage across over 150 data points” and “in-depth data on people and companies”. Enriching of data is the process of taking a data set and augmenting the existing data with third-party data that is matched around a certain identifier, be it emails, names, IP addresses, or similar. The data assets maintained by People Data Labs and OxyData for enrichment and now breached contained information including names, email addresses, phone numbers, LinkedIn and Facebook profile information. When the researchers contacted the companies, both denied ownership of the server leaking the data. Troia noted that they may never find the culprit who combined the companies data into a single database and left it exposed.
1.2 Billion Records Found Exposed Online in a Single Server
A new online privacy act is cooking in Silicon Valley
Anna Eshoo and Zoe Lofgren, lawmakers who represent Silicon Valley have announced an ambitious but all-encompassing online privacy act. Requirements of the bill include the limiting of use, collection, and sharing of personal information for specific business needs. It would also require users to opt into specified data collection and give them the ability to delete and correct data about themselves, as well as limiting the duration period companies could hold their information. The lawmakers claim that the current enforcement, the Federal Trade Commission, are lacking in resources, are “toothless” and have issued “the equivalence of parking tickets” to reprimand privacy violations. The two, therefore, suggest the enforcement of a Digital Privacy Agency of up to 1,600 employees. In representing the districts of some of the largest technology companies in the world, Lofgren stated that she and Eshoo wanted to make a point, “if the representatives from Silicon Valley took a strong stand for privacy rights, it would be meaningful to the rest of Congress, that’s why it’s as bold as it is.”
For a more in-depth analysis of the proposed Online Privacy Act (OPA), you can read our latest blogpost.
Proposed Federal Online Privacy Act Goes After Big Tech and puts Consumers in the Driver’s Seat
What I'm Reading:
Breach affecting 1 million was caught only after hacker maxed out target’s storage
Senate Democrats unveil priorities for federal privacy bill
T-Mobile confirms customers' personal data accessed in hack | Engadget
Thousands of hacked Disney+ accounts are already for sale on hacking forums | ZDNet
Google to let sites block personalized ads under California privacy law
New York Expands Definition of Private Information and Imposes Groundbreaking Cybersecurity Requirements
Facebook Viewpoints pays users for well-being surveys & tasks – TechCrunch
SerafinData Digest Consumer PrivacyCCPA GDPR Industry Trends Analyst Reports Data Breaches Data Misuse