Data Digest № 027
Welcome to Datawallet’s Data Digest, where I review and occasionally analyze the latest news and the most critical developments in the data industry. Here’s a look at the latest developments:
What Problems Does the IAB’s CCPA Compliance Framework Solve?
This week I had the pleasure of analyzing the strengths and weaknesses of the IAB’s CCPA Framework for AdMonsters. The IAB and IAB Tech Lab’s CCPA Compliance Framework provides a set of standards to help make it easier for publishers and their ad tech partners to comply with the CCPA’s requirements around the sale of PI. The Framework speaks of four key players within the ad ops industry: Publishers of Digital Property, SSPs, DSPs, and DMPs.
The IAB Framework aims to provide technical guidelines on how to comply with the CCPA’s regulatory standard; however, this is where the gaps between law and technology become apparent. The Framework deviates from reality and specifies that, in some cases, an opt-out can only happen at the device level. The CCPA speaks solely of an opt-out at the consumer level and states that a global opt-out of sale should be displayed prominently. There is no mention of a device-level opt-out in the text of the law. The Framework asserts that the Digital Property publisher may request additional information from the consumer for identification purposes to effectuate a consumer-level opt-out, but steers clear of specifying which data points should be required. Request verification processes are specified in depth in the CCPA Draft Regulations (Article 4).
The IAB’s CCPA Compliance Framework provides a much-needed industry standard for passing along crucial information about a consumer’s sold PI and the consumer’s journey with respect to what the CCPA requires. The Framework’s weaknesses and strengths come from the same source: its purpose is not to provide a definitive answer on CCPA language and interpretation, or to solve all CCPA compliance issues. Instead, it intends to deliver a distinct twist on CCPA compliance for ad tech companies, which can recognize and incorporate the Framework into their systems as they see fit. Using the Framework will undoubtedly ease the complexities of dealing with the rest of the ad ops ecosystem. However, it is still essential to comply with all the other extensive areas the CCPA covers. Compliance can be costly, but getting it wrong is even more expensive. Working with a company that provides the infrastructure to automate all the other compliance aspects not covered by the Framework will dramatically reduce costs and demands on in-house resources, while guaranteeing constant compliance.
What Problems Does the IAB’s CCPA Compliance Framework Solve? - AdMonsters
Datawallet Head of Policy & Strategy, Dr. Else van der Berg, submits comments on CCPA to California’s Attorney General
Datawallet’s Head of Policy & Strategy, Dr. Else van der Berg, has submitted comments to the Attorney General (AG) of California regarding critical issues and concerns with the proposed draft regulations pursuant to the California Consumer Privacy Act (CCPA). The letter highlights Datawallet’s stance as a strong consumer advocate, supporting the importance of forcing companies to be explicit about the reasons and purposes at the point data is collected from consumers, and forcing them to ask for explicit opt-in consent for any new purposes, giving consumers the effective control over personal data they deserve and need. Touching on the CCPA’s and Draft Regulations’ far-reaching scope and definition of personal information, Dr. van der Berg is additionally advocating on Datawallet’s behalf for the explicit inclusion of content from messaging in the definition of personal information. Datawallet’s letter to the AG also asks for clarification in the final regulations to define exactly which obligations service providers face, and what they need to do to achieve compliance.
Twitter makes global changes to comply with privacy laws
The Toughest Federal Privacy Legislation On The Block: Consumer Online Privacy Rights Act (COPRA)
Among the numerous federal privacy bills introduced to Congress this year, Sen. Maria Cantwell’s COPRA bill is by far the most aggressive. The bill codifies privacy as a right and recognizes that a lack of enforcement results in “empty gestures.” Requiring explicit opt-in consent from consumers when processing or sharing sensitive data with third parties (in contrast to the CCPA’s opt-out), COPRA holds companies responsible for correcting or deleting inaccurate data and ensures that companies collect as little information as possible about consumers. The bill calls for the establishment of a new bureau under the Federal Trade Commission and introduces language that would strengthen the FTC’s hand to extend its protection of consumer digital privacy by deeming violations to be “harmful and deceptive practices.”
It also expands the scope of sensitive information to include biometric facial recognition and geolocation data, content of messages, and derived data, while preventing companies from collecting cross-site profiles and sharing personal information. Even better, it provides protections to whistleblowers, puts the onus on companies to safeguard consumer data, and includes a data portability provision, forcing companies to make it easy for consumers to transfer their data. Unfortunately, COPRA still lacks a Republican sponsor, making it likely that the bill will be tabled until 2021. Co-sponsored by Sens. Brian Schatz, D-Hawaii, Amy Klobuchar, D-Minn., and Ed Markey, D-Mass., this bill is a comprehensive and well-thought-out action plan to tackle national data privacy issues.
For a detailed overview of the key differences between COPRA and US CDPA 19 see our latest blog post:
Federal Privacy Legislation in 2020? Democrats and Republicans Remain Conflicted
Victims Take A Stand Against The Equifax 2017 Data Breach Settlement
On December 19th, District Judge Thomas Thrash of Atlanta must decide whether he approves the current Equifax settlement of $700 million for the massive data breach affecting the data of 147 million Americans. If he does, a mere $31 million will go to the victims, a portion of whom will only receive free credit monitoring. $31 million would amount to just 21 cents per person if all 147 million victims of the breach were to file a claim, less than 5% of the total settlement. Even more worrisome, Equifax itself would provide the free credit monitoring service. Talk about a fox watching the henhouse.
An interesting solution was presented by Reuben Metcalfe, founder of Class Action Inc., who created a chatbot tool that automatically files objections to the Equifax settlement at zero cost. Thanks to his tool, 911 people objected to the arrangement. Thrash’s decision is about much more than compensation. His response to these objections will reflect a broader conversation in the world of data privacy. Metcalfe stated that Judge Thrash “has agency where 147 million people have none.” If companies think that it’s cheaper to get fined than to obey the law in the first place (remember the Federal Trade Commission’s $5 billion settlement with Facebook?), they will fail to invest in security and continue to deepen their pockets by abusing people’s data.
Opinion | One Man Can Bring Equifax to Justice (and Get You Your Money) (Published 2019)
Companies Are Shockingly Unprepared For Upcoming Data Regulations
In under three weeks, the California Consumer Privacy Act (CCPA) will take effect. In a survey, a staggering 88% of companies responded that they had not reached “an adequate state of compliance.” Over 38% said they would need 12 months to become compliant with upcoming data regulations, with another 70% saying they had no engineering solution for policy compliance. These results are particularly concerning because, as soon as the CCPA goes into effect on January 1st, 2020, businesses are granted a mere 30-day timeframe to cure a violation and ensure that no further breaches of the same type occur. Companies that defer tackling the CCPA run the risk of facing steep fines that cause considerably more damage than the GDPR, as discussed in a recent article we posted.
Companies who think they can get away with a reactive “wait and see” approach risk severe damages, especially since it may constitute willful non-compliance, opening them up to $7,500 in damages per incident per person. Datawallet adapts easily to whichever privacy laws you need to comply with. It can be used as an end-to-end solution or as an extension to an existing solution. Designed with global compliance in mind, our combination of in-house experts and legal partners combs through each personal data law to ensure continuous compliance. If you’re part of the 88% of companies who are not prepared, reach out to us right here.
Few companies are prepared for upcoming data privacy regulations
Amazon’s Ring Plans For Facial Recognition “Watch Lists”
Amazon’s plans to build AI facial recognition software into its home security cameras to create “watch lists” were revealed by internal documents reviewed by The Intercept. Though it remains unclear who would have access to these “watch lists,” the documents frequently refer to law enforcement, with whom Ring has recently formed 631 partnerships throughout the US. Digital rights activists such as Fight for the Future and other civil rights groups have mobilized against these partnerships and demanded that new regulations be put in place to stop local governments and police departments from partnering with Ring. From the blueprints, it appears that a Ring camera would be able to capture “suspicious activity” or “suspicious individuals,” and the Ring owner would be alerted. Ring’s Neighbors app would also provide lists for Ring owners to discuss possible security threats. Motherboard reported that Ring had urged its users to report any unusual or suspicious activity in exchange for product discounts earlier this fall.
One of the many invasive features detailed in Ring’s plans was the addition of “proactive suspect matching.” There is serious potential for this to turn into an arbitrary system that tracks, profiles, and silently reports individuals based on a network entirely owned and controlled by Amazon. The company’s own staff have been wrestling with the same concerns. An anonymous employee told The Intercept, “[it would] maybe catch porch pirates, but more realistically fuck over an innocent person of color.” Researchers and legal scholars have repeatedly confirmed that facial recognition and other algorithms are susceptible to racial biases and, in many cases, propagate systemic racial discrimination. In February, Motherboard found that out of “100 user-submitted posts in the Neighbors app between December 6 and February 5, the majority of people reported ‘suspicious’ were people of color.”
Amazon’s Ring Planned Neighborhood “Watch Lists” Built on Facial Recognition
What I'm Reading:
EU Tells US: Ban Strong Encryption, And Privacy Shield Data Sharing Agreement Could Be At Risk
Your Health Data Isn’t as Safe as You Think
Is ‘Do Not Track’ The New ‘Do Not Sell’? | AdExchanger
Now even the FBI is warning about your smart TV’s security – TechCrunch
Tech’s woke CEO takes the stage