Skip to content

Privacy News Roundup: February 13 mega-post

Data brokers selling Americans mental health data, legal theory, state and federal privacy legislation, and more!

Nexus of Privacy News Roundup

It's been almost two weeks since I did the last privacy news roundup ... and a lot's been happening!

Data Brokers and the Sale of Americans’ Mental Health Data

Joanne Kim on Tech Policy @ Sanford (techpolicy.sanford.duke.edu)

The Technology Policy Lab at the Duke Sanford School of Public Policy looks at data brokers and data on U.S. individuals’ mental health conditions, and finds that data brokers advertise and sell this data.  They argue that "the largely unregulated and black-box nature of the data broker industry, its buying and selling of sensitive mental health data, and the lack of clear consumer privacy protections in the U.S. necessitate a comprehensive federal privacy law or, at the very least, an expansion of HIPAA’s privacy protections alongside bans on the sale of mental health data on the open market."

ALSO:

How US police use digital data to prosecute abortions

Zack Whittaker on TechCrunch (techcrunch.com)

Court records reveal how police in the U.S. use text messages, emails, search history to prosecute people seeking abortions.  This article looks at several cases in detail – critical information when considering new legislation intended to protect people seeking abortions or gender-affirming care (which is also criminalized in an increasing nmber of states).

Distinguishing Privacy Law: A Critique of Privacy as Social Taxonomy

María P. Angel and Ryan Calo on SSRN papers.ssrn.com

A really interesting paper critiquing the approach at the core of 20th-century privacy scholarship.  Angel and Calo highlight both the value of the social taxonomy approach – and it's limitations.  Here's the abstract

What distinguishes violations of privacy from other harms? This has proven a surprisingly difficult question to answer. For over a century, privacy law scholars labored to define the illusive concept of privacy. Then they gave up. Efforts at distinguishing privacy came to be superseded at the turn of the millennium by a new approach: a taxonomy of privacy problems grounded in social recognition. Privacy law became the field that simply studies whatever courts or scholars talk about as related to privacy.
And it worked. Decades into privacy as social taxonomy, the field has expanded to encompass a broad range of information-based harms - from consumer manipulation to algorithmic bias—generating many, rich insights. Yet the approach has come at a cost. This article diagnoses the pathologies of a field that has abandoned defining its core subject matter, and offers a research agenda for privacy in the aftermath of social recognition.

This critique is overdue: it is past time to think anew about exactly what work the concept of privacy is doing in a complex information environment, and why a given societal problem—from discrimination to misinformation - is worthy of study under a privacy framework. Only then can privacy scholars articulate what we are expert in and participate meaningfully in global policy discussions about how to govern information-based harms.

FTC Enforcement

The FTC Is Taking on Telehealth’s Data Sharing Problem—Starting with GoodRx

Todd Feathers on The Markup (themarkup.org)

The action adds to mounting pressure on companies to stop sharing consumers’ health data for advertising purposes—the subject of a recent investigation by The Markup and STAT.

ALSO:

AI and Automated Decision Systems (ADS)

Journalistic Lessons for the Algorithmic Age

Julia Angwin on The Markup (themarkup.org)

A farewell letter from Julia Angwin

ALSO:

Child welfare algorithm faces Justice Department scrutiny

Sally Ho and Garance Burke on Associated Press (apnews.com)

The Justice Department has been scrutinizing a controversial artificial intelligence tool used by a Pittsburgh-area child protective services agency following concerns that it could result in discrimination against families with disabilities.

‘There is no standard’: investigation finds AI algorithms objectify women’s bodies

Gianluca Mauro and Hilke Schellmann on The Guardian (theguardian.com)

AI tools rate photos of women as more sexually suggestive than those of men, especially if nipples, pregnant bellies or exercise is involved

ALSO:

Federal Privacy Legislation

EPIC Urges Financial Services Committee to Strengthen Privacy Bill

EPIC - Electronic Privacy Information Center (epic.org)

The proposed Financial Data Privacy extends the notice-and-choice provisions of the Gramm-Leach-Bliley Act (GLBA).  EPIC says this does little to protect privacy. “The Committee should not advance legislation that purports to be a privacy bill unless it includes a data minimization standard similar to what is set forth in the bipartisan American Data Privacy and Protection Act.”

Privacy Fears, Abuse Allegations Jeopardize Foreign Surveillance Tool

Dustin Volz on the Wall Street Journal (wsj.com)

FISA Section 702 surveillance expires at year end unless it's renewed, and Volz reports that "U.S. intelligence officials are more worried than ever about" its fate due to opposition from both parties.

How the US Can Stop Data Brokers’ Worst Practices—Right Now

Dell Cameron on WIRED (wired.com)

Legal experts say the Fair Credit Reporting Act should already prevent brokers from collecting and selling data that’s weaponized against vulnerable people.

ALSO

State privacy legislation

Bridger Beal-Cvetko, KSL.com on ksl.com (ksl.com)

An effort to prevent kids from using social media without parental approval cleared a Utah House committee last Friday, despite concerns from both sides of the aisle that the bill is a potential violation of privacy.

Texas State Representative Introduces Comprehensive State Privacy Bill Draft

Hunton Andrews Kurth’s Privacy and Cybersecurity on The National Law Review (natlawreview.com)

On February 6, 2023, Texas State Representative Giovanni Capriglione submitted H.B. 1844, a comprehensive privacy bill modeled after the Virginia Consumer Data Protection Act  – which in turn was based on the Bad Washington Privacy Act.

How Big Tech Rewrote the Nation’s First Cellphone Repair Law

Maddie Stone of Grist on The Markup (themarkup.org)

Documents reveal tech lobbyists revised a right-to-repair bill before New York’s governor signed it.  This isn't actually privacy legislation ... but it's a useful window into the techniques tech lobbyists use on all kinds of legislation, including privacy.

ALSO

North of the border

Harper government kills controversial Internet surveillance bill

John Ibbitson on The Globe and Mail (theglobeandmail.com)

Justice Minister Rob Nicholson said “we will not be proceeding with Bill C-30”

Office of the Privacy Commissioner of Canada (priv.gc.ca)

ALSO

Across the pond

Privacy and data protection too often suspended at EU borders

Wojciech Wiewiórowski on EURACTIV (euractiv.com)

Privacy and data protection are part of the human rights too often suspended at the borders of the European Union - as long as we continue treating migration as a ‘problem’, fundamental rights will remain compromised, Wojciech Wiewiórowski writes.

French Senate backs AI-powered video surveillance for Paris 2024 Olympics

Laura Kayali on POLITICO (politico.eu)

A majority of senators voted against introducing facial recognition.

ALSO

And ...

Cedars-Sinai Medical Center Sued for Website Tracking Technology Privacy Violations

HIPAA Journal (hipaajournal.com)

A lawsuit has been filed against Cedars-Sinai Medical Center alleging impermissible disclosures of patient data to Google, Meta, and other third parties

ALSO:

Apple sued for promising privacy, failing at it

Thomas Claburn on The Register (theregister.com)

What’s allowed for Cupertino is verboten for everyone else

Indian social media app Slick exposed childrens’ user data

Jagmeet Singh on TechCrunch (techcrunch.com)

The emerging Indian social media app exposed a database of young users’ private information, including school-going children.

Ian Cohen, LOKKER on VentureBeat (venturebeat.com)

Cookies are everywhere. And, several lawsuits reveal how orgs can misuse them and (inadvertently or no) gain access to highly personal data.

Quantum machine learning with differential privacy

William M. Watkins on Nature (nature.com)

In this study, we develop a hybrid quantum-classical model that is trained to preserve privacy using differentially private optimization algorithm. This marks the first proof-of-principle demonstration of privacy-preserving Quantum Machine Learning (QML).

What does GPT-3 “know” about me?

Melissa Heikkilä on MIT Technology Review (technologyreview.com)

Large language models are trained on troves of personal data hoovered from the internet. So I wanted to know: What does it have on me?

Project Texas: The Details of TikTok’s Plan to Remain Operational in the United States

Matt Perault on Lawfare (lawfareblog.com)

Last week, senior TikTok executives held a private briefing to review the details of Project Texas and the contours of the national security agreement it is negotiating with the U.S. government.

Brazil’s Telecom Operators Made Strides and Had Shortcomings in Internet Lab’s New Report on User Privacy Practices

Karen Gullo and Veridiana Alimonti on Electronic Frontier Foundation (eff.org)

Brazil’s biggest internet connection providers made moderate advances in protecting customer data and being transparent about their privacy practices, but fell short on meeting certain requirements for upholding users’ rights under Brazil’s data protection law.

FTC Finalizes Order with Ed Tech Provider Chegg for Lax Security that Exposed Student Data

the Premerger Notification Office Staff on Federal Trade Commission (ftc.gov)

The Federal Trade Commission has finalized its order with education technology provider Chegg Inc.

Modi Is Muzzling Big Tech

Rishi Iyengar on Foreign Policy (foreignpolicy.com)

Silicon Valley has spent years courting India, but its companies face an increasingly tricky censorship minefield in the world’s largest democracy.

David Hoffman on Lawfare (lawfareblog.com)

Today is Data Privacy Day, an annual event in which I am — rather proudly — personally invested. Data Privacy Day began with a conversation at my dinner table eight years ago, when Leonardo Cervera Navas (then with the European Commission and now with the European Data Protection Supervisor’s office…

Privacy-by-design can be a source of value and opportunity, not cost

Divsha Bhat on Gulf Business (gulfbusiness.com)

Privacy can become a selling point and a source of value, especially when it is implemented by design and not reactively.

States and Counties Making Fresh Progress on Privacy

Thad Rueter on GovTech (govtech.com)

This year’s Data Privacy Week drew attention to the increasing role that cybersecurity is playing for government. Public agencies are responding via new hiring but still face big challenges.

What’s on the Global Horizon for Data Privacy in 2023?

Shannon Knapp on JD Supra (jdsupra.com)

Expect another year of regulatory ambiguity for international data privacy laws in 2023, as the European Commission reviews the EU-US Data Privacy...

Data Privacy Laws and Blocking Statutes: Five Practical Strategies for Counsel

Rob Robinson on JD Supra (jdsupra.com)

Background Note: Data privacy has become a critical issue in the digital era, with laws and regulations constantly evolving. As a result, it’s...

Google Fi says hackers accessed customers’ information

Carly Page on TechCrunch (techcrunch.com)

The virtual cell service said customers’ data was exposed following “suspicious activity” relating to its primary network provider.

How surveillance tech helped protect power — and the drug trade — in Honduras

Anna-Catherine Brigida on Coda Story (codastory.com)

How big-name monitoring software from companies like Cellebrite and Palantir made Honduras a hotbed of spy tech.

Privacy assistant Jumbo tears down its paywall

Romain Dillet on TechCrunch (techcrunch.com)

Jumbo, an app that lets you control your privacy on the web, is hitting the reset button — sort of. While the company is still focused on privacy and security, users can now download and use all features for free as the premium subscription is gone

Could a More Powerful Web Tracker Be Good for Your Privacy?

Thomas Germain on Gizmodo (gizmodo.com)

Full Throttle is launching a new, souped-up tracker as Google moves to kill third-party cookies.

EU vows to get tougher on Big Tech privacy violations

on Engadget (engadget.com)

The EU is taking a tougher stance on Big Tech privacy investigations..

Just 16% of shoppers feel confident in managing data privacy and security

Isabel Cameron on Latest Retail Technology News From Across The Globe - Charged (chargedretail.co.uk)

Just 16% of UK consumers feel completely confident in managing their data privacy and security online according to security company Ring.

Data Privacy and the United Nations Sustainable Development Goals

Abraham Díaz on The National Law Review (natlawreview.com)

In the frame of the International Data Privacy Day celebrated around the world every January 28, it is worthy to remember the relevance gained worldwide by this subject matter as time goes by, as well

Small business spending on data privacy up 17% in 2022, higher than medium, large firms: Cisco study

MSME Desk on Financialexpress (financialexpress.com)

Spending at larger organizations remained relatively unchanged after steep increases from 2019 to 2020, the study said. The average privacy spending was $2.7 million in 2022.

CDT Comments to NTIA on Mobile App Ecosystem Competition

George Slover on Center for Democracy and Technology (cdt.org)

CDT submitted comments in response to the National Telecommunications and Information Administration’s (NTIA) request for input for its report on the state of competition in the mobile apps marketplace. Our comments state that competition is clearly in need of improvement, with just two platform eco…

Google Asks 9th Cir. to Reconsider Child Privacy Law Preemption Ruling

Christina Tabacco on Law Street Media (lawstreetmedia.com)

EU Tightens Oversight of Data-Privacy Regulators to Speed Up Decisions

Catherine Stupp on The Wall Street Journal (wsj.com)

Regulators must report details of large-scale investigations, amid complaints of case backlogs in Ireland, where many tech giants have their European headquarters.

A TikTok Trend You Can’t Ignore: Addressing the Risks by Protecting Privacy and Bolstering Transparency

Allie Funk on Freedom House (freedomhouse.org)

As one of the world’s most ardent defenders of internet freedom, the United States should strengthen requirements for privacy and transparency rather than resort to an outright ban.

We can no longer support the Online Safety Bill

Ellen Judson and Kyle Taylor on Politics Home (politicshome.com)

Around the world, children are being exposed to violent and inappropriate content online with sometimes devastating results.

ACLU, public defenders push back against Google giving police your mobile data

Lucas Mearian on Computerworld (computerworld.com)

Geofence warrants that allow law enforcement to collect location data on mobile device users for criminal probes are under attack by civil rights groups and public defenders; they say the warrants are fishing expeditions that expose personal information.

US lawmakers target TikTok in debate over regulating data privacy

Orange Wang on South China Morning Post (scmp.com)

Concerns are raised that the US is falling behind other countries in enacting a comprehensive federal data privacy and security law.

Are your bosses spying on you? New bill aims to curtail employer surveillance of workers

Candy Woodall on USA TODAY (usatoday.com)

Spying bosses is a side effect of working remotely and a mostly unregulated area of labor law that needs to be addressed, Sen. Bob Casey said.

Ad Blockers Could Be Helpful for Your Privacy

David Edwards on Robotics & Automation News (roboticsandautomationnews.com)

Whether you’re using a mobile device, a computer, or a tablet, ad blockers can help you save time, protect your personal information, and eliminate annoying ads. Among the many benefits, these tool…

Illinois top court endorses five-year window for biometric privacy claims

Daniel Wiessner on Reuters (reuters.com)

The Illinois Supreme Court on Thursday said workers and consumers have five years to sue for violations of the state’s unique biometric privacy law, rejecting a much narrower window pushed by business groups.

Be real or be stalked? Privacy pitfalls of Gen-Z’s favorite app

Isobel Cockerell on Coda Story (codastory.com)

BeReal, the photo-sharing app, puts a new twist on age-old privacy problems.

Compromise required to resolve impasse on data privacy regulation

Cantillon on The Irish Times (irishtimes.com)

Regulation of GDPR rules has become a political, legal and cultural tug of war

Haggard gun privacy bill moves to full House

Staff Reports on Daily Journal (dailyjournal.net)

A bill authored by freshman State Rep. Craig Haggard, R-Mooresville, to limit the information released to the federal government from handgun permits passed out of the committee Wednesday.

Smear campaign targets nominee who would be FCC’s first openly gay commissioner

Kevin Collier on NBC News (nbcnews.com)

The nomination of Gigi Sohn, who would be the FCC’s first openly gay commissioner, languished in a Senate committee. Now, she’s the subject of articles from the Daily Mail and Fox News that even her some of her rivals say are out of bounds.

New York attorney general orders stalkerware maker to notify hacked victims

Zack Whittaker on TechCrunch (techcrunch.com)

The New York-based stalkerware operator also agreed to pay more than $400,000 in civil penalties for facilitating phone surveillance.

Lawmakers stumble on data privacy as another tech CEO to testify

Gopal Ratnam on Roll Call (rollcall.com)

With TikTok’s CEO set to testify before a committee next month, Congress has struggled to fashion data privacy legislation.

Privacy Is a Right. Protecting It Is Not Extreme.

David Morar on New America (newamerica.org)

Sometimes, defenders of the status quo are the most extreme.

Security Principles: Addressing underlying causes of risk in complex systems

the Premerger Notification Office Staff on Federal Trade Commission (ftc.gov)

On December 14th, 2022, in collaboration with technologists on team CTO and attorneys in BCP, I gave a presentation at the Federal Trade Commission’s

Apple facing new lawsuit alleging tech giant failed to provide promised privacy

WRAL TechWire on WRAL TechWire (wraltechwire.com)

A legal complaint filed in the United States District Court for the Northern District of California alleges that Apple does capture data even when a user of an iPhone selects not to share data.

Third Version Of Colorado Privacy Act Draft Rules Published

David Stauss on JD Supra (jdsupra.com)

Keypoint: The draft CPA rules retain the hallmarks of what makes the CPA rules unique but contain some notable revisions and clarifications. On...

Hello from the Dark Side: Dark Patterns in Privacy

John Heckman on American Bar Association (americanbar.org)

Welcome to SciTech’s ePrivacy Committee webinar on dark patterns in privacy. Our expert panel will discuss all that you need to know regarding dark patterns in privacy, including what they are (with…

What US privacy laws do advertisers need to be aware of in 2023?

Confiant on Confiant (thedrum.com)

By John Murphy, chief strategy officer, Confiant January 28th is celebrated globally as Data Privacy Day. It acts as a reminder that several US state privacy regulations become effective during 2023. As a result, privacy could become more important to the ad ecosystem than ever in the United States,…

The privacy pendulum: What can ad tech’s past teach us about the future of tracking?

Yieldmo on Yieldmo (thedrum.com)

By Mark McEachran, VP platform product management The year was 1994. Lou Montulli, a Netscape engineer, had just invented the cookie. Did he mean to build the foundations of a digital ad industry that revolved around audience tracking and targeting? No. He just wanted a shopping cart to work properl…

Apple Privacy Suits Claim App Changes Were Guise to Boost Ad Revenue

Winston Cho on The Hollywood Reporter (hollywoodreporter.com)

Apple’s privacy campaign has driven its climbing ad revenue at the expense of competitors, especially Facebook parent company Meta.

Replika, a ‘virtual friendship’ AI chatbot, hit with data ban in Italy over child safety

Natasha Lomas on TechCrunch (techcrunch.com)

AI chatbot maker Replika has been ordered to stop processing user data in Italy over child safety and data protection concerns.

GitHub CEO on why open source developers should be exempt from the EU’s AI Act

Paul Sawers on TechCrunch (techcrunch.com)

GitHub CEO Thomas Dohmke says that open source developers should be made exempt from the EU’s proposed new AI regulations.

Twitter Circle glitches have users worried about privacy

Amanda Silberling on TechCrunch (techcrunch.com)

As more Twitter features break and glitch, users are becoming increasingly concerned about the platform’s stability.

Privacy and Cybersecurity Issues in Electric Vehicles

Hannah Ji-Otto on JD Supra (jdsupra.com)

This is the second article in a series of alerts that addresses what businesses, organizations and governmental entities should be considering as they...

HR data is now regulated under California privacy law: How to tackle compliance

Christian Auty on JD Supra (jdsupra.com)

2023 will be yet another dynamic year for data privacy regulation. In addition to the data privacy laws in Virginia, Colorado, Utah, and Connecticut...

Career Opportunities - California Privacy Protection Agency (CPPA)

on CPPA (cppa.ca.gov)

Opinion: Chula Vista’s use of automated license plate surveillance threatens everyone’s privacy

Norell Martinez, Nancy Relaford, Margaret Baker on San Diego Union-Tribune (sandiegouniontribune.com)

Use of surveillance technology disproportionately impacts immigrants.

Americans Flunked This Test on Online Privacy

on NYTimes (nytimes.com)

Many consumers want control over their personal details. But few understand how online tracking works, says a new report from the University of Pennsylvania.

ChatGPT is a data privacy nightmare. If you’ve ever posted online, you ought to be concerned

Uri Gal on The Conversation (theconversation.com)

ChatGPT is fuelled by our intimate online histories. It’s trained on 300 billion words, yet users have no way of knowing which of their data it contains.

Ex-Twitter privacy chief takes job at social media app BeReal

Sara Merken on Reuters (reuters.com)

Damien Kieran, who resigned as Twitter Inc’s chief privacy officer in November after Elon Musk took over the social media giant, has joined photo sharing app-maker BeReal as its top lawyer.

A New Draft Privacy Model Blooms From the NAIC Privacy Working Group

Ann Young Black on JD Supra (jdsupra.com)

On February 1, the NAIC’s Privacy Working Group’s new privacy model germinated. After months of development, the exposure draft, titled “Insurance...

ChatGPT is a data privacy nightmare. If you’ve ever posted online, you ought to be concerned

on The Conversation (theconversation-com.cdn.ampproject.org)

ChatGPT is fuelled by our intimate online histories. It’s trained on 300 billion words, yet users have no way of knowing which of their data it contains.

Musk’s Twitter is facing tricky questions over data deletion

Natasha Lomas on TechCrunch (techcrunch.com)

European data protection regulators are “engaging” with Twitter following a series of complaints from users that it’s ignoring requests to delete their direct messages, TechCrunch has learned.

Opinion: This bill would hurt children while trying to help them

Shoshana Weissmann on Deseret News (deseret.com)

Utah lawmakers are considering SB152, which would require children and adults to provide proof of age to internet sites in order to gain access

ChatGPT Is a Disaster for Your Privacy | PIA VPN

Glyn Moody on PIA VPN Blog (privateinternetaccess.com)

ChatGPT has serious privacy issues. It can collect and process highly sensitive details and associate it with your email and phone number.

Amazon is the latest threat to Facebook as ad targeting suffers

Jonathan Vanian on CNBC (cnbc.com)

Brands are shifting ad budgets away from Facebook and toward Amazon now that targeting users across social networks has become more difficult.

Privacy Row Dents Hong Kong Film Awards Celebrating Bumper Year for Local Movies

Patrick Frater on Variety (variety.com)

An unusual five films picked up ten or more nominations for the Hong Kong Film Awards, with court room drama, “The Sparring Partner” picking up 16. But the event was partially overshadowed by a row…

Nobody but your doctor should know your menstrual history

Keren Landman on Vox (vox.com)

The big problem with Florida asking for so much of its student-athletes’ health information.

Apple: No apps circumvented user privacy controls

Andrew Orr on AppleInsider (appleinsider.com)

Apple fixed a potential privacy vulnerability with iOS 16.3 and other updates, but its investigation into an allegation concluded that no apps took advantage of the flaw.

Cerebral Class Action Lawsuit Investigation Over Privacy Violation Concerns

Alan Mansfield, Esq. on LegalScoops (legalscoops.com)

On February 2, 2023, two members of the United States Senate sent a letter to Cerebral, Inc. where they ““express our concern regarding reports that Cerebral is tracking and sharing sensitive and personally-identifiable health data with third-party social media and online search platforms such as Google and Facebook that monetize this data to target advertisements,” using what is known as the Meta Pixel tracking cookie.

Stalkerware Maker Fined $410k and Compelled to Notify Victims

Bill Budington on Electronic Frontier Foundation (eff.org)

Last week, the New York Attorney General secured a $410,000 fine from Patrick Hinchy and 16 companies that he runs which produce and sell spyware and stalkerware. In addition, he and his companies must modify their stalkerware to alert victims that their devices have been compromised. This sends a..…