Privacy News: October 26
A bumper crop of links, from across the country and around the world!
A bumper crop of links, including quite a few updates on state legislation – and international perspectives as well.
18 Books That Will Change the Way You Think About AI and Technology
Mia Dand on Medium (miad.medium.com)
An excellent list of 18 books written by scholars and technology experts. Dand casts a broad net, including privacy-focused books like Helen Nissenbaum's Privacy in Context and Carissa Véliz' Privacy Is Power as well as classics like Safiya Umoja Noble's Algorithms of Oppression, Ruha Benjamin's Race After Technology, and Sasha Costanza-Chock’s Design Justice.
FIND OUT MORE: The weekly AI and Emerging Tech Ethics newsletter from Dand's Lighthouse3 has the latest developments in AI, as well as a list of job opportunities.
Privacy after Roe
Inslee and legislators begin rolling out reproductive freedom policies for 2023 legislative session
Governor Jay Inslee on governor.wa.gov
Gov. Jay Inslee and Democratic lawmakers have begun rolling out their choice-defending agenda for the 2023 legislative session. Rep. Drew Hansen will sponsor a "sanctuary" bill that protects patients and providers from any criminal or civil actions for lawfully receiving or providing reproductive health care services or gender-affirming services in Washington. The bill will help protect patients from states like Texas or Idaho from being punished for lawfully seeking and receiving legal health care services in Washington state.
Sen. Manka Dhingra and Rep. Vandana Slatter announced a health data bill – which prohibits organizations from selling Washingtonians’ health data, prohibits apps and websites from collecting and sharing Washingtonians’ health data without their consent, and prohibits “geofences” from being used at reproductive and gender affirming health care facilities.
Inslee also affirmed he will be requesting legislation to pursue a constitutional amendment that expressly establishes a fundamental right to an abortion and a fundamental right to choose or refuse contraceptives.
Privacy and digital health data: The femtech challenge
Amy Olivero on International Association of Privacy Professionals (iapp.org)
This article examines current laws, latest enforcement actions, and pending legislation around health-relevant data in the U.S. As well as HIPAA and comprehensive state privacy laws like California's CCPA, Olivero also looks at more narrowly-targeted laws (such as data broker regulation in California, Nevada, and Vermont), state Attorney General actions (including California's action against Glow), and FTC enforcement efforts (including Flo's settlement).
Federal privacy legislation
How a federal proposal could undermine California’s privacy rights
Hannah-Beth Jackson on CalMatters (calmatters.org)
The former chair of California's Senate Judiciary Committee weighs in on the proposed American Data Privacy and Protection Act (ADPPA), which would preempt California's privacy laws. Unsurprisingly, she thinks that would be bad.
This potential government loophole threatens more than just reproductive rights. People of color, low-income workers, undocumented immigrants and the LGBTQ community could also be impacted if government agencies can simply buy data. Immigration and Customs Enforcement has weaponized data location to conduct raids, unleashing fears about government tracking that have led to a decrease in the use of services ranging from food stamps to health care.
Other government agencies, including the FBI and DEA, have contracted with data brokers to covertly monitor the location and identity of people who assembled during Black Lives Matter protests.
Under the federal proposal, Californians could also lose the right to strengthen our laws. Unlike a long history of federal privacy laws that let states do more, this one would set a ceiling that no state could improve upon. Privacy rights would be frozen in time while technology develops at lightspeed.
FIND OUT MORE: People in other states and cities have opinions on preemption too surveys other reactions to ADPPA's preemption.
State privacy legislation
Montanans’ privacy is on the ballot
on Daily Inter Lake (dailyinterlake.com)
Montanans will vote on whether to join Missouri and Michigan in strengthening constitutional privacy protection:
Montana C-48 seeks to amend the state constitution to include electronic data and communications in search and seizure protections. As currently written, the search and seizures section of the constitution states that “the people shall be secure in their persons, papers, homes and effects from unreasonable searches and seizures.” The amendment would simply add “electronic data and communications” to that list — essentially updating the constitution to reflect the reality of modern times.
Colorado Consumer Privacy Rules Add to Looming Business Mandates
Brenna Goth on Bloomberg Law (news.bloomberglaw.com)
Draft details of how Colorado intends to implement its new consumer privacy law would add requirements that attorneys say companies should consider well ahead of the July 2023 effective date.
CPPA reschedules board meeting on CPRA draft rules
International Association of Privacy Professionals (iapp.org)
The meetings are now October 28-29 and November 4-5 (see the links for Zoom information). The meeting materials have the proposed regulations and an explanation. Consumer Watchdog is concerned that some of the proposed changes could weaken protections; their Privacy Dawn report goes into detail.
Your 2022 end-of-year privacy ‘to do’ list
Jennifer Ruehr and Sam Castic on International Association of Privacy Professionals (iapp.org)
Here’s a to-do list to help your company address these new privacy requirements for 2023.
Appellate Court Confirms That Monitoring Online Shopping Activity Violates State’s Anti-Wiretapping Law—and the Time to Act Is NOW!
Puja J. Amin on The National Law Review (natlawreview.com)
So we’re launching a new feature on TCPAWorld – CIPA Sunday! CIPA – the California Invasion of Privacy Act – has become shorthand for the MASSIVE wave of wiretapping lawsuits crashing all across the country looking at recording of website interactions. And while CIPA is the most famous of these statutes—authorizing a $2,500.00 per violation statutory penalty—California is hardly alone.
Maximize your minimization and other takeaways from the FTC’s Drizly case
Cobun Zweifel-Keegan on International Association of Privacy Professionals (iapp.org)
The U.S. Federal Trade Commission enforcement action against Drizly demonstrates how the agency plans to give teeth to its new emphasis on data minimization. The FTC reached a settlement with Drizly, an online alcohol marketplace, and its CEO, alleging the company knew about its data security shortcomings and failed to take action to protect personal data from a data breach affecting 2.5 million users. Though the case derives from a security breach, privacy pros should pay close attention to the remedial actions in the proposed consent order.
- FTC Takes Action Against Drizly and its CEO James Cory Rellas for Security Failures that Exposed Data of 2.5 Million Consumers, Federal Trade Commission (ftc.gov)
- Data security forecast: Drizly with a 100% chance of far-reaching order provisions, Lesley Fair, FTC Business Blog (ftc.gov)
- FTC brings action against CEO of alcohol delivery company over data breach, Cat Zakrzewski, Washington Post (washingtonpost.com)
- FTC-Drizly Saga Reminds Marketers to Limit Data Collection, Trishla Ostwall, Adweek (adweek.org)
‘Immature biometric technologies could be discriminating against people’ says ICO in warning to organisations
on ICO (ico.org.uk)
The Information Commissioner’s Office is warning organisations to assess the public risks of using emotion analysis technologies, before implementing these systems. Organisations that do not act responsibly, posing risks to vulnerable people, or fail to meet ICO expectations will be investigated.
ALSO: Information commissioner warns firms over ‘emotional analysis’ technologies, Alex Hern on The Guardian (theguardian.com)
Is GPC the new ‘do not track’?
Anokhy Desai on International Association of Privacy Professionals (iapp.org)
This article looks at the Global Privacy Control and the comparison between it and the do not track mechanism.
ALSO: GPC under the GDPR, Robin Berjon on berjon.com
Senator questions Mark Zuckerberg over Meta’s healthcare data collection policies
Mike Miliard on Healthcare IT News (healthcareitnews.com)
The letter from Sen. Mark Warner to the Facebook founder comes just days after Advocate Aurora Health notified patients of a potential breach involving a pixel-tracking tool. “Of particular concern are the recent allegations that Meta has used Meta Pixel data to inform targeted advertisements on Meta’s platforms."
ALSO: Senator Questions Meta Over Use Of Hospital Data, Wendy Davis on Media Post (mediapost.com)
Square sells access to your inbox. No one knows if the law cares.
Ben Brody on Protocol (protocol.com)
When my work inbox got flooded with reminders of my most twee shopping habits, I found out the Block-owned service throws up obstacles to getting out of its marketing business.
AlgorithmWatch is offering 5 fellowships in algorithmic accountability reporting
Nicolas Kayser-Bril on AlgorithmWatch (algorithmwatch.org)
Fellows will receive €1,200 per month during 6 months and will report on automated decision-making in Europe.
The Shifting Privacy Left Podcast
Debra Farber on Buzzsprout (shiftingprivacyleft.buzzsprout.com)
Shifting Privacy Left features lively discussions on the need for organizations to embed privacy by design into engineering, devops and the product development processes BEFORE code or products are ever shipped.
We used to get excited about technology. What happened?
Shannon Vallor on MIT Technology Review (technologyreview.com)
Innovation that truly serves us all is in scarce supply. That’s a problem.
Law firm says ex-lawyer is trying to take over Clearview AI lawsuit
David Thomas on Reuters (reuters.com)
Chicago law firm Loevy & Loevy has accused one of its former lawyers of trying to force it out of a class action lawsuit against facial recognition startup Clearview AI Inc just as a potentially lucrative settlement may be in the works.
Hintze Law Global Privacy Updates
By Leslie Veloz on Hintze Law PLLC – Privacy + Security (hintzelaw.com)
Here’s a snapshot of a few privacy developments from the past few weeks.
A Bill of Rights for the Information Age: White House Outlines Principles for Artificial Intelligence Design & Use
Kevin J. White on The National Law Review (natlawreview.com)
It is no secret that legislators and regulatory agencies have taken note of companies' increasing reliance on artificial intelligence (AI).
Spanish ISPs Fall Short of Robust Commitments to User Privacy in New Eticas’ Report
Veridiana Alimonti on Electronic Frontier Foundation (eff.org)
Spanish Internet Service Providers (ISPs) continue to fall short of robust transparency about their data protection and user privacy practices, with many failing to meet criteria that directly builds on Spanish and EU data protection regulations.While highlighting that internet companies in Spain...
EU Lawmakers Must Reject This Proposal To Scan Private Chats
Joe Mullin on Electronic Frontier Foundation (eff.org)
Having a private conversation is a basic human right. Like the rest of our rights, we shouldn’t lose it when we go online. But a new proposal by the European Union could throw our privacy rights out the window. LEARN MORETell the European Parliament: Stop Scanning MeThe European Union’s executive...
Casino Developers Want to Fill Times Square With Surveillance Drones
Thomas Germain on Gizmodo (gizmodo.com)
“If the city makes this high-stakes bet on casino surveillance, I worry they’ll gamble away the future of our public streets,” said one privacy expert.
Towards a data-subject-friendly interpretation of Article 82 GDPR
Hubert Bekisz on Verfassungsblog (verfassungsblog.de)
Under the General Data Protection Regulation (GDPR), Article 82 is the only instrument to claim compensation resulting from data protection infringements. So far, it has not been interpreted by the Court of Justice of the European Union (CJEU or Court)
Better Regulating Drone Use Requires Communication, Not Surveillance
India McKinney on Electronic Frontier Foundation (eff.org)
In 2018, Congress gave the Departments of Justice and Homeland Security sweeping new authorities to destroy or commandeer privately-owned drones, as well as intercept the data it sends and receives. EFF objected to The Preventing Emerging Threats Act of 2018 (S. 2836, H.R. 6401) because, among...
The Wire Retracts Its Meta Stories
The Wire on The Wire (thewire.in)
Given the discrepancies that have come to our attention via our review so far, The Wire will also conduct a thorough review of previous reporting done by the technical team involved in our Meta coverage.
Texas AG sues Google over facial and voice data collection
Lauren Feiner on CNBC (cnbc.com)
The complaint underscores the role of individual states in protecting users’ information on the internet in the absence of a federal privacy law.
Joy Buolamwini saw first-hand the harm of AI bias. Now she’s challenging tech to do better.
Sigal Samuel on Vox (vox.com)
How a personal experience with facial recognition tech sparked a broad campaign for algorithmic justice.
UCSB community highlights concerns over privacy, racial profiling and criminalization at Halloween policing town hall
Nisha Malley on The Daily Nexus (dailynexus.com)
Isla Vista Foot Patrol plans to install two to four street cameras throughout Isla Vista and upstaff its patrol during Halloween weekend.
Black or bot? The long, sordid history of co-opting Blackness online
Morgan Jerkins on Mother Jones (motherjones.com)
Trolls and foreign agents love to exploit African-American culture for political gain.
ARE CHAT BOXES THE NEW CIPA GOLDMINE?: Shifting Plaintiff’s Tactics in California Wiretap Cases Are on Recent Display
Eric J. Troutman on The National Law Review (natlawreview.com)
If there is any statute in America that is potentially set to overrun the TCPA for the title of “most dangerous business killer out there–it is probably the California Invasion of Privacy
TikTok accused of plotting to track specific US citizens
Brandon Vigliarolo on The Register (theregister.com)
China-owned boredom-killing biz issues precision-engineered denial
Texas sues Google in row over biometric data
Thomas Claburn on The Register (theregister.com)
You can kiss my Californian ass, says ad giant
LinkedIn experiment changed job prospects for millions — and it raises red flags: privacy experts
Kiernan Green on CBC (cbc.ca)
A five-year study by LinkedIn on nearly 20 million of its users raises ethical red flags since some unknowing participants in the social experiment likely had job opportunities curtailed, experts in data privacy and human resources suggest.
Tesco barring store entry to people who refuse club cards
Johnny Ryan on Irish Council for Civil Liberties (iccl.ie)
ICCL writes to the Oireachtas (Irish Parliament and Senate) Justice Committee, and MEPs from the European Parliament Justice Committee, about the LIBE mission to Dublin to investigate Ireland’s application of the GDPR.
The Latest Attempt To Address The Online Data And Privacy Crisis
Edward Segal on Forbes (forbes.com)
The online data and privacy crisis could be back in the spotlight thanks to U.S. Senator Edward Markey (D-Mass), who is leading a group of Senate colleagues in asking the Federal Trade Commission to update the Children’s Online Privacy Protection Act.
Data Protection framework to be tabled during the budget session in February
Fortune India Exchange on Fortune India (fortuneindia.com)
The data protection bill which was first introduced in the Parliament in 2019, aimed to tighten the scrutiny across social media platforms.
States Rolling Out Digital Identity Cards Promise User Privacy
Andrea Vittorio on Bloomberg Law (news.bloomberglaw.com)
States launching digital versions of a driver’s license are championing the credentials as a way to keep personal information more private and secure, though nationwide adoption will depend on coalescing around a common standard for how the identification cards are built and used.
Privacy assembly in Istanbul calls for adaptation to new necessities
Eralp Yarar on Daily Sabah (dailysabah.com)
The 44th Global Privacy Assembly (GPA) organized by Türkiye’s Personal Data Protection Authority (KVKK) was launched on Tuesday in Istanbul’s...
The Commission’s gross violation of privacy — endangering encryption
Markéta Gregorová on POLITICO (politico.eu)
The EU has fallen for the myth that it’s possible to keep us safer by weakening the very thing that protects us.
5 Key Takeaways - How GDPR has Impacted American Companies and the Future of Transatlantic Data Transfers
Amanda Witt on JD Supra (jdsupra.com)
The European Union’s General Data Protection Regulation (“GDPR”) marked a turning point in privacy and data protection practices globally and...
Image credit: Daquella manera on Flickr via Wikipedia Commons. licensed under the Creative Commons Attribution 2.0 license.