It's been a while since the last Privacy News, and there's a lot going on!
Privacy After Roe
Shoshana Wodinsky and Kyle Barr, The A.V. Club on Gizmodo (gizmodo.com)
Gizmodo identified 32 different brokers across the U.S. selling access to the unique mobile IDs from some 2.9 billion profiles of people pegged as “actively pregnant” or “shopping for maternity products.” Hundreds of millions more profiles were labeled “interested in pregnancy” or “intending to become pregnant.” Here sthe spreasheet with all thei info.
Gizmodo was able to figure out the likel data sources for 19 of these brokers. For example:
Quotient didn’t make it clear in either of those cases where it was getting that purchasing data from, but Gizmodo’s investigation revealed that the company also owns the popular couponing site, coupons.com. The site has offered coupons for products like Plan B in the past, though it does not currently. Gizmodo also found that Quotient had access to purchasing data from shoppers at Giant Eagle—a chain of small pharmacies in the Northeast and Midwest—via a proprietary ad network the data broker operates.
SEE ALSO: Data brokers shrug off pressure to stop collecting info on pregnant people, by Alfred Ng on Politico, a very good complement to the Gizmodo article.
Cat Zakrzewski on The Washington Post (washingtonpost.com)
A new bill in the South Carolina legislature, modeled after the National Right to Life Committee's model bill, would make it illegal to “aid, abet or conspire with someone” to obtain an abortion.
The bill aims to block more than abortion: Provisions would outlaw providing information over the internet or phone about how to obtain an abortion. It would also make it illegal to host a website or “[provide] an internet service” with information that is “reasonably likely to be used for an abortion” and directed at pregnant people in the state.
Legal scholars say the proposal is likely a harbinger of other state measures, which may restrict communication and speech as they seek to curtail abortion.
Federal Privacy Legislation
Daniel Solove on TeachPrivacy (teachprivacy.com)
Well-respected privacy scholar Daniel Solove follows up on his previous analogy that ADPPA's preemption is a Faustian bargain, responding to comments by Omer Tene. He starts by clarifying that his "B+" grade for ADPPA was on a curve:
As I have argued extensively in my scholarship, I believe that existing privacy laws have some severe shortcomings and must be changed significantly to be up to the challenge of protecting privacy.... Many parts of privacy laws have pretty-sounding rhetoric but ultimately are not any deeper. Further, the ADPPA is being weakened as it winds its way through the federal legislative process, which has a knack for whittling away at the stronger elements of laws.
He also highights an issue with ADPPA's private right of action I haven't seen others mention:
But if ADPPA preempts state privacy laws, then this forces people to use the private right of action in federal court, where people must deal with the dragon of standing. The U.S. Supreme Court has worked its typical mischief upon standing doctrine, altering it to shut out many valid cases involving clear violations of federal privacy statutes with causes of action. The Court has found ways to creatively interpret away statutory damages provisions (Doe v. Chao). And, more recently in its war against plaintiffs, the Court has allowed courts to throw out cases brought under private rights of action if courts don’t think that there’s a harm. Courts have struggled to recognize privacy harms.
And he highlights another important problem with ADPPA's preemption:
There wasn’t as much momentum for a comprehensive privacy law prior to the California Consumer Privacy Act (CCPA). The CCPA was rushed through the California legislature in the summer of 2018 to stave off a referendum. The referendum had widespread popular support, and its existence drove the legislative agenda....
The CCPA’s first referendum was pulled because the CCPA was passed, but a subsequent referendum strengthened the law in 2020. Although the CCPA after the amendments is still not where I’d like it to be, the referendum process is quite valuable. Of course, there are problems with the referendum process, but a virtue is that it gives the people a say in the legislative agenda. The California referendums sent a loud message: People were concerned about privacy and didn’t think existing laws were adequate. No longer could legislatures bury their heads in the sand. No longer could the tech industry and Big Data industry coast on legislative inaction.... Companies actually got off easy, because I think nearly anything would have passed in the referendums, and it was somewhat of a squandered opportunity. But nothing can stop more referendums in the future . . . . except for the ADPPA. The ADPPA could shut the door on this.
- The California Privacy Protection Agency, in a special board meeting, voted unanimously to oppose the current version of ADPPA – or any federal privacy bill that preempts California's CPRA or interferes with CPPA's enforcement. Friday's newsletter went into detail on this with Is there an elephant in the Zoom room? CPPA says no to ADPPA preempting California law
- Julia Angwin of The Markup interviews Brookings' Cameron Kerry in Federal Privacy Law Has Momentum, but There’s a Catch
- Mike Swift looks in detail at the FTC enforcement aspects of ADPPA in Federal privacy legislation would transform US FTC with new Bureau of Privacy on LexisNexis' Mlex.
Alex LaCasse on IAPP's Privacy Advisor (iapp.com)
The Senate Commerce Committee voted to advance the Chidren and Teens Online Privacy Protection Act (CTOPPA), which strengthens and updates COPPA, and the Kids Online Safety Act (KOSA), which requires technology companies to prevent harm to minors while mandating more transparency in their algorithms for users and researchers.
Who Is Collecting Data from Your Car?, Jon Keegan and Alfred Ng, The Markup (themarkup.org)
Sweden to ban unregistered pre-paid mobile phones, The Local SE (thelocal.se)
A Cyberattack Illuminates the Shaky State of Student Privacy, Natasha Singer, New York Times (nytimes.com)
Meta must disclose India’s Human Rights Impact Assessment, Leanna Garfield on Access Now (accessnow.org)
India Delays Introduction of Data Protection Bill Before Parliament, Hunton Andrews Kurth’s Privacy and Cybersecurity on The National Law Review (natlawreview.com)
The DHS Bought a ‘Shocking Amount’ of Phone-Tracking Data, on WIRED (wired.com)
TROPT Ethical, Responsible & Privacy Tech Unconference 2022, September 28, on hopin.com
Intel, SpaceX, Philip Morris, and dozens of other US companies were in a leaked database of users for a Russian facial recognition company, Caroline Haskins , Insider (businessinsider.com)
A Stanford Graduate Raises $2M To Plug Privacy Into The Right Web3 Socket, Frederick Daso on Forbes (forbes.com)
Some popular children’s apps contain ‘risky’ code transmitting sensitive data, audit finds Leonie Thorne on ABC News (abc.net.au)
A Frozen Document in China Unleashes a Furor Over Privacy, Wenxin Fan on WSJ (wsj.com)
ShotSpotter held in contempt of court, Matt Chapman and Jim Daley, Chicago Reader (chicagoreader.com)
California privacy rules target dark patterns through technology design, Robert Freedman on Cybersecurity Dive (cybersecuritydive.com)
UK and US seek out privacy-enhancing innovations, E&T editorial staff on E&T Magazine (eandt.theiet.org)
Indian women shunning Facebook due to safety, privacy concerns: Study, Ayushi Kar on The Hindu BusinessLine (thehindubusinessline.com)
Conceptions of Privacy Shouldn’t Stand in the Way of Privacy Standing, Caprice Roberts on Lex (lex.jotwell.com)
Meta Platforms CEO Zuckerberg to testify in Cambridge Analytica privacy lawsuit, Al Arabiya English on Al Arabiya English (english.alarabiya.net)