“Redline” version of amended ADPPA bill HR 8152
Ball in Pelosi’s and Cantwell’s courts to decide if a national privacy law will end ‘creepy’ targeting; advertisers worrying?
Bipartisan, round-the-clock drafting work by congressional staffers has sent to the floor of the U.S. House — days before a summer recess — a privacy bill that could end opaque data sharing and ad targeting that has dominated the Internet for more than 25 years.
“I believe [that is] the way the legislative process should be,” said Nora Benavidez, a justice and civil-rights lawyer with advocacy group FreePress. “It should be staffers, experts, civil society, coming together to come up with something.” Benavidez was interviewed by Justin Hendrix, of TechPolicy.Press.
She was talking about the American Data Privacy and Protection Act (ADPPA), H.R. 8152, approved 53-2 by the House Energy and Commerce Committee on July 20 and sent to the House floor. The 132-page bill was substantially amended throughout before the vote. (REVIEW RED-LINED VERSION) | READ KEY DEFINITIONS
Chart compares federal proposal vs. California law
Three advocacy groups, the Electronic Privacy Information Center (EPIC), the Lawyers Committee for Civil Rights Under the Law and the Center for Democracy and Technology, put together an 11-page chart showing key provisions of California law compared with provisions of the bill now headed for a potential U.S. House floor vote. The Washington Post’s Cristiano Lima summarized the three groups’ point of view — that the House bill is better for consumers than the CPRA.
The bill contains key definitions of terms like opting out of targeted advertising; covered, derived and sensitive data; and service provider, third party and transfer. It also addresses questions about loyalty programs and pricing.
Advertisers oppose in unison
Seven advertising and ad-tech policy organizations jointly said they oppose the measure, which would appear to largely outlaw — absent explicit user consent — the practice of opaquely collecting and sharing browsing habits and demographics of users across the web. They said H.R. 8152 would “severely damage the U.S. consumer economy.”
The law defines, and somewhat restricts the use of, “covered data” and outright prohibits sharing of “sensitive data.” Before a website may show a user an ad targeted to an individual’s web behavior, the user must be given an unambiguous chance to refuse it. Since that is how almost all advertising on the web is now placed, it’s no surprise ad-tech companies are worried.
Publishers — key beneficiaries of “contextual” rather than data-driven advertising — have not commented, so far. Contextual advertising would be unaffected by the measure.
Writing at Digiday, Marty Swant quoted Lartease Tiffith, EVP of public policy at the Interactive Advertising Bureau, whose members include mostly tech and ad-tech companies and some advertisers, publishers and agencies. “If you lose the ability to reach people based on what they’re interested in, you end up getting billboard ads.”
Advertisers aside, the more general consensus seems to be that the just-amended bill does more for consumer privacy — and particularly for marginalized groups — than laws already in effect in Europe, California and several states. A last-minute amendment would allow California regulators to become enforcers of the federal law as well as existing state law — but with some of the teeth removed from the state statutes and replaced by a more detailed federal law.
House Speaker Nancy Pelosi, D-Calif., has said she would not support “pre-emption” of California’s public-initiative privacy laws; she is likely now studying H.R. 8152 to decide if she will let it come to a full House vote this week. And the current language is not acceptable to attorneys general of 10 states including California.
If H.R. 8152 clears the House, it would move to the Senate, where Sen. Maria Cantwell, D-Wash., chairs the relevant committee to hear it. She has been distinctly negative about earlier congressional proposals that preempted state laws and limited the right of citizens to sue over privacy violations. But H.R. 8152 is designed to be a compromise on both points.
Among supporters of the bill’s current language are Common Cause, Consumer Reports, the Lawyers Committee for Civil Rights Under the Law and the Future of Privacy Forum, which notes the bill’s civil-rights protections in particular. But the Electronic Frontier Foundation is opposing it, seeking additional changes on the House floor. The ACLU also wants changes. One of the closest followers of data privacy is lawyer Justin Brookman, director of technology policy at Consumer Reports. He says the bill would create “dramatic . . . robust” privacy protections for the public if it becomes law. (See QUOTE OF THE WEEK, below, for more of Brookman’s thoughts.)
More reaction from ad-tech
The Interactive Advertising Bureau (IAB), which says it cannot support the bill, warned that the legislation will create a less friendly online environment not just for advertisers and small businesses but for the average online user whose speed and convenience of online experience depend on data.
“By some estimates, the proposed legislation is more punitive than EU regulations, which harm investments,” said Lartease Tiffith, EVP of public policy for IAB. “In an effort to ‘rein in Big Tech,’ Congress is stumbling down the same path, despite the consequences to small businesses and a vital industry.”
Perhaps the best-informed reporting on the ADPPA status is coming from Joseph Duball of the International Association of Privacy Professionals (IAPP). He quoted Rep. Jan Schakowsky, D-Ill.: “It’s been a lot of work bringing these stakeholders together. I know almost everyone can probably find something that they wished were different in the bill. On the other hand, I do think we have a Band-Aid for the American people who are just fed up with the lack of privacy online.”
FTC told to enable “Safe Harbor” entities?
In one feature of H.R. 8152 relevant to the Information Trust Exchange Governing Association (ITEGA.org), the sponsor of this newsletter, the measure’s language would authorize the U.S. Federal Trade Commission to seek and sanction private entities that manage data-privacy compliance programs, a concept known as “Safe Harbor.” (See: “Brookings privacy expert sees ‘safe harbor’ as part of bipartisan measure; says ITEGA might ‘fill the bill,’ but may be premature” (Privacy Beat, May 28, 2021).)
CALIFORNIA PRIVACY AND H.R. 8152
Drummond Reed, above, technologist among those behind “Decentralized Identifiers”
Over Google, Mozilla objections, W3C recommends “decentralized identifiers” as user-centric alternative to phone, email, social media IDs
A technology aimed at shifting more control of identity away from tech platforms, telecoms and other web operators and into the hands of individuals was embraced as a new “standard” last week by the World Wide Web Consortium (W3C). It’s called “Decentralized Identifiers (DIDs),” a form of globally unambiguous identifier.
The idea is to use cryptography — math-based software that includes digital “keys” — to supplement or even replace phone numbers or email addresses as the default way a person is represented across the web. As a result, supporters say, a person’s identity becomes portable and not controlled by some central authority or company.
Most email and social-network addresses are not “owned” by individuals, the W3C said in a July 19 announcement about the DIDs status, while DIDs “can be controlled by the individuals or organizations that create them, are portable between service providers, and can last for as long as their controller wants to continue using them.”
“One of the root causes of phishing (fraud) attacks is that most electronic communications addresses today (caller IDs, SMS, email addresses) are not cryptographically verifiable,” DID co-developer Drummond Reed told the news site PortSwigger. “They are easy to spoof. By contrast, control of a DID is cryptographically verifiable — the sender of a message can prove they control the private key for the DID.”
W3C is an unincorporated consortium hosted by MIT and three other global institutions with about 450 corporate members whose technologists work on standards to make the World Wide Web more open and trustworthy. It decided to “recommend” DIDs as a standard over the objections of member organizations Mozilla and Google, Reed said.
That’s because there are at least 120 registered methods being tried for implementing DIDs, and no consensus on which will become most common, promoting interoperability. The DID Working Group within W3C decided the market should decide, promoting innovation.
PRIVACY AND ABORTION
- Spurred by Roe overturn, senators seek FTC probe of iOS and Android tracking | Jon Brodkin, ArsTechnica.com | LETTER TEXT | (The letter was signed by Sen. Ron Wyden, D-Ore.; Sen. Elizabeth Warren, D-Mass.; Sen. Cory Booker, D-N.J.; and Rep. Sara Jacobs, D-Calif.) | RELATED STORY | RELATED STORY
- In a Post-Roe World, (Does) the Future of Digital Privacy Looks Even Grimmer? | Natasha Singer and Brian X. Chen, NYTimes.com
- The end of Roe could finally convince Americans to care more about privacy | Sara Morrison, Vox.com
- Lawmakers Question Oracle, Amazon And Others Over Location Data | Wendy Davis, DigitalNewsDaily/MediaPost.com
- Big Tech silent on data privacy in post-Roe America | Jessica Lyons Hardcastle, TheRegister.com
- Data privacy concerns make the post-Roe era uncharted territory | Juliana Kim, NPR.org
- Can US women trust big tech with their data after Roe v Wade? | Alex Hern, TheGuardian.com
- You scheduled an abortion. Planned Parenthood’s website could tell Facebook | Tatum Hunter, WashingtonPost.com
- Scholars question future of privacy rights after SCOTUS Roe decision | Margaret Harding McGill & Ashley Gold, Axios.com
- Period tracker app Flo developing ‘anonymous mode’ to quell post-Roe privacy concerns | Amina Kilpatrick, NPR.org
PLATFORMS AND PRIVACY
- Google Changing Ranking Of Personal Data Websites Based On Privacy Concerns? | Laurie Sullivan, MediaPost.com
- Amazon’s $3.9 billion One Medical acquisition is already raising data privacy concerns | Clint Rainey, FastCompany.com
- Brave says it has a way of collecting your data without undermining your privacy | Joel Khalili, TechRadar.com
- Fourteen privacy groups urge Google to rethink their gathering and use of data | Wendy Davis, DigitalNewsDaily/MediaPost.com | LETTER TEXT
- Google Allowed Russian Ad Company to Harvest User Data for Months | Craig Silverman, ProPublica.org
- Google targeted in fresh EU consumer groups’ privacy complaints | Foo Yun Chee, Reuters PLC
- EU privacy advocates say Google signups “unclear, incomplete, and misleading” | Ashley Belanger, Arstechnica.com
- DuckDuckGo traffic declines as it confirms deal to use Microsoft search engine | Barry Schwartz, Search Engine Roundtable
- Microsoft Plans to Eliminate Face Analysis Tools in Push for ‘Responsible A.I.’ | Kashmir Hill, NYTimes.com
Why data matters — what food retailer Kroger says in its annual report — third-party revenue on 60 million households
It isn’t just Google, Facebook, Apple, Amazon and ad-tech companies that realize the value of user data, as is evident in the annual report (10-K) of The Kroger Co., the giant, Cincinnati-based supermarket chain and affiliates. Here’s an excerpt from the report, filed with the U.S. Securities and Exchange Commission and sent to shareholders, which describes Kroger’s marketing strategy, in part, as delivering “billions of personalized recommendations . . . .”
“We are evolving from a traditional food retailer into a more diverse, food first business. The traffic and data generated by our retail supermarket business, including pharmacies and fuel centers, is enabling this transformation. Kroger serves over 60 million households annually and because of our market leading rewards program, 96% of customer transactions are tethered to a Kroger loyalty card.
“Our 20 years of investment in data science capabilities is allowing us to leverage this data to create personalized experiences and value for our customers and is also enabling our fast-growing, high operating margin alternative profits, including data analytic services and third party media revenue.”
“. . . Data governance failures can adversely affect our reputation and business. Our business depends on our customers’ willingness to entrust us with their personal information.”
- Some 75% Of U.S., U.K. Consumers Uncomfortable Buying From Brands With Poor Data Ethics | Karlene Lukovitz, DigitalNewsDaily/MediaPost.com
- Advertisers spent $115 million on clickbait sites, report finds | Ryan Barwick, MarketingBrew.com
- Trade Desk asserts more buy-in on UID 2.0, but no “administrator” yet | Allison Schiff, AdExchanger.com
- AUDIO: Google struggles to get buy-in on Google Analytics overhaul; delays cookie sunset | James Hercher, AdExchanger.com
- BACKGROUND: Inventor of digital cookie has some regrets | Nicolas Rivera, Quartz.com
- Vendor’s data show first-party IDs outperformed third-party cookies in programmatic | Laurie Sullivan, DigitalNewsDaily/MediaPost.com
- AUDIO: Prebid sees its ranks swell as publishers seek shop-talk forum ($$) | Catherine Perloff & Mark Stenberg, AdWeek.com
- As publishers focus on their user data, potential for collaboration with brands, agencies grows | Susie Stulz, AdMonsters.com
- Internal documents show Facebook and Google discussing platform strategies | Makena Kelly, TheVerge.com
- U.S. Antitrust Reform Is Necessary to Defend Global Human Rights | Jennifer Brody, AccessNow via TechPolicy.Press
- Mozilla, in full-page ad ‘co-signed’ by 4,000 people, urges Congress to pass antitrust law curbing platforms | Rebecca Klar, TheHill.com | RELATED STORY | MOZILLA AD IMAGE
- DOJ Poised to Rebuff Google Concessions, Clearing the Way for Antitrust Suit | Leah Nylen, Bloomberg.com
- Lina Khan’s Tight FTC Timetable for Tackling Big Tech | Paul Alexander, TheBulwark.com
- U.S. Chamber of Commerce sues the FTC | Ashley Gold, Axios.com
NEWS, TRUST AND PLATFORMS
EU PARLIAMENT ACTION
EU AND UK PRIVACY
REVIEWING EU STATES’ GOOGLE ANALYTICS BAN
- Italy joins Austria and France in warning about Google Analytics on privacy grounds | Ravie Lakshmanan, TheHackerNews.com | DECISION TEXT (English & Italian)
- Italian data protection authority strikes another major blow to Google Analytics | Luca Bertuzzi, Euractiv.com
- Italian publisher given 90 days to determine if GA can be used with privacy safeguards | Natasha Lomas, TechCrunch.com
- Italy says problem is publisher use of Google Analytics transfer data to United States | Nick Farrell, FudZilla.com
- Google Analytics has fallen afoul of another EU regulator | Leigh McGowran, SiliconRepublic.com
- Google Analytics Has Been Banned in Three European Countries — What’s the Reason? | Lyra Martin, ITechPost.com
- Italian regulator claims Google Analytics use may be illegal | Didi Rankovic, ReclaimTheNet.org
- Report: Is user information “smuggled out to US” by use of Google Analytics? | Nick Booth, MobileEurope.co.uk
- PODCAST: Will Google Analytics be Banned in Europe? Not as easy as it seems | Ignacia Larrain, VisionaryMarketing.com
- EARLIER STORY: About company’s changes in Google Analytics to keep up with privacy issues | James Hercher, AdExchanger.com
QUOTE OF THE WEEK
CR’s Brookman says “framework is great” on H.R. 8152; but with threat to targeting, he expects ad-tech reaction
The following is an excerpt of remarks by Justin Brookman, an attorney and director of technology policy for Consumer Reports, the nonprofit product and service testing organization. Brookman spoke to Justin Hendrix, of TechPolicy.Press, in a podcast that included Nora Benavidez, of FreePress.net. They were discussing provisions of H.R. 8152, the American Data Privacy and Protection Act (ADPPA) as referred to the full House of Representatives on June 20 (see lead blog item, above). A longer excerpt may be found HERE.
“Yeah. I mean, I feel like 70% of privacy bills all kind of look the same, right? They have access rights, and deletion rights, and maybe correction rights. And this has correction rights. They have data security obligations. The trickiest thing is what the law does around secondary use, right? Primary use, we kind of get. I go to Amazon, I buy stuff and they process it and they charge my credit card and they give my information to FedEx, bring it to me. And that’s all directly in service of what I ask for. And that’s fine . . . . .
“It’s all of the other stuff, like the sharing data with data brokers, or for targeted advertising that like the law really needs to get to. And there’s usually three basic ways you can deal with that. You can ban it . . . You can say, this is super illegal. You can require opt-in consent for it. You have to… Someone has to click okay for them to do the extra stuff, or you can have opt-out rights. And like, you can go out of your way to say no, don’t do that. And they all have their flaws, I think . . . .
“But overall, that framework is great. I think the conversation has evolved beyond what we call notice and choice. Like people having to make informed decisions all time. No one wants to make privacy decisions all the time. They just want it to work, and to trust that it works. And I think that this bill was written with that in mind.than we’ve seen in Europe. That’s stronger, certainly, than we’ve seen at the state level . . . .
Consensus on ending targeted advertising?
“This market had been five, 10 years ago, there would’ve been concern about ‘targeted advertising, is the life blood of the internet, and we need our targeted ads.’ . . . But no one’s saying that anymore. There does seem to be the bipartisan agreement that people don’t want their data collected and shared and sold all the time. And that privacy rules really should rein that in. And we shouldn’t buy these arguments that you’re not going to get free content anymore, unless you’re allowed… [unless] we allow hundreds of companies to watch everything we do. That bargain is no longer on the table. So I was really surprised by how little disagreement there was, on the actual substance of the bill . . . .
Expected reaction from ad-tech industry . . .
“They’re going to do everything they can to try to find ways to track, to try to find loopholes. We saw this with the CCPA, the California law that allowed people to opt-out of selling their data.”
ABOUT PRIVACY BEAT
Privacy Beat is a weekly email update from the Information Trust Exchange Governing Association in service to its mission. Links and brief reports are compiled, summarized or analyzed by Bill Densmore and Eva Tucker. Submit links and ideas for coverage to firstname.lastname@example.org.