Privacy Insider newsletter:                March 9, 2021

For some time now, it's felt like consumers are starting to pay attention to privacy.

Here's an example: When I started working in the field about a decade ago, I dreaded cocktail parties. Now, that's not because I don't enjoy a nice pour of cabernet sauvignon; especially when it comes in those nice round goblet-like glasses. No, I feared cocktail parties because I always felt nervous explaining my beat as a writer. Telling people I write about data privacy generally resulted in one of two scenarios: The person wanted to know more, only to glaze over when I went into details. Or, the person had no idea what I was talking about, and what could have been a fun chat took a nosedive.

"I'm going to get some more hummus," they might say, quickly moving away from the topic and myself.

Now, when people ask about my job, there are quick references to make. "You know how Facebook got in a lot of trouble for secretly sharing data?" Or, "Have you heard of Edward Snowden?"

There seems to be a recognition — fueled perhaps because mainstream media now dedicate full-time reporters to cover data privacy — that our personal data is at constant threat via invisible forces insider our computer screens. There seems to be more understanding among the populace that if you're not paying for the product, you are the product. And that scares people — rightfully so.

This week, The New York Times Editorial Board called on companies to use an "opt-in" approach when collecting user data, versus the opt-out approach, which is often the default. That is: Companies should ask users for explicit, clear permission to track and collect their data. In most cases today, the default is to take the data unless the user takes action on their own to say, "No."

It feels the tide is turning. It's not just The New York Times' editorial. We hear the calls from the European Data Protection Supervisor to ban targeted advertising in the EU. Or Google's recent decision to phase out third-party tracking cookies. Or Apple's decision to require apps on its store to get opt-in consent from users.

While legislatively, it may be too early to predict mandatory opt-in frameworks, some U.S. states are moving in that direction. Virginia's privacy law, passed this month, requires opt-in consent before companies can collect "sensitive" data. It seems a matter of time before opt-in regimes become best practice. In this writer's humble opinion, organizations that recognize the writing on the proverbial wall and take action are positioning themselves ahead of competitors that aren't paying attention.

Enjoy reading the news we've rounded up for you, and I'll see you next week! 

1. New York Times calls for opt-in approach to data collection

   The New York Times Editorial Board calls for companies to use an opt-in approach in apps and on websites when seeking to collect personal data. That differs from the opt-out approach most companies take now. "It should not be the role of consumers to make marketers' jobs easier. Furthermore, there is evidence that such highly targeted advertising isn't really necessary to support the free web, as technology companies that are against opt-in provisions often argue," writes the board in the op-ed. 
   Read Story

   2. French lobbying group files privacy complaint against Apple

   A French start-up lobbying group has filed a complaint against Apple, alleging the iPhone's operating system breaches EU data privacy rules, CNBC reports. France Digitale told the French data protection authority (CNIL) that Apple's iOS14 software allows the company to collect user data "for ad tracking services without explicitly asking permission," the report states. The group has asked the CNIL to investigate. 
   Read Story

   3. Lawmakers urge Federal Trade Commission to police bad health-app actors

   Three lawmakers are urging the U.S. Federal Trade Commission to better police health apps that "share personal health information with third parties without user consent," Health IT Security reports. The three Democrats, all representing New Jersey, wrote a letter to the agency asking it to use its authority under the Health Breach Notification Rule to punish bad actors. The request follows a lawsuit against Easy Healthcare, whose fertility app allegedly shares personal data with marketing firms. 
   Read Story

   4. Google rejects claim its 'Workspace" suite contains privacy risks 

   Google says its Google Workspace suite does not contain several data protection risks to users, IT Pro reports. Recently, the Dutch government published data protection impact assessments that found "eight highly-rated data protection risks" in Google Workspace. The risks include a "lack of purpose limitation for content and diagnostic data collection, a lack of transparency on the same data types, and a lack of privacy controls for administrators and users, among other glaring issues," the report states.
   Read Story

   5. EU could ban 'microtargeting' with political ads 

   As the European Union continues legislative talks on targeting advertising for political purposes, Euractiv reports there's a chance the European Commission could prohibit it outright. The European Commission is currently considering legislative action on paid political advertising. The head of cabinet for Commission Vice-President Vera Jourova said the measures "may very well hone in on the practice of microtargeting, and could potentially introduce a ban."  
   Read Story

   6. Supreme Court says man can sue Costco for RX disclosure

   An Arizona Supreme Court has said a Phoenix man may proceed with a lawsuit against Costco over alleged violations of his health care privacy, KTAR News reports. The man claims a Costco pharmacist "joked with his ex-wife about an erectile dysfunction prescription" of his. The court said for the man to win, he must "show by 'clear and convincing' evidence that the store and its pharmacist did not act in good faith when the woman was told about the prescription," the report states.
   Read Story