Privacy Insider: October 26, 2021

Last week, I strapped a mask on my face for five full hours and flew to San Diego. While taking sips of water and trying to keep my mouth covered at the same time proved difficult, it was worth the pain. 

That's because I was headed to geek out on privacy with about 1,000 other real live humans. I heard from chief privacy officers at Google, Apple and Microsoft. I hugged people. I heard about the pain points of trying to manage privacy compliance in an uncertain legal framework.

As one speaker said at the International Association of Privacy Professionals' event, "No one is telling us how great it is that there's no PR nightmare or breach, so we need to be a support system for each other." 

Here are the major highlights from last week's meeting of the minds in the privacy space. 

U.S. notice-and-choice model for consent gets put on notice

During her keynote address, Federal Trade Commissioner Rebbeca Kelly Slaughter said that companies need to focus on data minimization and avoid collecting personal data for "secondary services." She said data minimization rules are the key to modern privacy protections. This comes on the heels of the FTC's report last week that several major internet service providers were over-collecting data from consumers. 

"For even the savviest of users, the price of browsing the internet is being tracked across the internet," Slaughter said in her keynote. "Choice is illusory at best." Instead, consumers are forced to choose between accepting a site's terms on tracking or decline and lose access to essential services. 

No one knows what to do about cookies

That's the main takeaway on this one. No one knows what to do about cookies. Not exactly, anyway. We know Google is phasing out third-party cookies. It looks like that's the future. But what will replace them? How will companies that rely on advertising survive if they don't know who their targets are? And what about consumers who like seeing ads tailored to their interests? 

No one knows yet. Sure some ideas are floating around, but no consensus on the way forward. In a session on a "cookieless future," executives said the focus is on moving away from what users and regulators might consider the "bad stuff" without harming the positive parts of cookies, like how they help sites to function. Or how they allow you to fill up a shopping cart, leave the site and then return without losing your haul. I do like that one.  

One thing is sure, said Julia Shullman, chief privacy officer of programmatic advertising firm TripleLift, "For publishers and advertisers in the room, unfortunately, it's going to get a lot harder. You're going to have to ask the tough questions and understand what your vendors are doing." 

Privacy Shield's future is looking ... good-ish?

Apple, Google and Microsoft executives said on the keynote stage that agreements between governments to transfer data across borders despite varying global laws are key to future economic cooperation and development. Later, Chris Hoff, negotiating the Privacy Shield replacement for the U.S. Department of Commerce, said that's a key priority. Despite media rumors otherwise, he indicated talks are going well. 

"As even Max Schrems has said, this is a problem that only government can solve together," adding that last week, European Commissioner Reynders (who is negotiating the Privacy Shield replacement for the EU) met with three cabinet-level U.S. officials. 

Reynders had said in May that an agreement could take years, not months. But the U.S. has sung a more optimistic tune, doubling down on that last week. In a statement that had people talking about it in the hallways afterward, Hull said bluntly to companies in the room, "You should probably stay in Privacy Shield. We're almost done." 

Microsoft's Julie Brill said we need to get "comfortable with being uncomfortable" at the tenuous negotiations over cross-border data flows between the EU and U.S. She said there will be an agreement on Privacy Shield's replacement, "likely by the end of the year." But she said she expects the EU to apply pressure to test any outcome produced. 

Don't expect a federal privacy law this year (or next)

Despite calls last week from FTC Commissioner Rebecca Kelly Slaughter and even Google's Keith Enright for a federal privacy law, Microsoft's Julie Brill said to companies, "Don't hold your breath." 

Lawmakers will still have trouble (as they have for years) finding agreement when Democrats think a U.S. privacy law should include a consumer's right to sue companies that break the law, and Republicans do not. There's a ton of money on the line in that scenario. Allowing consumers to sue would expose major companies to crazy risk. But Brill said it's not just a "yes or no" question. It's more nuanced than that. Allowing consumers "redress" can be done in multiple ways, not just via lawsuits. 

All three tech execs said they don't expect a federal privacy law until 2024. Bummer, non? 

Enjoy reading this week's top privacy news, below, and I'll see you next week!

Mark Zuckerberg added to Facebook lawsuit, could be held personally liable

The attorney general for the District of Columbia has added Facebook CEO Mark Zuckerberg to a consumer protection lawsuit. It's "one of the first efforts by a regulator to expose him personally to potential financial and other penalties," The New York Times reports. D.C. Attorney General Karl Racine said his investigation has revealed Zuckerberg "played a much more active role in key decisions than prosecutors had known." The lawsuit claims Facebook misled consumers about privacy when it allowed Cambridge Analytica to take sensitive data on more than 87 million of them.  
Read Story

A new Federal Trade Commission report found that large internet services providers collect and share more of their consumers' personal data than they'd expect, ABC News reports. The report found that some internet services providers often fail to offer consumers meaningful choices about how their data is used. "We found interfaces that buried or hid certain choices from consumers," FTC Attorney Andrea Arias said. "We even found unclear toggle settings that led to the selection of unintended privacy settings." 
Read Story

Data vendor allegedly collects, sells location data after user opt-out

A data vendor has been receiving GPS coordinates from some Android apps even when users had explicitly opted out, Vice reports. According to researchers and the publication Motherboard, U.K.-based company Huq takes granular location information from phone apps and then sells it. Huq said it's investigating, but that data collection should only happen with consent, and app developers "are the ones responsible for obtaining that consent." Google said it's aware of the report and also investigating. 
Read Story

Facebook reports missing third-quarter revenue goal, blames Apple

On Oct. 25, Facebook reported it missed its third-quarter revenue projections. Snapchat reported the same. Both say the shortcomings resulted from Apple's changes to privacy settings on the iPhone earlier this year. The settings have had a significant impact on advertisers, Marketplace reports. Because users are increasingly opting out of advertisements, that means fewer users to go around, increasing the price of ads they'll see.
Read Story

Australia releases draft update to Privacy Act, increases fines

The Australian government has released a draft Online Privacy Bill that aims to expand the country's current Privacy Act. The bill would allow the federal government to make a binding privacy code that applies to social media platforms, data brokers and large online platforms, ZDNet reports. A code breach could potentially mean a fine worth 10% of an organization's domestic annual turnover or an AU$10 million fine.
Read Story

Snowden warns weakening encryption could have 'fatal consequences'

During a press conference on "Global Encryption Day," Edward Snowden said undermining encryption systems so government agencies can access people's personal messages would be a "colossal mistake," CNBC reports. Speaking via video chat from Russia, Snowden warned that the U.S., EU, Australia, Russia and China's pressure on Facebook and Apple to let law enforcement access encrypted messages to fight crime could have fatal consequences. "Privacy is power," he said.
Read Story