Tag Archives: privacy

CPUC begins process of holding Frontier to account for service outages, but it might be too late

by Steve Blum

Nearly four years after the fact, Frontier Communications is being held to answer for the fumbled cutover of Verizon wireline customers it acquired in 2015. Last month, the California Public Utilities Commission formally opened an investigation into the widespread reports of dead lines and customer service meltdowns that went on for weeks after Frontier closed on its purchase of Verizon’s decaying copper telephone systems and somewhat more modern fiber to the home FiOS territories in California. On top of that, according to the CPUC’s order instituting investigation (OII), Frontier disclosed customer information it was supposed to keep confidential…

Starting April 1, 2016, Verizon transferred (a process it refers to as cutover of services) its California voice, internet, and video services to Frontier. The cutover caused two issues: (1) Many Frontier customers experienced service outages or interruptions between April to June 2016 to their voice, internet, and video services; customers also experienced poor customer support from Frontier in resolving such issues; and (2) during the same period, Frontier published customers’ address records that were designated as blocked from publication in online and printed directories.

As a starting ante, the CPUC order proposes a $2.5 million fine for Frontier, for the unlisted information disclosures alone. And that number could go up, and additional fines for the outages could be imposed, as the CPUC investigation proceeds. Those fines aren’t the sort of debt that Frontier can easily wash away in the bankruptcy filing it’s planning to make in March, according to reports.

The OII is the beginning of a process that will run for a year or two. By the time it’s finished, Frontier could have completely new owners and management, or it might even be out of California altogether. The reports say Frontier wants to reorganise under chapter 11 of U.S. bankruptcy law, which allows for the possibility of keeping the company in one piece, but doesn’t guarantee it.

California’s consumer privacy law is a call to action for federal regulators

by Steve Blum

Federal Trade Commission chair Joseph Simons was on the undercard for Consumer Technology Association CEO Gary Shapiro’s “fireside chats” with federal policymakers at CES in Las Vegas on Tuesday. Warming up the audience ahead of Federal Communications Commission chair Ajit Pai’s long awaited CES debut, he urged congress to give his agency the U.S. privacy cop job that California now holds by default. The FTC is already pursuing privacy enforcement actions under existing law “because the big tech platforms are becoming so consequential to our lives and so large”, Simons said.

Simons favors federal privacy legislation over the state by state approach. “Of course, now we’re dealing with California”, he said. There’s a place for state-level consumer privacy legislation, but “it depends on how the states evolve and how the federal law evolves”. So long as a state law tracks with federal requirements he seems to be okay with it, but if it doesn’t he wants congress to step in. In other words, states can tinker with the details so long as they stay in the federal privacy policy sandbox.

There is bipartisan agreement in Washington, D.C. that the sandbox should be built, but democrats and republicans disagree on a couple of key issues. Two FTC commissioners – democrat Rebecca Slaughter and republican Christine Wilson – took part in a separate panel discussion later in the day. They both favor federalising consumer privacy rules. Wilson said that California’s privacy law, along with the European Union’s privacy regulations, makes federal action urgent “because interoperability is needed”.

They disagreed about a couple of key details, which largely define the partisan gap on privacy legislation: whether congress should completely occupy the field and preempt states and whether private individuals – in reality, trial lawyers – should be able to sue companies that don’t follow the rules. Democrats, like Slaughter, tend to say yes to both; republicans, like Wilson, are on the no side.

Privacy is now a Made in California product

by Steve Blum

California’s data privacy law took effect yesterday, although formal regulations and active enforcement by the attorney general’s office don’t kick in until July. Even so, the AG plans to respond to complaints and monitor compliance with the bits of the law that do have teeth now. Until – unless – congress does something, the California Consumer Privacy Act (CCPA) is the national standard.

If you want confirmation, just look in your email inbox. If it’s anything like mine, it’s full of CCPA notifications. A similar flood of messages happened when the European Union’s data privacy regulations took effect last year. The notices were sent regardless of whether a customer lived in the EU or not, because it’s easier and safer to apply a single standard to everyone when it’s practical to do so. In the U.S., the path of least resistance is complying with California’s standard.

Microsoft certainly agrees

We are strong supporters of California’s new law and the expansion of privacy protections in the United States that it represents. Our approach to privacy starts with the belief that privacy is a fundamental human right and includes our commitment to provide robust protection for every individual. This is why, in 2018, we were the first company to voluntarily extend the core data privacy rights included in the European Union’s General Data Protection Regulation (GDPR) to customers around the world, not just to those in the EU who are covered by the regulation. Similarly, we will extend CCPA’s core rights for people to control their data to all our customers in the U.S.

Google jumped on California’s bandwagon, too. Its CCPA-compliant tools are available worldwide.

Although there seems to be general agreement in Washington, D.C. that something must be done, there isn’t consensus on what that something will be. The big question is whether or not to preempt state privacy laws and impose a single, national standard. A bipartisan draft produced by a house of representatives committee doesn’t offer an answer, because it’s still a partisan issue. Which means California might set the standard for some time to come.

Contract for the Web addresses virtues and vices of government intervention

by Steve Blum

The “Contract for the Web” campaign published its manifesto last week, titled, naturally enough, Contract for the Web. It’s a declaration of nine principles, including “make the internet affordable and accessible to everyone”, “respect and protect people’s privacy and personal data to build online trust” and “develop technologies that support the best in humanity and challenge the worst”, which are among the tasks the contract assigns to private companies. Individuals are urged to “be creators and collaborators on the web”, “build strong communities that respect civil discourse and human dignity”, and “fight for the web”.

The Contract was written by a wide range of companies and organisations, ranging from Google to Change.org to the German government, and the effort is led by Sir Tim Berners-Lee, the inventor of the World Wide Web. Even so, it’s been criticised for having no teeth. The likes of Facebook, Twitter and Microsoft have signed on to it, but there’s no guarantee that they’ll pay any attention to it.

True enough. There’s more to it, though.

The Contract opens with a clear call for government enforcement, and even intervention. The first three principles state that governments will…

  1. Ensure everyone can connect to the internet.
  2. Keep all of the internet available, all of the time.
  3. Respect and protect people’s fundamental online privacy and data rights.

Simply stating that a government – any government – should do something is of little consequence. But as governments adopt the Contract, in whole or in part, over time, it’ll grow teeth. And governments and subordinate agencies are doing that.

The details of the privacy principle track with the European Union’s general data protection regulation. Tasks to “ensure everyone can connect to the internet” include measures that local governments in California have already adopted, such as “dig once” policies and pole access agreements.

Regulatory agencies are in the game, too. For example, the Contract sets the goal that “1GB of mobile data costs no more than 2% of average monthly income by 2025”. The California Public Utilities Commission is considering affordability standards for broadband and other utilities that are heading in the same direction.

Government is far from being a universally benign force in the world, though, and the Contract recognises that fact too, for example calling for requirements that…

Government demands for access to private communications and data are necessary and proportionate to the aim pursued, lawful and subject to due process, comply with international human rights norms, and do not require service providers or data processors to weaken or undermine the security of their products and services.

That’s a message that the U.S. government needs to hear.

Fitbit deal tests Google’s willingness, ability to follow California privacy law

by Steve Blum

Google’s $2.1 billion purchase of Fitbit will, if nothing else, be an excellent test case for California’s new consumer data privacy law, which takes effect in January. The California Consumer Privacy Act (CCPA) requires companies above a certain size to let their customers know what kind of personal data is being collected and what it’s being used for, and gives individuals a level of control over the collection and use of their data.

The activity, location and health data collected by Fitbit devices is highly personal. It’s also highly valuable to Google’s business model. Which is about collecting, cross referencing and publishing data. Fitbit collects a flood of data from its users, and Google will be sorely tempted to mash it up with geo-referencing, email, search history and every other kind of data it has.

Most users probably won’t care, and will probably see a benefit from the kind of cross referencing Google might do – correlating heart rates to real time air quality data, for example.

But some users won’t like that at all. If Google is transparent about what it’s doing, and figures out a user-friendly process and interface to implement the procedures that CCPA mandates, users should have the knowledge and tools to control who else, if anyone, profits from their data.

That’s a big if, though. The functionality of fitness and activity trackers depends on the ability to transfer the data collected from the device to a platform that can store the data and perform value added analysis. If it’s done well, adding external data will increase the value of the analysis, but it also means commingling data sources, often in a complex way. Users have to understand that interplay in order to give (or withhold) informed consent. Figuring out how to do that with health and fitness data is about as hard as the problem gets.

Privacy is too complicated for California to understand, mobile industry panel says

by Steve Blum

California’s consumer data privacy law will be the default privacy standard across the U.S., at least for the coming year, and that’s upsetting the Washington, D.C. crowd. A panel discussion on privacy legislation at the Mobile World Congress trade show in Los Angeles last week featured three industry lobbyists, the head of an industry front organisation and a Federal Trade Commission lawyer. All of them are based in D.C., and shared Beltway-centric advice on who should be calling the shots.

The panel was dismissive of state lawmakers’ ability to deal with the complexities of issues that lobbyists and federal regulators have been dancing with since at least 2012, when the FTC published a lengthy set of consumer privacy protection recommendations. Michelle Rosenthal, a former FTC lawyer who left through D.C.’s revolving door and is now a staff lobbyist for T-Mobile, worked on that report and praised its sophistication and subtlety – they even used a whiteboard!

On the other hand, CCPA “was drafted very quickly and passed very quickly”, Rosenthal said. “A lot of the state legislation – which I won’t get into – you know, unfortunately happened so quickly that that process isn’t a thing”.

The discussion would have been better informed if organisers invited someone from, say, California or Nevada who could explain what their thing is. Electronic privacy has long been a policy issue in California, but Sacramento lawmakers didn’t “jump in” until federal regulators tore up their own rules. Even so, the first attempt to pass a Californian privacy law was shot down by the same big telecoms and tech companies that have been so helpful in D.C.

The panel members offered a not-so-surprising consensus on three points:

  • The federal government should set consumer privacy rules because everything will be complicated and everyone will be confused if state legislatures do it.
  • Congress isn’t going to do anything about it this year, and next year isn’t looking good either.
  • The California Consumer Privacy Act (CCPA), which takes effect in January, will be the de facto privacy rulebook for the rest of the country, at least until something even tougher comes along. Which could easily happen, because other states, including Nevada and Maine, are in the game now.

CCPA “in effect, could become, sort of, the law of the land as it becomes implemented”, said Melanie Tiano, privacy and cybersecurity director for CTIA, the mobile industry’s D.C. lobbying group (and a co-sponsor of the show).

“Firms just ratchet up to the highest standard, and that’s sort of the general rule of thumb, and that seems manageable”, said Jared Ho, an FTC privacy attorney. “It seems like one of the greatest concerns is going to be potential conflict”.


Draft rules for businesses add enforcement detail to California’s consumer privacy law

by Steve Blum

California’s tough consumer privacy law technically takes effect in January, but enforcement won’t begin until next July. The California attorney general has the job of writing the detailed rules that businesses will have to follow, and then enforcing those rules.

The first draft of those new rules was posted for public review and comment. They apply to businesses that have more than $25 million in “annual gross revenues”, or that collect or deal in “the personal information of 50,000 or more consumers, households, or devices”, or that deal in people’s personal information for a living.

Such businesses have to let customers know what kinds of information they’re collecting, and give them an easy way to opt out of any sale of their info to third parties. The California Consumer Privacy Act was designed with online businesses in mind – the default assumption is that businesses will post notices and receive opt out orders via their websites – but it applies equally to companies that have no online presence at all, or that only interact with customers in person. The draft rules cover those situations, too.

There are separate and stricter rules about gathering information from children and teens.

Opting out is not supposed to result in higher prices for consumers, unless a discount offered in exchange for permission to sell is “reasonably related to the value of the consumer’s data”. Otherwise, discounts have to be available on a non-discriminatory basis to all customers. The draft doesn’t provide a lot of guidance as to what’s discriminatory and what’s not, but it does offer a couple of examples, such as…

A music streaming business offers a free service and a premium service that costs $5 per month. If only the consumers who pay for the music streaming service are allowed to opt-out of the sale of their personal information, then the practice is discriminatory, unless the $5 per month payment is reasonably related to the value of the consumer’s data to the business.

Public hearings are scheduled around California to get input on the draft, and written comments can be submitted by the 6 December 2019 deadline.

California Department of Justice CCPA documents:
Proposed Text, California Consumer Privacy Act Regulations, 11 October 2019
Initial Statement Of Reasons, Proposed Adoption of California Consumer Privacy Act Regulations, 11 October 2019
Notice of Proposed Rulemaking Action, California Consumer Privacy Act, 11 October 2019
Economic and Fiscal Impact Statement, California Consumer Privacy Act Regulations, 14 August 2019
Standardised Regulatory Impact Assessment, California Consumer Privacy Act of 2018 Regulations, 14 August 2019

Proposed California initiative would toughen and lock in consumer privacy rules

by Steve Blum

The man behind California’s new privacy law doesn’t like what lobbyists are trying to do to it in Sacramento, and plans on taking his case directly to voters. In 2018, Alastair Mactaggart and his organisation – Californians for Consumer Privacy – collected enough signatures to get a tough privacy law on the ballot, but withdrew the initiative after a deal was cut with lawmakers to enact most of its provisions. But anything the legislature can do, it can also undo, so Mactaggart is going back to the voters. According to the initiative’s text, filed with the California attorney general’s office yesterday…

Even before the [California Consumer Privacy Act] had gone into effect, however, businesses began to try to weaken the law. In the 2019–20 legislative session alone, members of the Legislature proposed more than a dozen bills to amend the CCPA, and it appears that business will continue to push for modifications that weaken the law. Unless California voters take action, the hard-fought rights consumers have won could be undermined by big business.

If enough valid signatures are collected and it’s approved by voters, the initiative would generally tighten restrictions on the kind of personal information that businesses can collect from consumers and require them to disclose, in advance, “the specific purposes” for which the data will be collected or used, and to go back and notify consumers if they want to use the information for other reasons. It would ban the collection of personal information from children less than 13 years old without parental permission, and from teenagers between 13 and 16 without their permission. Consumers of all ages would gain the right to demand that a business delete or correct personal information, within limits, even if it was collected with permission.

The initiative would also create the “California Privacy Protection Agency”, with an initial budget of $5 million a year. It would be run by a five person, politically appointed board, and have the “power to audit a business’s compliance” with the new privacy law, including the authority to subpoena “books, papers, records or other items”. The agency could issue fines for violations.

If passed, the California legislature’s ability to water down the initiative’s provisions would be severely limited. Mactaggart needs signatures from more than 600,000 registered voters to get it on the 2020 ballot.

California’s consumer data privacy law survives lobbyist blitz, more or less intact

by Steve Blum

Big tech, big telecom and big business made a big push in the legislature to water down California’s landmark data privacy law, AKA the California consumer privacy act. They won some minor victories as the 2019 session ended, but did not succeed in making major changes.

A blog post by Christina Hyun Jin Kroll in the National Law Review has a good run down of the bills that did and didn’t make it out of the legislature and onto governor Gavin Newsom’s desk. Companies won a year’s delay in implementation of some of the protections that apply to employment-related information and data collected as a result of some business-to-business transactions, and expanded the scope of what can be considered “public information” that’s not subject to privacy restrictions. “Deidentified” and/or “aggregate” consumer information was also excluded – it’s no longer defined as “personal information”.

The battleground now moves out of the California legislature and into the governor’s and attorney general’s offices, and to federal lawmakers in Washington, D.C. Newsom has to decide whether to sign the bills into law (it’s expected he will). California attorney general Xavier Becerra has to issue detailed rules for complying with and enforcing CCPA. The law technically takes effect in January, but Becerra’s rules won’t kick in until July. His first draft is expected in the next few weeks.

So far, California is out in front of both the federal government and other states on privacy policy, which is making business interests nervous. Dozens of CEOs from major corporations signed a letter addressed to key congressional leaders that urges them to preempt state laws, because otherwise their customers might be confused by “rules that may change depending upon the state in which they reside, the state in which they are accessing the Internet, and the state in which the company’s operation is providing those resources or services”. Their altruism is touching.

There seems to be widespread agreement in D.C. that something should be done, but, naturally, no one can agree on what that something is. For now, California’s data privacy law is on track to become the de facto national standard.

California sits out Google anti-trust investigation

by Steve Blum

Attorneys general from forty-eight states, plus the Commonwealth of Puerto Rico and the District of Columbia, launched a joint anti-trust investigation against Google on Monday, looking specifically at how the company handles online advertising. The group isn’t accusing Google of anything in particular yet, but they have their suspicions and if those prove out, an anti-trust lawsuit is sure to follow.

Only two states opted out of the investigation: Alabama and California. The absence of California attorney general Xavier Becerra from the group is puzzling to many, and he isn’t offering any hints. According to a story in the Los Angeles Times by Suhauna Hussain, maybe Becerra has something else up his sleeve…

Citing a need to protect the integrity of “potential and ongoing investigations,” Atty. Gen. Xavier Becerra declined to say why he refused to join the chief law enforcement officers of 48 other states, plus Washington, D.C., and Puerto Rico, in examining the Mountain View-based internet giant’s dominance in online advertising.

Or maybe he has something else on his mind…

As a candidate for the House of Representatives, Becerra was the recipient of considerable largess from Google. From 2010 through 2016, Becerra’s campaign received $23,000 from Google’s corporate political action committee, Google Inc. NetPAC, according to Federal Election Committee records. Two Google executives donated $2,600 and $5,300, respectively, to Becerra’s campaigns over that span. Google also contributed $7,300 to Becerra’s 2018 campaign for attorney general, and $3,000 to Marshall’s, according to data from FollowTheMoney.org.

Another consideration is California’s new privacy law, which is of particular interest to online companies. Becerra is responsible for coming up with new rules and procedures, and enforcing them when the law takes effect in January. So he might be in some kind of legal or policy arm wrestling match with Google already. There are also two days left to go on the California legislature’s 2019 regular session, and there are bills in the hopper that could change that privacy law, in one direction or the other. Or both.