Tag Archives: privacy

Proposed California initiative would toughen and lock in consumer privacy rules

by Steve Blum

The man behind California’s new privacy law doesn’t like what lobbyists are trying to do to it in Sacramento, and plans on taking his case directly to voters. In 2018, Alastair Mactaggart and his organisation – Californians for Consumer Privacy – collected enough signatures to get a tough privacy law on the ballot, but withdrew the initiative after a deal was cut with lawmakers to enact most of its provisions. But anything the legislature can do, it can also undo, so Mactaggart is going back to the voters. According to the initiative’s text, filed with the California attorney general’s office yesterday…

Even before the [California Consumer Privacy Act] had gone into effect, however, businesses began to try to weaken the law. In the 2019–20 legislative session alone, members of the Legislature proposed more than a dozen bills to amend the CCPA, and it appears that business will continue to push for modifications that weaken the law. Unless California voters take action, the hard-fought rights consumers have won could be undermined by big business.

If enough valid signatures are collected and it’s approved by voters, the initiative would generally tighten restrictions on the kind of personal information that businesses can collect from consumers and require them to disclose, in advance, “the specific purposes” for which the data will be collected or used, and to go back and notify consumers if they want to use the information for other reasons. It would ban the collection of personal information from children less than 13 years old without parental permission, and from teenagers between 13 and 16 without their permission. Consumers of all ages would gain the right to demand that a business delete or correct personal information, within limits, even if it was collected with permission.

The initiative would also create the “California Privacy Protection Agency”, with an initial budget of $5 million a year. It would be run by a five person, politically appointed board, and have the “power to audit a business’s compliance” with the new privacy law, including the authority to subpoena “books, papers, records or other items”. The agency could issue fines for violations.

If passed, the California legislature’s ability to water down the initiative’s provisions would be severely limited. Mactaggart needs signatures from more than 600,000 registered voters to get it on the 2020 ballot.

California’s consumer data privacy law survives lobbyist blitz, more or less intact

by Steve Blum

Big tech, big telecom and big business made a big push in the legislature to water down California’s landmark data privacy law, AKA the California consumer privacy act. They won some minor victories as the 2019 session ended, but did not succeed in making major changes.

A blog post by Christina Hyun Jin Kroll in the National Law Review has a good run down of the bills that did and didn’t make it out of the legislature and onto governor Gavin Newsom’s desk. Companies won a year’s delay in implementation of some of the protections that apply to employment-related information and data collected as a result of some business-to-business transactions, and expanded the scope of what can be considered “public information” that’s not subject to privacy restrictions. “Deidentified” and/or “aggregate” consumer information was also excluded – it’s no longer defined as “personal information”.

The battleground now moves out of the California legislature and into the governor’s and attorney general’s offices, and to federal lawmakers in Washington, D.C. Newsom has to decide whether to sign the bills into law (it’s expected he will). California attorney general Xavier Becerra has to issue detailed rules for complying with and enforcing CCPA. The law technically takes effect in January, but Becerra’s rules won’t kick in until July. His first draft is expected in the next few weeks.

So far, California is out in front of both the federal government and other states on privacy policy, which is making business interests nervous. Dozens of CEOs from major corporations signed a letter addressed to key congressional leaders that urges them to preempt state laws, because otherwise their customers might be confused by “rules that may change depending upon the state in which they reside, the state in which they are accessing the Internet, and the state in which the company’s operation is providing those resources or services”. Their altruism is touching.

There seems to be widespread agreement in D.C. that something should be done, but, naturally, no one can agree on what that something is. For now, California’s data privacy law is on track to become the de facto national standard.

California sits out Google anti-trust investigation

by Steve Blum

Attorneys general from forty-eight states, plus the Commonwealth of Puerto Rico and the District of Columbia, launched a joint anti-trust investigation against Google on Monday, looking specifically at how the company handles online advertising. The group isn’t accusing Google of anything in particular yet, but they have their suspicions and if those prove out, an anti-trust lawsuit is sure to follow.

Only two states opted out of the investigation: Alabama and California. The absence of California attorney general Xavier Becerra from the group is puzzling to many, and he isn’t offering any hints. According to a story in the Los Angeles Times by Suhauna Hussain, maybe Becerra has something else up his sleeve…

Citing a need to protect the integrity of “potential and ongoing investigations,” Atty. Gen. Xavier Becerra declined to say why he refused to join the chief law enforcement officers of 48 other states, plus Washington, D.C., and Puerto Rico, in examining the Mountain View-based internet giant’s dominance in online advertising.

Or maybe he has something else on his mind…

As a candidate for the House of Representatives, Becerra was the recipient of considerable largess from Google. From 2010 through 2016, Becerra’s campaign received $23,000 from Google’s corporate political action committee, Google Inc. NetPAC, according to Federal Election Committee records. Two Google executives donated $2,600 and $5,300, respectively, to Becerra’s campaigns over that span. Google also contributed $7,300 to Becerra’s 2018 campaign for attorney general, and $3,000 to Marshall’s, according to data from FollowTheMoney.org.

Another consideration is California’s new privacy law, which is of particular interest to online companies. Becerra is responsible for coming up with new rules and procedures, and enforcing them when the law takes effect in January. So he might be in some kind of legal or policy arm wrestling match with Google already. There are also two days left to go on the California legislature’s 2019 regular session, and there are bills in the hopper that could change that privacy law, in one direction or the other. Or both.

Big broadband’s permission for, collection and use of customer info gets a federal review

by Steve Blum

The privacy practices of four major broadband service providers and one big disruptor are getting a hard look from the Federal Trade Commission. Comcast, AT&T, Verizon, T-Mobile and Google Fiber were given 45 days to produce detailed information about their business practices and subscribers, with particular emphasis on how they collect information about customers, whether it’s done with genuine permission, and what they do with it.

The information demanded by the FTC includes statistics on how many people actually read privacy policies, along with what promises to be a tall stack of those policies – every single one that’s been written by the companies, including copies that might be “different from the original because of notations on the copy”.

One particular concern of the FTC is whether the companies treat customers differently based on the degree of privacy they’re willing to surrender…

Has the Company ever offered different levels of service, quality of service, rates, pricing, rewards, or other incentives for consumers who opt-in to the collection of information about themselves, their Devices, their communications, their viewing history, or their online activities? If so, Describe in Detail such practices and produce Each materially different notice provided to consumers concerning the practice…

Has the Company ever denied service, or otherwise degraded the quality of service, for consumers who fail to opt-in to the collection of information about themselves, their Devices, their communications, their viewing history, or their online activities, beyond information that is necessary for the provision of Internet or cable services? If so, Describe in Detail such practices and produce Each materially different notice provided to consumers concerning the practice.

AT&T and Verizon will have to produce information about both their wireline and mobile subsidiaries. It’s probably a good assumption that Comcast will have to submit data about its wireless business practices too. One company that’s notably absent from the list is Charter Communications, which has nearly as big a market share as Comcast. Sprint is missing too, but it’s the smallest of the major mobile carriers and might not be around much longer anyway.

Intentional or not, the FTC’s fishing – whaling – expedition is a welcome response to a damning assessment by the federal general accounting office that the agency is largely clueless about the online world.

Federal online privacy cop needs direction, says GAO study

by Steve Blum

The federal government’s primary consumer protection agency – the Federal Trade Commission – doesn’t think too hard about policing online privacy violations, according to a report by the General Accounting Office. Generally, the FTC can act when a company engages in unfair or deceptive business practices. Figuring out what’s fair and what’s not in cyberspace is a complete puzzle, and impenetrable terms of service and other digital fine print typically give companies a get out of jail free card, the report notes…

Some stakeholders said that FTC relies more heavily on its authority to take enforcement action against deceptive trade practices compared with the agency’s unfair trade practices authority. This was confirmed in our analysis of FTC’s Internet privacy enforcement actions discussed previously. However, a representative from a consumer advocacy group said that FTC’s ability to take such action is limited practically to instances where a company violates its own privacy policy—companies generally can collect and use data in any way they want if they include language in their policies asserting their intent to do so. According to a former FCC commissioner, a privacy statute could clarify the situations in which FTC could take enforcement action.

The report notes that both California and the European Union have online consumer privacy laws in place, but there’s no federal equivalent in the U.S. It concludes with a recommendation to congress that it “should consider developing comprehensive legislation on Internet privacy”, including identifying which agency is responsible for what and, somehow, balancing “consumers’ need for Internet privacy with industry’s ability to provide services and innovate”.

There’s also an interesting list of FTC privacy enforcement actions at the end of the report. It summarises 101 cases over ten years, between 2008 and 2018. Most ended with no penalties or other meaningful result at all, although a rumored multibillion dollar smack at Facebook would, if true, change that calculus. A few resulted in million dollar-plus penalties but the remainder ended with relative slaps on the wrist. It’s a clear illustration of why the FTC needs better direction and motivation if it’s to be the “nation’s premier consumer protection cop”.

Spreading high tech wealth and restricting self-employment on California governor’s to do list

by Steve Blum

California governor Gavin Newsom took aim at technology companies during his state of the state address on Tuesday. Although bullish on California’s high tech economy, he dangled the possibility of a tax on data…

California is proud to be home to technology companies determined to change the world. But companies that make billions of dollars collecting, curating and monetizing our personal data have a duty to protect it. Consumers have a right to know and control how their data is being used.

I applaud this legislature for passing the first-in-the-nation digital privacy law last year. But California’s consumers should also be able to share in the wealth that is created from their data. And so I’ve asked my team to develop a proposal for a new Data Dividend for Californians, because we recognize that your data has value and it belongs to you.

He didn’t explain what a “data dividend” is, but given his long list of new and expanded state programs, it seems likelier that he’s thinking in terms of taxing tech companies rather than requiring them to send dividend checks to everyone.

Newsom also talked about changes in employment law but, again, was short on details. Referencing a California supreme court decision that limited the ability of individuals to work as self-employed contractors – Uber drivers, for example – Newsom called for…

A new modern compact for California’s changing workforce…to ensure technological advancements in AI, blockchain, big data, are creating jobs, not destroying them, and to reform our institutions so that more workers have an ownership stake in their sweat equity.

He plans to give the job of figuring out how to do that to a new commission that will include representatives from businesses, but also from labor unions, which have actively worked to hinder self-employment in California in the past.

There was no mention of broadband or other telecoms issues in Newsom’s speech, but he did talk about electric utilities, primarily PG&E. He promised to be an active participant in PG&E’s bankruptcy case, saying he’s “convened a team of the nation’s best bankruptcy lawyers and financial experts from the energy sector” to “seek justice for fire victims, fairness for employees, and protection for ratepayers” while never wavering on safety or pursuit of clean energy goals. As with most everything else, Newsom didn’t say how he would do all that, but at least he offered a 60-day deadline for coming up with answers.

New year but old questions for technology and telecoms policymakers

by Steve Blum

Five major broadband issues will top the public policy charts in California and at the federal level in 2019. In no particular order…

  • Net neutrality – The ball is in a federal appeals court in Washington, D.C., where arguments will be heard in February over whether the Federal Communications Commission acted properly in 2017 when it declared broadband is not a telecommunications service. California’s net neutrality law is on hold until that case plays out, which could take years. Congress is unlikely to act. In 2018, house democrats couldn’t even agree amongst themselves whether to overturn the FCC decision.
  • Privacy and data ownership – Big corporations with big political budgets will be urging congress, on the one hand, to preempt state privacy legislation with friendlier federal rules, and on the other hand they’ll be trying to water down California’s new privacy law. A bill that’s already been introduced in Sacramento could do that. The larger debate – who owns customer data, consumers themselves or the companies they share it with? – is just beginning. Congress, courts, regulators and administrators will be involved, but tech companies can get in front of the issue. 2019 is their opportunity to offer answers. If they don’t, governments will decide for them.
  • Monopoly vs. competition – Courts and regulatory agencies will decide whether competition continues to shrink as monopoly model ISPs grow. T-Mobile’s takeover of Sprint is under review by the FCC and the CPUC. The federal justice department gets a look too, and it continues to challenge AT&T’s purchase of Time Warner in court. Cable and telco lobbyists are whispering wishes into compliant republican ears at the FCC, this time with the aim of killing municipal broadband competitors. The CPUC looks at broadband affordability and the future of PG&E, one of the few remaining sources of independent dark fiber. It also has to decide if it’s serious about the conditions it puts on mergers and acquisitions, as it did with Charter’s purchase of Time Warner cable systems.
  • Local ownership and authority – Another federal court fight heats up, as an FCC order regarding wireless facilities is otherwise set to take effect on 14 January 2018. It limits what local government can do with property they own in the public right of way, restricts their authority to review permit applications, and sets shorter shot clocks for decisions. Lobbyists and lawyers for mobile carriers are already using the order to try to force cities to do their bidding, and they’ll be handing out cash to legislators in Sacramento, while asking them to bake FCC rules into California law.
  • Broadband infrastructure subsidies – Applications for grants from the rebooted California Advanced Services Fund (CASF) are due in April, and in a couple of weeks incumbent Internet service providers have a chance to exercise the right of the first night first refusal that California lawmakers gave them in 2017. Cash payments from AT&T, Comcast, Charter and other monopoly model ISPs tilted the playing field. The California Public Utilities Commission tried to level it a bit; we’ll see in the next few months whether CASF will improve broadband access in rural California, or simply be a $300 million slush fund for telcos and cable companies. The federal agriculture department is rolling out a $600 million rural broadband grant and loan program, with billions more on the way, and it’s better designed to benefit rural communities.

The players are changing, too. New CPUC and FCC commissioners will take their seats, and a new administration takes office in Sacramento. Not much has changed at the California legislature, though. Democrats have a super majority in both houses, with familiar faces leading key telecoms committees. Charter, Comcast, AT&T and Frontier know where to send the checks.

Consumer privacy law is back in play in Sacramento

by Steve Blum

Monday’s brief meeting of the California legislature didn’t produce any broadband-related bills, with the possible exception of a placeholder introduced by assemblyman Ed Chau (D – Los Angeles). Assembly bill 25 would amend the privacy bill that California lawmakers passed in 2018, but it doesn’t say how.

California’s new privacy law puts tight restrictions on how online companies can use customer data, and how they have to safeguard it. Chau was the author of that bill, which was passed as part of a deal to keep an even tougher privacy initiative off of the November ballot. But what the legislature gives, it can also take away. A coalition of various kinds of advocacy groups sent a letter to lawmakers on Monday, asking them to strengthen the law, and resist attempts to change it…

Irresponsible data practices lead to a broad range of harms, including discrimination in employment, health care, and advertising, data breaches, and loss of individual control over personal information. Technology practices and resulting concerns can limit adoption and use of new technology such as internet-connected devices, threaten e-commerce, and even decrease democratic engagement and speech. Many individuals do not understand and are worried about how their information is used or shared online. They feel that they have lost control of their data and they want government to protect them.

Whether or not consumers are really clamouring for more government protection is an open question. But there doesn’t seem to be much interest in having less, except among the telecoms and online services companies that opposed California’s new privacy law. Some of those companies give millions of dollars to lawmakers, and particularly to senators and assembly members that sit on key committees in Sacramento. With the help of those friends, their lobbyists are adept at carving up laws they don’t like. Chau’s new bill needs to be watched carefully.

California IoT law requires manufacturers to build security into connected devices

by Steve Blum

A pair of linked bills passed by the California legislature and signed into law late last month by governor Jerry Brown require manufacturers to preload passwords or install other security features on any kind of device that’s directly or indirectly connected to the Internet, beginning in 2020. Assembly bill 1906, carried by assemblywoman Jacqui Irwin (D – Ventura) and senate bill 327, authored by senator Hannah-Beth Jackson (D – Santa Barbara) are aimed at protecting privacy, and preventing the rise of botnets – networks of online devices that are infected with malware and used by cybercriminals for their own purposes.

The new law isn’t limited to consumer electronics products. Commercial and industrial devices – anything that’s part of the Internet of Things (IoT) – fall under the legislation’s broad definition…

“Connected device” means any device, or other physical object that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address.

Manufacturers will have to equip a device with “a reasonable security feature” that’s “appropriate” to its “nature and function” and the type of information it collects. Preprogrammed passwords are specifically mentioned as acceptable, as is forcing users to create a password or otherwise “generate a new means of authentication” the first time they use it.

Enforcement of the new law is limited to the attorney general, county district attorneys and city and county attorneys. It doesn’t create a new windfall for contingency fee lawyers.

Up until now, California law hasn’t had much to say about IoT security. A law passed in 2015 requires warnings on Internet-connected television sets with voice recognition features, and prohibits using recorded conversations for advertising purposes. A 2006 bill established similar consumer notice requirements for WiFi access points.

A third IoT-related bill – AB 2167 by assemblyman Ed Chau (D – Los Angeles) – died in the California senate on the final day of the legislative session. It was specifically aimed at “ingestible” sensors used for health monitoring.

California legislature to decide privacy, Internet commerce bills

by Steve Blum

Consumer privacy, police surveillance, online retailing, bots and social media were all targets of bills introduced this year in the California legislature. One major bill already passed, a couple are dead and the rest are queued up for a decision this week, as lawmakers prepare to finish up the 2018 session on Friday.

Assembly bill 375 established strict consumer data privacy rules. It was signed into law by the governor earlier this year. It’s being tweaked, though. Senate bill 1121 exempts some medical, financial and driving record information that’s already regulated by federal and/or state law. It also allows credit reporting agencies to continue to use personal information, whether or not consumers consent, to the extent permitted by federal law. It makes other changes, mostly regarding how the law is enforced.

As far as I can tell, the amendments are technical. But SB 1121 should put everyone on notice, too: the legislature can and will change California’s new data privacy law. Given the influence that lobbyists and their cash payments to lawmakers have in Sacramento, future changes may not be so benign.

Other bills introduced this year include…

  • AB 1906 and SB 327 – aimed at the Internet of things, these two linked bills require passwords and other security features on Internet-connected devices. Awaiting floor votes in the senate and assembly, respectively. Each will have to go back to its “house of origin” for concurrence votes on amendments made along the way.
  • AB 2167 – defines information gathered by ingestible sensors that collect or send information about an individual, and linked apps and devices, as protected medical information. On the senate floor, with assembly concurrence needed.
  • AB 2511 – requires merchants to “take reasonable steps to ensure that the purchaser is of legal age” for anyone who might purchase or view age restricted products or services. It was originally targeted only at online sellers, but now includes all businesses. The range of products and services covered was narrowed, too. Waiting for a floor vote in the senate, then would go back to the assembly for concurrence.
  • AB 2935 – adds privacy protections to health monitoring programs, online and otherwise. Would have had implications for fitness and athletic social media, such as Strava. It died in a senate committee.
  • SB 1001 – requires bots – computer programs that mimic people, used by companies to chat with customers – to identify themselves as such. Only applies to websites that get 10 million visitors a month. On the assembly floor now, with senate concurrence also needed.
  • SB 1186 – required local governments to disclose the types and uses of law enforcement surveillance technology. Quietly killed in the appropriations committee by assembly leadership.
  • SB 1424 – formerly a far reaching attempt to police free speech on the Internet, it was neutered as it moved through the legislative process and now just calls for the California attorney general to study “the problem of the spread of false information through Internet-based social media platforms”. If someone donates the money to do it. Awaits an assembly floor vote and senate concurrence.