August 25, 2023

Last week's big news in privacy


California aims to take a hot poker to data brokers

California lawmakers have introduced the “Delete Act,” or SB 362, which aims to extend the CCPA’s reach on opt-out requests. The act would allow Californians to click once to indicate their deletion or opt-out requires for all data brokers, as well as their associated service providers and contractors. As JD Supra reports, it would create a “do not sell” list for data brokers targeting the state’s residents.

Under the proposed act, data brokers are defined as a business that “knowingly collects and sells to third parties the personal information of a consumer with hom the business does not have a direct relationship.”

If it passes, data brokers would have to comply with deletion requests on August 1, 2026, and they would be required to continuously delete the consumers’ personal data at least once every 31 days. Really clean things out, you know?

Fines for failure to register as a data broker comply stand at $200 per day, and an additional $200 per day for each deletion request failure.

Obviously, the data broker industry doesn’t like this bill. POLITICO reports that the Interpublic Group, a giant conglomorate of ad networks, is “pulling out all the stops” to fight it.

The POLITICO scoop uncovered an Aug. 14 email from Interpublic Group CEO Sheila Colclasure to executives, “We would like to mount an ‘opposition campaign’ using in-house digital advertising capabilities, targeting California.”

Their campaign method involves using the same personal data that Californians could ask to have deleted to launch targeted ads opposing the bill. Acxiom CEO Chad Engelgau has kindly pledged that his company would provide the data to target the ad campaign.

What a time to be alive!

This week, 404 Media reported a network of hackers have gained access to individuals’ credit history data and are selling it in online messaging groups like Telegram. Because credit bureaus have exceedingly valuable information on people, years ago they decided to share or sell some of it with third parties, like debt collectors, insurance companies, and law enforcement. Now, hackers have tapped into what’s called “credit header data,” the information credit bureaus receives from credit card companies, which includes name, birth date, current and prior addresses, Social Security number, and phone number. The 404 Media journalist, Joe Cox, was able to purchase that data and more in chatrooms aimed at facilitating “swatting” for a mere $15 in Bitcoin. $20 if you want the Social Security number, too.

In the meantime, the Consumer Financial Protection Bureau is looking at the data broker industry to figure out its approach to some new rules under the Fair Credit Reporting Act to deal with the data broker marketplace.

A couple of advocacy groups have asked the FTC to investigate whether Google and YouTube are being naughty by delivering personalized ads on YouTube channels made for kids. As CYBERSCOOP reports, Fairplay and the Center for Digital Democracy want the FTC to investigate if that behavior violated COPPA, as well as Google’s 2019 settlement with the agency in 2019. In that case, as you’ll recall, Google and YouTube paid $170 million for collecting kids’ personal information without parental consent.

The kids’ space is almost on pace with state privacy laws lately. Congress has been considering updating COPPA for awhile now, and then there’s the Kids Online Safety Act. Both are on their way to the Senate floor, having succeeded in getting voted ouf of the Senate Commerce Committee.

Other developments in the space include:

  • Microsoft’s recent $20 million FTC settlement over COPPA violations.
  • Amazon’s recent $25 million settlement over COPPA violations via Alexa.
  • New laws in Utah, Arkansas and Louisiana requiring parental consents for access to children’s accounts on certain platforms.
  • The FTC’s policy statement warning ed tech about forthcoming scrutiny.
  • California’s Age-Appropriate Design Code (in effect).

In addition, the Entertainment Software Rating Board – which is an authorized COPPA Safe Harbor – has asked the FTC to approve a new mechanism for obtaining parental consent under COPPA. Yoti and SuperAwesome have asked the agency to deem their “privacy-protective facial age estimation” software as a verified solution for COPPA compliance. The technology analyzes a users’ facial geometry to determine their approximate age.

The Entertainment Software Rating Board wrote in an op-ed for the IAPP that, “One advantage of privacy-protective age estimation for COPPA and emerging laws is that people like it. SuperAwesome reports, whenever facial age estimation is available as an option for parental consent outside the U.S., more than 70% of parents choose it over other methods.”

For now, the FTC will mull whether to approve Yoti and SuperAwesome, as the debate over the best way to verify ages on websites rages on.