The California Assembly passed two industry-favored bills tweaking the California Consumer Privacy Act. Members voted 73-0 Wednesday for AB-873, tweaking definitions of “personal information” and “deidentified” in CCPA; and 77-0 for an insurance industry exemption under AB-981 (see 1904240037). The bills go next to the Senate.
Florida victims of illegal robocalling by All Us Marketing got refund checks, Florida Attorney General Ashley Moody (R) said Thursday. The FTC is mailing 305 checks totaling $314,945, the commission said. The company allegedly tried to trick consumers into paying $300 to $4,999 upfront for a program that falsely promised to reduce credit card interest rates. Florida and the FTC won a permanent injunction after complaining in 2015.
Sens. Ron Wyden, D-Ore., and Rand Paul, R-Ky., on Wednesday introduced a bill that would prevent police from conducting warrantless searches of Americans’ phones and laptops through exceptions to the Fourth Amendment’s requirement for probable cause or a warrant. The Protecting Data at the Border Act is co-sponsored by Sens. Edward Markey, D-Mass., and Jeff Merkley, D-Ore. Rep. Ted Lieu, D-Calif., is introducing a House companion bill. The legislation would require law enforcement to explain user rights before people consent to giving access to their devices or provide social media account names and passwords.
About one-third of internet users “never” read the fine print and another 39 percent only sometimes read it when agreeing to terms of service from online companies, the Brookings Institution reported Tuesday. Brookings polled some 2,000 adult internet users May 8-10. Nearly 70 percent said online privacy is “very important” to them. About half said there should “definitely” be one consistent standard for handling of data, and 73 percent said companies should “definitely” be required to get consumer consent to collect personal data.
About 15 percent of the tech industry regards security and data privacy as a risk factor, the Internet Association said Thursday, releasing a Q4 report. The report listed the top five risks cited by publicly traded companies in their quarterly and annual filings. Security and data privacy ranked fourth in the top five most commonly cited risks to internet sector companies. Competition ranked third, with 10 percent reporting it as a risk. Product and services development was No. 1, with 49 percent. Economics and financial conditions were No. 2, at 23 percent. Market was fifth at 13 percent.
The California Consumer Privacy Act (CCPA), since it covers Californians no matter where they are and since industry hasn't been able to rally around one alternative, is set to become the default set of privacy protection rules for the nation, Harris Wiltshire privacy lawyer Becky Burr said Friday at the FCBA annual retreat. CCPA will apply to a broader and deeper data set than the EU's general data protection regulation, meaning "significant" reworking of systems needs to be done before it takes effect Jan. 1, she said. "There's a bit of a scramble going on." There's much industry consensus that federal pre-emption is needed to avoid a proliferation of competing state laws, she said in Hot Springs, Virginia. Among proposals in Congress, most agree on the need for a larger role for the FTC, but they disagree on other topics like private rights of action, she noted. Burr said federal legislation that pre-empts CCPA seems unlikely to come to pass, and meanwhile 30-plus states are kicking around their own form of privacy bills. While the California legislature also is looking at changes to CCPA, a risk is that a significant change could give rise to another ballot initiative like the one that prompted creation of the law in the first place, she said. She said the idea of eliminating the right to cure before fines kick in for violations is dead with state lawmakers, but other provisions moving through the legislature would clarify its non-applicability to employees and contractors, modify its definition of personal information and eliminate the requirement that companies maintain a toll-free line for allowing consumer opt-outs.
The major national wireless carriers told FCC Commissioner Jessica Rosenworcel they are no longer selling location information from customers. Rosenworcel posted letters she had received from AT&T, Sprint, T-Mobile and Verizon, in response to her questions. “The FCC has been totally silent about press reports that for a few hundred dollars shady middlemen can sell your location within a few hundred meters based on your wireless phone data,” Rosenworcel said Thursday. “That’s unacceptable. I don’t recall consenting to this surveillance when I signed up for wireless service -- and I bet neither do you.” Sprint is “currently only using one location aggregator to provide [location-based service] to two customers with a public interest -- a provider of roadside assistance for Sprint customers, and a provider that facilitates compliance with state requirements for a lottery that funds state government,” the carrier said. The others reported they’re out of or exiting the business. “Except for four roadside assistance companies, Verizon terminated its location aggregator program in November of 2018,” the provider said: “Verizon terminated the arrangements with the four remaining companies at the end of March 2019.” Rosenworcel said the public deserves answers. “It is chilling to think what a black market for this data could mean in the hands of criminals, stalkers, and those who wish to do us harm,” she said.
AT&T's artificial intelligence "guiding principles" are human oversight; open source "communities whenever appropriate"; and "ethics, safety, and values" including "our privacy principles and security safeguards." The ISP/MVPD uses "varied, validated datasets and diverse human input," it said Wednesday. "We use a transparent approach to algorithms that includes safeguards." The company monitors "outcomes to ensure accuracy and help minimize biases." When "outcomes are owned by people, no one should be able to claim, 'The machine did it,'" blogged Chief Privacy Officer Tom Moore. "No organization will be perfect, but that’s what humans must try to anticipate, catch and repair." Even as many organizations have advanced their own AI and privacy principles, some widely endorsed ones exist, noted Electronic Privacy Information Center President Marc Rotenberg. The "benchmark for AI policy" is the EPIC-established Public Voice coalition's universal guidelines for artificial intelligence, or UGAI, he said in an interview. Possibly later this month, the Organisation for Economic Co-operation and Development may announce its 38 member countries endorsed OECD guidelines, "which reflect many of the principles contained in the UGAI," said Rotenberg, who has worked on the issue. The U.S. would be among the signers. The White House didn't comment. All OECD members and Argentina, Brazil, Colombia and Costa Rica "are due to formally endorse a new set of AI Principles designed by the OECD, next Wednesday" at the group’s annual ministerial meeting, a spokesperson emailed. AT&T meanwhile actively participates "in discussions with industry organizations, such as Linux Foundation, IEEE and Future of Privacy Forum, on a variety of AI topics," a company spokesperson emailed. That includes "AI and ethics, responsible development and deployment of AI" and machine learning, he added.
Congress should pass federal privacy legislation that includes civil and criminal penalties for data misuse and empowers the FTC to police consumer privacy, the Interactive Advertising Bureau said Tuesday. Go beyond calls for do-not-track standards, wrote CEO Randall Rothenberg and Executive Vice President-Public Policy Dave Grimaldi. Critics pushing an end to user tracking are responsible for “an incorrect, noxious notion that consumers are de facto victimized by the use of their data,” they said. Consumer safety issues won’t be completely solved by eliminating tracking, they wrote. Industry should adopt “standardized mechanisms by which they will protect consumers, the way auto manufacturers are required to install seat belts and air bags to protect consumers,” they wrote.
The Assembly passed a proposed tweak to the California Consumer Privacy Act (CCPA) changing a requirement that businesses give consumers two or more ways to submit information requests. Members voted 73-0 Monday to send to the Senate AB-1564, under which businesses would be required to give either a toll-free number or an email and physical address, plus a web form if they have a website, for consumer information requests. The Assembly amended but left pending AB-1138, which would prohibit social media sites from allowing children under 13 to sign up without parental consent. The amendment would let companies use any FTC-verified method to comply. The Senate Appropriations Committee placed another privacy bill (SB-564) in the committee suspense file. The bill lays out when an individual has a cause of action against someone who distributes sexually explicit material depicting the person, and related procedures and requirements. The committee plans to weigh that and Attorney General Xavier Becerra’s (D) proposed tweaks to CCPA (SB-561) at a Thursday hearing. The committee also Monday placed on suspense SB-603, a bill to authorize a small independent phone corporation to initiate a rate case at the California Public Utilities Commission through either an advice letter or application. The Assembly unanimously passed AB-956 Monday to clarify that automatic dialing devices may be used once a year to test 911 for data accuracy and emergency alert capabilities. It would let phone companies share personal information without prior consent for the purpose of issuing an emergency alert or testing the alert system.