Bipartisan legislation introduced Tuesday would require a warrant for police to access emails and other digital records, and let providers notify users when officials request data. Introduced by Rep. Suzan DelBene, D-Wash.; House Judiciary Committee Chairman Jerry Nadler, D-N.Y.; and Republican Reps. Jim Sensenbrenner of Wisconsin and Rodney David of Illinois, the Email Privacy Act would amend current law that allows police to “seize any email older than 180 days without a warrant.”

The Association of National Advertisers issued guidance on California Consumer Privacy Act compliance, though CCPA will be replaced in 2023 (see 2011040043). “This is no easy task given the nearly constant modifications ... and the seemingly never-ending compliance finish line,” Executive Vice President-Government Relations Dan Jaffe said Monday. The state DOJ revised CCPA rules Thursday (see 2012100065).

The California Justice Department again revised privacy rules Thursday, saying the fourth set of edits to the California Consumer Privacy Act responds to comments on previous revisions from October. One change clarifies “that a business selling personal information collected from consumers in the course of interacting with them offline shall inform consumers of their right to opt-out of the sale of their personal information by an offline method.” Another change involves a uniform button for consumers to opt out of selling personal information. Comments are due Dec. 28.

A Seattle ban on facial recognition remains necessary even as the city responded to one police detective using the technology improperly, said the American Civil Liberties Union in Washington state. Seattle denied using Clearview AI facial recognition last week (see 2012020057). Seattle Police Chief Adrian Diaz further explained in a Wednesday letter to the ACLU that a single SPD officer downloaded the software onto a personal device. “This matter has been referred to the Office of Police Accountability for investigation,” Diaz wrote in the letter shared with us by the city. “SPD does not use Clearview AI and has no intention of using Clearview AI. As Chief, I am committed to upholding the tenets of the Surveillance Ordinance and the civil liberties of our residents. Clearview AI’s business product is at odds with those two central priorities.” ACLU-Washington is glad “the department is addressing the downloading of unauthorized surveillance software,” but “this isolated action is not sufficient to protect Seattle residents from surveillance using this flawed, inaccurate, and racially biased technology,” said Technology and Liberty Project Manager Jenny Lee in a Thursday statement. She urged Mayor Jenny Durkan (D) to ban face surveillance to “clarify that no city employee should be downloading these systems.” A Durkan spokesperson pointed us to the city's 2018 surveillance transparency law.

Michigan voters appeared to approve a proposed constitutional amendment to require search warrants to access electronic data and communications. The proposal would apply the same conditions required for the government to get a warrant to search a house or seize a person’s belongings. With 72 of 83 counties reporting, about 88.8% voted yes. In California, another privacy ballot initiative was on the way to OK (see 2011040033).

Voters approved a sequel to the California Consumer Privacy Act (see 2011040028), as expected (see 2010230040). About 56% of voters supported the California Privacy Rights Act (CPRA), or Proposition 24, showed unofficial returns Tuesday. It would take effect Jan. 1, 2023. “We are at the beginning of a journey that will profoundly shape the fabric of our society by redefining who is in control of our most personal information and putting consumers back in charge of their own data,” said Prop 24 sponsor Alastair Mactaggart. CPRA “will sweep the country and I’m grateful to Californians for setting a new higher standard for how our data is treated,” said former Democratic presidential candidate Andrew Yang, Californians for Consumer Privacy chair. Opponents conceded Wednesday. “While we came up short, millions of California voters still realized now is not the time to pass a measure riddled with serious flaws that creates a costly new privacy bureaucracy,” said No on 24 Campaign Chairperson Mary Ross and Campaign Strategist Marva Diaz in a statement. They noted they reduced support from a July poll that showed 77% support. In Michigan, a privacy measure appeared to be OK'd (see 2011040040).

NTT Global Data Centers Americas is prohibited from misrepresenting privacy program compliance, the FTC announced with a 3-1-1 vote Wednesday in a settlement with the company over Privacy Shield allegations. Commissioner Rohit Chopra dissented. NTT, formerly known as RagingWire Data Centers, misrepresented its participation in the PS after certification lapsed in 2018, the FTC alleged. The settlement “does nothing to help these businesses or to meaningfully hold NTT accountable,” Chopra said, noting lack of monetary penalty, liability or relief for victims. Commissioner Rebecca Kelly Slaughter, who has been on intermittent maternity leave, didn’t participate. The company didn’t comment.

The Department of Homeland Security inspector general should investigate Customs and Border Protection “warrantless tracking of phones” in the U.S. (see 2009240051), Senate Democrats wrote Friday. “CBP is not above the law and it should not be able to buy its way around the Fourth Amendment,” wrote Ron Wyden, Ore.; Elizabeth Warren, Mass.; Sherrod Brown, Ohio; Ed Markey, Mass.; and Brian Schatz, Hawaii. Citing public contracts, they said CBP “paid a government contractor named Venntel nearly half a million dollars for access to a commercial database containing location data mined from applications on millions of Americans’ mobile phones.” DHS didn’t comment.

Three consumers had their “unique, biometric voiceprints” collected without their consent when they contacted call centers using Amazon Web Services and Pindrop Security voice authentication technologies, violating the Illinois Biometric Information Privacy Act (BIPA), alleged a complaint (in Pacer) Friday in U.S. District Court in Wilmington, Delaware. The suit seeks class-action status on behalf of others who made similar call center contacts. Plaintiffs suffered “significant damage” because their biometric data was “intercepted, collected, and disseminated without their knowledge or consent," substantially increasing the likelihood "they will suffer as victims of fraud and/or identity theft,” said the complaint. It seeks $5,000 in statutory damages for each “intentional and reckless” BIPA violation. AWS and Pindrop didn’t respond to questions Monday.

Customs and Border Protection should update and make privacy notices available for its face-scanning technology, GAO recommended Wednesday. CBP’s privacy notices aren’t always available where the technology is used or online, GAO said, noting CBP deployed the equipment in at least 27 U.S. airports. The Department of Homeland Security concurred with the recommendation.