Maneesha Mithal’s Post

As the House holds a hearing this morning on data privacy legislation, we highlight the significant impact that the current draft of the The American Privacy Rights Act would have on businesses, nonprofits, and government entities that use targeted advertising to reach interested customers - an issue that deserves attention. The bill, "as presently drafted, would significantly hinder beneficial and legitimate data processing activities, such as data-driven advertising, public safety, and important identity and fraud solutions that ensure the security of online transactions, to the detriment of individuals and businesses alike. If APRA is enacted as presently drafted it could create a less competitive and fair marketplace, diminishing the availability of information and offerings for individuals," we write. "We will work with all willing members of Congress to refine the APRA to provide robust protections for consumers while allowing responsible uses of data to continue to benefit consumers and power the data-driven economy."  https://lnkd.in/eW53jPAZ

BREAKING: U.S. Congress is ready to go to work on privacy in a big way and has a date ready for its preliminary work. The House Committee on Energy and Commerce announced this evening that it will hold a subcommittee hearing on a laundry list of privacy and online safety bills April 17. The proposed American Privacy Rights Act tops the list while other notable legislation to be debated includes the Kids Online Safety Act, the Children's Online Privacy Protection Act 2.0. This is not a markup and no votes will take place. This is merely a fact-finding mission for members facilitated by Reps. McMorris Rodgers and Pallone. A first step in what is expected to be a long stakeholder process, especially if multiple bills are being tied together in any way. Here's the E&C hearing notice:

California Attorney General Rob Bonta, Senator Nancy Skinner, and Assemblymember Buffy Wicks introduced the California Children’s Data Privacy Act (AB 1949), landmark legislation seeking to provide more robust protections for kids’ data privacy. See https://lnkd.in/ecxEksgq. AB 1949 would require the California Privacy Protection Agency, on or before July 1, 2025, to solicit broad public participation and adopt regulations, as specified, to further the purposes of the act, including, but not limited to, issuing regulations to establish technical specifications for an opt-out preference signal that allows the consumer, or the consumer’s parent or guardian, to specify that the consumer is less than 13 years of age, or at least 13 years of age and less than 18 years of age, and issuing regulations regarding age verification and when a business must treat a consumer as being less than 13 or 18 years of age for purposes of the CCPA. Aram Zucker-Scharff notes that "It is unfortunate that this would mean a signal that would 1. almost certainly be used by people who are above the target age as a proxy for ad blocking. 2. be leaking that a user is underage (U18) to unscrupulous websites that could and will misuse that information." He adds, "A signal that gives information about a user seems... highly likely to be misused." Robin Berjon Andrew Folks Bailey Sanchez Keir Lamont

Must-read: A Signal for Child Privacy. Robin Berjon. See https://lnkd.in/gx_UhR37. An age-gating system that is basically cookie banners with some kind of age prompt. Needless to say, that’s horrendous from a user perspective. And that’s before you get into issues with the secondary data uses that age-gating management platforms engage in. A signal at the HTTP level (or similar) indicating that the current user is a child, or some similar mechanism flagging users as children. This is terrible on many levels: that type of information should absolutely not be made available to arbitrary parties, and specifically signalling this fact will lead to a degraded experience that will encourage children to seek ways to disable the signal. (At which they will succeed.) What we want is a system that automatically triggers child privacy protections, without a user interface, but that also doesn’t reveal that a person is a child. Is that even possible? Yes, we can use the Spartacus method. Basically, you want to align the privacy rights of children with the privacy rights of any person who is using the Global Privacy Control, or GPC signal (eg. not sale of the data and no use of sensitive data, and there is no reason to believe that this couldn’t work just as well under the GDPR). Note that these privacy rights can be understood broadly for instance to include excessive engagement drivers or unfair nudging methods. You then turn on GPC by default for children, ideally using knowledge that sits at the OS or generally the user agent level thereby signally that the corresponding rights must be afforded. This creates a system in which children benefit from much broader privacy protections but are hidden in a wider group (of privacy-conscious adults) such that no one can tell that they are children. As part of this arrangement, it is important that services must not use the GPC for other types of age gating (eg. porn, alcohol) as that would constitute a loss of service that would violate the rights of the adults in the set. This approach is simple to specify and simple for businesses to implement, especially since it aligns with compliance requirements that many of them already operate under.

The recent passage of the Delete Act in California sheds light on the vast amount of personal data that exists and the various ways it can be monetized. It also highlights the potential for discrimination based on this data. Given the significance of this legislation, it raises the question of when a similar initiative might be implemented in the UK. As privacy concerns continue to grow worldwide, it's plausible that other regions will follow suit to protect individuals' rights and address the potential misuse of personal data. https://lnkd.in/ezaFNyew This development serves as a timely reminder for individuals and businesses to stay informed about data privacy regulations. How will you ensure that your data remains protected in today's digital landscape?

OOPS they did it again! No, it's not Britney, bruh. Last week, California AB 3048 passed out of committee and took one step closer to becoming law. The bill, introduced by CA Assemblymember Josh Lowenthal and sponsored by the California Privacy Protection Agency requires internet browsers to offer support for opt-out preference signals (hence, "OOPS"). OOPS is a browser setting allowing users to easily opt-out of the sale/share of their personally identifiable information in one step, as opposed to making requests to hundreds and hundreds of businesses that a consumer interacts with online. Some browsers supports and offer OOPS, but the vast majority currently do not. California privacy advocates hope that this bill will change all of that. How does your business website respond to OOPS? Do you process opt out requests for sale/share of PII manually or through an automated process? If you have questions about the process and legal expectations, we can help you out. Select the link below to read the bill in its current form. https://lnkd.in/g542RcrQ

New: I honed in on one important component of the American Privacy Rights Act discussion draft bill: the way it handles the largest, most-prolific purveyors of Americans' personal data. In its current form, the legislation would bring some much needed sunlight to an otherwise shady industry, forcing data brokers to identify themselves and their business model prominently on their websites, offer clear opt-out options for data collection and create a national registry to help policymakers and the public better track the industry. But critics said the measures lack the kind of harder regulatory bite that would meaningfully constrain the widespread sharing and selling of American data. https://lnkd.in/ed5PVapk

⚡ This week, the chairs of the House and Senate Commerce released a draft of the much-anticipated bipartisan bill on data privacy. If passed, the American Privacy Rights Act of 2024 would establish a national data privacy and security standard that would override the current patchwork of state legislation created in the absence of a comprehensive privacy bill. 💡 The bill comes at a time when the national conversation around AI and online child safety have raised new concerns around how much control consumers have over their data. https://lnkd.in/dfi6UTTe.

On May 19, the Minnesota legislature passed the Minnesota Consumer Data Privacy Act. Husch Blackwell's David Stauss and Brad Hammer note that the Minnesota bill contains several unique requirements and provisions. Learn more: https://lnkd.in/gvHe32Sg #consumerprotection #privacylaw #MinnesotaLegislation

"New bipartisan proposal aims to give Americans control over their data" A new bipartisan proposal called the American Privacy Rights Act (APRA) has been released by key House and Senate committee leaders, bringing Congress closer to passing comprehensive data privacy legislation. The proposal aims to limit the collection, retention, and use of consumer data by companies, giving users the ability to opt out of targeted advertising and have control over their data. It would also establish a national registry of data brokers and allow users to opt out of data sales. The legislation is seen as a landmark move to give Americans control over their information and hold Big Tech accountable. However, it is still uncertain if APRA will receive the necessary support for approval, with ongoing conversations and feedback expected before the bill is introduced. https://lnkd.in/g53ZxiAC Platform: WIRED Author: Makena Kelly #politics #onlineprivacy #dataprivacy #personalizeddata #legislation #bipartisan #privacyrights #techpolicyandlaw #data #congress #technology