On February 25, 2022, the Utah Senate unanimously (28-0) passed Senate Bill 227, also known as the Utah Consumer Privacy Act (Privacy Act). The 2022 session adjourned on March 4, and Utah Governor Spencer Cox has 20 days from that date to either sign (or not sign) the bill, after which it becomes law, or veto the bill, in which case it does not become a law unless the legislature overrides the governor’s veto. The Privacy Act would become the fourth comprehensive state consumer privacy law in the United States.
Vineet Singal, co-founder and CEO of CareMessage, a messaging platform for health safety net organizations, joins Dominique and David to share why he created CareMessage out of his original work in San Francisco’s Tenderloin neighborhood. He talks about why he turned down a scholarship to medical school to continue this work, and why he is so passionate about helping underserved populations manage their conditions and take responsibility for their health. Vineet describes how CareMessage grew from a Stanford undergraduate project to become the largest patient engagement program in the United States and discusses the types of data held by CareMessage and other healthcare clinics, as well as how they ensure their HIPAA compliance. Vineet also explores how the COVID-19 pandemic has been a critical component of CareMessage’s growth in ways he could not have anticipated when he started the company in 2012.
Daniella Ballou-Aares, CEO & Co-Founder of the Leadership Now Project and a Senior Advisor at Dalberg, joins David to discuss how corporate CEOs and corporations are taking direct action to support voting rights and how they are looking for an innovative model of sustained and strategic engagement to fix democracy. Most importantly, Daniella identifies with precision and clarity why measuring big data is important in preserving democracy, how supporting voting rights and a sustained democracy serves the interests of corporations and their shareholders, and why private sector leadership in this area is important, not only for democratic principles but for the long term interests of shareholders and business success.
For the second year in a row, amidst a wave of biometric lawsuits in other states, Maryland legislators have introduced a new biometric privacy law mimicking the Illinois Biometric Information Privacy Act (BIPA). In 2021, a similar proposed law (HB 0218) failed to make it past committee hearings and was withdrawn by its sole sponsor, Maryland House Delegate Sara Love.
Devin Banerjee, editor at large at LinkedIn News, joins Dominique and David to share his passion for business journalism. He discusses how writing business articles and updates for a social media company differs from more traditional publications where writers do not receive instantaneous feedback. He addresses C-suite awareness of the importance of cybersecurity and the damage that ransomware wreaks on an organization. Devin also dives into how LinkedIn identifies influential and high-quality contributors in different industries and brings them into the conversation on the platform.
Listen to “Devin Banerjee: Editor At Large at LinkedIn | The Expanding Interest in Digital Assets – Episode 45” on Spreaker.
Nishant Bhajaria, head of technical privacy and governance at Uber, joins David and Dominique to discuss how he has helped companies focus on data privacy. He outlines reputational risk versus better data and governance and why protecting data leads to better products, a more intelligent workforce, and a more engaged customer. They discuss why the amount of data being exchanged by companies and customers today is unlike any we’ve seen before and how transparency to consumers and enhanced data privacy is critical for a company to thrive. Nishant also shares how his newest book, Data Privacy: A Runbook for Engineers, is the first leading text for engineers on how to design, develop, and measure the effectiveness of privacy programs.
Listen to “Nishant Bhajaria: Head of Technical Privacy and Governance at Uber | Making Privacy a Priority – Episode 44” on Spreaker.
Ben Strick, director of investigations for the Centre for Information Resilience and Myanmar Witness, joins David Biderman and Dominique Shelton Leipzig to share how his team uses investigative techniques to document and expose human rights violations, identify perpetrators and victims, and assist social justice groups from Myanmar to Cameroon and around the globe. He describes why this process serves as a way of holding a mirror to society and forcing us to take responsibility for the hate and violence in the world. Ben also explains how the open source investigative community deals with privacy and General Data Protection Regulation (GDPR) legislation, particularly when using photographs.
On Friday, January 28, the world celebrated its 16th Data Protection/Privacy Day. As the privacy community capped off a week of programming and gazed into the future of potential data privacy enforcement, the celebrations were quickly overshadowed by California Attorney General Rob Bonta, who announced that his office was targeting businesses operating loyalty programs for potential enforcement actions. According to Bonta, his office issued “notices to business[es] that operate loyalty programs and use personal information in violation of California’s data privacy law.” Accordingly, it is expected that a plethora of businesses may soon receive notices of noncompliance. Once a business receives a notice of noncompliance, that business will have 30 days to cure or fix the alleged violation before an enforcement action is initiated. Enforcement actions may result in penalties of up to $7,500 per violation, which can quickly accrue to significant amounts.
As the use of facial recognition and other biometric technology expands, so too has litigation under the Illinois Biometric Information Privacy Act (BIPA). Nearly 2,000 cases have been filed, the vast majority of them in Illinois. Late last year, the Illinois First District Appellate Court issued two key decisions.
As the world turns anew in 2022, a seismic shift is underway in the AdTech industry as detailed in the first part of this Requiem for a Cookie series: online tracking technology as we know it is likely undergoing a permanent change. More specifically, the third-party cookie, which has been the dominant method for tracking online user behavior, is quickly being phased out—and in many instances pushed out by regulators. Out of the ashes of soon-to-be outdated tracking techniques, however, arise multiple privacy-forward alternatives. Which technique or techniques will ultimately replace third-party cookies, however, is unclear, and 2022 is expected to bring clarity to the plethora of alternative options currently vying for dominance.
Pushing for third-party cookie eradication and leading the charge into new alternatives, Europe is a key incubator for new development in the space. Most notably, the Belgian Data Protection Authority (BE DPA) is spearheading a reanalysis of the Transparency and Consent Framework (TCF) implemented by the Interactive Advertising Bureau (IAB). Broadly adopted within the AdTech industry, the TCF stands today as the dominant consent solution utilized to satisfy EU members’ affirmative consent requirements. But the days of TCF’s prevalence appear to be waning as the BE DPA is expected to imminently release a decision confirming alleged infringements by the IAB arising from use of the TCF—specifically violations of the General Data Protection Regulation (GDPR) consent and transparency principles. As of the date of this article, the BE DPA is awaiting potential feedback from other European data protection authorities on its draft decision regarding GDPR infringements, and it is expected that this will be one of the first major privacy developments in the AdTech space of 2022.
Given the uncertainties around TCF, many AdTech players have been implementing new techniques that are expected to eventually replace third-party tracking cookies. The French data protection authority Commission Nationale de l’Informatique et des Libertés (CNIL) already released a statement warning individual consumers and data subjects that “the end of the use of third-party cookies does not mean the end of tracking Internet users online.”  To make sense of the array of alternatives that are in development, the CNIL categorized prominent alternative technologies into four categories, as described below:
- First-party cookies and fingerprinting. While the eventual deprecation of third-party cookies is anticipated, the vitality of first-party cookies appears strong. Often necessary for certain operations and for website functionality, first-party cookies are only created and stored on the website a user directly visits. The CNIL cautions, however, that first-party cookies can still be exploited by third parties, as they can be configured to “return data via URL calls on the advertiser’s domain.”  A similar tool is known as “fingerprinting” and is another tracking technique whereby the information provided by a user’s browser regarding the technical specifications of a user’s hardware (e.g., the operating system or screen size) is collected and used to build a user profile. This information, when sufficiently specific, can be used to track users in a manner similar to cookies.
- Single Sign-On (SSO). Primarily used to facilitate a user’s online connection, SSO allows the user’s account to follow the user while browsing other related websites to which the user’s credentials apply. The account can then be used as a tracker across those websites.
- Unique Identifiers. By tracking users via hashed data relating to a unique identifier (for example, Apple’s Identifier for Advertisers or IDFA), third parties can use the login information and email addresses to link usage of various services.
- Cohort-based Advertising Targeting. Primarily pioneered by Google’s Federated Learning of Cohorts (FLoC), cohort-based targeting avoids targeting individuals by instead clustering a large group of people with similar interests and assigning the group a unique identifier. This enables individuals to effectively “hide in the crowd” while allowing advertisers to reach appropriate audiences.
In addition to the above methods identified by the CNIL, several other creative tracking solutions are gaining traction within the AdTech industry and are expected to make gains in 2022. First, on one end of the cohort-based spectrum is micro-grouping, where small groups of users (between three and five users) are tracked as a single entity in real time. Zero-party data, where users intentionally elect to share their preferences and intentions (e.g., a user answering a survey administered by the website host), is data that comes straight from the source, and is regaining popularity in marketing. Conversion measurement is getting an overall facelift, but perhaps most specifically through Google’s Privacy Sandbox, where notably, Google announced that it is seeking to use “privacy-preserving techniques like aggregating information, adding noise, and limiting the amount of data that gets sent from the device.”  Hearkening back to more traditional techniques used for generations within the print advertising industry, contextual targeting relies on the content of the website a user is visiting instead of user data gleaned from third-party cookies; for example, a website concerning parks and recreation may feature advertising for hiking gear or outdoor clothing to all website visitors, not specific, targeted individuals. The above methods appear to be gaining traction in the AdTech industry, and 2022 is expected to not only bring further developments in these techniques, but also to spotlight clear “winners” in the bake-off to replace third-party cookies.
Regardless of which technique or techniques the AdTech industry eventually chooses as the replacement for third-party cookies, it will be imperative that these techniques are designed and implemented with privacy compliance in mind. Along these lines, the CNIL propagated a firm reminder that under existing European privacy laws, any action that creates an individual or group profile and involves targeted advertising will require prior consent of the user–even if no personal data is processed.  Users must be able to “choose freely and in an informed manner” to refuse such tracking, and indeed, public demand for user choice is expected to continue, as recent years have indicated user focus on privacy transparency and choice. Ultimately, 2022 could prove to be a watershed year in the AdTech industry and may signify the final crumble of third-party cookies.
 Alternatives to third-party cookies: what consequences regarding consent? (Nov. 23, 2021), https://www.cnil.fr/en/alternatives-third-party-cookies-what-consequences-regarding-consent.
 Building a privacy-first future for web advertising (Jan. 25, 2021), https://blog.google/products/ads-commerce/2021-01-privacy-sandbox/.
 See Alternatives to third-party cookies, supra at  (citing the ePrivacy Directive and Art. 82 of the French Act on Information Technology, Data Files and Civil Liberties).