Data Digest № 021

Data Digest ¦ September 29th, 2019, 11:00 pm

Welcome to the 21st edition of the Data Digest, where I sum up the most important happenings in the data industry. This week: the Nevada Privacy Bill goes into effect, Mactaggart launches a new ballot initiative, Alexa asks for your trust in Amazon, DoorDash dashes away from a data breach, Facebook tries to take over your health care, and more. Enjoy!

The California Consumer Privacy Act (CCPA) Versus The Nevada Privacy Bill (SB 220)

While some companies’ CCPA compliance efforts focus on avoiding statutory fines, such as the $7,500 damages per person per incident, others invest in building out user-friendly compliance infrastructures to build a trusted relationship with their customers, founded in transparency and control. CCPA, the nation’s most comprehensive consumer privacy law ever, is planned to go into effect at the start of next year. However, a much less publicized privacy law will come into effect in Nevada as of tomorrow. Senate Bill 220 (SB-220), which Nevada officially approved on May 29, 2019, amended Nevada’s existing online privacy regulation from 2017 (NRS 603A.300-603A.360). Since the new law did not provide a specific effective date, under Nevada ruling, SB 220 goes into effect October 1, 2019.

SB 220 introduces two new additions. First, consumers have a new right to opt out of data sales. The Nevada data privacy law previously required companies to post a privacy policy that defined the types of information collected by operators through their website or online service, and the third parties with whom the operator would share the information. SB 220 now extends the existing legislation with the requirement that companies must give people a way to request that the sale of their data for monetary consideration be stopped. This can be achieved through a dedicated email, toll-free number, or website address where such opt-out requests can be issued. It’s important to note that the opt-out requirements stipulated in SB 220 are much less extensive, as they are limited to the sale of personally identifiable information (PII) that was collected by an operator through a website or online service. CCPA, on the other hand, also includes the sale of any personal information collected about a consumer, regardless of the channel it was collected through, and includes exchanges for any type of valuable consideration. Furthermore, there are no provisions in SB 220, such as the right of access, that would allow customers to understand the data they are creating before issuing an opt-out request. Because it’s unclear whether a user can limit the opt-out to specific data assets, it’s likely that all opt-out requests will result in full opt-outs. While this might seem like a lower bar for companies to pass, and therefore a blessing, it may actually end up being a dire curse. Instead of customers issuing opt-out requests for very specific data assets and use cases, SB 220 will force a lot of customers to issue opt-out requests preventing companies from processing any of their data, even though that’s not what the customer initially intended.

The second addition to the existing Nevada data privacy legislation is that the law fully exempts healthcare and financial institutions subject to GLBA and HIPAA, among others, from the scope of this law by excluding those institutions from the definition of “operator.” This means that not only will these GLBA- and HIPAA-covered entities be exempt from the consumer rights requirements of SB 220, but once it goes into effect in October, they will not be required to comply with Nevada’s existing privacy notice requirements.

For a side-by-side comparison of the differences between SB 220 and CCPA go to our latest blogpost:

The California Consumer Privacy Act (CCPA) Versus The Nevada Privacy Bill (SB 220)

The California Consumer Privacy Act (CCPA) garnered a lot of attention and appeared in many headlines in the past few months. Most businesses across the United States have already spent a significant amount of time and resources evaluating the CCPA to decide what steps they need to take to become compliant by the end of this year. A much less publicized privacy law is Senate Bill 220 (SB-220), which Nevada officially approved on May 29, 2019, and that amended Nevada’s existing online privacy regulation from 2017 (NRS 603A.300- 603A.360). Since the new law did not provide a specific effective date, under Nevada ruling, SB 220 went into effect on October 1, 2019.

Mactaggart Launches A New Ballot Initiative For 2020 Election

Alistair Mactaggart, whose efforts two years ago resulted in the California Consumer Privacy Act (CCPA), has launched a new ballot initiative for the 2020 election. The initiative would grant internet users in California further rights for their sensitive information, such as their health, location and financial data, specifically targeting the way companies harness data to serve ads or make decisions. The initiative would require that consumers give their permission for such data to be sold and would give consumers the ability to block companies from monetizing such data through targeted advertising. That would be a huge step forward in terms of data privacy, as opt-in puts the burden on companies, not on consumers. To explain this a bit further: in the case of opt-out, the consumer must locate the companies dealing with his/her data. Especially in the extremely complex B2B world of advertising, that is a tremendous undertaking, and it’s unlikely that consumers will spend the immense amount of time required to research and opt out from all companies processing their data. In the case of opt-ins, the entire equation is changed. Now all companies processing consumers’ data will need to get in touch with these individuals to get their consent to process their data. Now the burden is on the companies! And a lot of these companies, who have done business in the shadows with customers’ data for years, definitely don’t want one thing: for the people whose data they are dealing with to know about them. Therefore, changing from opt-out to opt-in would be a huge leap for data privacy.

The amendments proposed by Mactaggart would also enact the creation of an agency to enforce consumer privacy protections and enforce tougher penalties for data mishaps. Companies would have to disclose and demystify their algorithms when such software is used to profile someone, particularly when applicable to employment prospects, housing, credit cards, loans or other key services. Furthermore, it would require that companies disclose if they ever use data to shape the outcome of an election.

Mactaggart’s first attempt to draw privacy protections into law, with the CCPA, drew wide public support and obtained twice as many signatures as he needed to put the matter to a referendum, forcing legislators, tech companies and privacy advocates to compromise. He claims that the bill “now seems insufficient,” in an open letter announcing the new initiative which cites Facebook’s involvement with Cambridge Analytica and the security breach at Equifax. Many businesses, privacy advocates and consumers have pushed for federal regulation to set a national standard for online privacy. Washington, however, seems to be caught in the crosshairs of partisan gridlock, industry lobbyists and pure indecisiveness even after years of daily privacy scandals. Mactaggart estimates that he would need over 1 million signatures to put his proposal in front of voters next November.

Privacy activist in California launches new ballot initiative for 2020 election

The activist who spurred the state to adopt the country's first-ever consumer privacy law is pushing an initiative that would be even tougher on big tech companies.

Using Alexa Requires Your Trust In Amazon

“Every time Alexa expands into some new domain, more trust is required — and every time the service screws up, that trust gets harder to maintain. Seen from that perspective, the new privacy measures could be too little, too late.”

This cutting statement was one of many after Amazon’s hardware event last Wednesday, where the e-commerce giant tried to substantiate its stance that “[p]rivacy cannot be an afterthought when it comes to the devices and services we offer our customers. It has to be foundational and built in from the beginning for every piece of hardware, software, and service that we create.” The statement came with several new privacy features rolled out to give users more control. For instance, a feature on the Echo Show 5 lets you set “privacy zones” where a part of the camera’s view will be impossible to record or view live. There were several other features put in place to convince you that Amazon was taking its new thoughts on privacy seriously when it came to its set of smart speakers and cameras. However, the message was paired with a rollout of several invasive ways to install networked microphones in an array of personal items, such as glasses, alarm clocks and even jewellery. Therefore, to many, Amazon’s claims appeared to be unsubstantiated. As Russell Brandom put it, “the underlying transaction is the same: data for convenience.”

To use Alexa, you have to trust Amazon

You’re trading privacy for convenience — and the deal keeps getting worse

DoorDash Data Breach Affected 4.9 Million People

Approximately 4.9 million consumers, Dashers, and merchants who joined the DoorDash platform on or before April 5, 2018, are affected by a data breach which occurred in May this year. The type of information accessed included names, email addresses, delivery addresses, phone numbers, hashed and salted passwords, driver’s licenses, and in some cases the last four digits of credit card and bank account information, which is not sufficient to make fraudulent charges on a payment card. In response to the breach, DoorDash stated, “We have taken a number of additional steps to further secure your data, which include adding additional protective security layers around the data, improving security protocols that govern access to our systems, and bringing in outside expertise to increase our ability to identify and repel threats.” If you were affected by the data breach, you should go to ASAP.

Important security notice about your DoorDash account

We take the security of our community very seriously. Earlier this month, we became aware of unusual activity involving a third-party…

You Don’t Want Facebook Involved With Your Health Care

In the same way you don’t want Facebook involved with your love life, you definitely don’t want them involved with your health care. Correlating data captured by, among others, Facebook and Amazon with medical data, and the ensuing field of “prescriptive analytics for preventable harm,” has the interesting potential to make people’s lives a lot better. For example, linking the emoji one uses to early warning signs of the onset of burn-out or depression can help intervention happen at the right time and would tremendously increase the quality of life of a lot of individuals. In an article in the Journal of the American Medical Association from January, Facebook’s Head of Health Research, Freddy Abnousi, details Facebook’s vision for deploying its data mining business in health care. In it, he argues that “health researchers need to pay more attention to social determinants of health data from social networks and combine that information with health records to improve patient outcomes.” However, the big question is not just whether it’s useful. The question is at what cost it’s useful. And that cost is a direct function of how the underlying data is treated, which is exactly the question that Facebook generously overlooks. It is paramount that the data leveraged for “prescriptive analytics” is not touched by any of the companies providing and utilizing the data. This means that companies supplying medical data won’t get Facebook data and Facebook won’t get the medical data. Both companies need to place the data in a neutral territory where the computations are performed, namely a Trusted Execution Environment. If any of the companies involved in the development of these new technologies cannot commit to these data standards, it is doubtful that their intentions are solely focused on developing said technology.
Especially in the case of Facebook, it must be taken into consideration that what they are actually interested in is capturing even more data on its users in order to better target them with ads. In the case of the $3.85 trillion health care industry, it is easy to see how Facebook would have its eyes set on luring in companies with big budgets advertising their products. If Facebook cannot agree to disintermediating itself from the data capture involved in the process of developing these new technologies, its efforts are nothing more than a ‘greenwashing’ of its data collection at best, or a land grab of medical data at worst. On the topic of the latter, let’s not forget that Facebook previously tried to combine social and medical data without patients’ consent, an effort which was also led by Abnousi.

You Don’t Want Facebook Involved With Your Health Care

This new approach to health care data makes us vulnerable to increased surveillance, digital profiling, and manipulation in the most intimate of settings.

What I'm Reading:

How to Make the Most of Apple’s New Privacy Tools in iOS 13 (Published 2019)

We tested the new suite of privacy tools in Apple’s latest mobile software, from minimizing location sharing to silencing robocalls.

Privacy concerns could derail unprecedented plan to use Facebook data to study elections

Funders of unique data-sharing initiative to pull out at end of month

- The Washington Post


