July 2019

The Download - July 2019

Developments in eCommerce, Privacy, Internet Advertising, Marketing, and Information Services Law and Policy

Introduction

In this issue of The Download, we review hearings held by the House Financial Services Committee's Task Force on Financial Technology and the Senate Commerce Subcommittee on Transportation. We report on the National Institute of Standards and Technology's privacy framework development progress, the Federal Trade Commission's (FTC) 2019 PrivacyCon, and the FTC's request for public comment on the Children's Online Privacy Protection Act Rule. We also cover the passage of four California Consumer Privacy Act amendments in California's Senate Judiciary Committee. Across the pond, we examine happenings in the United Kingdom's Information Commissioner's Office including the release of their first annual report, an update report on adtech, and a speech on the future of advertising regulation.

Contents

Heard on the Hill

Around the Agencies and Executive Branch

In the States

International

Heard on the Hill

House Financial Services Committee's Financial Technology Task Force Holds Fintech Oversight Hearing

On June 25, 2019, the House Committee on Financial Services' (Committee) Task Force on Financial Technology (Fintech Task Force) convened its inaugural hearing titled "Overseeing the Fintech Revolution: Domestic and International Perspectives on Fintech Regulation." The Fintech Task Force, which is chaired by Congressman Stephen Lynch (D-MA), was created on May 9, 2019 alongside the Committee's Task Force on Artificial Intelligence (AI Task Force), which is chaired by Congressman Bill Foster (D-IL). Upon the formation of the AI and Fintech Task Forces, Committee Chairwoman Maxine Waters noted that the Task Forces were established to examine developments in the financial technology (Fintech) and artificial intelligence (AI) spaces, and to ensure that the Committee is equipped to develop AI and Fintech policy.

The hearing featured witnesses representing financial regulatory entities, including: (1) the Consumer Financial Protection Bureau; (2) the Office of the Comptroller of the Currency; (3) the Securities and Exchange Commission; (4) the Conference of State Bank Supervisors; and (5) the Financial Conduct Authority.

Over the course of the hearing, Fintech Task Force Members and witnesses discussed how the development of Fintech applications and AI has contributed to developments in the financial services space, and how the emergence of Fintech has affected consumers. Several Fintech Task Force Members addressed the potential privacy and data security implications of Fintech use among consumers. Fintech Task Force Chairman Lynch expressed concern that Fintech innovation may enable "mostly" unregulated companies to collect and use consumer data. With respect to Fintech development, Fintech Task Force Ranking Member French Hill (R-AR) noted that he hopes that regulatory costs are not overly burdensome and that consumers are protected.

Senate Commerce Subcommittee Holds Hearing on Examining Technological Innovations in Transportation

On June 25, 2019, the Senate Committee on Commerce, Science, and Transportation's (Committee) Subcommittee on Transportation (Subcommittee) held a hearing entitled "Examining Technological Innovations in Transportation." The hearing explored the effects of technological innovation and its deployment in the transportation industry. The hearing included five witnesses from the transportation industry and research institutions.

In her opening statement, Subcommittee Chairwoman Deb Fischer (R-NE) noted that her goal for the hearing was to see how technological innovations enable improvements in safety, efficiency, and mobility across the transportation sector. Subcommittee Ranking Member Tammy Duckworth (D-IL) emphasized Congress' role in supporting research and innovation in the transportation industry. Witnesses discussed the importance of innovation and the need for the development of standards as technological innovations expand in the transportation sector.

During questioning, the witnesses expressed support for the reauthorization of the Fixing America's Surface Transportation (FAST) Act[1] and the development of standards to improve the safety of autonomous vehicles. The witnesses noted that some technologies can be used to improve the safety and overall efficiency of autonomous vehicles, and that the use of these technologies should be part of the discussion regarding reauthorization of the FAST Act. For example, one witness from an industry organization emphasized that the use of blockchain technology in transportation can increase safety, energy, and economic efficiency. Witnesses also stated that the 5.9 GHz spectrum band should be used to support connected vehicle technology, thus facilitating transportation communications. Witnesses expressed concern for the lack of access to innovative transportation technology in smaller, rural communities, and encouraged consideration of this issue as part of the discussion around FAST Act reauthorization.

Members of the Subcommittee noted that discussions that occurred during the hearing would be used to guide reauthorization of the FAST Act.

Around the Agencies and Executive Branch

NIST Holds Webinar and Workshop as Part of Privacy Framework Development Process

The Department of Commerce's (DOC) National Institute of Standards and Technology (NIST) continues to develop and invite comment on the "NIST Privacy Framework: An Enterprise Risk Management Tool" (Privacy Framework), which NIST began as part of a DOC interagency privacy initiative undertaken in response to prompting from the White House's National Economic Council. On June 27, 2019, NIST held a webinar on "Preparing for Workshop #3" in advance of NIST's July 8–9, 2019 workshop entitled "Getting to V1.0 of the NIST Privacy Framework: Workshop #3." During the webinar, NIST officials discussed the development process for the Privacy Framework and highlighted the content and structure of NIST's April 30, 2019 Privacy Framework discussion draft. In particular, the webinar included a discussion of the relationship between cybersecurity risks and privacy risks and noted NIST's proposed definition of "data," which NIST defines as "a representation of information with the potential for adverse consequences for individuals when processed." NIST officials noted different ways in which the Privacy Framework may be used, including to review existing privacy practices, create a new privacy program, and communicate privacy requirements to stakeholders.

On July 8–9, 2019, NIST convened Workshop #3. The event featured discussion between NIST officials and industry stakeholders and focused on four objectives: (1) examining the purpose, value, and scope of the Privacy Framework for clarity and to encourage use of the Privacy Framework; (2) ensuring that the Privacy Framework is risk-based and flexible; (3) customizing the Privacy Framework for different organizations and accessibility; and (4) identifying gap areas, such as emerging technologies and privacy risk assessments. NIST officials emphasized that the Privacy Framework is not a checklist and that the objectives do not necessarily need to be completed in full. NIST officials stated that they plan to release a preliminary draft of the Privacy Framework "later this summer," but that they will accept comments throughout the development process. The first official version of the Privacy Framework is scheduled to be released by the end of 2019.

FTC Hosts 2019 PrivacyCon

On June 27, 2019, the Federal Trade Commission (FTC) held its fourth annual PrivacyCon event in Washington, D.C. PrivacyCon is an all-day event hosted at the FTC where privacy and security researchers, academics, industry representatives, consumer advocates, and the government discuss their views and present research on privacy issues. Prior to PrivacyCon, the FTC sought research presentations with a focus on empirical and economic considerations. FTC officials and participants representing industry, consumer advocacy, and academia offered presentations and participated in a series of panel discussions. Among other topics raised during the day, much of the discussion related to the potential development of federal privacy and data security legislation, existing privacy and data security laws, companies' data practices and privacy policies, and consumer behavior and preferences about data privacy and security.

The event was divided into four sessions, each with two moderators from the FTC. The first session focused on privacy policies, disclosures, and permissions. Panelists, most of whom were academics, took the view that there is a need to increase transparency in disclosure practices and to have comprehensive, detailed privacy policies for compliance and accountability purposes. One panelist, Kassem Fawaz, a professor from the University of Wisconsin-Madison, noted that interfaces should be designed to show users unexpected uses of information. Another panelist, Christine Utz, a professor at Ruhr University Bochum, said that she observed the appearance of privacy policies on websites increasing by 5% after the EU General Data Protection Regulation (GDPR) came into effect and that the average length of policies increased by 50%.

The second session addressed consumer preferences, expectations, and behaviors. Part of the discussion centered on the potential development of federal privacy legislation and regulations, with at least one panelist advocating for such legislation. Katie McInnis, of Consumer Reports, expressed support for granting consumers data access, correction, and deletion rights. The Children's Online Privacy Protection Act was also discussed. Another panelist, Kristen Walker, a professor at California State University Northridge, advocated for establishing a national data privacy education campaign aimed at children and teens.

The third panel focused on online data collection and advertising. Several panelists asserted that the GDPR brought more attention to data privacy, but also argued that inaction on the part of regulators has enabled websites to return to their pre-GDPR practices. On the same panel, sensor data from the "Internet of Things" was also discussed. Anupam Das, a professor from North Carolina State University, stated that there are other beneficial uses for sensor data collection, such as fraud detection, but that control over and transparency about sensor data are vital.

In the last session of the conference, panelists discussed vulnerabilities, leaks, and data breaches. A few panelists described studies in which they found that mobile applications allegedly did not adhere to the privacy parameters set forth in the companies' terms. Yixin Zou, a student from the University of Michigan, presented research finding that most consumers ignore breach notifications due to notification "fatigue."

FTC Request for Public Comment on the COPPA Rule

On July 17, 2019, the Federal Trade Commission (FTC) announced a Request for Public Comment on its implementation of the Children's Online Privacy Protection Act[2] through the Children's Online Privacy Protection Rule (the Rule). The Commission's last review of the Rule culminated on January 17, 2013, with the publication of amendments to the Rule.[3] The Request for Public Comment explains that the FTC elected to expedite its 10-year review of the Rule in order to address questions about the Rule's application to educational technology, voice-enabled connected devices, and general audience platforms. While these issues may have motivated the Rule review, the FTC is requesting comment on all major provisions of the Rule, including definitions, notices, parental consent requirements, exceptions to verifiable parental consent, and the safe harbor provision, in addition to standard questions about the effectiveness of the Rule and whether sections should be retained or modified.

Among other topics raised in the Request for Public Comment, Question 14 asks for input on the "support for internal operations" exception, which permits websites and online services to collect persistent identifiers (and no other personal information) for certain activities without parental notice and consent. The FTC asks whether additional activities, such as advertising attribution, should explicitly be covered by the exception. Question 25 is directed at the application of the Rule to general audience platforms that offer access to child-directed content uploaded by third parties. One challenge for industry stakeholders interested in responding to this question is that the FTC does not define the term "platform."

Written comments must be filed with the FTC by October 23, 2019.

In the States

California's Senate Judiciary Committee Advances Certain CCPA Amendments

On July 9, 2019, California's Senate Judiciary Committee (Committee) held a hearing to consider a number of bills, including certain legislation that would amend provisions of the California Consumer Privacy Act (CCPA).[4] The Committee advanced at least four CCPA amendments relevant to the advertising community (AB 25, AB 846, AB 874, and AB 1564), while one notable amendment (AB 873) failed to pass. The contents of each proposed amendment are detailed below:

  • AB 25 - Employment-related information.[5] The Committee passed AB 25, a bill that proposes to temporarily carve out certain employment-related information from the scope of the CCPA. The bill would exempt the following information from the CCPA until January 1, 2021:
  1. Personal information collected by a business about a natural person in the course of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business, so long as such information is collected and used in an employment context;
  2. Personal information collected by a business that is emergency contact information of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business, so long as such information is collected and used solely within the context of having an emergency contact on file; and
  3. Personal information that is necessary for the business to retain to administer benefits for another natural person relating to the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business to the extent that the personal information is collected and used solely within the context of administering those benefits.
  • AB 846 - Customer loyalty programs.[6] The Committee approved AB 846, which would create a new section of the CCPA to clarify that businesses may offer a different price, rate, level, or quality of goods or services to a consumer, including offering goods and services at no fee, as long as such an offering is in connection with a consumer's voluntary participation in a loyalty, rewards, premium features, discounts, or club card program. However, the bill also explicitly states that a business may not sell the personal information it collects through loyalty, rewards, premium features, discounts, or club rewards programs.
  • AB 874 - Publicly available information.[7] The Committee passed AB 874, a bill that redefines "publicly available" to mean information that is lawfully made available from federal, state, or local government records. The legislation would remove the CCPA requirement that such information be used for a purpose compatible with the purpose for which it is maintained and made available in government records. In addition, the bill would clarify that personal information does not include consumer information that is de-identified or aggregate consumer information.
  • AB 1564 - Methods for consumers to request disclosure of personal information.[8] The Committee approved AB 1564, a bill that would amend the CCPA-required methods for consumers to request the disclosure of their personal information. The bill still requires businesses to make two or more designated methods for submitting CCPA requests available to consumers (including, at a minimum, a toll-free telephone number). However, the bill would remove the requirement that businesses provide an email address for such requests. Under the proposed legislation, only a business that operates exclusively online and has a direct relationship with the consumer from whom it collects personal information is required to provide an email address for receiving CCPA requests.
  • AB 873 - De-identified information.[9] The Committee declined to pass AB 873, a CCPA amendment that would have inserted the word "reasonably" into the statute's definition of "de-identified." This addition would have clarified that information is de-identified if it does not identify, and is not reasonably linkable, directly or indirectly, to a particular consumer. Although the Committee declined to approve AB 873 during its July 9, 2019 hearing, the bill was granted "reconsideration," meaning that upon an appropriate motion, legislators may have a second opportunity to vote on the matter.[10]

Although the Committee passed four out of the five CCPA amendments detailed above, the full State Assembly and Senate still must consider and pass the amendments before they can become law. The California legislature adjourned for its summer recess on July 12, 2019, and legislators are scheduled to return to Sacramento on August 12, 2019. After the legislature resumes its regular session, legislators will have until September 13, 2019 to pass any CCPA amendments. California Governor Gavin Newsom will then have until October 13, 2019 to sign or veto any such legislation passed by the legislature.

International

ICO Issues Its First Annual Report under GDPR

On July 8, 2019, Elizabeth Denham, the United Kingdom's (UK) Information Commissioner and head of the UK Information Commissioner's Office (ICO), issued the Information Commissioner's Annual Report and Financial Statements 2018–19 (Report).[11] The Report, published to Parliament, summarizes the ICO's activities during the past year with respect to its duties under the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018 (DPA), amongst other legislation.

The Report describes the ICO's efforts in building public awareness of GDPR and the DPA, including the implementation of its "Your Data Matters" campaign, which contributed to a 72% increase in user traffic (9.5 million users) to the ICO's website in 2018.[12] The Report further details how the ICO sought to engage with Data Protection Officers (DPO) and small- and medium-sized enterprises (SME) in relation to the GDPR and DPA. The ICO recognized that "GDPR and DPA 2018 have placed a significant responsibility on DPOs"[13] but was encouraged by a survey that showed "74% of DPOs said they were satisfied or very satisfied with the airtime they get with the senior leadership at their organisation with data protection issues."[14] To further the goal of helping organizations meet the evolving regulatory landscape, the ICO is "exploring establishing a 'one-stop shop' for SMEs within the ICO."[15]

The Report also highlighted that in the next year, the ICO will be delivering four statutory codes of practice, which are required under the DPA: (1) Age Appropriate Design Code; (2) Data Sharing Code; (3) Direct Marketing Code; and (4) Data Protection and Journalism Code. The ICO further anticipates providing guidance on the use of personal data in political campaigns.

With respect to enforcement, the Report details the ICO's issuance of 11 "assessment notices"[16] and high-profile investigations into the Metropolitan Police Service, Her Majesty's Revenue and Customs, and Cambridge Analytica. The ICO also issued over £3 million in fines in the past year under earlier data protection legislation, the Data Protection Act 1998. With respect to reports of personal data breaches (PDB), the ICO received 13,840 PDB reports, an over four-fold increase over the prior year. Notably, the ICO required data controllers to take no further action in 82% of the PDB reports it closed and issued a civil monetary penalty in only 0.05% of cases. The Report states the ICO will continue to "target[] [its] most significant powers on organisations and individuals suspected of repeated or willful misconduct or serious failures to take proper steps to protect personal data."[16]

ICO Issues Report on Adtech, Real Time Bidding, and GDPR

On June 20, 2020, the United Kingdom's (UK) Information Commissioner's Office (ICO) issued a report discussing the relationship between the advertising technology (adtech) industry, real time bidding (RTB), and the General Data Protection Regulation (GDPR). The report is titled Update report into adtech and real time bidding (Report). The Report examined the current state of affairs in the adtech ecosystem's compliance with GDPR. The Report focused on transparency, consent, the data supply chain, and the legal basis for processing relied on in the adtech industry. The Report stated that consent is required to engage in RTB, and that the adtech industry is failing to meet consent and transparency requirements set forth in the GDPR.

The Report identified several privacy risk factors related to RTB and the data processing required for the practice to function. The risks identified by the Report are profiling and automated decision-making, large-scale processing (including of special categories of data), use of innovative technologies, matching data from various sources, tracking of geolocation of online behavior, and "invisible" processing. The Report indicated that these risks mean that RTB practices should require a mandatory data protection impact assessment. Additionally, the Report noted that some of the data fields in an RTB request include special data categories (or could be used to infer such data), including location, political affiliation, union membership, race and ethnicity, and health data.

Based on its findings, the Report stated that "legitimate interest" is not a lawful basis for processing in the RTB ecosystem and that consent is required. Additionally, the Report called into question the RTB industry's use of a Transparency and Consent Framework (TCF). The Report stated that the TCF vendor list "does not include all RTB actors" and the "services that implement the TCF are still able to use third parties that are not on the list as there is no industry, sectoral, or legal requirement or control preventing this."[17] As a result, the Report concluded the TCF "mechanisms do not provide any controls to individuals about the use of cookies or similar technologies by" organizations that are not part of the TCF vendor list.[18] The Report also noted that "[c]ookies used for the purposes of online advertising (not just RTB, but all types of online advertising) require prior consent" under the GDPR.[19] The ICO made clear that it does not consider RTB technology to be inherently illegal, but that companies using it must do so in a GDPR-compliant manner. The ICO stated that its next steps will include continued information gathering, engaging with adtech stakeholders, cooperation with other data protection authorities across the EU, and further review of the industry in six months.

ICO Official Delivers Speech on Online Advertising Regulation

On July 11, 2019, Simon McDougall, the Executive Director of Technology Policy and Innovation at the United Kingdom's Information Commissioner's Office (ICO), delivered a speech on "the future of online advertising regulation." McDougall announced that the ICO has made review of the advertising technology (adtech) sector a priority, focusing on transparency, the lawful basis for this type of advertising, and the security of personal data.

According to McDougall, the ICO is primarily concerned with two areas of the adtech industry: (1) how special category data is processed within real-time bidding (RTB); and (2) the reliance on contracts for sharing data across the supply chain. McDougall explained that certain types of "special category" data, such as health data, are "highly sensitive personal information," and the General Data Protection Regulation (GDPR) requires explicit consent before processing this type of data.[21] However, McDougall suggested that many people are likely unaware that this personal information is processed within RTB. The GDPR also requires organizations to be accountable for who they share personal data with; however, McDougall opined that this requirement is not met "when a single real-time bid request can be seen by potentially hundreds of organizations."[22] Thus, McDougall stated that many of these RTB practices appear to be unlawful.

Rather than issuing information or assessment notices, the ICO has decided to give the industry six months to review and respond to these concerns. McDougall emphasized that this response should not be mischaracterized as "slow"—rather, this should serve as a "wake-up call" for the industry.[23] The ICO plans to work directly with firms to encourage industry change as it continues to develop an understanding of advertising technology. After this six-month period, the ICO will undertake another review of the industry. If fundamental changes have not been made, the ICO will consider enforcement actions.

Endnotes

[1] P.L. 114–94.
[2] Children's Online Privacy Protection Act of 1998, 15 U.S.C. §§ 6501–6506 (West 2018).
[3] Federal Trade Commission, Final Rule Amendments, 78 Fed. Reg. 3972 (Jan. 17, 2013).
[4] Cal. Civ. Code §§ 1798.100–199.
[5] AB 25, 2019–2020 Reg. Sess. (Cal. 2019), https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201920200AB25.
[6] AB 846, 2019–2020 Reg. Sess. (Cal. 2019), https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201920200AB846.
[7] AB 874, 2019–2020 Reg. Sess. (Cal. 2019), https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201920200AB874.
[8] AB 1564, 2019–2020 Reg. Sess. (Cal. 2019), https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201920200AB1564.
[9] AB 873, 2019–2020 Reg. Sess. (Cal. 2019), https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201920200AB873.
[10] See CALIFORNIA LEGISLATURE, Joint Rules of the Senate and Assembly for the 2019–20 Regular Session, Rule 62(a), https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201920200SCR1.
[11] Elizabeth Denham, Report Presented to Parliament pursuant to Section 139(1) of the Data Protection Act 2018 and Section 49(1) of the Freedom of Information Act 2000 and Accounts Presented to Parliament pursuant to Paragraph 11(4) of Schedule 12 to the Data Protection Act 2018 (July 8, 2019), https://ico.org.uk/media/about-the-ico/documents/2615262/annual-report-201819.pdf.
[12] Report at 16.
[13] Report at 17.
[14] Report at 18.
[15] Report at 19.
[16] Under the DPA, "[t]he Commissioner may, by written notice (an 'assessment notice'), require a controller or processor to permit the Commissioner to carry out an assessment of whether the controller or processor has complied or is complying with the data protection legislation." Data Protection Act 2018 (c. 12) § 146(1).
[17] Report at 22.
[18] Id. at 19.
[19] Id.
[20] Id. at 18.
[21] Id.
[22] Id.
[23] Id.