TPC 42: California's New Privacy Law

A new privacy law is being voted on next month in California. It might change the way internet privacy is dealt with in all of the US, maybe even around the world. Plus: Do Not Track is back. Maybe, this time around, it will actually work.

Today on The Private Citizen, I look at some new privacy regulation and technology from the US and discuss what I feel is an inspiring court opinion on the constitutionality of the COVID-19 lockdowns.

But first things first: special thanks to Georges Walther for becoming a producer at the new Showrunner level!

A recording of the live stream of this episode is available on YouTube: Part 1, Part 2.

Proposition 24

As part of the November election in the US, voters in California get the option to expand the state’s privacy law (which I recently covered in episode 40 of the podcast). Like its predecessor, the California Consumer Privacy Act (CCPA), the new law has the potential to be very influential on all of the US.

While most of America is focused on the presidential vote, Californians have another important decision to make at the polls this November. They’re being asked to approve what will likely become the internet privacy law for the United States. Proposition 24, also known as the California Privacy Rights and Enforcement Act of 2020 (CPRA), is supposed to expand a landmark California privacy law that passed two years ago; there’s a good chance Californians will approve this one, too. It’s framed as legislation that will better protect their privacy – in particular, sensitive data such as Social Security numbers, race, religion, and health information. And while the proposed law technically governs the use and sale of data for Californians, California has an enormous impact on the tech industry, which means CPRA will become the de facto law for all of the US.

Among other impacts of the proposed law, it makes a point of protecting young people by mandating triple fines for infringements against consumers under age 16. It will allow consumers to restrict the use of geolocation data by third parties, effectively ending practices like sending targeted ads to people who’ve visited a rehab center or a cancer clinic. And it will fund the creation of an agency to protect consumer privacy.

Now this, as Vox points out, is bad for news publishers. And for the ad people (i.e. Google and Facebook).

From targeted advertising to personalization, data does a lot of work online. Unfortunately, two companies dominate data collection and therefore digital advertising. One big question about any privacy laws is whether they actually create more advantages for Google and Facebook instead of leveling the playing field for smaller competitors. We’ve seen this happen before. In Europe, which began enforcing a new privacy law in May 2018, big tech companies have been able to effectively neuter the law by implementing half-measures and exploiting loopholes while enforcement lags.

This is clearly a reference to the GDPR. Now, I had no idea what these loopholes are that they are criticising in such a vague way. So I looked it up. Here’s a recent example that I found.

The issue is somewhat complex but is worth a recap. It dates back more than seven years, when Austrian lawyer and privacy activist Max Schrems first complained to the Irish Data Protection Commission that the existing data transfer agreement between the EU and US, Safe Harbour, did not provide adequate protection from surveillance by American authorities. Following a long legal battle, in 2015, the European Court of Justice ruled that Safe Harbour was invalid but within a year Brussels and Washington had come up with another pact, Privacy Shield. Schrems argued that this new deal was still not strong enough and in July this year the ECJ agreed, outlawing Privacy Shield too, which had been used by nearly 5,400 businesses including Facebook, Amazon, Google, Experian, Acxiom, LinkedIn and Microsoft.

However, in its ruling on Privacy Shield, the ECJ also put the boot in to alternative transfer mechanisms, including so-called standard contract clauses (SCCs) and binding corporate rules, ordering that these should face greater scrutiny from both data controllers and regulators. At the time, Mishcon de Reya Partner Adam Rose said: “There must now be serious questions as to whether any transfers to the US can be valid. As a result of this, the regime used by some of the world’s biggest international groups must now also be open to challenge. Data protection authorities must intervene to stop transfers which are made to countries without an adequate level of protection.” Now, according to a report in the Wall Street Journal, the Irish DPC has issued a preliminary order to Facebook to stop using SCCs to transfer data to the US. But privacy group NOYB, which is fronted by Schrems, claims Facebook is not using either SCCs or corporate binding rules but a fourth legal basis for data transfers: the alleged “necessity” to outsource processing to the US under the contract with its users (Article 49(1)(b) of GDPR).

This means that any “preliminary order” by the Irish DPC on the SCCs alone will in fact not prevent Facebook from arguing that its transfers are still legal. NOYB claims that in practice Article 49(1)(b) of GDPR may be an appropriate legal basis for very limited data transfers (for instance, when an EU user is sending a message to an American user), but cannot be used to outsource all data processing to the US. Schrems said: “We obviously welcome the notion that the Irish DPC is finally moving towards doing its job after seven years of procedures and five court decisions, all of which upheld our position. However, this move by the DPC may lead to another half-hearted decision. “The leak about a secret ‘preliminary order’ against Facebook shows that the Irish DPC was trying to run a secret procedure without the complainant. While such an order should have been issued in 2013, we are very concerned that the DPC is again only embarking on a limited investigation that will not fully determine all aspects of the case. “We will therefore take the appropriate legal action in Ireland to ensure that the rights of users are fully upheld – no matter which legal basis Facebook claims. After seven years, all cards have to be put on the table.”

Interesting! And something I will look into in detail for future episodes. For now, let’s get back to the Vox piece on the California Privacy Rights and Enforcement Act.

The good news for consumers and news publishers alike is that CPRA seeks to close any loopholes in the previous privacy law the state passed two years ago. For starters, the law is supposed to more clearly limit data collection and use for third parties – companies you don’t expect to get access to your data when you visit a news site – while allowing publishers to continue to use data they generate on their own sites. That unbridled data surveillance by some big tech companies outside of their own user-facing services – that is, Google and Facebook’s ability to track you even when you’re not on their properties – has undermined consumer trust in the entire digital economy. Giving consumers the ability to control their own data should help restore some of that trust.

Lastly, and maybe most importantly, the CPRA closes loopholes that could be exploited by big tech platforms. One aspect of this is what we’re calling “the switch language,” which clearly aligns the obligations of third parties to serve the interests of consumers. It notes that when a consumer exercises their opt-out rights and a publisher passes their choice along to all the companies with which it works (third parties), those companies must stop reusing that consumer’s data for any other purpose. This essentially forces those companies to revert to the role of a service provider. The “switch language” also prevents any wiggle room by not allowing contracts to override this requirement. As publishers experienced in Europe, platforms like Google and Facebook often use their unbalanced negotiating leverage to force publishers to sign over these data rights, so this section is hugely important for individual publishers that do not have the leverage to force Google or Facebook to stop mining data off their properties. Finally, CPRA clarifies that publishers are not responsible for third parties that violate the previous section as long as they do not have actual knowledge of the violation.

Do Not Track II

This new law might potentially go together quite well with a renewed push to get the Do Not Track (DNT) technology to take off under a different name.

A coalition of technology companies, publishers, academics and advocacy groups this week proposed a web specification to allow internet users to declare whether they agree to have their personal data shared or sold. It’s not called Do Not Track (DNT), a web specification that took shape in 2011 after percolating for several years, and allows internet users to declare whether they agree to third-party web tracking. Instead, it’s called Global Privacy Control (GPC) and its backers believe this time will be different.

The project was spearheaded by Ashkan Soltani, a privacy researcher who helped develop Do Not Track and who served at America’s Federal Trade Commission, and Sebastian Zimmeck, a computer scientist at Wesleyan University. GPC has attracted the support of the usual privacy-aligned suspects – Abine, DuckDuckGo, Brave Software, Disconnect, Mozilla, and the Electronic Frontier Foundation, among others – as well as various publishers like The Financial Times, The New York Times and The Washington Post.

DNT and GPC don’t look very different. Each is expressed as a binary digit in an HTTP header or as an HTTP DOM property, where the value 1 represents the user’s preference not to be tracked or not to have data shared or sold. As conveyed by a user-agent (web browser), DNT involves setting a DNT header field. The GPC specification entails setting a Sec-GPC header field.

So why should it work this time around?

Soltani believes GPC can succeed where DNT failed thanks to changes in the regulatory landscape. California’s Attorney General Xavier Becerra has suggested as much.

While the Federal Trade Commission supported DNT when it took shape a decade ago, there was no enforcement mechanism and thus no reason for companies to respect DNT signaling. The spec went to internet standards body W3C and proceeded to be put through a standards process dominated by industry lobbyists. As Soltani tells it, DNT got co-opted and stalled. Ultimately, the FTC backed away from the project. “So it just sort of flopped,” he said. The 2003 California Online Privacy Protection Act was amended in 2013 to include a requirement that online services disclose how they respond to the DNT signal. However, the state law didn’t require anyone to obey the DNT signal. And so they didn’t.

The California Consumer Privacy Act (CCPA), which took effect at the beginning of this year, and the General Data Protection Regulation (GDPR), which took effect for EU citizens in 2018, have altered the privacy landscape. The CCPA established a right to opt-out of having one’s data shared or sold (§ 999.315. Requests to Opt-Out) and establishes “user-enabled global privacy controls, such as a browser plug-in or privacy setting” as a mechanism that’s acceptable to do so. DNT is not an option because it deals with tracking, not the sale and sharing of personal data. Becerra has said DNT doesn’t clearly signal the intent to opt out of data sharing and selling. GPC has been set up to do just that. And Soltani suggests GPC has the potential to change privacy dynamics from an opt-out default to opt-in, something advertisers have long opposed. That’s because once a GPC declaration has been made, any company seeking to sell or share data will need to obtain user permission to flip the consent switch off. And companies doing business in California, even those outside the state, will be motivated to comply because of CCPA. “The system was left extensible so it could be applicable to GDPR,” said Soltani.

Presently, GPC has been implemented in the Brave browser, the DuckDuckGo Privacy Browser and DuckDuckGo extensions, and browser extensions like Abine Blur, Disconnect, OptMeowt, and the EFF’s Privacy Badger. And project participants hope to see support expand to other browsers and to mobile operating systems.

I guess I’m still sceptical at this point. This could turn into just another cookie warning.

“When I talk to people at tech companies, it seems they understand that privacy is an important part of their business,” said Zimmeck. “And even if they don’t believe they should offer privacy from a moral or ethical standpoint, it’s a valuable business proposition at this point.”

Yeah, sure. I guess that’s why Facebook and Google are two of the biggest tech companies right now…
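
The header handling described in the quoted passages above (Sec-GPC as an opt-out of sale and sharing, DNT as a separate tracking signal, and an explicit opt-in needed to override GPC), shown as server-side JavaScript. This is an added example, not code from the episode notes or from the GPC project; the function names, the saleConsent field and the sample tags are hypothetical, and it assumes only the exact header value 1 counts as a signal.

```javascript
'use strict';
// Added example. All function, field and tag names are hypothetical and the
// sample tag list is constructed for illustration.

// Collect every value sent for a header, matching the name case-insensitively
// and splitting repeated or comma-joined values.
function headerValues(headers, name) {
  const wanted = name.toLowerCase();
  const out = [];
  for (const [key, value] of Object.entries(headers)) {
    if (key.toLowerCase() !== wanted) continue;
    for (const item of Array.isArray(value) ? value : [value]) {
      for (const part of String(item).split(',')) out.push(part.trim());
    }
  }
  return out;
}

// Assumption: only the exact value "1" expresses the preference; "0", "true"
// or an empty value count as no signal. If any copy of the header says "1",
// the opt-out is honoured.
function signalSet(headers, name) {
  return headerValues(headers, name).includes('1');
}

// Turn the two signals into a decision. DNT is recorded but, as the quoted
// article explains, it is not treated as an opt-out of sale or sharing.
function decide(headers, user = {}) {
  const gpc = signalSet(headers, 'Sec-GPC');
  const dnt = signalSet(headers, 'DNT');
  // After a GPC signal, sale or sharing needs an explicit, recorded opt-in.
  const optedBackIn = user.saleConsent === true;
  return { gpc, dnt, saleOrSharingAllowed: !gpc || optedBackIn };
}

// Constructed sample: tags a publisher page might load, with a purpose label.
const SAMPLE_TAGS = [
  { name: 'first-party-analytics', purpose: 'service' },
  { name: 'ad-exchange-sync', purpose: 'sale-or-sharing' },
  { name: 'data-broker-pixel', purpose: 'sale-or-sharing' },
];

// Decide which tags to render and which response headers to send.
function handle(headers, user = {}, tags = SAMPLE_TAGS) {
  const decision = decide(headers, user);
  const rendered = tags
    .filter((t) => decision.saleOrSharingAllowed || t.purpose !== 'sale-or-sharing')
    .map((t) => t.name);
  // The response body now depends on Sec-GPC, so shared caches must key on it;
  // otherwise a page built for a non-GPC visitor could be served to a GPC one.
  return { decision, tags: rendered, responseHeaders: { Vary: 'Sec-GPC' } };
}

// Demo: a visitor whose browser sends Sec-GPC: 1 gets only the service tag.
console.log(handle({ 'Sec-GPC': '1' }).tags);
```

The check has to run on the server that assembles the page or forwards data to partners: a signal that is read only by client-side script can be lost when a cached copy is served, which is why the response carries Vary: Sec-GPC.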

The Civil Liberty Issue with Lockdowns

Before I end the show with feedback from my producers, I have to take a quick detour into a COVID-19-related topic. I recently came across this opinion by the US District Court for the Western District of Pennsylvania, which declared the shutdowns enacted by the local state government as unconstitutional. I am sure this decision will be overturned and I’m not reporting on it because of its consequences, some of which you can read up on elsewhere. I want to read some excerpts from the court’s opinion because it is extremely well argued and explains many things clearly that I had in the past struggled with, trying to explain my uneasiness about them on the show.

Good intentions toward a laudable end are not alone enough to uphold governmental action against a constitutional challenge. Indeed, the greatest threats to our system of constitutional liberties may arise when the ends are laudable, and the intent is good – especially in a time of emergency. In an emergency, even a vigilant public may let down its guard over its constitutional liberties only to find that liberties, once relinquished, are hard to recoup and that restrictions – while expedient in the face of an emergency situation – may persist long after immediate danger has passed.

What were initially billed as temporary measures necessary to “flatten the curve” and protect hospital capacity have become open-ended and ongoing restrictions aimed at a very different end – stopping the spread of an infectious disease and preventing new cases from arising – which requires ongoing and open-ended efforts. Further, while the harshest measures have been “suspended”, Defendants admit that they remain in-place and can be reinstated sua sponte as and when Defendants see fit. In other words, while not currently being enforced, Pennsylvania citizens remain subject to the re-imposition of the most severe provisions at any time. Further, testimony and evidence presented by Defendants does not establish any specified exit gate or end date to the emergency situations. Rather, the record shows that Defendants view the presence of disease mitigations upon the citizens of Pennsylvania as a “new normal” and they have no actual plan to return to a state where all restrictions are lifted.

The plain language of the statute makes clear that the lockdown effectuated by the stay-at-home orders is not a quarantine. A quarantine requires, as a threshold matter, that the person subject to the “limitation of freedom of movement” be “exposed to a communicable disease.” Moreover, critically, the duration of a quarantine is statutorily limited to “a period of time equal to the longest usual incubation period of the disease.” The lockdown plainly exceeded that period.

Not only are lockdowns like the one imposed by the Defendants’ stay-at-home orders unknown in response to any previous pandemic or epidemic, they are not as much mentioned in recent guidance by the Centers for Disease Control and Prevention (“CDC”). The fact is that the lockdowns imposed across the United States in early 2020 in response to the COVID-19 pandemic are unprecedented in the history of our Commonwealth and our Country. They have never been used in response to any other disease in our history. They were not recommendations made by the CDC. They were unheard of by the people of this nation until just this year. It appears as though the imposition of lockdowns in Wuhan and other areas of China – a nation unconstrained by concern for civil liberties and constitutional norms – started a domino effect where one country, and state, after another imposed draconian and hitherto untried measures on their citizens. Broad population-wide lockdowns are such a dramatic inversion of the concept of liberty in a free society as to be nearly presumptively unconstitutional unless the government can truly demonstrate that they burden no more liberty than is reasonably necessary to achieve an important government end. The draconian nature of the lockdown may render this a high bar, indeed.

The liberties protected by the Constitution are not fair-weather freedoms – in place when times are good but able to be cast aside in times of trouble. There is no question that this Country has faced, and will face, emergencies of every sort. But the solution to a national crisis can never be permitted to supersede the commitment to individual liberty that stands as the foundation of the American experiment. The Constitution cannot accept the concept of “a new normal” where the basic liberties of the people can be subordinated to open-ended emergency mitigation measures. Rather, the Constitution sets certain limits that may not be crossed, even in an emergency.

I wish we had a justice system in Germany that valued civil liberties and freedoms as high as this court and had the foresight and eloquence of this judge.

Producer Feedback

Fadi Mansour gives a boots-on-the-ground update from the Czech Republic:

A quick update on the COVID-19 situation in the Czech Republic: probably I mentioned in a previous email that in the news they were talking about the increase in cases, the new record now is 5,335 cases in a single day. But with a total of 829 deaths since March. Of course the headlines are always the increased number of cases, but no actual discussion of death rate. There are also some increased restrictions till October 18th, and masks are mandatory indoors.

There’s an application that is being advertised: eRouška, but it’s not being enforced, quote from the website:

Is my data protected? Who is the authority behind eRouška? eRouška 1.0 underwent several independent audits which confirmed that its source code is secure and complies with the principles of personal data processing. The new eRouška will undergo such audits soon. The app is managed by the Ministry of Health along with the National Agency for Communication and Information Technologies.

On another note, I also share your opinion regarding how this “crisis” is being used to set a “new normal”. Unfortunately, regardless of how justified it is, this is actually happening. My 10-year-old girls are now forced to wear a mask to school, and this will be their memories of their childhood (definitely better than growing up in Syria with the civil war, but still, I was hoping they’d grow up in “normal” circumstances).

He then followed that up with another email:

Just a quick update: In my previous email I mentioned that there’s the eRouška app, and it is not being enforced (yet), but just now there was an interesting development. I just received an SMS telling me to install the application. The sender appears as “www.mzcr.cz” (The Czech Ministry of Health website), but no actual phone number.

I was curious and I searched online, and found this article (sorry, in Czech): In short, by request from the Ministry of Health, all mobile operators are sending a message asking people to install the application. It’s still not an enforcement, but still, pretty big move to push people to have the application.

This comes as the country is going into a state of emergency. Starting from tomorrow, we will have remote learning for my girls (3rd graders). According to the teacher, it is supposed to be till the end of the month only. But let’s see.

Producer Martin also sends me some (well encrypted) feedback:

Just listening to episode 41 and I have to disagree with you about the necessity of a “great reset”. Irrespective of whether or not governments have handled things appropriately, their actions have had a tangible and financial impact that has changed the world and now has to be managed. You seemed surprised that people are taking this as a given, but I think it is. It has already happened.

On top of that, we are still facing a number of existential threats to the survival of our species (never mind others) in the very near future. When I look at the World Economic Forum Great Reset plan, I find their stated goals laudable. I too believe we should be using Covid-19 as a catalyst to remodel our way of life along more sustainable lines. In my view this is not even a choice, but a necessity if we want our civilisation to survive. The fact that Covid-19 is the catalyst is pretty irrelevant when it comes to inequality, sustainability, etc. As the clip you played explained, it’s just about taking the opportunity for positive societal change while we have the chance. Incidentally, the weforum.org agenda website includes dozens of pro-right-to-privacy articles. The World Economic Forum does not appear to be the main problem when it comes to privacy, but rather the actions of individual governments and corporations. I will say the involvement of people like Charles Windsor and Christine Lagarde does make me uneasy though.

I also think it’s worth remembering that the Covid-19 pandemic is not playing out like a scientific experiment – there is no control group and nothing to compare ourselves to. It was a “novel” coronavirus of which we knew very little. Therefore I think conflicting advice, over-reactions, mistakes, changes of plan, and unscrupulous people trying to take advantage of the situation, are entirely to be expected – we just have to make the best of it. All that said, I am very pessimistic about our chances and think it is much more likely we will end our days as serfs in a slowly dying dystopian nightmare, than free and happy in a recovering world with a sustainable circular economy.

If you too have thoughts on the topics discussed in this or previous episodes, please feel free to contact me.

Toss a Coin to Your Podcaster

I am a freelance journalist and writer, volunteering my free time because I love digging into stories and because I love podcasting. If you want to help keep The Private Citizen on the air, consider becoming one of my Patreon supporters.

You can also support the show by sending money via PayPal, if you prefer.

This is entirely optional. This show operates under the value-for-value model, meaning I want you to give back only what you feel this show is worth to you. If that comes down to nothing, that’s OK with me, pard. But if you help out, it’s more likely that I’ll be able to keep doing this indefinitely.

Thanks and Credits

I like to credit everyone who’s helped with any aspect of this production and thus became a part of the show.

Aside from the people who have provided feedback and research and are credited as such above, I’m thankful to Raúl Cabezalí, who composed and recorded the show’s theme, a song called Acoustic Routes. I am also thankful to Bytemark, who are providing the hosting for this episode’s audio file.

But above all, I’d like to thank the following people, who have supported this episode through Patreon or PayPal and thus keep this show on the air: Georges Walther, Niall Donegan, Michael Mullan-Jensen, Jonathan M. Hethey, Dave, Butterbeans, Mark Holland, Steve Hoos, Shelby Cruver, Vlad, Kai Siers, Jackie Plage, 1i11g, Philip Klostermann, Jaroslav Lichtblau, Fadi Mansour, ikn, Matt Jelliman, Joe Poser, Dirk Dede, David Potter, Mika, Dave Umrysh, Martin, Vytautas Sadauskas, RikyM, drivezero, S.J., Jonathan Edwards, Barry Williams, silviu, MrAmish and Richard Gilson.