CDD

Publishings

  • The law that lets Europeans take back their data from big tech companies, November 11, 1918, CBS 60 Minutes
  • CDD’s Executive Director, Jeff Chester, on CBS 60 Minutes

    The law that lets Europeans take back their data from big tech companies
  • 34 Civil Rights, Consumer, and Privacy Organizations Unite to Release Principles for Privacy Legislation

    Contact: Katharina Kopp (kkopp@democraticmedia.org); 202-836 4621

    Washington, DC

    Today, 34 civil rights, consumer, and privacy organizations join in releasing public interest principles for privacy legislation, because the public needs and deserves strong and comprehensive federal legislation to protect their privacy and afford meaningful redress. Irresponsible data practices lead to a broad range of harms, including discrimination in employment, housing, healthcare, and advertising. They also lead to data breaches and loss of individuals’ control over personal information. Existing enforcement mechanisms fail to hold data processors accountable and provide little-to-no relief for privacy violations.

    The privacy principles outline four concepts that any meaningful data protection legislation should incorporate at a minimum:

    - Privacy protections must be strong, meaningful, and comprehensive.
    - Data practices must protect civil rights, prevent unlawful discrimination, and advance equal opportunity.
    - Governments at all levels should play a role in protecting and enforcing privacy rights.
    - Legislation should provide redress for privacy violations.

    These public interest privacy principles include a framework providing guidelines for policymakers considering how to protect the privacy of all Americans effectively while also offering meaningful redress. They follow three days of Federal Trade Commission hearings about big data, competition, and privacy as well as the comment deadline on “Developing the Administration’s Approach to Privacy,” a request for comment from the National Telecommunications and Information Administration as the agency works to develop privacy policy recommendations for the Trump Administration, and ongoing work at the National Institute for Standards and Technology to develop a privacy risk framework.

    The groups urge members of Congress to pass privacy legislation that ensures fairness, prevents discrimination, advances equal opportunity, protects free expression, and facilitates trust between the public and companies that collect their personal data.

    New America’s Open Technology Institute, Public Knowledge, Access Humboldt, Access Now, Berkeley Media Studies Group, Campaign for a Commercial-Free Childhood, Center for Democracy & Technology, Center for Digital Democracy, Center for Media Justice, Center on Privacy & Technology at Georgetown Law, Color of Change, Common Cause, Common Sense Kids Action, Consumer Action, Consumer Federation of America, Consumers Union, Customer Commons, Demand Progress, Free Press Action Fund, Human Rights Watch, Lawyers’ Committee for Civil Rights Under Law, Media Alliance, Media Mobilizing Project, National Association of Consumer Advocates, National Consumer Law Center, National Consumers League, National Digital Inclusion Alliance, National Hispanic Media Coalition, Oakland Privacy, Open MIC (Open Media and Information Companies Initiative), Privacy Rights Clearinghouse, Public Citizen, U.S. PIRG, and United Church of Christ, OC Inc. signed the principles. Additional local and national privacy advocates are encouraged to sign on.

    The following can be attributed to Eric Null, Senior Policy Counsel at New America’s Open Technology Institute: “For decades, privacy regulation has favored the company over the user -- companies set their own rules and users are left to fend for themselves. Worse, companies have even discriminated based on protected classes through algorithmic decision-making. Comprehensive privacy legislation must disrupt this status quo. Legislation that follows the public interest privacy principles will better protect users and give users more control over their data.”

    The following can be attributed to Allie Bohm, Policy Counsel at Public Knowledge: “It is imperative that any comprehensive privacy legislation reflect the concerns, interests, and priorities of actual human beings. Today, consumer protection, privacy, and civil rights groups come together to articulate those interests, priorities, and concerns. Importantly, these principles address the many harms people can experience from privacy violations and misuse of personal data, including enabling unfair price discrimination; limiting awareness of opportunities; and contributing to employment, housing, health care, and other forms of discrimination.”

    The following can be attributed to Amie Stepanovich, U.S. Policy Manager at Access Now: “From Europe to India to Brazil, data privacy legislation is becoming the norm around the world, and people in the United States are getting left behind. It is long past time that our legislators acted to protect people across the country from opaque data practices that can result in its misuse and abuse, and any acceptable package must start with these principles.”

    The following can be attributed to Josh Golin, Executive Director at Campaign for a Commercial-Free Childhood: “What big tech offers for ‘free’ actually comes at a high cost -- our privacy. Worst of all is how vulnerable kids are tracked online and then targeted with manipulative marketing. This has to stop. We need laws that will empower parents to protect their children’s privacy.”

    The following can be attributed to Joseph Jerome, Policy Counsel at Center for Democracy & Technology: “Debates about national privacy laws focus on how companies should implement Fair Information Practices. The operative word is ‘fair.’ When it comes to how companies collect, use, and share our data, too many business practices are simply unfair. Federal law must go beyond giving consumers more notices and choices about their privacy, and we think it is time for legislators in Congress to flip the privacy presumption and declare some data practices unfair.”

    The following can be attributed to Katharina Kopp, Director of Policy at Center for Digital Democracy: “To this day, U.S. citizens have had to live without effective privacy safeguards. Commercial data practices have grown ever more intrusive, ubiquitous and harmful. It is high time to provide Americans with effective safeguards against commercial surveillance. Any legislation must not only effectively protect individual privacy, it must advance equitable, just and fair data uses, and must protect the most vulnerable among us, including children. In other words, they must bring about real changes in corporate practices. We have waited long enough; the time is now.”

    The following can be attributed to Laura Moy, Executive Director at Center on Privacy & Technology at Georgetown Law: “Americans want their data to be respected, protected, and used in ways that are consistent with their expectations. Any new legislation governing commercial data practices must advance these goals, and also protect us from data-driven activities that are harmful to society. We need privacy to protect us from uses of data that exclude communities from important opportunities, enable faceless brokers to secretly build ever-more-detailed profiles of us, and amplify political polarization and hate speech.”

    The following can be attributed to Yosef Getachew, Director of Media and Democracy Program at Common Cause: “An overwhelming majority of Americans believe they have lost control over how their personal information is collected and used across the internet ecosystem. Numerous data breaches and abuses in data sharing practices, which have jeopardized the personal information of millions of Americans, have validated these fears. Our current privacy framework no longer works, and the lack of meaningful privacy protections poses a serious threat to our democracy. Companies can easily manipulate data to politically influence voters or engage in discriminatory practices. These principles should serve as a baseline for any comprehensive privacy legislation that guarantees all Americans control over their data.”

    The following can be attributed to James P. Steyer, CEO and Founder, at Common Sense: “Any federal legislation should provide for strong baseline protections, particularly for the most surveilled and vulnerable generation ever -- our kids. These principles reflect that as privacy, consumer, and civil rights advocates, we only want federal legislation that will move the ball forward in terms of protecting kids, families, and all of us.”

    The following can be attributed to Linda Sherry, director of national priorities at Consumer Action: “Our country has floundered far too long without strong federal regulations governing data collection, retention, use and sharing. These privacy principles, developed by a coalition of leading consumer, civil rights and privacy organizations, are offered as a framework to guide Congress in protecting consumers from the many harms that can befall them when they are given little or no choice in safeguarding their data, and companies have few, if any, restrictions on how they use that information.”

    The following can be attributed to Susan Grant, Director of Consumer Protection and Privacy at Consumer Federation of America: “We need to move forward on data protection in the United States, from a default that allows companies to do what they want with Americans’ personal information as long as they don’t lie about it, to one in which their business practices are aligned with respect for privacy rights and the responsibility to keep people’s data secure.”

    The following can be attributed to Katie McInnis, Policy Counsel for Consumers Union, the advocacy division of Consumer Reports: “As new data breaches are announced at an alarming rate, now is the time to protect consumers with strong privacy laws. We need laws that do more than just address broad transparency and access rights. Consumers deserve practical controls and robust enforcement to ensure all of their personal information is sufficiently protected.”

    The following can be attributed to Gaurav Laroia, Policy Counsel at Free Press Action Fund: “The public has lost faith in technology companies' interest and ability to police their own privacy and data usage practices. It’s past time for Congress to pass a strong law that empowers people to make meaningful choices about their data, protects them from discrimination and undue manipulation, and holds companies accountable for those practices.”

    The following can be attributed to David Brody, Counsel & Senior Fellow for Privacy and Technology at the Lawyers’ Committee for Civil Rights Under Law: “Protecting the right to privacy is essential to protecting civil rights and advancing racial equity in a modern, Internet-focused society. Privacy rights are civil rights. Invasive profiling of online activity enables discrimination in employment, housing, credit, and education; helps bad actors target voter suppression and misinformation; assists biased law enforcement surveillance; chills the free association of advocates; and creates connections between hateful extremists exacerbating racial tensions.”

    The following can be attributed to Tracy Rosenberg, Executive Director at Media Alliance: “After a flood of data breaches and privacy violations, Americans overwhelmingly support meaningful protections for their personal information that are not written by, for and in the interests of the data collection industry. These principles start to define what that looks like.”

    The following can be attributed to Francella Ochillo, Vice President of Policy & General Counsel at National Hispanic Media Coalition: “For years, tech platforms have been allowed to monetize personal data without oversight or consequence, losing sight of the fact that personal data belongs to the user. Meanwhile, Latinos and other marginalized communities continue to be exposed to the greatest risk of harm and have the fewest opportunities for redress. The National Hispanic Media Coalition joins the chorus of advocates calling for a comprehensive regulatory framework that protects a user’s right to privacy and access as well as the right to be forgotten.”

    The following can be attributed to JP Massar, Organizer at Oakland Privacy: “We must not only watch the watchers, and regulate the sellers of our information. We must begin to unravel the information panopticon that has already formed. This is a start.”

    The following can be attributed to Robert Weissman, President at Public Citizen: “Internet privacy means control. Either we get to control our own lives as lived through the Internet, or the Big Tech companies do. That's what is at stake in whether the U.S. adopts real privacy protections.”

    The following can be attributed to Ed Mierzwinski, Senior Director for Consumer Programs at U.S. PIRG: “The big banks and the big tech companies all say that they want a federal privacy law, but the law that their phalanx of lobbyists seeks isn’t designed to protect consumers. Instead, it’s designed to protect their business models that treat consumers as commodities for sale; it fails to guarantee that their secret sauce big data algorithms don’t discriminate; it eliminates stronger and innovative state laws forever and it denies consumers any real, enforceable rights when harmed. We can’t allow that.”

    You may view the privacy principles for more information.
  • CDD submits comments to The National Telecommunications and Information Administration On “Developing the Administration’s Approach to Consumer Privacy”

    CDD argues that

    - Focus on “outcomes” is good but
    - Outcomes as defined by NTIA are too narrow and must include a broader discussion on privacy harms. They must include
      + identification harms (risks of identity theft, re-identification and sensitive inferences),
      + discrimination harms (inequities in the distribution of benefits and risks of exclusion), as well as
      + exploitation harms (personal data as commodity and risks to the vulnerable).
    - Legislation must not only achieve a reduction in privacy harms but must also ensure that “privacy benefits are fairly allocated”. Policy remedies must consider and be effective in addressing the inequities in the distribution of privacy benefits and harms.
    - NTIA’s list of desired outcomes of transparency, control, reasonable minimization, security, access and corrections, risk management, and accountability is a restatement of all-too-familiar privacy self-management paradigm. Privacy self-management alone is not enough as a policy solution.
    - Privacy is not an individual, commodified good that can and should be traded for other goods.
    - Legislation should focus less on data and more on outputs of data processing. So, instead of narrowing the scope of legislation to “personal data”, legislation must focus in on inferences, decisions and other data uses.
    - A risk-management approach must define risks broadly. NTIA should develop methodologies to assess the human rights, social, economic and ethical impacts of the use of algorithms in modern data processing.
  • Press Release

    Advocates ask FTC to investigate apps which manipulate kids

    Popular games for kids 5 and under lure them to watch ads and make in-app purchases

    A coalition of 22 consumer and public health advocacy groups called on the Federal Trade Commission (“FTC”) to investigate the preschool app market. The advocates’ letter urges the FTC to hold app makers accountable for unfair and deceptive practices, including falsely marketing apps that require in-app purchases as “free” and manipulating children to watch ads and make purchases. The complaint was filed in conjunction with a major new study that details a host of concerning practices in apps targeted to young children. The study (paywall), “Advertising in Young Children’s Apps,” was led by researchers at University of Michigan C.S. Mott Children’s Hospital, and examined the type and content of advertising in 135 children’s apps.
  • Blog

    Center for Digital Democracy’s Principles for U.S. Privacy Legislation

    PROTECT PRIVACY RIGHTS, ADVANCE FAIR AND EQUITABLE OUTCOMES, LIMIT CORPORATE PRACTICES AND ENSURE GOVERNMENT LEADERSHIP AND ENFORCEMENT

    The Center for Digital Democracy provides the following recommendations for comprehensive baseline Federal privacy legislation. We are building on our expertise addressing digital marketplace developments for more than two decades, including work leading to the enactment of the 1998 Children’s Online Privacy Protection Act--the only federal online privacy law in the United States. Our recommendations are also informed by our long-standing trans-Atlantic work with consumer and privacy advocates in Europe, as well as the General Data Protection Regulation.

    We are alarmed by the increasingly intrusive and pervasive nature of commercial surveillance, which has the effect of controlling consumers’ and citizens’ behaviors, thoughts, and attitudes, and which sorts and tracks us as “winners” and “losers.” Today’s commercial practices have grown over the past decades unencumbered by regulatory constraints, and increasingly threaten the American ideals of self-determination, fairness, justice and equal opportunity. It is now time to address these developments: to grant basic rights to individuals and groups regarding data about them and how those data are used; to put limits on certain commercial data practices; and to strengthen our government to step in and protect our individual and common interests vis-à-vis powerful commercial entities.

    We call on legislators to consider the following principles:

    1. Privacy protections should be broad: Set the scope of baseline legislation broadly and do not preempt stronger legislation

    Pervasive commercial surveillance practices know no limits, so legislation aiming to curtail negative practices should

    - address the full digital data life-cycle (collection, use, sharing, storage, on- and off-line) and cover all private entities’ public and private data processing, including nonprofits;
    - include all data derived from individuals, including personal information, inferred information, as well as aggregate and de-identified data;
    - apply all Fair Information Practice Principles (FIPPs) as a comprehensive baseline, including the principles of collection and use limitation, purpose specification, access and correction rights, accountability, data quality, and confidentiality/security; and require fairness in all data practices;
    - allow existing stronger federal legislation to prevail and let states continue to advance innovative legislation.

    2. Individual privacy should be safeguarded: Give individuals rights to control the information about them

    - Building on FIPPs, individuals ought to have basic rights, including the right to
      + transparency and explanation
      + access
      + object and restrict
      + use privacy-enhancing technologies, including encryption
      + redress and compensation

    3. Equitable, fair and just uses of data should be advanced: Place limits on certain data uses and safeguard equitable, fair and just outcomes

    Relying on “privacy self-management”—with the burden of responsibility placed solely on individuals alone to advance and protect their autonomy and self-determination—is not sufficient. Without one’s knowledge or participation, classifying and predictive data analytics may still draw inferences about individuals, resulting in injurious privacy violations—even if those harms are not immediately apparent. Importantly, these covert practices may result in pernicious forms of profiling and discrimination, harmful not just to the individual, but to groups and communities, particularly those with already diminished life chances, and society at large. Certain data practices may also unfairly influence the behavior of online users, such as children.

    Legislation should therefore address the impact of data practices and the distribution of harm by

    - placing limits on collecting, using and sharing sensitive personal information (such as data about ethnic or racial origin, political opinions/union membership, data concerning health, sex life or sexual orientation, genetic data, or biometric data) or data that reveals sensitive personal information, especially when using these data for profiling;
    - otherwise limiting the use of consumer scoring and other data practices, including in advertising, that have the effect of disproportionally and negatively affecting people’s life chances, related to, for example, housing, employment, finance, education, health and healthcare;
    - placing limits on manipulative marketing practices;
    - requiring particular safeguards when processing data relating to children and teens, especially with regard to marketing and profiling.

    4. Privacy legislation should bring about real changes in corporate practices: Set limits and legal obligations for those managing data and require accountability

    Currently companies face very few limitations regarding their data practices. The presumption of “anything goes” has to end. Legislation should ensure that entities collecting, using, sharing data

    - can only do so for specific and appropriate purposes defined in advance, and subject to rules established by law and informed by data subjects’ freely given, specific, informed and unambiguous consent; for the execution of a contract, or as required by law; and without “pay-for-privacy provisions” or “take-it-or-leave-it” terms of service;
    - notify users in a timely fashion of data transfers and data breaches, and make consumers whole after a privacy violation or data breach;
    - cannot limit consumers’ right to redress with arbitration clauses;
    - are transparent and accountable, and adopt technical and organizational measures, including
      + provide for transparency, especially algorithmic transparency,
      + conduct impact assessments for high-risk processing considering the impact on individuals, groups, communities and society at large,
      + implement Privacy by Design and by Default,
      + assign resources and staff, including a Data Protection Officer,
      + implement appropriate oversight over third-party service providers/data processors,
      + conduct regular audits
    - are only allowed to transfer data to other countries/international organizations with essentially equivalent data protections in place.

    5. Privacy protection should be consequential and aim to level the playing field: Give government at all levels significant and meaningful enforcement authority to protect privacy interests and give individuals legal remedies

    Without independent and flexible rulemaking data-protection authority, the Federal Trade Commission has been an ineffective agency for data protection. An agency with expertise and resources is needed to enforce company obligations. Ongoing research is required to anticipate and prepare for additionally warranted interventions to ensure a fair marketplace and a public sphere that strengthens our democratic institutions. Legislation should provide

    - for a strong, dedicated privacy agency with adequate resources, rulemaking authority and the ability to sanction non-compliance with meaningful penalties;
    - for independent authority for State Attorneys General;
    - for statutory damages and a private right of action;
    - for the federal agency to establish an office of technology impact assessment that would consider privacy, ethical, social, political, and economic impacts of high-risk data processing and other technologies; it would oversee and advise companies on their impact-assessment obligations.
  • Media Advisory – Save the Date

    FOR IMMEDIATE RELEASE October 3, 2018

    Contact: Jeff Chester jeff@democraticmedia.org

    COPPA--Protecting Children’s Privacy Online for 20 Years

    Sen. Ed Markey, Advocates and Experts Celebrate COPPA as they focus on future challenges posed by the digital marketplace

    October 17th, Capitol Hill, Open to Public

    Washington, D.C. To mark the 20th anniversary of the 1998 Children’s Online Privacy Protection Act (COPPA), Senator Edward J. Markey (D-MA) —its principal congressional sponsor—will be joined by key representatives from the consumer, child advocacy, and privacy groups involved in implementing the law, at a public forum on Wednesday, October 17 from 12:30-3:30 pm in Room 385 of the Senate Russell Office Building (SR-385). Senator Markey will deliver a keynote speech followed by two panels featuring representatives from Electronic Privacy Information Center, Campaign for Commercial Free Childhood, Common Sense Media, Center for Digital Democracy, Color of Change, and Institute for Public Representation (Georgetown University Law Center), among others. Prof. Kathryn C. Montgomery, who spearheaded the public campaign that led to COPPA, will moderate.

    “COPPA is the nation’s constitution for children’s communication. For 20 years it has shielded our nation’s children from invasive practices and encroaching actors on the internet,” Sen. Markey noted. “It puts children and families in control and holds violators accountable when they compromise kids’ privacy. As we celebrate the 20th anniversary of COPPA, we must look to the future.”

    In addition to discussing COPPA’s impact, speakers will explore the expanding interactive and data-driven world young people face today, which is being transformed by a host of powerful technologies, such as artificial intelligence, virtual reality, and internet-connected toys. “In 2018, children grow up in an increasingly connected and digital world with ever-emerging threats to their sensitive personal information,” explained Sen. Markey. “Two decades after the passage of this bedrock law, it is time to redouble our efforts and safeguard the precious privacy of our youngest Americans.”

    The event is free and open to the public, but seating is limited. Lunch will be served. Please RSVP to jeff@democraticmedia.org.
  • October 1, 2018

    Chairman John Thune
    Ranking Member Bill Nelson
    Senate Commerce Committee
    Washington, DC

    Dear Chairman Thune and Ranking Member Nelson,

    We appreciate your interest in consumer privacy and the hearing you convened recently to explore this topic. Still, our concerns remain that the hearing, with only industry representatives, was unnecessarily biased. Many of the problems consumers face, as well as the solutions we would propose, were simply never mentioned.

    There is little point in asking industry groups how they would like to be regulated. None of the proposals endorsed by the witnesses yesterday would have any substantial impact on the data collection practices of their firms. Such regulation will simply fortify business interests to the detriment of online users. And the absence of consumer advocates at the first hearing was also a missed opportunity for a direct exchange about points made by the industry witnesses.

    We understand that you are planning to hold a second hearing in early October. In keeping with the structure of the first hearing, we ask that you invite six consumer privacy experts to testify before the Committee. We would also suggest that you organize an additional panel with other experts and enforcement officials, including Dr. Jelinek, the Chair of the European Data Protection Board, as well as State Attorneys General, who are now on the front lines of consumer protection in the United States.

    Thank you for your consideration of our views. We look forward to working with you.

    Sincerely,

    Access Humboldt
    Access Now
    Campaign for a Commercial-Free Childhood
    Center for Digital Democracy
    Common Sense
    Consumer Action
    Consumer Federation of America
    Customer Commons
    Digital Privacy Alliance
    Electronic Frontier Foundation
    EPIC
    Media Alliance
    National Association of Consumer Advocates
    New America's Open Technology Institute
    New York Public Interest Research Group (NYPIRG)
    Privacy Rights Clearing House
    U.S. Public Interest Research Group (U.S. PIRG)
    World Privacy Forum
  • Leading consumer privacy organizations in the United States write to express surprise and concern that not a single consumer representative was invited to testify at the September 26 Senate Commerce Committee hearing “Examining Safeguards for Consumer Data Privacy.”
  • CDD Releases E-Guide to Help Protect Voters From Online Manipulation and False News

    Washington, D.C.: September 12, 2018

    To help fight online political misinformation and false news, which has already resurfaced in the 2018 midterm elections, CDD has produced a short e-guide to help voters understand how online media platforms can be hijacked to fan political polarization and social conflict.

    Enough Already! Protect Yourself from Online Political Manipulation and False News in Election 2018 describes the tactics that widely surfaced in the last presidential election, how they have evolved since, and deconstructs the underlying architecture of online media, especially social networks, that have fueled the rise of disinformation and false news. The e-guide tells voters what they can do to try to take themselves out of the targeted advertising systems developed by Facebook, Twitter, YouTube and other big platforms. The guide also describes the big picture issues that must be addressed to rein in the abuses unleashed by Silicon Valley’s big data surveillance economy and advertising-driven revenue machine.

    The e-guide is available for free download at the CDD web site. Journalists, activists and interested voters are urged to spread the guide to friends and colleagues.

    Contact: Jeff Chester, jeff@democraticmedia.org 202-494-7100
  • The Center for Digital Democracy (CDD), Berkeley Media Studies Group, and Color of Change urge the Federal Trade Commission (FTC) to specifically acknowledge the important issues involving the privacy and welfare of young people by adding this issue to its proposed hearing agenda on competition and consumer welfare.
  • U.S. companies should adopt the same data protection rules that are poised to go into effect in the European Union on May 25, Public Citizen, the Center for Digital Democracy and Privacy International said today.
  • Consumer advocates, digital rights, and civil rights groups are calling on U.S. companies to adopt the requirements of the General Data Protection Regulation (GDPR) as a baseline in the U.S. and worldwide.

    Companies processing personal data* in the U.S. and/or worldwide and which are subject to the GDPR in the European Union, ought to:

    - extend the same individual privacy rights to their customers in the U.S. and around the world;
    - implement the obligations placed on them under the GDPR;
    - demonstrate that they meet these obligations;
    - accept public and regulatory scrutiny and oversight of their personal data practices;
    - adhere to the evolving GDPR jurisprudence and regulatory guidance

    (*Under the GDPR processing includes collecting, storing, using, altering, generating, disclosing, and destroying personal data.)

    Specifically, at a minimum, companies ought to:

    1. Treat the right to data privacy as a fundamental human right.
       - This right includes the right to:
         + Information/notice
         + access
         + rectification
         + erasure
         + restriction
         + portability
         + object
         + avoid certain automated decision-making and profiling, as well as direct marketing
       - For these rights to be meaningful, give individuals effective control over the processing of their data so that they can realize their rights, including
         + set system defaults to protect data
         + be transparent and fair in the way you use people’s data
    2. Apply these rights and obligations to all personal data including to data that can identify an individual directly and indirectly.
    3. Process data only if you have a legal basis to do so, including
       - On the basis of freely given, specific, informed and unambiguous consent
       - If necessary for the performance of a contract
    4. In addition, process data only in accordance with the principles of fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality/security.
    5. Add extra safeguards, including explicit consent, when processing sensitive personal data (such as data about ethnic or racial origin, political opinions/union membership, data concerning health, sex life or sexual orientation, genetic data, or biometric data) or data that reveals sensitive personal data, especially when using this data for profiling.
    6. Apply extra safeguards when processing data relating to children and teens, particularly with regard to marketing and profiling.
    7. Be transparent and accountable, and adopt technical and organizational measures to meet these obligations, including
       - Provide for algorithmic transparency
       - Conduct impact assessments for high risk processing
       - Implement Privacy by Design and by Default
       - Assign resources and staff, including a Data Protection Officer
       - Implement appropriate oversight over third party service providers/data processors
       - Conduct regular audits
       - Document the processing
    8. Notify consumers and regulatory authorities in case of a breach without undue delay.
    9. Support the adoption of similar requirements in a data protection law that will ensure appropriate and effective regulatory oversight and enforcement for data processing that does not fall under EU jurisdiction.
    10. Adopt these GDPR requirements as a baseline regardless of industry sector, in addition to any other national/federal, provincial/state or local privacy requirements that are stricter than the requirements advanced by the GDPR.
  • The European Union's updated data protection legislation comes into effect in Europe on May 25, 2018. It gives individuals new rights to better control their personal information and strengthens some of the rights that already exist. Enforcement and redress mechanisms have also been strengthened to ensure that these rights are respected. And – importantly – the definition of personal data is wider in the GDPR than in the current EU legislation, and now includes online identifiers, such as an IP address. Read the summary of the eight rights here. The right:
    - to information
    - to access
    - to rectify
    - to delete (or “to be forgotten”)
    - to restrict processing
    - to data portability
    - to object
    - to avoid automated decision making and profiling.
  • The European General Data Protection Regulation (GDPR) will take effect May 25, 2018. The Trans Atlantic Consumer Dialogue (TACD), of which CDD is a member, published a document detailing 10 things that US citizens and companies need to know about the forthcoming General Data Protection Regulation (GDPR).
  • In an open letter to Facebook's CEO Mark Zuckerberg, members of the Transatlantic Consumer Dialogue urge the company "to confirm your company’s commitment to global compliance with the GDPR".
  • A digital “great awakening” has occurred with unprecedented global attention given to the commercial surveillance business model at the core of our collective digital experience. Since the earliest days of the commercial Internet in the 1990s, the online medium has been deliberately shaped to primarily serve the interests of marketing. Advertisers have poured in many billions of dollars since then to make sure that our platforms, applications and devices all serve the primary need of gathering our information so it could be used for data-driven marketing. Internet industry trade groups have developed the technical standards so that data collection is embedded in new services—such as mobile geo-location applications. Marketers developed new technologies, such as programmatic advertising, that enabled lightning-fast decisions about individuals based on their data. Leading ad platforms, especially Google and Facebook, fought against privacy legislation for the U.S. Policymakers from both major parties protected them from regulation, including on privacy and antitrust. U.S. companies tried to derail the new EU privacy law that starts on May 24—known as the General Data Protection Regulation (GDPR)—but failed to stop it. Europeans—who understand the threat to personal and political freedom when unaccountable institutions control our information—are now on the privacy front lines. The road to privacy and digital rights for America is likely first to pass through the European Union. The Facebook/Cambridge Analytica scandal (and kudos to The Observer newspaper for its dogged journalism on all this) is, however, not unique. It is emblematic of the way that digital marketing works every day—all over the world. 
Huge amounts of our information are scooped up, from scores of sources, quickly analyzed, and used to send us more personalized marketing and content. Powerful automated applications help marketers identify who we are and then engage us at deeper emotional and subconscious levels. Facebook, Google and others are continually pushing the boundaries of digital advertising, deploying Artificial Intelligence, Virtual Reality, Neuromarketing and other techniques. They are laying the foundation for the “Internet of Things” world that will be soon upon us, where we will be further tracked and targeted wherever we go and whatever we do. But it’s the global “Fortune” type companies that will really decide what happens with the online privacy of people all over the world. Google and Facebook basically work for the P&Gs, Coca-Cola’s, Honda’s and Bank America’s—the leading advertisers. It’s the advertisers who are really in charge of the Internet, and they have created for their own companies a kind of mirror image to what Google and Facebook have helped unleash. Fortune-size companies are now also in the data business, collecting information on consumers via all their devices; they have created in-house consumer data mining and targeting services; and they deploy advanced digital marketing techniques to directly reach us. Over the last year, major advertisers have forced Facebook and Google to become more accountable to their needs and interests—rather than to the public interest. What they call the need for “brand safety” online—assurances their ads are not undermined by being placed next to hate speech or other content harmful to their brands—is really about seizing greater control over their own digital futures. 
They deeply dislike the clout that both Google and Facebook have today over the digital advertising system. We are at a critical moment in the brief history of the Internet and digital media. There is greater awareness of what is at stake—including the future of the democratic electoral process—if we don’t develop the regulations and policies that ensure privacy, promote individual autonomy, and place limits on the now-unchecked corporate power of digital marketers. It’s time to expand the focus of the debate about Facebook and Google to include those who have been paying for all of this consumer surveillance—namely advertisers and the advertising industry. They need to be held accountable if we are to see a global digital medium that puts people—not profits—first.
    Jeff Chester
  • In a statement issued today, CDD, EPIC and a coalition of consumer groups have called on the Federal Trade Commission to determine whether Facebook violated a 2011 Consent Order when it facilitated the transfer of personal data of 50 million Facebook users to the data mining firm Cambridge Analytica. The groups had repeatedly urged the FTC to enforce its own legal judgements. "The FTC's failure to act imperils not only privacy but democracy as well," the groups warned.