?? Drying ink

Lucid folks,

The winter holidays are almost here. We will be taking a break starting next week, returning to our writing desks in the new year,?refreshed and with an updated format. As we look to make the Bulletin more interesting and relevant to you in 2025, we’d love to hear your thoughts.

Until then, in this issue:

• The FTC has consent fatigue too?
• Blog boomerangs
• No news Roundups -- the cycle needs new tires

…and more.

Happy upcoming holidays, everyone!

From our grateful bullpen to your screens,

Colin O'Malley & Lucid Privacy Group Team

With Alex Krylov (Editor/Lead Writer), Ross Webster (Writer, EU & UK), Raashee Gupta Erry (Writer, US & World), McKenzie Thomsen, CIPP/US (Writer, Law & Policy)

?? If this is the first time seeing our Privacy Bulletin in your feed, give it a read and let us know what you think. For more unvarnished insights, visit our Blog.

Your comments and subscriptions are welcome!

When it Comes to a Federal Privacy Law, the FTC Largely Concurs

Last week saw the FTC announces two more settlements with “sensitive location data” sellers Gravy Analytics and Mobilewalla.?

Why it matters: These enforcement actions are the latest in a series of a strategic moves against data sellers that link mobile users to sensitive places like synagogues and events like political protests. (More on the last one below.)

• The FTC, like the California Privacy Protection Agency and Attorney General, are interested in data brokers and source providers across a Byzantine advertising data supply chain.
• These and the previous raft of enforcement actions do not target adtech companies directly, but rather the up-funnel data brokers who may themselves be buying or licensing data from other companies.

Consent dissent: There is much to unpack with these latest decisions. But how GPS data is sourced and to what degree permissioned -- at the device/OS all the way down to 3rd party end-recipients -- remains an issue of systemic importance for the FTC.?

Yes, the Commission, like many in the global privacy community, is worried about the sustainability of “verifiable user consent” for precise location (and other sensitive) data collection.??

In her response to FTC Commissioner Melissa Holyoak’s dissenting views in the Mobilewalla case, FTC Chair Lina Khan stressed how…

• “[The Mobilewalla] matter further highlights the continued shortcomings of the “notice and consent” paradigm...”?
• “In recent years, the Commission’s orders have moved away from remedies and relief premised exclusively on consumer consent—and included greater reliance on presumptive bans and prohibitions.”

By citing her keynote at the 2022 IAPP Summit, Chair Khan once again calls on Congress to pass comprehensive legislation that can ban certain data collection and not just use.

Zooming out: The FTC wields a bounded set of powers that Commissioner Andrew Ferguson, while agreeing, that Gravy Analytics and Mobilewalla deserved comeuppance, he highlights another important paradox -- the logical limits of the Commission’s unfair business practices authority when enforcing privacy violations.?

• “...the text of Section 5 cannot bear the tremendous weight my colleagues place on it. My colleagues want the FTC Act to be a comprehensive privacy law. But it is not. Comprehensive privacy regulation involves difficult choices and expensive tradeoffs. Congress alone can make those choices and tradeoffs.

The incoming Congress is unlikely to be any more conducive to an ADPPA/APRA bill getting, let alone passing, a floor vote. But it is important to see how today’s FTC is more thoughtful and less dogmatic about these fundamental issues than some may think. We know what unworkable ‘privacy fundamentalism’ looks like. Just ask Rie Alexander and Sergio Maldonado.?

-AK

Blog Boomerang

Remember that Lucid blog you loved but totally forgot about? Well, it’s back—because great posts deserve a second spin. It's like déjà vu, but smarter… and with an eclectic bend.

• [Ross Webster] Privacy in the Age of New ID Solutions. Despite Google’s recent delay in phasing out Third-Party Cookies (3PC), the writing is on the wall: online publishers must explore new identity (ID) and first-party data solutions to maintain their targeted advertising capabilities. Universal or alternative IDs, which leverage persistent identifiers like email addresses, phone numbers, or device IDs, have emerged as potential solutions to provide a consistent user experience across platforms…
• [Ben Isaacson] California’s ‘Delete Act’: The Loopholes Swallow The Law. California’s attempt to regulate data brokers through SB 362, aka the CA ‘Delete Act’, is unlikely to have the effect of dramatically reducing third party marketing offers, at least the ones most people see in their mailboxes, email inboxes or online… If you review the CA Data Broker Registry list, you’re likely not going to know most of the companies, but there will also be some surprising names…
• [David Reeves] Artificial Intelligence, Regulation, Privacy. Artificial intelligence has emerged as one of the most transformative technologies of the modern era, with the potential to revolutionize industries and reshape societies in profound ways. Business, media, academia, regulators, legislators, and consumers are beginning to coalesce around the idea that the early 2020’s have marked the start of a new technological paradigm…
• [Raashee Gupta Erry] Burying Behavioral Advertising in Terms of Service Violates GDPR Principles. 2023 started with a serious blow to behavioral advertising. Irish Data Protection Authority (IE DPA) issued a decision to Meta that put its Behavioral Advertising under high scrutiny. This decision was handed down to Irish DPA from the European Data Protection Board (EDPB) and is an outcome of the dispute resolution amongst various EU regulators…
• [Alex Krylov] Fired Pixels Under Fire. The 2010s were a time of ‘novel’ patent lawsuits. It seemed like every company was being sued by Tom, Shrek & Harry LLP for sending hyperlinks to mobile users. You know, to service terms and coupons and such… Today, a polar opposite situation is playing out with another embedded technology. Class action lawsuits du jour have been targeting healthcare providers loading Meta’s tracking pixel on their websites. These cases raise fair and important questions about digital privacy and existing federal laws’ limited reach…

Privacy Lingo

The world of digital privacy and data protection is full of arcane concepts and cross-functional jargon. Here’s another one:

?? consent farming (noun [U]) /k?n?sent ?fɑ.m??/

A controversial lead generation tactic where consumers are led to agree to third-party direct marketing, typically in exchange for information, special offers or chances to win prizes such as a new iPhone. In 2023 the FTC and DOJ filed a joint complaint against lead generation company, Fluent LLC. The company allegedly "tricked people into phony consent" through "owned and operated the lead generation websites, quick-jobs.com and localjobindex.com, that act as consent farms to gather consumers’ personal information along with their supposed consent to receive robocalls."?

Headline Images of Issues Past

Lucid Resources

• Tracking Technology Privacy Impact Assessment (TTPIA)
• Vendor Security & Privacy Impact Assessment (VSPA)
• Pan-US Data Protection Impact Assessment (US DPIA)
• Pan-US Readiness Record (US RR)
• China PIPL Readiness Record (CHN RR)?
• EU-US DPF Readiness Record (DPF RR)
• Transfer Impact Assessment (TIA)
• California Readiness Record (CCPA)
• Virginia Readiness Record (VCDPA)
• Colorado Readiness Record (CPA)
• Connecticut Readiness Record (CTDPA)
• Utah Readiness Record (UCPA)
• China Personal Information Processing Impact Assessment Template (PIPIA)