Everything, everywhere
"Everything Everywhere" / Alex Krylov via Bing Creator

Lucid folks,

A record-breaking heat wave and dome will bake the Midwest and Northeast through next week. Please stay safe.

In this issue:

  • New public resource!
  • Choices, choices everywhere
  • What will Labour do for UK privacy?
  • NOYB strikes at Google Privacy Sandbox

…and more.

From our bullpen to your screens,

Colin O'Malley & Lucid Privacy Group Team


If this is the first time seeing our Privacy Bulletin in your feed, give it a read and let us know what you think. For more unvarnished insights, visit our Blog. Your comments and subscriptions are welcome!


Introducing Lucid Privacy’s VSPA Template

We are pleased to offer a new public resource.

As you know, a Third Party Risk Management (TPRM) program provides a structure for organizations looking to assess, document and mitigate risks from third party vendors.

To the extent third parties operate outside of the organization’s walls or need to be let in to provide their product or service, this could expose the service receiver to regulatory, reputational, or operational risks.

  • The Lucid Vendor Security and Privacy Assessment (VSPA) offers a lightweight, consolidated worksheet for organizations seeking to document such information and make risk-based decisions about a new or ongoing vendor relationship.
  • At a minimum, the VSPA helps TPRM teams create an initial ‘vendor profile’ that takes both security and privacy factors into account.

The VSPA incorporates essential guidance from European, Canadian and US state authorities, and standards setting bodies like NIST and our practical experience.

Download it here

We will continue to update this document over time. If you have questions or comments, email us at [email protected]


Frameworks, Signals Everywhere, User Choices if You Care

Depending on where your business sits within the digital economy you may be creating, sending, listening for, transmitting or reacting to a growing ecosystem of consumer choice signals and intermediated privacy requests… all at once. The situation is not peachy for users either.

Why it’s important: To opt-out of profile-based advertising, you have to navigate an eclectic mix of policies, footer links, forms, banners, industry and regulator-offered tools, apps, add-ons and device settings. Law- and policymakers are looking to change this fragmented dynamic for both sides of the commercial aisle.

Legal recap: California, Colorado, Connecticut, Delaware, Oregon, Montana and Texas now require businesses to honor choice signals sent via Universal Opt-Out Mechanisms (UOOM). The Global Privacy Control (GPC) leads as the specification of choice for CCPA and Colorado PA opt-out signaling.

  • After a public comment period, in Feb of 2024 the Colorado AG surprised no-one by approving GPC as the state’s first formally authorized UOOM.
  • While California was the first to endorse GPC this was done through enforcement (Sephora).
  • California has introduced a bill (AB 3048) to make it easier for users to broadcast OOPS by requiring browsers to ‘own’ the feature, and not push it off on web/app devs. Other states will likely follow suit.

Technical recap: Taking a page from the CO AG, compliant UOOMs should…

  • Allow consumers to automatically opt-out with multiple controllers using common formats like HTTP headers or JavaScript objects.
  • Enable clear and secure communication of opt-out requests.
  • Not hinder controllers' ability to verify the legitimacy of the opt-out, or unfairly disadvantage any other controller.

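To make the three criteria above concrete, here is an added example (our illustration, not code from the Colorado AG, the GPC authors or this newsletter) of how a site can read a Global Privacy Control signal both ways the criteria mention, as an HTTP header and as a JavaScript object, and turn it into a processing decision. The header name `Sec-GPC`, its value `1`, the `navigator.globalPrivacyControl` property and the `/.well-known/gpc.json` field names come from the GPC proposal; the sample requests, purpose names and the mapping of an opt-out to "sale", "share" and "targeted advertising" are our assumptions for the example.

```javascript
// Added example (not from the newsletter): reading a Global Privacy Control (GPC)
// opt-out signal via the "Sec-GPC" request header (server side) and via
// navigator.globalPrivacyControl (client side), then applying it to a list of
// processing purposes. Spec facts assumed from the GPC proposal: header value "1"
// and a boolean DOM property. Sample inputs below are constructed.

// Server side. Only the exact value "1" counts as an opt-out; any other value is
// treated as "no signal", which keeps a malformed or tampered header from being
// read as consent either way. Browsers will not let page script set "Sec-"
// prefixed request headers (forbidden header names in fetch), which is one
// reason the header form is hard to forge from the page itself.
function gpcFromHeaders(headers) {
  const found = Object.entries(headers || {}).find(
    ([name]) => name.toLowerCase() === 'sec-gpc'
  );
  if (!found) return { present: false, optOut: false };
  const value = String(found[1]).trim();
  return { present: true, optOut: value === '1' };
}

// Client side. The same preference is exposed to page script as a boolean.
function gpcFromNavigator(nav) {
  const value = nav && nav.globalPrivacyControl;
  return { present: value !== undefined, optOut: value === true };
}

// Map a signal to a per-purpose decision. Assumption for this example: an opt-out
// covers "sale", "share" and "targeted_advertising" (the CCPA / Colorado reading)
// and never switches off processing that is necessary to deliver the service.
function applyOptOut(signal, purposes) {
  const restricted = new Set(['sale', 'share', 'targeted_advertising']);
  return purposes.map((purpose) => ({
    purpose,
    allowed: !(signal.optOut && restricted.has(purpose)),
  }));
}

// Constructed sample requests: a valid opt-out, an explicit "0", no header at all,
// and a malformed value that must not be read as an opt-out.
const sampleRequests = [
  { id: 'r1', headers: { 'Sec-GPC': '1', 'User-Agent': 'constructed/1.0' } },
  { id: 'r2', headers: { 'sec-gpc': '0' } },
  { id: 'r3', headers: {} },
  { id: 'r4', headers: { 'Sec-GPC': 'true' } },
];
const purposes = ['necessary', 'analytics', 'targeted_advertising', 'sale'];

// Evaluate each request and record what the site may still do with it.
function summarize(requests) {
  return requests.map((r) => {
    const signal = gpcFromHeaders(r.headers);
    return {
      id: r.id,
      present: signal.present,
      optOut: signal.optOut,
      decisions: applyOptOut(signal, purposes),
    };
  });
}

// Body a site can serve at /.well-known/gpc.json to state that it honors GPC
// (field names from the spec; the date passed in is constructed by the caller).
function gpcSupportResource(lastUpdate) {
  return JSON.stringify({ gpc: true, lastUpdate });
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(summarize(sampleRequests), null, 2));
  console.log(gpcSupportResource('2024-06-20'));
}
```

Run it with `node` to see the per-request decisions; request r4 shows why the strict `=== '1'` comparison matters, since a lenient "truthy" check would have turned a malformed value into an opt-out the user never sent. The header-side reader is what a controller should rely on for the legitimacy check the Colorado criteria describe; the navigator-side reader is useful for consent UIs and tag managers running in the page.
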
Easy enough, right? Yet, for digital media, thorny questions remain regarding signal utility and legitimacy, and what it all means in relation to industry initiatives like WebChoices 2.0 and IAB GPP.

Quasi-Universal OOMs

For adtech in particular, the term ‘universal’ is loaded with years of self-regulatory tooling providing web/app users with advertising transparency and choice. And while some US regulators may feel squeamish about endorsing industry (or fortressed garden) approaches, they exist and deserve robust dialogue.

Non-exhaustively, these are:

Zooming out: There is a tangible movement to make opt-outs easier for online users to send, and for data-driven businesses to operationalize and trust. US state regulators appear more willing to referee the growing UOOM & OOPS field, which could be good for utility and interoperability in the long run. Because right now it does feel like everything, everywhere all at once. (Reminder: the CPPA’s Delete Act mechanism is coming in 2026.)

If you have not already, check out FPF’s excellent survey of current UOOMs/OOPS.

--AK


On the Ground: What’s UK Labour Doing for Privacy?

In the May 28 issue of the Bulletin, we discussed the background and implications of the demise of the UK’s Data Protection and Digital Information (DPDI) Bill. The Bill sought to wrestle some sort of Brexit dividend by fashioning GDPR into a more pro-innovation and business-friendly version.

Politics, politics

The Bookies’ odds have the Labour Party to be the next UK Government at 1/41! So it's probably worth having a look at what a Labour victory might mean for Privacy and Data Protection.

  • Surprisingly, there is no detail on Data Protection legislation or specific technology policy in the Labour Party manifesto, signifying that it is not a priority for their initial Parliament.
  • Although most can see, if not equate, the severe penalty of Brexit to the UK, it seems that neither of the big UK political parties vying for election victory is keen to reopen the possibility of closer European relations.

But by ignoring the necessity of revamping GDPR, there seems to be a realization that, maybe, GDPR is not all bad after all, or at least not worth the effort to prioritize.

Push me, pull me

The Labour Party does still want to wrestle the ‘push me pull me’ of pro-innovation policies, whilst still introducing more regulation.

  • The underlying message is that more needs to be done to regulate emerging technologies and to remove barriers to drive technology growth.
  • Across every sector, stimulating growth has been seen as the panacea to the UK’s considerable debt issue, but the Labour Party can’t shake off their natural political instinct to regulate more as well.

The manifesto outlines plans to regulate AI development and prioritize online safety, whilst removing barriers to technology startups by increasing national data server capacity and creating a National Data Library to centralize existing government research programs.

Oi, AI!

Post-Brexit, the rotating UK government has been keen to hone UK’s competitive edge. Technology has been the main theme of Labour’s focus in particular.

  • They have not yet specified how they will balance increased governance with still being "pro-innovation".
  • Labour leader Keir Starmer has emphasized the need for a comprehensive binding regulatory framework to address AI's potential risks and benefits, stating the sector would welcome the certainty regulation provides.
  • Starmer supports a new Regulatory Innovation Office (RIO) to sit across all regulators and speed up tech policy decisions and promote innovation across all sectors. (It’s not clear how a ‘Regulators’ Regulator’ will actually function or improve efficiencies.)

Labour also aims to expand the controversial Online Safety Act around inappropriate content for children, misogyny and social media, a populist move that has its own share of privacy risks.

Zooming Out

Election Manifestos are renowned for being vague, and are intended to provide a broad mandate for the successful Political Party. So we have learnt little of any substance. By prioritizing increased regulation and innovative growth across technology, the Labour party have given themselves a tricky dichotomous balancing act. With memories of past Labour Governments that failed to deliver clear policy, whilst still managing to introduce increased bureaucratic complexity, I think we will need to wait and see.

--RW


Other Happenings

  1. NOYB Strikes at Google Chrome and Privacy Sandbox. You've got to admire the sheer capacity (chutzpah?) of the Austrian privacy group NOYB. In last week’s Bulletin we covered NOYB’s complaints concerning Meta’s use of “legitimate interest” to train their AI. Now NOYB has re-tilted its lance against the Chrome browser for ‘allegedly’ tracking users through Google’s Privacy Sandbox initiative. In a classic “Dark Patterns” argument, the complaint targets the use of a popup asking users to "turn on ad privacy feature," which Max Schrems claims tricks users into consenting to tracking in breach of Article 4(11) GDPR. Google disagrees under Article 6(1)(a). #epicrapbattlesofhistory
  2. Colorado Enacts First 'Hybrid' Biometrics Law. Broad bills ahoy. Colorado’s HB 1130 amends the Privacy Act to regulate biometric tech. It imposes significant compliance requirements akin to Illinois’ BIPA and will affect a broader swath of companies -- from online retailers to warehouses using voice recognition. July 2025 is only a year away, so start prepping now: inventory biometric systems, conduct impact analyses, and consult AI warlocks.
  3. Vermont Gov Knocks Down Privacy and Kids Safety Bill, Cites Risk to Businesses. In a classic clash of business interests vs individual privacy rights, VT’s Republican Governor Phil Scott ignites controversy by vetoing the Vermont Data Privacy Act (VTDPA), stalling what was poised to be one of the nation’s most robust consumer data privacy laws. His rationale? The very things that make the law strong -- PRA, addictive online content, data minimization etc -- will be too disruptive to business. Back down to a floor vote it goes. #yearswasted
  4. Mozilla Acquires Anonym, Enters PET Adtech Fray. Anonym, a startup that ‘reimagines’ digital ad ops for a privacy-centric market, will be joining Mozilla. In particular, Anonym aims to reduce data leakage by encrypting consumer eyeballs and actions, adding ‘differential’ noise to data sets, and doing it all through a fortressed data clean room where no user-level data will be shared. This sounds an awful lot like what Google is doing with Sandbox in Chrome and Android. But Mozilla has stated no plans to reshape Firefox along these lines. Yet? Likely reasons: (1) Sandbox has latency problems, (2) FireAdFox may be off-brand, and (3) Moz doesn’t need to be the first mouse at the cheese -- just ask Tim Cook and Satya Nadella about [Open]AI.

--RW, AK

