US Consumer Bureau Eyes Data Brokers; Worldcoin's Iris-Scan Venture Questioned Globally

By Robert Bateman and Privado.ai

This week’s Privacy Corner Newsletter tackles the following privacy questions:

• What is the US CFPB, and why does it want to crack down on data brokers?
• Did Worldcoin really ignore an order from the Kenyan data protection authority? And why is Argentina now concerned about this iris-scanning blockchain business?
• How should cookie banners look in the UK, according to the country’s data protection and consumer protection authorities?
• What are three of the best privacy-related reads published in the past week?

US Consumer Protection Agency Plans Crackdown on Data Brokers

Rohit Chopra, director of the US Consumer Financial Protection Bureau (CFPB) appeared in Washington this week to set out the authority’s planned crackdown on data brokers.

• The CFPB enforces federal consumer financial law against companies engaged in unfair and deceptive practices.
• The agency plans to target data brokers as part of an all-of-government effort to tackle AI-associated harms.
• Chopra argued that certain data brokers should be deemed “credit reporting agencies” and held to account under the Fair Credit Reporting Act.

The CFP-who?

As a consumer financial protection agency, the CFPB is not normally associated with investigating privacy violations. Yet director Rohit Chopra’s speech to White House officials on Monday could almost have been made by the Federal Trade Commissioner (FTC)’s Lina Khan.

“After conducting an inquiry into the practices of data brokers in the surveillance industry, we have decided to launch a rulemaking to ensure that modern-day digital data brokers are not misusing or abusing our sensitive data,” Chopra said.

How will the CFPB act against data brokers?

Chopra highlighted two CFPB proposals aimed at reining in data brokers:

• Defining data brokers that sell data such as payment history, income, and criminal records as “consumer reporting agencies”, which would impose obligations around data accuracy and prohibit certain uses of such data.
• Clarifying that certain other types of data, such as name, date of birth, and social security number, can constitute “credit header data” and thus be subject to stricter rules preventing unauthorized disclosure.

Is this stuff actually within the CFPB’s remit?

Whether the CFPB has jurisdiction to regulate data brokers is part of the reason for the agency’s proposed rules.

Many data brokers obtain and sell the types of data that appear in credit reports, which are used to determine consumers’ access to financial products.

The CFPB seemingly wishes to ensure that it can regulate such activities under the Fair Credit Reporting Act, which provides the following consumer protections:

• A requirement to ensure data accuracy.
• An obligation to respond to consumer complaints about errors in their data.
• The right for consumers to access certain types of personal information.
• Rules around disclosing and using certain types of personal information.

By (re)defining certain data brokers as “consumer reporting agencies”, the CFPB would be empowered to enforce against those companies directly rather than enforcing against financial institutions further down the data supply chain.

Does the CFPB have teeth?

The CFPB is a relatively active regulator. Since the beginning of July alone, the agency has brought enforcement action against the following companies:

• USASF Servicing (a loan-servicing company)
• Snap (which offers credit for purchases from merchants on its platforms)
• Prehired (a recruitment firm)
• Bank of America (twice)

As such, data brokers should be paying attention to this proposed rulemaking and enforcement activity.

Kenya and Argentina Investigate Worldcoin’s Iris-Scanning Crypto Venture

Data protection authorities in Kenya and Argentina are investigating concerns about OpenAI CEO Sam Altman’s latest project, Worldcoin.

• Worldcoin offers a digital identity product (World ID), a cryptocurrency (WLD), and an app (World App).
• The company has been operating “Orbs” in cities worldwide, which scan people’s irises and derive biometric information in exchange for a nominal amount of WLD.
• Authorities in Kenya ordered Worldcoin to suspend operations in the country. Argentina is investigating whether Worldcoin complies with the country’s data protection law.

More problems for Worldcoin?

That’s right—Kenya and Argentina are just two of several countries whose data protection authorities are concerned about Worldcoin.?

As noted in a previous edition of the Privacy Corner Newsletter, the UK’s Information Commissioner’s Office (ICO) and other European regulators have made statements about the company, too.

What’s the issue?

Let’s start with Kenya.?

According to a Kenyan news publication, The Star , Kenya’s Office of the Data Protection Commissioner (ODPC) began assessing Worldcoin’s operations last May.

In the course of this investigation, the ODPC ordered Worldcoin to suspend operations for 60 days.?

However, Worldcoin allegedly ignored the regulator.

“Despite the suspension and directive to cease processing of personal data, the respondents continued to process the said personal data,” Kenya’s Deputy Data Commissioner Oscar Otieno told The Star.

On August 2, the ODPC obtained a court affidavit to reinforce its order against Worldcoin.?

But the agency is now concerned that Worldcoin might attempt to hamper its investigation by deleting the biometric data collected since April last year.

What about Argentina?

Argentina’s Agency for Access to Public Information (AAIP) is also investigating Worldcoin, but this investigation is at an earlier stage.

The agency wrote to Worldcoin on August 7, asking the company a series of questions about its operations and its compliance with Argentina’s data protection laws, including Resolution

No. 4/2019 (which covers biometric information) and the Personal Data Protection Act (PDPA).

The Argentian authority’s inquiries focus on whether Worldcoin has a data protection officer, whether its purposes for collecting personal data align with the PDPA’s principles, and whether the company has conducted a data protection impact assessment under the PDPA.

Will Worldcoin survive?

Worldcoin wants to proliferate a unique digital identity based on biometric information and supported by blockchain-based technologies—two fairly contentious areas under data protection law.?

As such, it’s not surprising that the company has attracted the attention of regulators.

Worldcoin’s legal budget is presumably large enough to handle such regulatory scrutiny.?

But with questions over the project’s compatibility with the GDPR—coupled with the increasingly active regulatory environment in the US and elsewhere—Worldcoin’s lawyers should be pretty busy as the company seeks to establish a foothold in the digital identity market.

UK Regulators Warn Against ‘Damaging’ Cookie Banners

The UK’s data protection authority, the ICO, has published a joint position paper with the country’s Competition and Markets Authority (CMA), stating that certain cookie banner designs could break data protection and consumer protection law.

• The regulators form part of the UK’s Digital Regulation Cooperation Forum (DRCF), which aims to facilitate joint regulation across sectors such as data protection, consumer protection, and media regulation.
• The ICO and the CMA’s position paper focuses on “online choice architecture” and takes a clear position on previously ambiguous areas of the UK’s GDPR and Privacy and Electronic Communications Regulations (PECR).
• The paper advises web designers and publishers that cookie banners should have a “reject” button on the first layer, should not use misleading language, and should avoid “harmful nudges and sludge” that can impact user experience.

“Sludge”?

The word “sludge” features 17 times in the regulators’ joint paper and refers to web design that “makes it difficult for the user to get what they want or to do as they wish”.

Other terminology adopted by the ICO and CMA includes:?

• “Confirmshaming”: “Pressuring or shaming someone into doing something by making them feel guilty or embarrassed by not doing it”.
• “Biased framing”: “Presenting choices in a way that emphasises the supposed benefits or positive outcomes of a particular option, in order to make it more appealing to the user.”
• “Bundled consent”: “Asking the user to consent to the use of their personal information for multiple separate purposes or processing activities via a single consent option.”

These are “dark patterns”. We already know those are illegal, right?

It’s fair to say that the ICO and CMA are exploring some seriously well-trodden ground.?

The European Data Protection Board (EDPB)’s Cookie Banner Taskforce reported similar observations in January, and several other regulators have been warning companies against using dark patterns for several years.

However, the paper is still significant in that the regulators take a relatively hardline position on their interpretation of the UK’s EU-derived privacy and data protection laws (which, thus far, remain intact following Brexit).

For example, EDPB members do not unanimously agree that a cookie banner should have “accept” and “reject” buttons on the first layer, with some arguing that placing a “reject” button on the second layer (after a “more options” button) is acceptable under the GDPR’s consent rules.

The ICO and CMA take the stricter interpretation on this issue, stating that such a practice would likely violate the UK’s GDPR’s “consent” definition and “fairness” principle.

But will these regulators actually enforce cookie consent rules?

The ICO has never enforced PECR or the GDPR in the context of cookies or any online tracking. A long-standing investigation into the adtech industry restarted in 2021, but many observers suggest that the project has yet to yield meaningful results.

Still, stranger things have happened—and the ICO has been hiring for some tech-focused enforcement roles in recent months. The regulator’s partnership with the CMA could also prompt a more active enforcement stance.

As such, the position paper is important reading for web designers and compliance teams wishing to understand the UK’s regulatory expectations in this area.

What We’re Reading

Here are some recommendations for the best privacy-related reading published this week.

• Tech lobbyists are running the table on state privacy laws : A well-crafted piece about the tech lobby’s alleged influence on US privacy legislation (although the authors are a little dismissive towards “Virginia-style” privacy laws, some of which are pretty robust).
• Beyond Netflix And Chill: Gaining Control Of Our Digital Lives Via Data Portability : Friend of Privacy Corner Carey Lening wrote this great Techdirt piece about how we could better leverage the right to data portability.
• This Twitter thread by Matthew Lesh sets out the daunting compliance requirements that await companies operating in the UK if the country’s controversial Online Safety Bill passes.