Virginia is about to get a major California-style data privacy law

The right to privacy is an element of various legal traditions to restrain governmental and private actions that threaten the privacy of individuals. Over 150 national constitutions mention the right to privacy. In the 1948 Universal Declaration of Human Rights Article 12, the United Nations states . . . .

 

If adopted, the Consumer Data Protection Act would apply to entities of a certain size that do business in Virginia or have users based in Virginia. The bill enjoys broad popular support among state lawmakers; it passed 89-9 in the Virginia House and unanimously (39-0) in the state Senate, and Democratic Gov. Ralph Northam is widely expected to sign it into law without issue in the coming days.

The CDPA applies to entities that “control or process” personal information of 100,000 or more Virginia residents in a calendar year or to entities that make 50 percent or more of their gross revenue from the sale of personal data if they hold information about at least 25,000 residents. Basically, the big data brokers and companies with a major online presence would all be covered, but small businesses would not be. Under the law, these entities that determine “the purpose and means of processing personal data” are called “controllers.”

The bill contains wide carve-outs for specific types of data and covered entities that are already regulated under laws such as HIPAA, the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, and educational privacy law FERPA.

Notably, the Virginia bill does not include any private right of action whatsoever over violations, meaning you can’t sue if your rights are being violated under the law; only the Virginia attorney general’s office can pursue a case.

The Right to Privacy since 1890

FIGHT for Health Care Privacy Rights

COVID-19, privacy, and school recordings by Becky Richards

Prop 24: New CA law makes data gathering harder for Facebook, Google

https://www.businessinsider.com/prop-24-privacy-california-data-tracking-facebook-google-2020-11

California just passed a major privacy law that will make it harder for Facebook and Google to track people and gather data

Everything starts in CA then makes its way across the country to the east coast and finally finally finally the whole country will get the privacy protection we deserve.

PRIVACY IS A RIGHT

LinkedIn Sued Over ‘Brazen’ Privacy Breach

A New York resident has filed a class-action lawsuit against LinkedIn over its iOS app, which read data from Apple device users’ clipboards, a feature that LinkedIn says has been disabled in the newest version of the app.

The suit says LinkedIn violated California privacy laws and federal wiretap laws.

Social networking company LinkedIn was hit with a class-action complaint alleging that it engaged in “a particularly brazen, indefensible privacy violation” by reading data from Apple users’ clipboards.

“Until abruptly exposed by Apple and independent developers, LinkedIn had programmed its iPhone and iPad applications to abuse Apple’s Universal Clipboard to brazenly read and divert LinkedIn users’ most sensitive data including sensitive data from other Apple devices — without their consent or knowledge,” New York resident Adam Bauer alleges in a class-action complaint filed Friday in U.S. District Court for the Northern District of California.

The allegations appear to stem from a report earlier this month by developer Don Morton, who tweeted that Microsoft’s LinkedIn was copying the clipboards on his iPad and MacBook.

 

The ambiguous privacy policy is on purpose

www.edu-cyberpg.com

WE SUPPORT STEVE BELLOVIN

Pass a strong Federal privacy law to protect our data, if you need to protect the population when the next pandemic hits.

As Joel Reidenberg and his colleagues have pointed out, privacy policies are ambiguous, perhaps deliberately so. One policy they analyzed said:

  1. “Depending on how you choose to interact with the Barnes & Noble enterprise, we may collect personal information from you…”
  2. “We may collect personal information and other information about you from business partners, contractors and other third parties.”
  3. “We collect your personal information in an effort to provide you with a superior customer experience and, as necessary, to administer our business”

“May”? Do you collect it or not? “As necessary”? “To administer”? What do those mean?

The same lack of clarity is true of location privacy policies.

The New York Times showed that some apps that legitimately need location data are actually selling it, without making that clear:

The Weather Channel app, owned by an IBM subsidiary, told users that sharing their locations would let them get personalized local weather reports. IBM said the subsidiary, the Weather Company, discussed other uses in its privacy policy and in a separate “privacy settings” section of the app. Information on advertising was included there, but a part of the app called “location settings” made no mention of it.

Society is paying the price now. The lack of trust built up by 25 years of opaque web privacy policies is coming home to roost. People are suspicious of what else will be done with their data, however important the initial collection is.

Can this be salvaged? I don’t know; trust, once forfeited, is awfully hard to regain. At a minimum, there need to be strong statutory guarantees:

  • The information collected will only be used for contact tracing;
  • It will not be available to anyone else, including law enforcement, for any reason whatsoever;
  • There are both criminal and civil penalties for unauthorized collection or use of such data, e.g., by a store;
  • There is a private right of action as well as city, state, and Federal enforcement;
  • That class action suits to enforce this are permitted, regardless of terms and conditions requiring arbitration.

and this needs to be as iron-clad as a battalion of lawyers can make it.

I don’t know if even this will suffice—as I said, it’s hard to regain trust. But passing a strong Federal privacy law might make things easier when the next pandemic hits—and from what I’ve read, that’s only a matter of time.

(There’s a lot more to be said on this topic, e.g., should a tracking app be voluntary or mandatory? The privacy advocate in me says yes; the little knowledge I have of epidemiology makes me think that very high uptake is necessary to gain the benefits.)

 

 

 

 

Steven Bellovin on Twitter: “Code isn’t just law, it’s a binding international treaty.
(I’m now waiting for England (no, I didn’t mean Britain or the UK…) to want to pull out of the Apple ecosystem as an infringement on its sovereignty.)”