U.S. Senator Edward J. Markey of Massachusetts has introduced the “Algorithmic Justice and Online Platform Transparency Act.”

If signed into law, the bill will impose several new requirements on online platforms:

  • Transparency – including explaining the information collected, how it is used (for advertising and/or content moderation), and the method by which the type of algorithmic process prioritizes, assigns weight to, or ranks different categories of personal information to withhold, amplify, recommend or promote content
  • Records – retaining a (deidentified) record of the algorithmic process
  • Retaining an advertising library – including copies of all ads, targeting criteria, information provided to the advertisers and identity of the advertisers
  • Data portability – providing the information to the individuals
  • Prohibition of discrimination

The bill would also establish an interagency task force on the algorithmic processes of online platforms that would examine the discriminatory use of personal information by those processes.

Read the bill.

C is for ‘cookie,’ and that’s not good enough for me.

NOYB, the privacy organization based in Vienna, Austria, is moving on hundreds of companies who use unlawful cookie banners. They have sent over 500 draft complaints so far, hoping to end “cookie banner terror.”

Per NOYB, “users must be given a clear yes/no option. As most banners do not comply with the requirements of the GDPR, NOYB developed a software that recognizes various types of unlawful cookie banners and automatically generates complaints. Nevertheless, NOYB will give companies a step-by-step guide (PDF) on how to change software settings to comply with the law as well as a one-month grace period to comply with EU laws before filing the formal complaint.”

“Over the course of a year, NOYB will use this system to ensure compliance of up to 10,000 of the most visited websites in Europe.”

Per Max Schrems, “companies openly admit that only 3% of all users actually want to accept cookies, but more than 90% can be nudged into clicking the ‘agree’ button.”

Read the full NOYB article.

The UK Information Commissioner’s Office is calling for collaboration with UX and design firms for the implementation of the Age-Appropriate Design Code.

Per the ICO:

“We know that the aims of the design community align with this vision set out in the Children’s Code and can see design practices evolving. Designers are more conscious of societal harms and how the decisions they make impact children’s information rights and digital experiences. And we want to help designers understand, implement and embed the Children’s Code into their practices, helping them to create a better digital world for children.”

“We are currently developing practical guidance to help designers in their day-to-day work. The guidance will help a range of practitioners to apply the Children’s Code; from UX and product designers to service managers and content designers.”

“This is a new approach for the ICO. By working in collaboration with the design community, we can create practical guidance driven by industry needs. For the first iteration of the UX design guidance we’ll focus on Transparency as a key UX design challenge in the code.”

Read the full statement from the UK ICO.

The “Cookie-pocalypse” or the “Identity Revolution.” Whatever you call it, digital advertising is undergoing a massive transition as the deprecation of third-party cookies gets closer. To help marketers successfully navigate this changing ecosystem, it’s clear the role of agencies must evolve, says Larson Banilower, Head of Agency at Criteo.

Three audience targeting approaches agencies can leverage to reach and convert their clients’ customers in this new environment are:

  • Addressable: While third-party cookies still exist, agencies must use all the signals they provide to create meaningful experiences that people want to opt-in to. The more consumers that opt-in today, the larger the addressable audience an agency’s clients will have tomorrow.
  • Cohort: If agencies truly understand the mindset of these cohorts, they can create one-to-many ads that still feel personalized.
  • Contextual: By marrying contextual signals from a webpage and commerce signals from their clients’ first-party data, agencies can deliver impactful (and seemingly personalized) ads to consumers at the right place and time.

Details in Ad Exchanger.

The National Institute of Standards and Technology (NIST) has issued a draft report on Trust and Artificial Intelligence.

“If the AI system has a high level of technical trustworthiness, and the values of the trustworthiness characteristics are perceived to be good enough for the context of use, and especially the risk inherent in that context, then the likelihood of AI user trust increases. It is this trust, based on user perceptions, that will be necessary of any human-AI collaboration.”

“Like any other human cognitive process, trust is complex and highly contextual, but by researching trust factors we stand to enable use and acceptance of this promising technology by large parts of the population.”

“AI system designers and engineers have identified several technical characteristics that are necessary for system trustworthiness. There are, at the time of this writing, nine identified characteristics that define AI system trustworthiness: Accuracy, Reliability, Resiliency, Objectivity, Security, Explainability, Safety, Accountability, and Privacy.”

Read the full report.

U.S. Sen. Amy Klobuchar (D-Minn.) has introduced the Social Media Privacy Protection and Consumer Rights Act.

“Among other things, it requires social media, search, and other data-centric companies that handle user data to give consumers a way to opt out of data collection. This could be as straightforward as someone declining the terms of service. If a person does opt out, the bill says companies are free to deny users access.”

The bill also has requirements regarding the UX of terms of use and privacy notices: terms of service must be in a form that is “easily accessible, of reasonable length… and uses language that is clear, concise, and well organized and follows other best practices appropriate to the subject and intended audience.”

Details in Ars Technica.

“When brands use their own data to know customers and prospects better, wonderful things start to happen. This is really about Identity – not cookies.”

“What to do:
  • Assess your current state
  • Embrace the first-party future.
  • Take ownership when it comes to identity and only allow processors (companies like identity providers or adtech partners) to access the data as needed, with strict privacy and security policies governing any sharing or access outside their firewalls.
  • Do not settle for less (than a complete customer view).
  • Prove the value.
  • Be transparent. The brand or “controller” has the greatest responsibility to protect the privacy and the rights of known customers as well as visitors. Processors should act as trusted partners and a direct extension of the brand by providing the people, processes, and technology to build and maintain highly precise and scalable real-time consumer recognition, activation, and measurement that help ensure transparency, privacy and security are held to the highest standard at every step. All this is done within the brand’s private, owned, and dedicated environment.
  • Do it now.”

Details in this MarTech Today article.

“In the Connected and Automated Mobility (CAM) ecosystem, cybersecurity … should be seen as a core enabler that protects safety and provides value to products and services, and is integrated in the lifecycles of products’ and services’ activities,” says the European Union’s Agency for Cybersecurity (ENISA) in a new report on the cybersecurity challenge in CAM.

Key points:
  • Raise awareness to the top management level.
  • Raise awareness throughout the organization, and especially at the right decision level.
  • Promote the integration of cybersecurity along with digital transformation at the board level.
  • Advise on fast-moving business and technology topics such as cybersecurity on a permanent basis at board level.
  • Promote procurement processes to integrate cybersecurity risk-oriented requirements.
  • Address cybersecurity skills to keep up with the creative (e.g. design thinking) skills that the company’s strategy aims to foster.
  • Define clear roles and responsibilities regarding cybersecurity.
  • Take into regard the cybersecurity needs of both business and supporting processes.
  • Define a risk management process.

“I strongly support legislation that would provide Connecticut residents with express and — frankly, overdue — privacy rights. My office has always maintained that consumers should have as much notice and control over the collection and use of their personal information as possible. Connecticut residents should be afforded the right to know, the right to correct, the right to delete and the right not to be treated differently if they exercise those rights. They should also have the power to stop businesses from selling their sensitive data,” says Connecticut Attorney General William Tong.

“There is also currently a focus on being proactive. When we are reacting, the damage has been done already — information has been compromised or a privacy violation has occurred. In our view, it is far more efficient to proactively ensure that privacy policies and practices comply with the law and are clear to consumers. We meet periodically with companies to discuss the privacy and security implications of upcoming or new products and services, and we have been able to have concerns addressed up front in a productive and cooperative fashion.”

Details from the International Association of Privacy Professionals.

“Perfect is the enemy of the good where it comes to regulation of data privacy rights,” agree both Washington State Sen. Reuven Carlyle and California Supervising Deputy Attorney General Stacey Schesser in the International Association of Privacy Professionals panel, “State of the States.”

Per Carlyle:
  • The Washington Privacy Act (WPA) is coming back next year and in the meantime will hopefully continue to inspire other states.
  • You need to figure out your focus: enforcement of the right of a particular individual or fixing systemic wrongs.
  • Private right of action calls out the balance between the risk of over enforcement and under enforcement.
Per Schesser:
  • This is the “California Consumer Privacy Act” not the California Act of Businesses trying to mitigate risk, but actually pretty much doing the same thing as before.
  • The right to cure has surprisingly proven an effective tool to provide companies with clarity.
  • Dark patterns is a new area of proactive enforcement focus.
Per Colorado AG Phil Weiser:
  • You need to balance between being over prescriptive and too vague when drafting legislation.
  • The enforcement authority should have as many tools as possible, including something similar to the DOJ ‘no action letters’.