Privacy News: January 20

Websites selling abortion pills sharing data with Google, the My Health My Data Act, the "no fly" list accidentally exposed, a state privacy legislation bonanza ... and more!

Privacy After Roe

Websites Selling Abortion Pills Are Sharing Sensitive Data With Google

Jennifer Gollan on ProPublica (propublica.org)

That's bad.  Using the Markup's Blacklight tool, a nonprofit tech-journalism newsroom, ProPublica ran checks on 11 online pharmacies that sell abortion medication to reveal the web tracking technology they use.  At least 9 of them had web trackers.

These third-party trackers, including a Google Analytics tool and advertising technologies, collect a host of details about users and feed them to tech behemoth Google, its parent company, Alphabet, and other third parties, such as the online chat provider LiveChat. Those details include the web addresses the users visited, what they clicked on, the search terms they used to find a website, the previous site they visited, their general location and information about the devices they used, such as whether they were on a computer or phone....

While many people may assume their health information is legally protected, U.S. privacy law does little to constrain the kind or amount of data that companies such as Google and Facebook can collect from individuals. Tech companies are generally not bound by the Health Insurance Portability and Accountability Act, known as HIPAA, which limits when certain health care providers and health plans can share a patient’s medical information. Nor does federal law set many limits on how companies can use this data.

Proposed Washington law puts period-tracking apps on notice

Jessica Lyons Hardcastle on The Register (theregister.com)

My Health My Data, a bill currently in Washington's state legislature, would protect health data that collected by apps and websites -- including reproductive health care data.  For some reason, the articles about it so far have focused on period-tracking apps, but that's only the tip of the iceberg.

"Think about period-tracking apps that can sell information about a woman's missed or late period," [sponsor Rep. Vandana] Slatter said. "Or a pregnancy crisis center that someone visits and then learns they can't receive an abortion, but their information can be sold to anti-abortion groups. Or digital advertising firms that set up geofencing around healthcare facilities. This bill is about closing the gap on health data privacy protections from the technological side of it."

I talked more about My Health My Data and its prospects here last week in A much more favorable environment: Washington state privacy legislation 2023, and with a hearing on Tuesday I'll have more to say about it soon!

ALSO:

• Washington state bill would make period-tracking apps follow privacy laws in reflection of post-Roe fears , Shawna Mizelle on CNN (cnn.com)

A pair of articles about My Health My Data, a bill introduced by Democrats in Washington’s state legislature would prevent private health data that is collected by apps -- particularly those that track menstrual cycles -- from being shared without consumers’ consent.

Surveillance

U.S. airline accidentally exposes ‘No Fly List’ on unsecured server

Mikael Thalen on The Daily Dot (dailydot.com)

CommuteAir, a United Airlines subsidiary, left a copy of the U.S. No Fly List on an unsecured server as a file named "NoFly.csv" that could be viewed by anyone.  

The list, according to crimew, appeared to have more than 1.5 million entries in total. The data included names as well as birth dates. It also included multiple aliases, placing the number of unique individuals at far less than 1.5 million.

Little-Known Surveillance Program Captures Money Transfers Between U.S. and More Than 20 Countries

Dustin Volz and Byron Tau on The Wall Street Journal (wsj.com)

Law-enforcement agencies across the U.S. have direct access to over 150 million transactions housed at an Arizona-based nonprofit.

State privacy legislation

States are readying a flurry of privacy bills as Washington stalls

Cristiano Lima on the Washington Post (washingtonpost.com)

A roundup of some of the various laws being proposed, including

• Comprehensive privacy bills in Massachusetts, Iowa, Mississippi, Indiana, Oklahoma, Oregon, Tennessee, New York and Kentucky
• Protections for children’s data in Connecticut, Oregon, West Virginia, Virginia and New Jersey.
• Biometrics, health data, and data broker laws in New York, Mississippi, Maryland, Oregon, New Jersey, Virginia and Washington.

That's a lot!

State legislators aren’t waiting for Congress to regulate children’s online privacy

Tonya Riley on CyberScoop (cyberscoop.com)

More states are following California’s lead in regulating children’s privacy. But experts say the laws raise many tough questions.

Data Privacy ‘Panoply’ Looms as States Move to Fill Federal Hole

Brenna Goth and Skye Witley on Bloomberg Law (news.bloomberglaw.com)

Consumers across the US could gain more control over how companies collect and use their personal information through state legislative efforts to create new data privacy requirements.

And ...

The Future of Manipulative Design Regulation

Felicity Slater, Future of Privacy Forum (fpf.org)

A look at rules and enforcement actions, in the US and around the world, targeting manipulative design practices online.

These efforts are complex and address a range of consumer protection issues, including privacy and data protection risks. They raise thorny questions about how to distinguish between lawful designs that encourage individuals to consent to data practices, and unlawful designs that manipulate users through unfair and deceptive techniques. As policymakers enforce existing laws and propose new rules, it is crucial to identify when the design and default settings of online services constitute unlawful manipulative design that impairs user’s intentional decision-making.

How the Netherlands Is Taming Big Tech

Natasha Singer on NYTimes (nytimes.com)

Dutch privacy negotiators have spurred major changes at Google, Microsoft and Zoom, using a landmark European data protection law as a lever.

Thinking and Reading at the Intersection of Labor, Race, and Tech

Data & Society on Data & Society: Points (points.datasociety.net)

The rise of data-centric technologies is an opportunity for the labor and racial justice movements to build new bridges.

Meta dodged a €4BN privacy fine over unlawful ads, argues GDPR complainant

Natasha Lomas on TechCrunch (techcrunch.com)

A €390M privacy fine against Meta’s behavioural ads issued earlier this month in the EU was several billion dollars smaller than it should have been, argues the original complainant.

The year in UK GDPR regulatory enforcement action

on Privacy Laws & Business (privacylaws.com)

The Battle Over Women’s Data

Chi Onwurah on WIRED (wired.com)

In a post-Roe world, bodily autonomy must include control over personal data.

All the Data Apple Collects About You—and How to Limit It

Matt Burgess on WIRED (wired.com)

Cupertino puts privacy first in a lot of its products. But the company still gathers a bunch of your information.

The big risk in the most-popular, and aging, big tech default email programs

Elizabeth MacBride on CNBC (cnbc.com)

Many individuals and businesses rely on Google and Microsoft email programs created long ago, and big tech email ‘age’ is a big cybersecurity risk.

Irish Data Protection Authority gives € 3.97 billion present to Meta. Authority allegedly unable to assess financial benefit from Meta’s GDPR violations.

on noyb.eu (noyb.eu)

The DPC has turned a blind eye on the revenue generated by Meta from violating the GDPR since 2018. Ignoring the EDPB demand to include the unlawful revenue of Meta, reduced the fine by 3,97 Mrd EUR.

Privacy Fines: GDPR Sanctions Last Year Surged to $3 Billion

Mathew J. Schwartz on bankinfosecurity.com

European data protection regulators last year imposed known privacy and data breach fines under GDPR collectively worth at least 2.9 billion euros, or $3.1 billion,

UK data agency plays down privacy risks of connected tech, as demand for Amazon Alexa and Google Nest show consumer trust

Jess Jones on CityAM (cityam.com)

The UK’s data watchdog has played down potential privacy concerns linked to connected technology, arguing that strong demand for devices like the Amazon

Privacy Shield 2.0 What’s Next for International Data Transfers?

Myriad Interactive on Snell & Wilmer (swlaw.com)

Snell & Wilmer is one of the largest law firms in the western Unites States.

Podcast: Why Privacy Matters

Neil Richards and Danielle Citron on Tech Policy (techpolicy.com)

In a UVA Common Law podcast, privacy law expert Neil Richards, law professor at Washington University in St. Louis, joins University of Virginia law professor Danielle Citron to discuss how privacy regulation could ensure that information cannot be used to gain control and influence others.

CDT and Technologists File SCOTUS Brief Urging Court To Hold that Section 230 Applies to Recommendations of Content

Caitlin Vogus, Emma Llansó, Samir Jain on Center for Democracy and Technology (cdt.org)

The Center for Democracy & Technology and six technologists with expertise in online recommendation systems filed an amicus brief today in Gonzalez v. Google. The brief urges the U.S. Supreme Court to hold that Section 230’s liability shield applies to claims against interactive computer service pro…

Podcast: How a Spy in Your Pocket Threatens the End of Privacy, Dignity, and Democracy

Jen Patja Howell on Lawfare (lawfareblog.com)

Lawfare fellow in technology policy and law Eugenia Lostri sat down with Laurent Richard and Sandrine Rigaud to talk about their new book, “Pegasus: How a Spy in Your Pocket Threatens the End of Privacy, Dignity, and Democracy.”

Apple privacy under question as apps get independent checks

Molly Loe on TechHQ (techhq.com)

Question’s around Apple privacy policies as it’s found that Apple’s own applications identify users personally and phone data home.

Meta centralizes more user and privacy settings across its apps, announces changes to ads controls

Sarah Perez on TechCrunch (techcrunch.com)

Facebook parent Meta announced today it’s further centralizing various user settings across its suite of apps — Facebook, Instagram, and Messenger. As a result, several existing settings will be relocated to Meta’s “Accounts Center” feature, first launched in 2020. Specifically, the changes will see…

Publishers are preparing for 2023’s new consumer privacy laws

Melissa Cooper, Sovrn on Digiday (digiday.com)

A new set of state-specific privacy regulations is scheduled to take effect in 2023.

How can breaching citizens’ privacy be lawful?

Kamal Ahmed on Asia News Network (asianews.network)

Without legal safeguards, putting in place such surveillance systems aimed at suspected anti-state activities carries serious risks of innocent victims being harassed.

Obtaining Consent for Privacy Practices

Mallory Acheson on JD Supra (jdsupra.com)

By now, most businesses are aware of the growing requirements to provide notice to consumers regarding how a business uses and discloses personal information.

Image credit: Originally by Nick Youngson, licensed from Alpha Stock Images under CC BY-SA 3.0 via Picpedia