The Personal Financial Data Rights Rule

On October 22, 2024, the Consumer Financial Protection Bureau (“CFPB”) finalized the Personal Financial Data Rights rule, which moves the United States closer to “an open banking system in which consumers, not dominant firms, control their data.”  The CFPB is generally tasked with “promoting fair, transparent, and competitive markets for consumer financial products and services.”

On October 23, 2024, CFPB Director Rohit Chopra spoke at Georgetown University’s DC Fintech Week.  As shown below, his prepared remarks do a nice job of describing how the new rule will address data ownership and stewardship problems largely ignored by helpless consumers.

Today, I primarily want to focus on the data protections in the rule, which are essential to ensuring the rule works to advance competition in financial markets. This rule will help to dramatically improve privacy and security, ending the problematic credential sharing and invasive surveillance that we too often see.

First, to obtain data on a consumer’s behalf, a bank, fintech, or other financial company will need to adhere to federal data security requirements. This means they can’t have shoddy security like we saw at companies like Equifax. And if they fail to meet their obligations, they can face enforcement actions and can even get shut down by the licensing or chartering authority.

Second, the rule works towards ending the practice of “screen scraping.” This occurs when a company collects a consumer’s username and password to log in to online banking on the consumer’s behalf to scrape away data. “Screen scraping” is risky, since it can involve unencrypted credential sharing and massive overcollection of data.

Third, the rule requires companies to minimize the data they collect, secure it, and, as a default practice, delete it upon revocation. In addition, the rule forbids companies from seeking to obtain a permanent authorization to continually harvest data. These requirements should lessen the amount of data that would be vulnerable to a data breach.

Fourth, the rule allows banks and fintechs that currently hold the consumer’s data to deny access to companies requesting on the consumer’s behalf when they fail to meet minimum standards. Companies making requests will need to prove they have the authorization from the consumer, disclose their legal entity identifier, and more. The rule allows banks and fintech to engage in legitimate blocking, as long as those practices are applied consistently and fairly.

Fifth, and most importantly, the rule puts into place significant limitations on how companies can use data. Right now, financial companies send consumers an annual privacy notice that tells them any parties they reserve the right to share the data with. In theory, consumers review this and then opt out of sharing they don’t want. In reality, almost no one opts out of anything. Many believe this is just another notice that doesn’t meaningfully limit misuse of personal data.

The rule spells out a simple, but much different approach: you can use a consumer’s data to provide the product or service the consumer asked you for, but you can’t use it for unrelated purposes the consumer doesn’t want. In other words, companies can’t engage in a bait-and-switch, where they lure people in with an offer for a loan or an account, but then sell, exploit, or monetize the data for another purpose.

And there’s a lot more. Taken together, these protections improve the privacy and security of our financial data, compared to the status quo. This will help to stop the lurch toward surveillance pricing.

The CFPB has closely studied how Big Tech companies and other firms can combine your search history, browsing history, geolocation history, your contacts, and more to create a detailed profile about you. We also see how large banks are also seeking to harvest more data from their customers without meaningful limits. When this information includes your sensitive personal financial data, this can create the conditions for surveillance pricing.

For example, if a rideshare giant knows that you worked an extra shift and just got a larger paycheck than usual, it might decide to charge you more for a ride home. If a dominant player in search knows that you just made a payment at a fertility clinic, it might start targeting you with ads for dubious treatments you didn’t ask for.

While the CFPB’s Personal Financial Data Rights that implements new statutory rights will help to jumpstart competition, it is also a major step forward for privacy, security, and data protection.

Director Chopra is correct in his optimistic assessment of the rule given the longtime “data slurping” conducted by so many companies has largely gone unabated and this new rule – which solves some but far from every consumer data transgression, is a great beginning.  It only took the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 to establish the CFPB and then another fourteen years to get the CFPB to promulgate this new rule.  When dealing with the “data industrial complex”, these things take time.

Indeed, as shown by this new rule’s compliance schedule, it will be years before the individual parts of the rule take effect with possible judicial and governmental intervention in the interim.  See Personal Financial Data Rights Rule (“Data providers must comply with the requirements in subparts B and C beginning April 1, 2026; April 1, 2027; April 1, 2028; April 1, 2029; or April 1, 2030, depending on the criteria set forth in § 1033.121(c)”). At the very least, the new rule discussed by Director Chopra alerts consumers to the dark “data industrial complex”. Even if the rule eventually gets neutered, its underlying wake-up call hopefully doesn’t go unanswered on a state level.

Data Privacy Day 2021

On January 28, 2021, the National Cybersecurity Alliance encouraged individuals this Data Privacy Day to “Own Your Privacy” by “holding organizations responsible for keeping individuals’ personal information safe from unauthorized access and ensuring fair, relevant and legitimate data collection and processing.”  Indeed, the NCSA recognizes “[p]ersonal information, such as your purchase history, IP address, or location, has tremendous value to businesses – just like money.”

The NCSA “data as money” perspective is not a new concept.  In fact, it was hoped that Data Privacy Day 2016 would usher in a system for consumers to easily monetize their private data – a hope that has yet to materialize five years later.   Still, in the same way a bank protects money, there can be no adequate privacy without adequate security.

Richard Clarke – a security advisor to four U.S. presidents, properly recognized in 2014:  “Privacy and security are two sides of the same coin.”  The ransomware epidemic of 2020 should inform everyone why Data Privacy Day 2021 solidly places privacy and security on the same level. There can be little respect for the privacy rights of consumers – whether monetized or not, without an adequate effort at securing such data.  Some companies such as Microsoft – last year’s champion of Data Privacy Day, recognize the need to continually push the security envelope in order to properly protect consumer privacy rights. Accordingly, these companies go the extra distance and often work hand-in-hand with law enforcement to take down online criminal enterprises such as Emotet.

Going forward in 2021, companies safeguarding consumer data must recognize that the lines have blurred between nation state APT attacks – focused on the slow espionage of large companies, and criminal enterprises looking for quick financial hits.  For example, the lateral movement hallmarks of an APT attack are now routinely used during Ryuk ransomware exploits.  Moreover, the recent SolarWinds Orion Platform exploit highlights the need to focus on supply chains when protecting consumer data.

Focused security efforts would quickly stop being left on corporate “to do” lists if there was an applicable federal law in place for companies nationwide – not just the hybrid privacy/security state laws now applicable to only some companies.  Unfortunately, despite high hopes in 2019, there was little bipartisan push for a federal privacy law these past few years.  That dynamic might change in 2021.  

Former California Attorney General Kamala Harris’s 2012 annual privacy report opens with the words:  “California has the strongest consumer privacy laws in the country.”  During her tenure, California enjoyed “a constitutionally guaranteed right to privacy, over seventy privacy-related laws on the books, and multiple regulatory agencies set up to enforce these laws.”   As the new year progresses, the current Vice President may very well prod Congress for the sort of California “privacy pride” she once enjoyed on a state level. Given the current one-party rule, there is certainly no longer any excuse available to politicians looking to continue kicking the “federal privacy law can” around Capitol Hill.

Apple’s Consumer Data Aspirations

In a November 19, 2020 letter to various non-profit groups, Apple reaffirmed its commitment to the App Tracking Transparency (ATT) permission feature first announced in June 2020:   “We developed ATT for a single reason:  because we share your concerns about users being tracked without their consent and the bundling and reselling of data by advertising networks and data brokers.”  Slated for release in 2021, the ATT feature requires permission before certain data is accessed by advertisers, namely the identifier for advertisers (IDFA).  Using the ATT feature, consumers will allow or reject tracking on an app-by-app basis.

The IDFA groups different users by similar search or browsing activity in an effort to limit advertisers from reverse engineering personally identifiable information. As described by Apple:   “We create segments, which are groups of people who share similar characteristics, and use these groups for delivering targeted ads. Information about you may be used to determine which segments you’re assigned to, and thus, which ads you receive. To protect your privacy, targeted ads are delivered only if more than 5,000 people meet the targeting criteria.”

When touting its alleged “privacy forward” ATT feature, Apple threw down yet another privacy gauntlet against Facebook:  “Facebook executives have made clear their intent is to collect as much data as possible across both first and third party products to develop and monetize detailed profiles of their users, and this disregard for user privacy continues to expand to include more of their products.”  Letter, dated November 19, 2020.

In a November 20, 2020 statement sent to Business Insider, Facebook counterpunched:  “The truth is Apple has expanded its business into advertising and through its upcoming iOS 14 changes is trying to move the free internet into paid apps and services where they profit. . . They claim it’s about privacy, but it’s about profit. . . This is all part of a transformation of Apple’s business away from innovative hardware products to data-driven software and media.”

In other words, Facebook suggested that Apple plans on using its dominant market position to prioritize its own data collection efforts while making it difficult for competitors to use the same data.   Two months earlier, Facebook informed its business partners that it would “not collect the identifier for advertisers (IDFA) on our own apps on iOS 14 devices. . . . We may revisit this decision as Apple offers more guidance.”

Surprisingly, Facebook may actually have a point or two regarding Apple’s aspirations.  On November 16, 2020, a group led by privacy activist Max Schrems filed complaints in Germany and Spain over Apple’s online tracking tool claiming a breach of the EU’s e-Privacy Directive.   

According to the German Complaint:

Apple defines the IDFA as “an alphanumeric string unique to each device, that you [the third party app developer] only use for advertising. Specific uses are for frequency capping, attribution, conversion events, estimating the number of unique users, advertising fraud detection, and debugging”.  [This IDFA] “is very similar to a cookie: Apple and third parties (e.g. applications providers) can access this piece of information stored on the users’ device to track their behaviour, elaborate consumption preferences and provide relevant advertising. . . In practice, the IDFA is like a “digital license plate”. Every action of the user can be linked to the “license plate” and used to build a rich profile about the user. Such profile can later be used to target personalised advertisements, in-app purchases, promotions etc. When compared to traditional internet tracking IDs, the IDFA is simply a “tracking ID in a mobile phone” instead of a tracking ID in a browser cookie.”

According to Reuters, Apple immediately disputed these claims, stating they were “factually inaccurate”.   Apple curiously also said to Reuters that it “does not access or use the IDFA on a user’s device for any purpose”.  Such a statement is curious only because on its face it means nothing when one considers the fact Apple allows “segmented” use and access to this “license plate” data.   By creating an “identifier for advertisers” form of digital “license plate”, Apple most certainly uses the IDFA by proxy every time one of its ad partners uses it.

Moreover, days before its public Facebook spat, Apple was called out by a cybersecurity expert for perceived privacy shortcomings in Gatekeeper – the Apple system used for managing third-party application security.  Pointing to flaws in how Gatekeeper relays and stores unencrypted information, Jeffrey Paul concluded:  “Apple knows when you’re at home. When you’re at work. What apps you open there, and how often. . . . This data amounts to a tremendous trove of data about your life and habits, and allows someone possessing all of it to identify your movement and activity patterns.”

According to a November 15, 2020 editorial in Apple Insider, these perceived risks were illusory.   According to the editorial, “there’s not really much utility in knowing just what app is being launched, realistically speaking.”  And to boot, “ISPs could have that data if they wanted to without the limited info that Apple’s Gatekeeper may provide.”  

By claiming others could gather even more data and that the data in question does not have “much utility”, the editorial did not provide any real refutation of Jeffrey Paul’s basic concerns. Instead, the writer for Apple Insider hopes for the best:  “There’s not even the prospect of Apple pulling a Google and using this data, as Apple has been a voracious defender of user privacy for many years, and it is unlikely to make such a move.”  In other words, just trust Apple to do the right thing.

The very next day Apple actually did do the right thing and stopped collecting IP addresses related to Gatekeeper’s developer checks – likely in deference to Jeffrey Paul’s research.  The Apple Support Update released on November 16, 2020 states:  “To further protect privacy, we have stopped logging IP addresses associated with Developer ID certificate checks, and we will ensure that any collected IP addresses are removed from logs.  In addition, over the the [sic] next year we will introduce several changes to our security checks:   A new encrypted protocol for Developer ID certificate revocation checks; Strong protections against server failure; [and] A new preference for users to opt out of these security protections.”  These new safeguards address the exact issues raised by Jeffrey Paul in his blog.

Apple’s aspirations regarding consumer data control will likely cause it to continue butting heads with social media platforms guarding their data oligarchies and privacy advocates protecting consumers. As the world’s largest market cap company, however, Apple may be uniquely positioned to take on such challenges.  Unfortunately, governmental intervention may be the only viable check on Apple should the company ever fully stray from its prior data privacy commitments. Given the current dysfunctional political environment, Apple likely has a long runway should regulators ever come knocking.

Data Privacy Day 2019

January 28, 2019 will mark the tenth anniversary of Data Privacy Day.  Even though the sponsors, messaging and website may have changed from 2010, 2011 and 2012, the overall idea that personal privacy rights should be specifically called out for celebration remains a powerful statement.  In 2014, Congress jumped on board by issuing a Resolution designating January 28th as “National Data Privacy Day”.  Two years later, the 2016 celebration of Data Privacy Day crystalized why privacy stakeholders were starting to sound the alarm.  And, by 2019 it has gotten to the point where even large technology companies are calling for regulatory action.

In the coming months, a divided Congress will likely begin a bipartisan effort to address one of the few bipartisan topics out there – data privacy rights.  This effort may succeed if for no other reason than that next year launches California’s new data privacy regime and companies are feverishly lobbying behind the scenes to preempt this Consent Armageddon from materializing.    In other words, there may soon be a “Data Property Day” coming into focus – the date when privacy rights that were born out of early constitutional and statutory underpinnings first became a basic property right.

Apple pushes new data regime

In a Time Magazine op-ed piece that is a likely preview of his talk at the “Globalization 4.0” World Economic Forum meeting next week in Davos, Apple’s Tim Cook proposes more government intervention in the digital ad marketplace.   Cook previously railed against the “data industrial complex” at an October EU privacy event.   Apple also recently poked Google in the eye with its massive CES billboard in Las Vegas that reads: “What happens on your iPhone, stays on your iPhone.”  

In his January 16, 2019 Time editorial, Cook suggests that consumers should no longer tolerate “companies irresponsibly amassing huge user profiles.”  He obviously is smart enough to recognize the existing digital ad ecosystem needs to stay firmly in place for his company to thrive – 25% of all persons now check their phones within one minute of waking up largely due to the existing social media landscape he now criticizes.  Rather, he proposes federal omnibus privacy legislation that would ostensibly place more control with consumers who will be allowed for the first time the chance to say, as he put it: “Wait a minute. That’s my information that you’re selling, and I didn’t consent.”

Cook “kicks off” his debate with the following salvo:

That’s why we believe the Federal Trade Commission should establish a data-broker clearinghouse, requiring all data brokers to register, enabling consumers to track the transactions that have bundled and sold their data from place to place, and giving users the power to delete their data on demand, freely, easily and online, once and for all.

Similar to what is now being enforced in Vermont, Apple apparently advocates for the registration of data brokers but adds the new regulatory requirement of tracking transactions as well as codifying the right of erasure enshrined in GDPR and purportedly also acceptable to Facebook.  Backing up “some” of its rhetoric with action, Apple has recently allowed even users outside GDPR’s purview the ability to learn what data is held by it and to correct any inaccuracies – it still, however, does not allow users to learn how their data is used by other companies.

It is not difficult to cynically consider Apple’s new lobbying campaign simply an attempt at undercutting Samsung and Google – especially given Apple itself will always remain a very integral part of the digital ad ecosystem.  In the near term, Apple faces little economic risk with its privacy-friendly posturing – only a potential increasing of its already lofty brand equity. Given that Apple is not technically a “data broker” the significant added costs to data brokers created by its advocacy will certainly not be absorbed by Apple. 

No matter what its motivation, Apple’s new perspective may one day give consumers a bird’s eye view of exactly how valuable their personal data is to companies lacking any direct relationship with them.  And, after that recognition, it may finally be time for consumers to get paid for their valuable data.

UPDATE: January 18, 2019  
Notwithstanding Mr. Cook’s public stance regarding Apple’s GDPR compliance, Apple Music was hit on January 18, 2019 with a complaint alleging a potential maximum penalty of € 8.02 Billion for various GDPR violations.

Apple’s CEO rails against the “data industrial complex”

Tim Cook was on fire in Brussels giving his October 24, 2018 keynote speech at the 40th International Conference of Data Protection and Privacy Commissioners (ICDPPC).  As reported by TechCrunch, Mr. Cook targeted Google and Facebook when he said: “Our own information — from the everyday to the deeply personal — is being weaponized against us with military efficiency. . . These scraps of data, each one harmless enough on its own, are carefully assembled, synthesized, traded and sold.”

He played to his appreciative EU audience when he said:  “We should celebrate the transformative work of the European institutions tasked with the successful implementation of the GDPR. . . . It is time for the rest of the world, including my home country, to follow your lead. . . . [Apple] is in full support of a comprehensive, federal privacy law in the United States”.

Cook argued for a federal US privacy law that would prioritize four things:

  1. Data minimization — “the right to have personal data minimized” or not collect it in the first place;
  2. Transparency — “the right to know what data is being collected and what it is being collected for” to “empower users to decide what collection is legitimate and what isn’t”;
  3. The right to access — given “data belongs to users” it should be made easy for users to get a copy of, correct and delete their personal data; and
  4. The right to security — given “security is foundational to trust and all other privacy rights”

According to Cook, the creation of extensive digital profiles “is surveillance.  And these stockpiles of personal data serve only to enrich the companies that collect them. This should make us uncomfortable.”

After he dropped his mic, Cook quickly went on Twitter to double down on his speech.

It is not clear how his obviously well-thought out position will ultimately impact Apple’s bottom line.  As previously observed, Apple has a natural symbiotic relationship with the social media platforms given “the smartphones that are the backbone of Apple’s success thrive in a social media environment where Facebook does exactly what it wants, namely provide “free” services that are habitually accessed throughout the day.”

Whether Cook is ultimately bluffing for PR points or believes his company’s lobbying can ultimately finesse any future legislative effort is beside the point.    The most powerful tech company in the world has just thrown down the gauntlet for a unified US privacy regime.  No different from the recently-enacted bipartisan anti-opioid abuse law, consumer privacy is a bipartisan issue so it is likely Congress will eventually come together to pick up Mr. Cook’s heavy glove.  And, for that Mr. Cook deserves another loud round of applause.

Did Facebook close the door to self-regulation?

On April 10, 2018, Facebook’s CEO began his two-day testimony before Senate and House Congressional committees in a quintessential US setting but may have brought with him a groundbreaking privacy regime from across the Atlantic in the process.  Mr. Zuckerberg testified:  “The internet is growing in importance around the world in people’s lives and I think that it is inevitable that there will need to be some regulation.”  The Net Neutrality regulations Zuckerberg  may have had in mind may not be what is ultimately in store for Facebook.

GDPR

By way of background, the EU’s General Data Protection Regulation (679/2016/EU) – which recognizes that the “protection of natural persons in relation to the processing of personal data is a fundamental right”, requires the implementation of an EU-wide regime of country-specific laws effective by May 25, 2018.   Despite its current Brexit status, the UK has also voluntarily implemented GDPR.

The GDPR harmonizes to a great degree the privacy laws of every EU country and broadly controls the use of personal data in connection with either the offering of any goods or services to persons in the EU or the monitoring of EU-based persons.  Companies must ensure that they only collect and process the minimum required personal data for the express use given under an unequivocal affirmative consent.  The new consent requirements found in the GDPR bring this privacy regime to compliance levels never before seen.

Companies that collect and use personal data must now clearly explain to data subjects the exact uses made of such personal data – with evidence maintained that demonstrates related processes are compliant and followed in each individual case. Persons must also be afforded the opportunity to easily withdraw their consent to this use of personal data at any time and without suffering any detriment as a result of their request.  Moreover, persons protected under the GDPR have a right to be forgotten, i.e., all their personal data deleted, and a right to reject any data profiling.

Not unlike rights under 15 U.S.C. § 1681c of the Fair Credit Reporting Act when it comes to credit information, persons will also have the right to have their personal data amended and rectified and the right to be informed as to what personal data is currently being retained or used.  Unfortunately, getting Facebook to comply with these subject-access requests has previously been a difficult task.  Some have argued that the right to be forgotten – which is actually now more properly termed a “right to erasure”, can only work when GDPR becomes a global privacy regime having “globally connected legislation to ensure that information stored outside of the EU also underlies similar strict privacy regulation.”

A “serious breach” of GDPR requirements may result in a fine of up to 4% of the annual worldwide revenue of the impacted company – with the minimum fine set at €20 million. Disregarding the potential lack of enforceability for this extra-jurisdictional law, companies have been prepping for the GDPR privacy regime for years.   Indeed, given the potential downside, multi-national companies based in the US have not surprisingly spent millions of dollars on their GDPR compliance efforts.

Under the GDPR, the EU is for the first time in line with the US as regards data breach notification – but with a uniform and much stricter obligation to notify regulatory authorities within 72 hours of a breach.  Given Alabama has recently enacted its own data breach notification law – one that requires notification within 45 days of a breach if the breach is reasonably likely to cause “substantial harm” to the individual to whom the information relates, all fifty US states now have a data breach notification law.  Nevertheless, the current patchwork standard for breach notice in the US is far from uniform and certainly much less onerous than the blanket one set forth in the GDPR.

GDPR and Facebook

As set forth on its website, “Facebook and its affiliates, including Instagram, Oculus and WhatsApp, will all comply with the GDPR. . . Facebook may serve as a data processor.  When Facebook acts as a data processor, businesses are responsible for ensuring data they share with us complies with the GDPR.”  As a data processor who employs more than 250 persons, Facebook is obliged under GDPR to keep detailed records of all of their processing activities.  In other words, GDPR opens up the door to accessing Facebook’s vast data mining activities only hinted at by the recent Cambridge Analytica brouhaha.

On April 11, 2018, Mark Zuckerberg testified before the House Energy and Commerce Committee that GDPR “will be positive” and that requiring companies obtain “affirmative consent” makes sense.  According to Mr. Zuckerberg, there are a few parts of GDPR that are “important and good”.  For example, users should know what data companies have and users should be able to control this data.   When asked if GDPR got anything wrong, however, he could not answer the question and simply said he would have to “think about it”.  He was asked to provide his response to the House Energy and Commerce Committee at a later date.

GDPR, Facebook and Congress

Free-market Republicans who typically shy away from regulatory intervention gave more than passing nods to potential legislative intervention as regards Facebook.  Sen. John Kennedy (R., La.) bluntly recognized that Facebook’s “user agreement sucks.”  And, Senate Commerce Committee Chairman John Thune (R., S.D.) said:  “I’m not convinced that Facebook’s users have the information they need to make meaningful choices.” He also said that while Washington has “been willing to defer to tech companies’ effort to regulate themselves. . . this may be changing.”  Mr. Kennedy was again more blunt: “There’s some impurities in the Facebook punch bowl. . . I don’t want to have to vote to regulate Facebook.  But by god, I will. That depends on you.”

Not waiting for Senators Kennedy and Thune to act, Senators Edward J. Markey (D-Mass.) and Richard Blumenthal (D-Conn.) – two longtime privacy advocates, announced on April 10, 2018 their Customer Online Notification for Stopping Edge-provider Network Transgressions (CONSENT) Act – proposed legislation requiring the Federal Trade Commission (FTC) to establish specific privacy protections “for customers of online edge providers like Facebook and Google.”  Among other things, the CONSENT Act would require that these “edge providers” obtain opt-in consent from users “to use, share, or sell users’ personal information” as well as notify users about “all collection, use, and sharing of users’ personal information.”  Although on its face the proposed law is not nearly as onerous as the GDPR privacy regime, there is nothing stopping the FTC from promulgating future regulations that not only include opt-in consent and use disclosures but also GDPR requirements that would never have been on the table before Mr. Zuckerberg began his unsworn testimony before Congress.

In a prior interview with the Washington Post, Senator Markey said:  “I think that this [Facebook] privacy spill is politically the equivalent of the oil spill in the Gulf of Mexico.  Because it involves our very democracy, I think [it] is going to draw more attention of the American public to this issue.”

GDPR, Facebook, Congress and the Monetization of Consumer Data

On the heels of recent comments from Facebook’s COO regarding the possibility Facebook might one day charge users a fee, Zuckerberg left the door open to the possibility of charging consumers for use of its social media platform.  During his April 11, 2018 House testimony, Zuckerberg again denied that Facebook sells its user data, saying: “That’s not how advertising works.”  A day earlier Zuckerberg repeated numerous times that Facebook did not sell consumer data – prodding Sen. John Cornyn (R-Texas) to exclaim:   “You clearly rent it!”  No matter how Mr. Zuckerberg perceives advertising as working or whether or not Facebook actually “sells” consumer data, one takeaway from these hearings is that perception can quickly morph into reality.

Not surprisingly, California is not waiting for the federal government to act and has its own mini-GDPR percolating.  The proposed California Consumer Privacy Act of 2018 ballot initiative would give consumers the right to ask businesses what of their personal data is collected and how it’s being used.   It will be voted on in November 2018 and already faces opposition from Facebook and other California companies standing to lose significant revenue because there is a private right of action under the proposed law.  Given there is no “opt-in” requirement in this ballot initiative, GDPR will remain the gold standard when it comes to protecting consumer data from unregulated monetization.

Apple’s Tim Cook jumped for higher ground during Zuckerberg’s testimony and publicly said Apple, unlike Facebook, does not monetize its customers and would welcome legislative solutions. Specifically, Cook said: “The truth is, we could make a ton of money if we monetized our customer — if our customer was our product. We’ve elected not to do that.”

Apple’s perspective is either surprisingly narrow or deliberately pinched. Obviously, the smartphones that are the backbone of Apple’s success thrive in a social media environment where Facebook does exactly what it wants, namely provide “free” services that are habitually accessed throughout the day. Accordingly, if Facebook loses revenue due to legislative intervention, Apple will likely not be far behind.

There is hope for both platform providers and device manufacturers even if that happens.  As recognized by the Project Director at the Georgetown Center for Business and Public Policy, “If the [internet’s] grand bargain unravels, entrepreneurs will no doubt innovate new ways to make money and continue developing disruptive products and services.”

Unbridled data consumption and privacy protection can successfully coexist when immutable and transparent data is bound by a secure and continuous unequivocal affirmative consent. In essence, user data must be treated like a protected commodity that can actually benefit the owner. Indeed, Congresswoman Debbie Dingell (R., Mi.) ended her April 11, 2018 questioning of Zuckerberg by opining that data protection was no less important than having “clean air and clear water.” A company that is able to keep “pure” a user’s data while feeding such data into various digital media ecosystems and compensating the data owner in the process will have found the middle ground previously consciously avoided by existing billion-dollar platforms.

Sometimes all it takes is one door to close for another one to open.

Blockchain in 2018 and beyond

Buoyed by Bitcoin’s latest price and a steady supply of Initial Coin Offerings (ICOs), the blockchain ecosystem in 2018 resembles the Web ecosystem of 1995 – an ecosystem that eventually disrupted advertising and marketing models by having companies such as Amazon, Google and Facebook outpace traditional retail sales and marketing companies. This time around, however, the financial levers presently held by banks and related financial services firms will be retooled – as will the present centralized server model so very important to the same companies who previously benefited from the Web ecosystem, namely Amazon, Google and Facebook.

Speculation vs. Utilization

In September 2017, Bitcoin was famously derided by the financial titan Jamie Dimon as “a fraud”. The JPMorgan CEO went so far as to say he would fire anyone on his trading team who bought Bitcoin. His gratuitous digs at Bitcoin did not temper the rise of Bitcoin and became noteworthy, and a likely source of friction with his traders, because the Bitcoin cryptocurrency went on to increase in value over three-fold a mere 1Q after Dimon’s public derision. As of December 31, 2017, Bitcoin sits at a price of near $14,000 whereas when Mr. Dimon’s bold pronouncements were made Bitcoin “only” had a price of $4,115.

Similarly, another banker – Vitor Constancio, the vice president of the European Central Bank, said in July 2017 that Bitcoin “is not a currency but a mere instrument of speculation” – comparing it to tulip bulbs during the 17th century trading bubble in the Netherlands.

In the same way that the World Wide Web was never defined solely by Pets.com, the benefits of blockchain technology should never be defined solely by the latest price of Bitcoin. Even Mr. Dimon acknowledges as much, given that during his tirade against the speculative nature of Bitcoin he also said he supported blockchain technology for tracking payments.

By way of background, a blockchain is nothing more than an expandable list of records, called blocks, which are linked and secured using cryptography, namely cryptographic hashes that point to each prior block and result in an unbreakable “chain” of hashes surrounding the blocks.  More accurately referred to as a distributed ledger of accounts, a blockchain ecosystem will disrupt more than one industry beginning in 2018.

The inevitable changes that will occur in 2018 spring from several unique attributes of the blockchain ecosystem. First, because a blockchain ledger is distributed, it takes advantage of the vast amount of compute power available in most every computer device. Similar to how the Mirai botnet distributed denial of service (DDoS) attack became the largest DDoS attack by simply using unsecured IoT access, blockchain technology harnesses secure unused compute power in powerful and productive new ways. Our new IoT ecosystem, which itself is an outgrowth of the Web ecosystem, will only feed into that result.

Secondly, blockchain ledger transactions are the closest thing to an immutable form of transaction accounting we have, given that the transactions have been verified and cannot be changed once written to the blockchain without evidence of obvious tampering – which was always the reason Bitcoin derived any actual intrinsic value. In other words, the promise of blockchain coupled with pure speculation has solely driven Bitcoin pricing. By buying Bitcoin and other cybercurrencies, it is almost as if people were given a chance to turn back the clock and bet on the Web ecosystem in 1995. Without usage for its intended purpose, namely being a trusted and immutable listing of Bitcoin transactions, Bitcoin would most certainly go to the zero valuation postulated by Morgan Stanley. The logic is pretty straightforward – without an actual intrinsic store of value, there is no actual intrinsic store of value. And, without some sort of intrinsic store of value there is no reason to consider Bitcoin an asset. Accordingly, unless utilized by choice or forced to be used by a government, speculation will never be a sustainable impetus for the pricing of Bitcoin – or any other cryptocurrency for that matter. Without utilization, tokens/app coins/cryptocurrencies will all die on the vine given external utilization will always be needed to create a store of value.
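The hash linking and tamper evidence described above, sketched as an added example (not from the original post; the record strings and function names are constructed for illustration). Each block stores the prior block's SHA-256 hash, so an in-place edit is caught by the chain itself, while a full rewrite of every later block is caught only by comparing the head hash against the copies held elsewhere on the distributed ledger.

```python
import hashlib
import json

GENESIS_PREV = "0" * 64  # constructed placeholder meaning "no prior block"

def block_hash(index, prev_hash, records):
    """SHA-256 over a canonical encoding of the block's contents."""
    payload = json.dumps([index, prev_hash, records], separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()

def append_block(chain, records):
    """Append a block whose prev_hash points at the current last block."""
    prev = chain[-1]["hash"] if chain else GENESIS_PREV
    index = len(chain)
    chain.append({"index": index, "prev_hash": prev, "records": records,
                  "hash": block_hash(index, prev, records)})
    return chain

def first_bad_block(chain, trusted_head=None):
    """Return the index of the first block failing verification, or None.

    A mismatch against trusted_head (a head hash obtained from other
    ledger copies) is reported as len(chain): the chain is internally
    consistent but is not the chain everyone else holds.
    """
    prev = GENESIS_PREV
    for block in chain:
        if block["prev_hash"] != prev:
            return block["index"]
        if block["hash"] != block_hash(block["index"], prev, block["records"]):
            return block["index"]
        prev = block["hash"]
    if trusted_head is not None and prev != trusted_head:
        return len(chain)
    return None

def demo():
    """Verify an honest chain, an edited copy, and a fully rebuilt copy."""
    chain = []
    for recs in (["alice->bob:5"], ["bob->carol:2"], ["carol->dave:1"]):
        append_block(chain, recs)
    head = chain[-1]["hash"]
    # Case 1: one record edited in place; its stored hash no longer matches.
    edited = json.loads(json.dumps(chain))
    edited[1]["records"] = ["bob->carol:200"]
    # Case 2: record edited and every hash rebuilt; only the head check fails.
    rebuilt = []
    for recs in (["alice->bob:5"], ["bob->carol:200"], ["carol->dave:1"]):
        append_block(rebuilt, recs)
    return (first_bad_block(chain, head), first_bad_block(edited, head),
            first_bad_block(rebuilt), first_bad_block(rebuilt, head))
```

The rebuilt chain passing verification without a trusted head is why the ledger's distribution, and not the hashing alone, carries the immutability claim.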

Utilization by way of Smart Contracts

Disregarding the unlikely scenario of governmental adoption, the future of any blockchain/cryptocurrency ecosystem necessarily ties directly to utilization. Even though there are several protocols with smart contracts amenable to utilization, there is only one founded by a visionary who understands the issue of scalability and why scalability is the sine qua non of a successful blockchain ecosystem – in the same way a non-scalable Web ecosystem was always a non-starter. An early December 2017 presentation given by that visionary, Vitalik Buterin, speaks to scalability as being the most important new initiative of Ethereum going forward in 2018. Mr. Buterin, who will likely take the blockchain ecosystem where Gates took the PC ecosystem and Bezos took the Web ecosystem, suggests that “sharding” using a Validator Manager Contract (a construct that maintains an internal proof of stake claim using random validators) will eventually solve the problem of scalability. Simply put, not all blocks/shards will need to be placed under the main chain. This is a natural evolutionary progression given that, as it stands now, everyone seeking an Ethereum wallet needs to download Ethereum’s entire trove of over four million blocks – hardly a scalable solution for the many app tokens or coins running the Ethereum protocol. Moreover, each Ethereum block currently also takes about 14.70 seconds to promulgate. In 2014, Buterin anticipated the feasibility of a 12 second block time, so he has certainly been moving in the right direction. Given security and propagation issues, work on this remains in the infancy stage with a great deal of work necessary in 2018. Nevertheless, in 2018 and beyond, smart contracts such as those available under Ethereum will allow for the utilization necessary for the blockchain ecosystem to thrive.

Adoption by financial markets and the Ripple Effect

Ripple/XRP surged at the very end of 2017 and quickly became a rumored stealth initiative by the regulated banking industry to combat unregulated cryptocurrencies.  Ripple promises “end-to-end tracking and certainty” for those banks using its RippleNet closed-loop network.  More than anything, this initiative demonstrates that unregulated ICOs and unregulated “currencies” may have spooked the world’s financial markets sufficiently to justify taking sides by investing in a Ripple contender – a “blockchain-like” service seeking to displace existing cryptocurrency mindshare.  Indeed, Ripple just replaced ETH/Ethereum as the second largest market cap cryptocurrency.   Even though only three financial institutions are listed as investors, that does not mean other financial institutions would not want to prop up use of this “currency” on the open market – the list of “advisory board members” is telling in that regard.  This bank-sponsored cryptocurrency certainly looks like it has more legs than most given there exists budding utilization – banks are currently already using the RippleNet network, coupled with massive speculation given its ballooning market cap.

In 2018, acceptance of blockchain technology by the financial industry will be indelible proof that the mistakes of 1995 made by retail sales and marketing companies will not be repeated by the financial industry or even the server sector represented by the likes of Google – who has invested in Ripple. More than likely, upcoming technology developments under the Ethereum protocol will beget future tokens with smarter utilization and even greater potential upside than either Bitcoin or Ripple. In other words, the blockchain ecosystem in 2018 will be no different than the Web ecosystem as it existed in 1995.

Carpenter may prod monetization of consumer data property rights

On November 29, 2017, the United States Supreme Court heard oral argument in U.S. v. Carpenter – a case involving robbery suspects who were convicted using cellphone tracking data obtained without a probable cause warrant.  Subpoenas and warrants available under the Stored Communications Act (“SCA”) allow for access to such records without any probable cause showing.    As previously pointed out, the ACLU is looking to push the Supreme Court into making a technology-forward decision by stressing how data collection methods have improved since the 2011 arrest of Carpenter.

According to Law360, Justice Samuel Alito said at the hour-long oral argument:  “I agree with [Carpenter] that this new technology is raising very serious privacy concerns, but I need to know how much of existing precedent you want us to overrule or declare obsolete.”  Justice Alito referenced the third-party doctrine that offers no added protections to material freely given to third parties given such material is generally provided without any expectation of privacy.

At oral argument, Law360 reports Carpenter’s counsel Nathan Wessler of the ACLU said that the bank records and dialed phone numbers found in third-party doctrine cases were “more limited” and freely given to a business as opposed to cellphone location records, which many users don’t understand can “chart a minute-by-minute account of a person’s locations and movements and associations.”

Law360 also reported that Justice Sonia Sotomayor raised doubt that the third-party doctrine found in prior precedent was applicable given there are instances when sensitive data freely given to third parties, such as medical records, still requires consent. According to Law360, Justice Neil Gorsuch said: “It seems like your whole argument boils down to if we get it from a third party we’re OK, regardless of property interest.” And finally, according to the SCOTUS Blog, Justice Stephen Breyer recognized at oral argument: “This is an open box. We know not where we go.”

Despite the third-party doctrine, it seems the Court is leaning towards carving out Constitutional exceptions to the SCA based on data gathering technologies that may give rise to an expectation of privacy.   As often done, the Justices will likely come up with a result that takes into consideration stare decisis while meshing with new technological capabilities far removed from earlier cases.   As recognized by Justice Sotomayor in the U.S. v. Jones case of 2012, “it may be necessary to reconsider the premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties.  This approach is ill suited to the digital age, in which people reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks.”

To that end, the most interesting aspect of this case involving robberies in Detroit will be how far the decision goes in helping define property rights for consumers of digital services.  In a nod to Justice Breyer’s Pandora’s Box allusion, this decision might eventually give rise to a newfound consumer awareness mandating a change in how consumer data is used by companies.  In other words, property rights acknowledged in this case may help prod consumers into seeking compensation for their consumer data property rights – something the tech amicus might not have envisioned when filing their brief in U.S. v. Carpenter.

First Amendment Does Not Save NJ Teacher from Postings Firing

In a January 11, 2013 ruling, the New Jersey Appellate Division upheld the administrative dismissal of a first grade teacher.  She had argued that the First Amendment precluded her firing — which was based on two Facebook postings.  In the Matter of the Tenure Hearing of Jennifer O’Brien, (NJ App. Div. January 11, 2013).  One of her statements was, “I’m not a teacher — I’m a warden for future criminals!”

O’Brien said she posted the statement that her students were “future criminals” because of “their behaviors, not because of their race or ethnicity.”  She also stated that “six or seven of her students had behavioral problems, which had an adverse impact on the classroom environment.”  Id. at 4 – 5.

In finding that she failed to establish her Facebook postings were protected speech, the Appellate Division found that “even if O’Brien’s comments were on a matter of public concern, her right to express those comments was outweighed by the district’s interest in the efficient operation of its schools.”  Id. at 11.

This ruling sits in contrast to the NLRB’s frequent warnings regarding the sanctity of worker postings — especially when the postings pertain to workplace conditions.  The cringe-worthy nature of these postings, the fact they were directed at first graders, and the deference accorded administrative proceedings certainly all made it easy for the Appellate Division to rule as it did.  In other words, employers should not take great comfort in this ruling when evaluating whether to discipline employees for inflammatory postings.