New “Privacy 101” Video Series Helps School District Leaders Protect Student Data

WASHINGTON, D.C. – In recognition of Safer Internet Day, the Future of Privacy Forum (FPF) today released a new “Student Privacy 101” video series that is designed to help school leaders better understand federal and state privacy laws and protect sensitive student data.

“As technology becomes increasingly prevalent in the classroom, faculty, administrators, and district leaders could benefit from a quick and easy guide to understanding how they can help reduce privacy risks and improve transparency around student data,” said FPF Director of Youth & Education Privacy Amelia Vance. “FPF’s new videos provide an animated overview of best practices and tips on how schools can protect student privacy.”

The “Student Privacy 101” video series includes:

Vance added, “Safer Internet Day reminds companies to examine how they can use technology more responsibly in support of a better Internet experience for everyone, with a special focus on advancing positive practices that protect children and young people under 18. As one of the nation’s leading think tanks focused on privacy issues, FPF is a proud supporter of Safer Internet Day and works to provide year-round resources that support a culture of data security.”

FPF also published a new blog post celebrating Safer Internet Day today with additional information and resources about how schools can protect children’s data privacy.

The video series is based on the Siegl Framework—developed by Jim Siegl, the Technology Architect at Fairfax County Public Schools in Virginia—which advises local education agencies to consider the Venn diagram of legal compliance, privacy and security risks, and perception risks when working on student privacy.

The series was created by Monica Bulger, David Sallay, and Amelia Vance, with the animation magic and brilliance of Thought Café.

To learn more about Safer Internet Day, visit www.saferinternetday.org. For more information about FPF’s student privacy work, visit studentprivacycompass.org.

# # #

Contact

Alexandra Sollberger

202-317-0774

About FPF

The Future of Privacy Forum (FPF) is a Washington, DC-based think tank that seeks to advance responsible data practices. The forum is led by internet privacy experts and includes an advisory board comprised of leading figures from industry, academia, law, and advocacy groups. For more information, visit www.fpf.org.

Privacy Papers 2019: Spotlight on the Winning Authors

FPF recently announced the winners of the 10th Annual Privacy Papers for Policymakers (PPPM) Award. This Award recognizes leading privacy scholarship that is relevant to policymakers in the United States Congress, at U.S. federal agencies, and for data protection authorities abroad.

From many nominated privacy-related papers published in the last year, five were selected by Finalist Judges, after having been first evaluated highly by a diverse team of academics, advocates, and industry privacy professionals from FPF’s Advisory Board. Finalist Judges and Reviewers agreed that these papers demonstrate a thoughtful analysis of emerging issues and propose new means of analysis that can lead to real-world policy impact, making them “must-read” privacy scholarship for policymakers.


The winners of the 2019 PPPM Award are:

Antidiscriminatory Privacy

by Ignacio N. Cofone, McGill University Faculty of Law

Ignacio N. Cofone is an Assistant Professor at McGill University’s Faculty of Law, where he teaches about privacy law and artificial intelligence regulation, and an Affiliated Fellow at the Yale Law School Information Society Project. His research explores how law should adapt to technological and social change with a focus on information privacy and algorithmic decision-making. Before joining McGill, Ignacio was a research fellow at the NYU Information Law Institute, a resident fellow at the Yale Law School Information Society Project, and a legal advisor for the City of Buenos Aires. He obtained a joint PhD from Erasmus University Rotterdam and Hamburg University, where he was an Erasmus Mundus Fellow, and a JSD from Yale Law School. His full list of publications is available at www.ignaciocofone.com. He tweets from @IgnacioCofone.


Privacy’s Constitutional Moment and the Limits of Data Protection

by Woodrow Hartzog, Northeastern University, School of Law and Khoury College of Computer Sciences and Neil M. Richards, Washington University, School of Law and the Cordell Institute for Policy in Medicine & Law

Woodrow Hartzog is a Professor of Law and Computer Science at Northeastern University School of Law and the Khoury College of Computer Sciences. He is also a Resident Fellow at the Center for Law, Innovation and Creativity (CLIC) at Northeastern University, a Faculty Associate at the Berkman Klein Center for Internet & Society at Harvard University, a Non-resident Fellow at The Cordell Institute for Policy in Medicine & Law at Washington University, and an Affiliate Scholar at the Center for Internet and Society at Stanford Law School. His research on privacy, media, and robotics has been published in scholarly publications such as the Yale Law Journal, Columbia Law Review, and California Law Review and popular publications such as The New York Times, The Washington Post, and The Guardian. He has testified multiple times before Congress and has been quoted or referenced by numerous media outlets, including NPR, BBC, and The Wall Street Journal. He is the author of Privacy’s Blueprint: The Battle to Control the Design of New Technologies, published in 2018 by Harvard University Press. His book with Daniel Solove, Breached!: Why Data Security Law Fails and How to Improve It, is under contract with Oxford University Press.

Neil M. Richards is one of the world’s leading experts in privacy law, information law, and freedom of expression. He writes, teaches, and lectures about the regulation of the technologies powered by human information that are revolutionizing our society. Professor Richards holds the Koch Distinguished Professor in Law at Washington University School of Law, where he co-directs the Cordell Institute for Policy in Medicine & Law. He is also an affiliate scholar with the Stanford Center for Internet and Society and the Yale Information Society Project, a Fellow at the Center for Democracy and Technology, and a consultant and expert in privacy cases. Professor Richards serves on the board of the Future of Privacy Forum and is a member of the American Law Institute. Professor Richards graduated in 1997 with graduate degrees in law and history from the University of Virginia, and served as a law clerk to both William H. Rehnquist, Chief Justice of the United States and Paul V. Niemeyer, United States Court of Appeals for the Fourth Circuit. Professor Richards is the author of Intellectual Privacy (Oxford Press 2015). His many scholarly and popular writings on privacy and civil liberties have appeared in a wide variety of media, from the Harvard Law Review and the Yale Law Journal to The Guardian, WIRED, and Slate. His next book, Why Privacy Matters, will be published by Oxford Press in 2020. Professor Richards regularly speaks about privacy, big data, technology, and civil liberties throughout the world, and also appears frequently in the media. At Washington University, he teaches courses on privacy, technology, free speech, and constitutional law, and is a past winner of the Washington University School of Law’s Professor of the Year award. He was born in England, educated in the United States, and lives with his family in St. Louis. He is an avid cyclist and a lifelong supporter of Liverpool Football Club.


Algorithmic Impact Assessments under the GDPR: Producing Multi-layered Explanations

by Margot E. Kaminski, University of Colorado Law and Gianclaudio Malgieri, Vrije Universiteit Brussel (VUB) – Faculty of Law

Margot E. Kaminski is an Associate Professor at the University of Colorado Law and the Director of the Privacy Initiative at Silicon Flatirons. She specializes in the law of new technologies, focusing on information governance, privacy, and freedom of expression. Recently, her work has examined autonomous systems, including AI, robots, and drones (UAS). In 2018, she researched comparative and transatlantic approaches to sensor privacy in the Netherlands and Italy as a recipient of the Fulbright-Schuman Innovation Grant. Her academic work has been published in UCLA Law Review, Minnesota Law Review, Boston University Law Review, and Southern California Law Review, among others, and she frequently writes for the popular press. Prior to joining Colorado Law, Margot was an Assistant Professor at the Ohio State University Moritz College of Law (2014-2017), and served for three years as the Executive Director of the Information Society Project at Yale Law School, where she remains an affiliated fellow. She is a co-founder of the Media Freedom and Information Access (MFIA) Clinic at Yale Law School. She served as a law clerk to the Honorable Andrew J. Kleinfeld of the Ninth Circuit Court of Appeals in Fairbanks, Alaska.

Gianclaudio Malgieri is a doctoral researcher at the “Law, Science, Technology and Society” center of Vrije Universiteit Brussel, Attorney in Law and Training Coordinator of the Brussels Privacy Hub. He is Work Package Leader of the EU Panelfit Research Project, about Legal & Ethical issues of data processing in the research sector. He is also an external expert of the EU Commission for the ethics and data protection assessment of EU research proposals. He has authored more than 40 publications in leading international law reviews and is deputy editor of Computer, Law and Security Review (Elsevier). He is a lecturer of Data Protection Law and Intellectual Property for undergraduate and professional courses at the University of Pisa, Sant’Anna School of Advanced Studies and Strasbourg University. He got an LLM with honours at the University of Pisa and a JD with honours at Sant’Anna School of Advanced Studies of Pisa (Italy). He was a visiting researcher at Oxford University, London School of Economics, World Trade Institute of the University of Bern and École Normale Superieure de Paris.


Dark Patterns at Scale: Findings from a Crawl of 11K Shopping Websites

by Arunesh Mathur, Princeton University; Gunes Acar, Princeton University; Michael Friedman, Princeton University; Elena Lucherini, Princeton University; Jonathan Mayer, Princeton University; Marshini Chetty, University of Chicago; and Arvind Narayanan, Princeton University  

Arunesh Mathur is a graduate student in the department of computer science at Princeton University, where he is affiliated with the Center for Information Technology Policy (CITP). Mathur’s research examines how technical systems interface with and impact society in negative ways. His current research focus is dark patterns: empirically studying how commercial, political, and other powerful actors employ user interface design principles to exploit individuals, markets, and democracy. His research has won multiple awards including the best paper awards at ACM CSCW 2018 and USENIX SOUPS 2019.

Gunes Acar is an FWO postdoctoral fellow at KU Leuven’s COSIC research group. His research interests involve web tracking measurement, anonymous communications, and IoT privacy and security. Gunes obtained his PhD at KU Leuven in 2017, and was a postdoctoral researcher between 2017 and 2019 at Princeton University’s Center for Information Technology Policy.

Michael Friedman is a Technical Program Manager at Google. His work focuses on monitoring compliance with privacy regulations and certifications. Michael is broadly interested in the privacy implications of information technology and the enforcement of privacy standards. He earned his Bachelor’s degree in Computer Science at Princeton University with a concentration in societal implications of information technology. While there, he conducted research on the effectiveness of technology privacy policies, with a focus on children’s data privacy. He also collaborated in this work on dark patterns.

Elena Lucherini is a second-year Ph.D. student at the Center for Information Technology Policy at Princeton University. Her advisor is Arvind Narayanan. Lucherini received her bachelor’s degree from the University of Pisa and her master’s from the University of Pisa and Sant’Anna School of Advanced Studies.

Jonathan Mayer is an Assistant Professor at Princeton University, where he holds appointments in the Department of Computer Science and the Woodrow Wilson School of Public and International Affairs. Before joining the Princeton faculty, he served as the technology law and policy advisor to United States Senator Kamala Harris and as the Chief Technologist of the Federal Communications Commission Enforcement Bureau. Professor Mayer’s research centers on the intersection of technology and law, with emphasis on national security, criminal procedure, and consumer privacy. He is both a computer scientist and a lawyer, and he holds a Ph.D. in computer science from Stanford University and a J.D. from Stanford Law School.

Marshini Chetty is an assistant professor in the Department of Computer Science at the University of Chicago. She specializes in human-computer interaction, usable privacy and security, and ubiquitous computing. Marshini designs, implements, and evaluates technologies to help users manage different aspects of Internet use from privacy and security to performance, and costs. She often works in resource-constrained settings and uses her work to help inform Internet policy. She has a Ph.D. in Human-Centered Computing from Georgia Institute of Technology, USA and a Masters and Bachelors in Computer Science from the University of Cape Town, South Africa. In her former roles, Marshini was on the faculty in the Computer Science Department at Princeton University and the College of Information Studies at the University of Maryland, College Park. Her work has won best paper awards at SOUPS, CHI, and CSCW and has been funded by the National Science Foundation, the National Security Agency, Intel, Microsoft, Facebook, and multiple Google Faculty Research Awards.

Arvind Narayanan is an Associate Professor of Computer Science at Princeton. He leads the Princeton Web Transparency and Accountability Project to uncover how companies collect and use our personal information. Narayanan is the lead author of a textbook on Bitcoin and cryptocurrency technologies which has been used in over 150 courses around the world. His doctoral research showed the fundamental limits of de-identification, for which he received the Privacy Enhancing Technologies Award. His 2017 paper in Science was among the first to show how machine learning reflects cultural stereotypes, including racial and gender biases. Narayanan is a recipient of the Presidential Early Career Award for Scientists and Engineers (PECASE).


The Many Revolutions of Carpenter

by Paul Ohm, Georgetown University Law Center

Paul Ohm is a Professor of Law and the Associate Dean for Academic Affairs at the Georgetown University Law Center, where he also serves as a faculty director for the Center on Privacy & Technology and the Institute for Technology Law & Policy. His writing and teaching focuses on information privacy, computer crime law, intellectual property, and criminal procedure. A computer programmer and computer scientist as well as a lawyer, Professor Ohm tries to build new interdisciplinary bridges between law and computer science, and much of his scholarship focuses on how evolving technology disrupts individual privacy.

Professor Ohm began his academic career on the faculty of the University of Colorado Law School, where he also served as Associate Dean and Faculty Director for the Silicon Flatirons Center. From 2012 to 2013, Professor Ohm served as Senior Policy Advisor to the Federal Trade Commission. Before becoming a professor, he worked as an Honors Program trial attorney in the U.S. Department of Justice’s Computer Crime and Intellectual Property Section and a law clerk to Judge Betty Fletcher of the United States Court of Appeals for the Ninth Circuit and Judge Mariana Pfaelzer of the United States District Court for the Central District of California. He is a graduate of the UCLA School of Law.


The Finalist Judges also selected three papers for Honorable Mention on the basis of their uniformly strong reviews from the Advisory Board.

The 2019 PPPM Honorable Mentions are:

Additionally, the 2019 Student Paper award goes to:


The winning authors have been invited to join FPF and Honorary Co-Hosts Senator Edward J. Markey and Congresswoman Diana DeGette to present their work at the U.S. Senate with policymakers, academics, and industry privacy professionals. This annual event will be held on February 6, 2020. FPF will subsequently publish a printed digest of summaries of the winning papers for distribution to policymakers, privacy professionals, and the public. RSVP here to join us.

Award-Winning Paper: "Dark Patterns at Scale: Findings from a Crawl of 11K Shopping Websites"

For the tenth year, FPF’s annual Privacy Papers for Policymakers program is presenting award-winning research to lawmakers and regulators. Among the papers to be honored at an event at the Hart Senate Office Building on February 6, 2020 is Dark Patterns at Scale: Findings from a Crawl of 11K Shopping Websites by Arunesh Mathur, Gunes Acar, Michael Friedman, Elena Lucherini, Jonathan Mayer, Marshini Chetty, and Arvind Narayanan. Mathur and his co-authors present an analysis of deceptive user interface designs across 11,000 shopping websites to create a taxonomy of “dark pattern” characteristics that harm user decision-making.


Dark patterns are user interface design choices that benefit an online service by coercing or deceiving users into making a decision that, if fully informed and capable of selecting alternatives, they may not make. In Dark Patterns at Scale: Findings from a Crawl of 11K Shopping Websites, Arunesh Mathur and his co-authors present a new, large-scale analysis of the presence of dark patterns across 11,000 shopping websites, informing our understanding of the prevalence of these patterns and their influence on users. Mathur observes that “at best, dark patterns annoy and frustrate users. At worst, they can mislead and deceive users, e.g., by causing financial loss, tricking users into giving up vast amounts of personal data, or inducing compulsive and addictive behavior in adults and children.” In the context of shopping websites, dark patterns can trick users into signing up for recurring subscriptions and making unwanted purchases, resulting in “concrete financial loss.”

The authors contribute a taxonomy that offers precise terminology to characterize how each type of dark pattern functions and exploits users’ cognitive biases. The authors identify five distinct types of dark patterns: asymmetric, covert, deceptive, information-hiding, and restrictive. Of these, the authors state that “the majority of [dark patterns] are covert, deceptive, and information hiding in nature.” Additionally, the authors observe the effects of user interface design that employs the anchoring effect, the bandwagon effect, the default effect, the framing effect, the scarcity bias, and the sunk cost fallacy to manipulate users’ decision-making abilities.

Through their analysis, the authors discover 1,818 dark pattern instances across 53K product pages and 11K shopping websites, representing multiple types and categories. Interestingly, the authors observe that “shopping websites that were more popular, according to Alexa rankings, were more likely to feature dark patterns.” Based on their findings, the authors suggest that future study should focus on creating empirical evaluations of the effects of dark patterns on user behavior in order to develop better countermeasures against dark patterns to ensure that users can enjoy a fair and transparent shopping experience.

If you’re interested in learning more about how dark patterns in user interface design influence users’ behavior, you’ll want to read Mathur’s paper.


The Privacy Papers for Policymakers project’s goal is to put diverse academic perspectives in front of policymakers to inform the development of privacy legislation. You can view all of this year’s award-winning papers on the FPF website.

CPDP2020 Panel: The Future Is Now: Autonomous Vehicles, Trolley Problem(s) and How to Deal with Them

Last week, FPF brought together a panel of technology, legal, regulatory, and business voices to discuss “The Future is Now: Autonomous Vehicles, Trolley Problem(s) and How to Deal with Them” at the 13th annual Computers, Privacy, and Data Protection conference.

The premise of the panel was that autonomous and highly automated vehicles are likely the first product that will bring AI to the masses in a life-changing way. They rely on AI for a variety of uses: from mapping, perception and prediction, to self-driving technologies. Their promise is great: increasing the safety and convenience of our cities and roads. But so are the challenges that come with it, from solving life and death questions to putting in place a framework that works for the protection of fundamental rights of drivers, passengers and everyone physically around them. This panel of experts discussed connected and automated technology, law, policy, and proposed an EU-US comparative perspective to discuss essential questions. The panel was moderated by Trevor Hughes (CEO, IAPP), and the panelists were Sophie Nerbonne (Director, CNIL), Andreea Lisievici (Head of Global Data Protection Office, Volvo Cars), Mikko Niva (Group Privacy Officer, Vodafone), and Chelsey Colbert (Policy Counsel, Mobility and Location, FPF).

The speakers answered many questions, including: How much data and what type of data runs through all systems of an autonomous vehicle? What are the benefits of autonomous vehicles and what are the risks to individual rights? How can they be balanced? They also discussed the infamous thought experiment “the Trolley Problem” and its application to connected and automated vehicles in the real world. 

Andreea Lisievici (Head of Global Data Protection Office, Volvo Cars) started the panel by demystifying what we are talking about when we are talking about “connected and autonomous cars.” She gave an overview of the levels of autonomy in vehicles: Level 0 – no automation; Level 1 – driver assistance; Level 2 – partial driver automation; Level 3 – conditional driving automation; Level 4 – high driving automation; and Level 5 – full driving automation. Commercial vehicles currently on the market are considered level 2 (or “2+” or 3), while some other companies doing AV testing are reportedly at level 4.

Mikko Niva (Group Privacy Officer, Vodafone) commented on the vast ecosystem of parties in the connected and automated car ecosystem. 

Sophie Nerbonne (Director, CNIL) reminded everyone that most of the data in this complex ecosystem is personal data. She recounted that when the CNIL began working with French OEMs a couple of years ago, they weren’t fully aware of how much “technical data” was in fact personal data. 

Indeed, the CAV ecosystem is vast and interconnected; we must think beyond the individual car and consider the broader ecosystem that will include city infrastructure, such as streetlights, pedestrians, other vehicles, and even other objects, such as delivery robots. These “V2X” (vehicle to everything) technologies, which include V2V (vehicle to vehicle), V2I (vehicle to infrastructure), and V2P (vehicle to pedestrian), bring in parties such as car manufacturers, telecom providers, third party apps and services, and local governments. This ecosystem presents challenges and opportunities for not just personal car ownership, but also rental companies, rideshare and ride-hailing companies, delivery robots, micro-mobility such as scooters, and modes of transportation or freight delivery that are underground and in the air.

The majority of this information is likely to be personal data, or capable of being linked to a person, and there are many players and data flows for organizations to consider, including drivers, passengers, pedestrians, and employees. [See here for FPF infographic about data and the connected car]. Data protection impact assessments are an important tool available to organizations, and the speakers agreed that while privacy and ethics by design is important, operationalizing this can be a challenge. Entities must look beyond legal obligations and consider how they will earn and maintain consumer trust.

As for the Trolley Problem, the speakers agreed that… it is not the right problem, since it does not ask the right question. Real life scenarios where connected/autonomous vehicles need to “make decisions” have many more parameters to take into account and many more options than what the Trolley Problem proposes. Watch the full recording of the panel by following this link.

Data and the Connected Car Infographic

ICYMI: FPF Webinar Examines Policies to Protect Child Privacy Online

As policymakers worldwide reexamine how to more effectively protect children’s privacy online without imposing broad age restrictions across the internet, the Future of Privacy Forum (FPF) recently hosted a webinar to assess diverse approaches to addressing child privacy concerns. The webinar also explored how respective policies can help address the many potential risks children face online, including oversharing, identity theft, physical safety, and exposure to inappropriate content.

“The majority of child privacy laws and proposals are focused on limiting commercialization,” said FPF Director of Youth & Education Privacy Amelia Vance. “This includes preventing targeted or behavioral advertising to children, limiting or eliminating the ability to sell or share children’s data, or other protections aimed at limiting children’s exposure to marketing and protecting data from being used in inappropriate ways by companies.”

In addition to child privacy proposals from the European Union, United Kingdom, South Korea, and California, FPF experts highlighted the federal child privacy law in the U.S., the Children’s Online Privacy Protection Act (COPPA), and several of its key limitations.

While two new federal proposals and California’s new consumer privacy law extend the age of COPPA protections to 16, most children in the U.S. are only covered until age 13. Additionally, the ability of the Federal Trade Commission—which is currently reviewing COPPA—to effectively interpret and enforce the law’s standards for determining whether a business has ‘actual knowledge’ that a specific user of their website is a child, or is providing services that are ‘directed’ at children, has varied considerably over the statute’s nearly 20-year history.

“How ‘actual knowledge’ is defined has really changed over time,” Vance said. “We saw in the recent YouTube settlement, for example, the FTC noting that YouTube was telling potential advertisers that there were children on the platform that they could reach.”

FPF’s recent comments to the FTC in response to its ongoing review of COPPA also underscore the need for guidance on the law’s “actual knowledge” definition, as well as for the agency to modernize its policies related to voice-enabled technologies and provide greater alignment with the primary federal student privacy law, FERPA.

When it comes to developing child privacy legislation, Vance cautioned that unintended consequences are “incredibly easy to occur.” To mitigate this risk, Vance advised policymakers to be as intentional and clear as possible, and to get input from those on the ground, including parents, teachers, school superintendents, attorneys, and children and teens themselves.

“When looking at child privacy, it is important to be focused and ask, ‘what are you trying to regulate?’” Vance noted. “Being specific about what potential risks or harms you are trying to mitigate or prevent lends itself to a more targeted bill and one that is more likely to achieve whatever that end goal is.”

Finally, policymakers may need to acknowledge that children today are growing up in a vastly different world. “Look broadly to the stakeholders who you are talking to because schools and homes are very different from how we all grew up as children,” Vance advised. “You want to make sure you’re not limiting some aspect of the digital world that can be important.”

“It’s worth noting that all of this is up for discussion right now,” Vance ultimately concluded. “This is very much an evolving space in the U.S.”

Click here to watch the full webinar, part of FPF’s ongoing Privacy Legislation Series, which to date has also covered preemption, commercial research and defining covered data. Access the slide deck from the presentation and additional recommended materials on child privacy here.

To learn more about the Future of Privacy Forum, visit www.fpf.org and subscribe to FPF’s student privacy newsletter.

Award-Winning Papers: "Antidiscriminatory Privacy" and "Algorithmic Impact Assessments under the GDPR"

For the tenth year, FPF’s annual Privacy Papers for Policymakers program is presenting to lawmakers and regulators award-winning research representing a diversity of perspectives. Among the papers to be honored at an event at the Hart Senate Office Building on February 6, 2020 are two papers broadly addressing the impact of algorithms on transparency and fairness: Antidiscriminatory Privacy by Ignacio N. Cofone and Algorithmic Impact Assessments under the GDPR: Producing Multi-layered Explanations by Margot E. Kaminski and Gianclaudio Malgieri. Cofone assesses how privacy rules can both facilitate and protect against discriminatory behavior, while Kaminski and Malgieri discuss how impact assessments serve to link the individual and systemic regulatory subsystems within the European General Data Protection Regulation (GDPR).


Law often blocks sensitive personal information to prevent discrimination. In Antidiscriminatory Privacy, Ignacio Cofone, assistant professor at McGill University Faculty of Law, presents a framework for reducing discrimination against minorities. To build this framework, Cofone explored two case studies that “illustrate when rules that regulate the flow of personal information (privacy rules) are compatible with antidiscrimination efforts and when they are not.” Through an analysis of anonymous orchestra auditions and the “Ban the Box” initiative, Cofone reveals how blocking an information flow can be successful at combatting discrimination in some cases, but not all of them. Cofone states that “privacy can protect against discrimination as well as enable a discriminatory dynamic.” He notes that certain data points may serve as proxies for categories that the law aims to protect, arguing that information about certain proxies must be blocked when employing privacy rules to fight discrimination. In the case of the “Ban the Box” initiative, for example, when employers were prohibited from asking about an applicant’s criminal history, they were more likely to discriminate against black applicants they thought might have criminal histories. Cofone found that in the “Ban the Box” case, applicants’ race became a proxy for criminal history, fostering discriminatory behavior. Cofone’s analysis offers a framework for determining the effectiveness of antidiscrimination measures based on information restrictions, including questions to consider to identify proxies for protected information.

In Algorithmic Impact Assessments under the GDPR: Producing Multi-layered Explanations, authors Margot Kaminski of Colorado Law School and Gianclaudio Malgieri of Vrije Universiteit Brussel propose that impact assessments should link the GDPR’s dual methods of regulating algorithmic decision-making by providing systemic governance and also safeguarding individual privacy rights. The authors state that, in the context of decision-making algorithms, the GDPR’s existing Data Protection Impact Assessment (DPIA) should serve as an Algorithmic Impact Assessment that addresses problems of algorithmic discrimination, bias, and unfairness. Beyond serving as a tool in the GDPR’s systemic governance regime, the authors state that the DPIA should serve as an element of the GDPR’s protection of individual rights, connecting the two regulatory subsystems that underlie the GDPR. The way that the DPIA links these two subsystems within the GDPR, the authors note, mandates the creation of “multi-layered explanations” for algorithmic decision-making that are targeted to everything from oversight bodies and auditors to individuals. Privacy professionals will benefit from the authors’ suggestions for improving Algorithmic Impact Assessments in the GDPR context, calling for the expansion of the right to explanation to include a “whole web of explanations…of differing degrees of breadth, depth, and technological complexity.”

If you’re interested in learning more about the relationship between privacy and discrimination, you’ll want to read the full papers from Cofone and Kaminski and Malgieri.


The Privacy Papers for Policymakers project’s goal is to put diverse academic perspectives in front of policymakers to inform the development of privacy legislation. You can view all of this year’s award-winning papers on the FPF website.

ICYMI: Future of Privacy Forum Highlights Potential “Unintended Consequences” of Child Privacy Policies at TechFreedom Event

The Future of Privacy Forum (FPF) recently joined top YouTube creators, FTC Commissioner Noah Phillips, and privacy experts from Google, the Georgetown Institute for Public Representation, and others on Capitol Hill for TechFreedom’s event, Will Kids’ Privacy Break the Internet? The COPPA Rule. FPF Director of Youth & Education Privacy Amelia Vance participated in an expert panel discussion about the Federal Trade Commission’s (FTC) ongoing review of the Children’s Online Privacy Protection Act (COPPA).

The event focused on the controversy surrounding the FTC’s September 2019 settlement with YouTube over COPPA, and YouTube’s response in November announcing changes regarding “child-directed” content. To help dispel some of the resulting confusion among creators, FPF published a “mythbusters” blog post addressing common misperceptions, including that creators could “stop COPPA” by filing comments with the FTC. The FTC received more than 175,000 comments – including from FPF – as a part of the agency’s ongoing review of COPPA. FPF’s comments urged the FTC to modernize COPPA in three key areas: policies related to voice-enabled technologies, guidance on COPPA’s “actual knowledge” definition, and greater alignment with the primary federal student privacy law, FERPA.

As YouTube content creators face this new uncertainty, Vance emphasized the importance of keeping the conversation focused on the facts, and potential solutions. “I think the key here is to provide as much insight about what laws creators, in particular, have to follow,” Vance said. “We should be talking about how to make it more practical for the people who have to actually implement these new provisions.” However, she noted that, at the end of the day, child privacy in the U.S. may be “out of the FTC’s hands,” since rulemaking will take a significant amount of time and both Congress and state legislatures have indicated that they are eager to legislate on child privacy.

Vance, who spoke at the FTC’s COPPA workshops both in late 2019 and in 2017, reminded the audience that a lot has changed since the FTC’s last review of COPPA in 2013. Europe and California have both passed significant new consumer privacy laws with child privacy protections, and some European countries are considering even higher protections for children. Additionally, two new federal proposals call for extending the age of COPPA protections to 16, and one of those bills also includes an update of COPPA’s “actual knowledge” definition, a key enforcement mechanism.

Additionally, Vance cautioned against legislators or regulators expanding child privacy through “opt-in” parental consent, citing the example of students in Louisiana who, under a strict opt-in regime, missed out on the state’s scholarship program because they couldn’t get parental sign off.

“It’s really important to remember that there are unintended consequences here,” Vance noted. “Where we’re going with privacy protections is an underlying framework of protections that would apply across the board, and not protections that parents have to consent to. Exactly what the boundaries of that…remains to be seen.”

Click here to watch the full TechFreedom event, read FPF’s comments to the FTC about COPPA here, and access additional FPF child privacy resources here.

To learn more about the Future of Privacy Forum, visit www.fpf.org and subscribe to FPF’s student privacy newsletter.


Privacy 2020: 10 Privacy Risks and 10 Privacy Enhancing Technologies to Watch in the Next Decade

Today, FPF is publishing a white paper co-authored by CEO Jules Polonetsky and hackylawyER Founder Elizabeth Renieris to help corporate officers, nonprofit leaders, and policymakers better understand privacy risks that will grow in prominence during the 2020s, as well as rising technologies that will be used to help manage privacy through the decade. Leaders must understand the basics of technologies like biometric scanning, collaborative robotics, and spatial computing in order to assess how existing and proposed policies, systems, and laws will address them, and to support appropriate guidance for the implementation of new digital products and services.

The white paper, Privacy 2020: 10 Privacy Risks and 10 Privacy Enhancing Technologies to Watch in the Next Decade, identifies ten technologies that are likely to create increasingly complex data protection challenges. Over the next decade, privacy considerations will be driven by innovations in tech linked to human bodies, health, and social networks; infrastructure; and computing power. The white paper also highlights ten developments that can enhance privacy – providing cause for optimism that organizations will be able to manage data responsibly. Some of these technologies are already in general use, some will soon be widely deployed, and others are nascent.


Child Privacy Protections Compared: California Consumer Privacy Act v. Proposed Washington Privacy Act

By Anisha Reddy, Tyler Park, and Amelia Vance

As legislatures consider enacting broad consumer privacy legislation, officials must consider whether, and how, to address children’s and teens’ privacy. The leading models for addressing consumer privacy contain language addressing child privacy that differs in significant ways. Many states have introduced legislation that mirrors the framework of the California Consumer Privacy Act (CCPA). The proposed Washington Privacy Act (SB 6281) has also emerged as an influential framework. CCPA and SB 6281 differ in many respects, including with regard to child privacy. As described below, the frameworks take different approaches to the age of youth protected, the statutory knowledge standards, and the consumer rights granted.

As FPF previously wrote, SB 6281 would create a comprehensive data protection framework for Washington residents that includes both individual rights and obligations on data “controllers” (both for-profit businesses and nonprofits) that go beyond the rights and obligations in CCPA. A bill similar to SB 6281 failed to pass the Washington legislature in 2019, but SB 6281 is an influential model for states considering alternatives to California’s approach to consumer privacy legislation.

Both CCPA and SB 6281’s approaches to child privacy build on the federal Children’s Online Privacy Protection Act (COPPA), which requires “operators of commercial websites and online services directed to children under 13 or knowingly collecting personal information from children under 13 to obtain verifiable parental consent prior to the collection, use, or disclosure of children’s personal information.” A chart with a full comparison of the relevant language in COPPA, CCPA, and SB 6281 is below. 

CCPA adds new consumer rights for children and also extends child privacy protections to teens. SB 6281 would add new consumer rights for children, such as data portability, but would not extend child-centric protections to teens. The approaches differ in how they craft protections for children: CCPA contains specific requirements regarding the sale of children’s data, while SB 6281 would place children’s data in a larger category of “sensitive data” that would enjoy heightened protection – the category would also include types of data not related to age such as biometrics. 

CCPA and SB 6281 differ in three key ways: 

Age of youth who are protected: CCPA extends child privacy protections to youth under age 16, while SB 6281 would provide heightened protections for children under 13. Though SB 6281’s approach mirrors COPPA’s age threshold, CCPA’s expansion of special protections to teens is likely to become more common. Most consumer privacy bills introduced since CCPA was passed in 2018 would also extend protections to teens. Creating special protections for teens’ data is consistent with international trends – Europe’s GDPR sets age 16 as the threshold for special privacy protections, but permits member states to reduce the age as low as 13; many countries have chosen to retain age 16 as the age of consent for data processing. Though SB 6281 would not apply age-based protections to teens’ data, it would apply strong protections to sensitive data for all consumers, not just young people. Therefore, teens using online services in Washington would still experience a meaningful increase in their privacy rights and protections.

Knowledge Standards: CCPA and SB 6281 contain different “knowledge standards” – they have different thresholds for determining when a regulated entity “knows” a user is a child. SB 6281 would categorize the “personal data from a known child” as “sensitive data,” which would require parent permission before a collector could process the child’s data. What constitutes a “known child” in this context is not clear. 

In contrast, CCPA adopts the “actual knowledge” standard from COPPA and adds that a business that willfully disregards a consumer’s age has actual knowledge of the consumer’s age. Entities are subject to COPPA if they have “actual knowledge that they are collecting, using, or disclosing personal information from children under 13.” While many experts have traditionally advised companies that this standard was applicable only if the company knew a specific child was using their platform, the FTC’s recent YouTube settlement has raised questions about whether more generalized knowledge that children are using an entity’s service could be interpreted as falling under the actual knowledge standard–for example, the FTC’s complaint noted that YouTube enticed brands to market on YouTube by highlighting that children were using the service. 

Consumer rights granted: While CCPA creates protections for children and teens that relate to the sale of their data, SB 6281 would require parental consent before a controller may “process,” meaning perform “any operation” on, data of a known child. Under CCPA, children’s data cannot be sold unless parents (if a child is under 13) or teens (ages 13–15) opt in to sale. CCPA also provides new protections to all consumers regardless of age: they are given the right to request deletion of personal information, the right to know how their information is used, and businesses may not discriminate against consumers for exercising CCPA rights. While CCPA’s protections for children only currently apply to the sale of data, a ballot initiative to amend CCPA would expand the legal protections to cover the “sharing” of children’s data as well; the initiative will be voted on in November 2020.

SB 6281 would require collectors to obtain opt-in consent from parents before taking a much wider variety of actions than those covered by the child privacy provisions in CCPA. Collectors would not be permitted to process “sensitive data,” a category that includes data from a known child, without obtaining consent from the child’s parent or guardian. “Sensitive data” also includes non-age-related types of data such as religious beliefs, mental or physical health information, sexual orientation, unique biometric or genetic identifiers, and specific geolocation data. While CCPA’s child-specific protections only address sale of children’s data, SB 6281 would govern “any operation or set of operations which are performed on personal data or on sets of personal data, whether or not by automated means, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data.” This scope of protections for children is wider than the protections included in both CCPA and COPPA.

Preemption? It is important to note that COPPA preempts some child privacy laws, preventing states from enacting requirements that conflict with COPPA provisions. Privacy expert Peter Swire has written that COPPA preempts states’ attempts to regulate activities covered by COPPA. Though the scope of COPPA preemption has not been decided by courts, the Federal Trade Commission, which enforces COPPA, wrote in an amicus brief that it believes Congress did not intend for COPPA to displace state laws that create additional protections for teens. Even if a court finds that COPPA preempts some or all of the child privacy protections in CCPA or SB 6281 (if it is enacted), both frameworks are nevertheless influential as Congress considers how to craft a comprehensive federal privacy law or update COPPA.

 

Washington state and California share a commitment to youth privacy, but the CCPA and SB 6281 approaches diverge in notable ways that could eventually create headaches for businesses attempting to comply with differing U.S. and international standards. We’ve seen this in student privacy, where edtech companies need to examine more than 100 state and federal student privacy laws to determine their legal obligations. Moving ahead in 2020, we expect to see other states introduce bills based on CCPA and SB 6281 that include additional protections for children, as well as standalone state and federal bills governing child privacy.

 

Child Privacy Protections in COPPA, CCPA, and SB 6281

| | COPPA | CCPA | SB 6281 |
|---|---|---|---|
| Age | Applies to children under age 13 | Applies to children under age 16 | Would apply to children under age 13 |
| Who can consent to data collection/use? | Parents or guardians | Parents or guardians (when child is under age 13) or Teen (when they are age 13 or over) | Parents or guardians |
| Information Covered | Personal information from a child collected or maintained by operators of commercial websites and online services directed to children or with actual knowledge the operator is collecting, using, or disclosing children’s data. | Personal information of consumers if the business has actual knowledge that the consumer is less than 16 years of age. | The personal data from a known child. |
| Rights and Protections | Parental consent must be obtained before data is collected. Parents also have rights to access and delete their child’s information. Operators must also have a privacy policy; maintain information only as long as necessary to fulfill the purpose for which it was created; and maintain the confidentiality, security, and integrity of information. | Children and 13–15 year olds must opt-in for data to be sold; consumers of all ages have rights: to access, delete, opt-out of the sale of their data, be informed of collection, and not be discriminated against for exercising CCPA rights. | Parental consent would need to be obtained before processing data from a “known child.” Consumers of all ages would have rights: to access, correct, delete, port, and opt-out of data processing. |
| How the Law/Bill Incorporates Child Privacy | Entirely focused on protections for children under 13. | Sale of data is opt-in instead of opt-out for children under 16; all other protections applicable to all consumers, including children. | “Personal data from a known child” would be a type of “sensitive data,” and “sensitive data” requires opt-in consent before processing. |
| Knowledge Standard | Operators with products that are “directed to children” or that have “actual knowledge” they are collecting data from a child. | Applies to businesses with “actual knowledge” that consumer is under 16; willful disregard constitutes actual knowledge. | Would apply to personal data from a “known child,” with child defined as under 13. “Known” is not defined. |
| Exceptions | Information used for internal operations is exempt from needed consent | [None applicable] | Collectors in compliance with the verifiable parental consent mechanisms under COPPA and personal data regulated by FERPA |

 

Takeaways from the Understanding Machine Learning Masterclass

Yesterday, the Future of Privacy Forum provided bespoke training on machine learning as a side event during the Computers, Privacy and Data Protection Conference (CPDP2020) in Brussels. The Understanding Machine Learning masterclass is a training aimed at policymakers, law scholars, social scientists and others who want to more deeply understand the data-driven technologies that are front of mind for data protection discussions. The training received a lot of interest from academics, civil society, and key staff from policymakers in Brussels.

The expert speakers consisted of:

The speakers opened the black box of machine learning step by step. A key question the speakers answered was: How do you get from mathematical regression analysis to (unsupervised) learning and end up with a neural network?

The presentations shed light on the black box by bringing the details of the technology to an audience without an in-depth computer science background. Starting with a primer on the basics of the field, the speakers examined issues of particular consequence to policymakers such as transparency, fairness, bias, and discrimination.

The slides are available for download here. Attendees also received a copy of FPF’s Privacy Expert’s Guide to Artificial Intelligence and Machine Learning, a guide that explains the technological basics of AI and ML systems at a level of understanding useful for non-programmers, and addresses certain privacy challenges associated with the implementation of new and existing ML-based products and services. Learn more about FPF’s presence in Europe.