Serious Privacy

Quite the week in privacy - analysis of APRA

Dr. k royal and Paul Breitbarth Season 5 Episode 11

Send us a text

On this week of Serious Privacy, Paul Breitbarth of Catawiki and Dr. K Royal of Crawford & Company connect after the IAPP #GPS24 to discuss the US privacy bill being proposed - the American Privacy Rights Act. Join us as we discuss pros and cons along with a little news on #TikTok ban (or not). Good resources on #APRA found at IAPP cheatsheet and here with a section-by-section breakdown.


If you have comments or questions, find us on LinkedIn and IG @seriousprivacy, and on Blue Sky under @seriousprivacy.eu, @europaulb.seriousprivacy.eu, @heartofprivacy.bsky.app and @igrobrien.seriousprivacy.eu, and email podcast@seriousprivacy.eu. Rate and Review us!

Proudly sponsored by TrustArc. Learn more about NymityAI at https://trustarc.com/nymityai-beta/

#heartofprivacy #europaulb #seriousprivacy #privacy #dataprotection #cybersecuritylaw #CPO #DPO #CISO

Please note this is largely an automated transcript. For accuracy, listen to the audio.

[00:00:30] K: Whereas a week in privacy is usually based on things that are unexpected this week. We actually had a real treat where the American privacy rights act was proposed. Now Paul and I got together to give you a special episode just on the APRA. 

We'll leave it up to y'all as to whether you think it's really going to become a law.

[00:00:36] Paul: So my name is Paul Breitbarth.

[00:00:39] K: and I'm K Royal and welcome to serious privacy. 

Let's see. Is there anything on your bucket list that you are looking to cross off this year?

[00:00:50] Paul: Well, yes, there is moving house tomorrow. Apart from that, going back to Africa.

[00:00:58] K: Oh, wow You're going back to Africa this year?

[00:01:01] Paul: I'm hoping to. There are some things in the pipeline. So I'm hoping that East Africa is in the cards for the fall,

[00:01:10] K: Nice. Fingers crossed. Fingers crossed for that one. 

[00:01:15] Paul: How about you?

[00:01:16] K: I am going to a Cher concert.

[00:01:18] Paul: Wow!

[00:01:19] K: So, I mean, this month actually I've got tickets and we'll be flying on a weekend. I'm dragging Dazlyn with me. I don't know if she's ever wanted to see Cher. I don't care. We're going to see a Cher concert.

[00:01:32] Paul: And,

[00:01:32] K: And of course, I just got through back from traveling and you can't help but pick up a sniffle when you travel, right?

[00:01:38] Paul: of course, whether it's air conditioning or airplanes there's always something.

[00:01:42] K: Always something different, pollen in the air. After IAPP, which was last week we then I went to the Infonext conference over in California in Palm Springs. So, totally different climate, DC to Palm Springs. So, that, that was 

[00:02:00] Paul: DC, Palm Springs, and then back to Carolina.

[00:02:03] K: Yes. Well, I came back to Carolina in between as well.

I thought it'd be too hard to try to make it all the same thing. Although, I was hoping once I was over in Palm Springs, I would just stay the rest of this week in Phoenix and maybe actually go meet the class I teach in person, but I just couldn't do it. This old body just ain't built for traveling anymore, I'm telling you. It just ain't. 

[00:02:25] Paul: well, I still need you over in Europe later this year. I mean, we need to do something

[00:02:29] K: I got a plan on that one I got a plan on that one and and see how we're doing there.

So, okay we have a pretty cool thing to talk about but before we talk about the really cool thing Have you heard about the other really interesting thing going on in the u. s with tick tock? No,

[00:02:45] Paul: Oh, I thought you were talking about FISA 702.

[00:02:50] K: no, that's

not so interesting. It's a cool thing. But the U. S. Congress is looking at banning TikTok or forcing ByteDance to sell TikTok. I say, allegedly. But mostly around national security concerns because it's been banned by most of the government and the militaries and everything like that. So now, and I've been asked if I would be willing to speak about, is this likely to pass?

Well, it might. I have no faith in congressmen whatsoever, congressmen or women whatsoever, to be smart as a group. So there's always a possibility something will pass, but then there's also the possibility it will be challenged in the court to determine whether it's constitutional or not 

[00:03:38] Paul: I wanted to say, this will never be upheld in court. Thank you.

[00:03:42] K: you know, there's, there's laws against monopolies and fair trade and things like this, but. This is 

[00:03:48] Paul: just interfere with, with

[00:03:50] K: Open 

[00:03:51] Paul: property and the ownership, of a company. I mean, you can't just legislate ownership away.

[00:03:58] K: they can, they can ban him. They can ban them. That part I have no doubt of. They can ban them. That's fine. Lots of countries have banned tick tock. I think the number is up to 34 or something now, but forcing them to sell when it's not a monopoly,

[00:04:12] Paul: And then how about your article one your

[00:04:15] K: freedom of speech that, that we don't worry about that. 

[00:04:21] Paul: I mean, there is, they are called fundamental rights, even in the U S they are somehow some form of fundamental rights. We get to my sticky point later in the conversation twice. 

[00:04:32] K: Yeah, 

[00:04:33] Paul: this is censorship. I mean, you may like the company, you may not like the app, create a US alternative, make that popular tell people that TikTok is bad for you, why it is bad put, impose all kinds of limits or reporting obligations or local storage or what have you But just banning the app feels very much like censorship.

And if there is one thing you should ban right now, it's X.

[00:04:58] K: Yeah, yeah,

[00:05:00] Paul: For all the extremism taking place there.

[00:05:02] K: oh my, and well we've already had those cases go up to the United States Supreme Court that you can't require companies to ban or not ban certain content when it's a private company. Freedom of speech doesn't apply to a private company. It applies to the government. The government can't ban freedom of speech or can't restrict freedom of speech except under certain, you know, very, very narrow circumstances, but a private company. 

[00:05:25] Paul: I mean, I would argue that the freedom of speech also implies to the private company. That they also should have fundamental rights.

[00:05:32] K: Yeah.

[00:05:33] Paul: a private company allowed to donate money under freedom of speech to political candidates, but not allowed to have freedom of speech when it comes to actually saying things that you think?

[00:05:46] K: Well, that's, that's actually the exact opposite of what went up in front of the Supreme Court is that people wanted social media to ban certain types of content like recruiting for terrorist organizations and certain content is typically banned. Pornography. You know, things like that. But

[00:06:05] Paul: Well, plain nudity or just showing 

[00:06:07] K: yeah, 

[00:06:07] Paul: is already banned.

[00:06:08] K: yeah. So if, but if Meta wants to let ISIS recruit on their network, the government's not going to tell me that they have to ban it,

[00:06:15] Paul: Okay. 

[00:06:16] K: know? So, so there's issues there. There's some things that fall under morality and ethics that, you know, you, you have questions about, but

[00:06:24] Paul: you can have the debate. There you can have the arguments. But just, Taking away ownership or forcing a company just to, change their place of residence from China to the United States. What, what would U. S. reaction be if the Court of Justice of the European Union or the Supreme Court in Ireland would suddenly say, Hey, Meta we want you to split off your your European entity and just make sure that everything is run out of Dublin.

There would be an outcry in Congress. How dare the European union do something like that?

[00:06:59] K: Right. Right. We like to outcry over everything here, except for maybe the things that you would wish they would.

[00:07:06] Paul: Well, I mean, the Snowden revelations for what? 2013, 20, yeah, 2013. back then Europe cried out and said, Hey we don't like it that you look at our personal data and at all, everything we do online without a proper warrant, and it's taken 11 years. And now during the FISA 702 recertification. Now suddenly U.S. representatives are saying, Hey, we don't want, the security services to spy on us without a warrant. 

But that is, of course, only for Americans. 

[00:07:41] K: Do you think maybe this went too far back when, you know, 9 11 happened and foreign, parties were attacking the U. S. that maybe it shouldn't have carried on for the next 20 something years?

[00:07:52] Paul: Duh.

[00:07:53] K: Yeah.

[00:07:54] Paul: I mean, you're asking for the obvious here, K. And we've had this debate. More than often enough. I won't go into a full rant again about the habitual place of residence and citizenship requirements. 

But hey, look at the American Privacy Rights Act. It only applies to U. S. residents.

[00:08:12] K: Oh, you're so bad. 

[00:08:14] Paul: ever gets passed,

[00:08:15] K: If it ever gets passed, you know, I'm not going to hold my breath on this one. I mean, it's, it's a pretty decent law, frankly. Other than it's 

[00:08:23] Paul: Absolutely.

[00:08:24] K: other than its scope of applicability.

[00:08:27] Paul: well, the, the, the, the person's, I think the carve outs for small businesses are fairly sizable. 

[00:08:32] K: Yeah. 

[00:08:33] Paul: and I think what is considered sensitive data is very surprising.

[00:08:38] K: Yeah, it was right. I, when I looked at that, I'm like, Paul's going to have something to say about that sensitive day.

[00:08:46] Paul: I think after four years we know each other a little bit, right?

[00:08:49] K: Yes, state laws are preempted across the board. 

[00:08:51] Paul: Well, and that makes 

[00:08:53] K: With the exception of an enumerated list of state laws, consumer protection laws, civil rights laws, provisions of laws that address the privacy of employees, provisions of laws that address privacy of students, provisions of laws that address data breach notification, contractor tort laws, criminal laws unrelated to data privacy, criminal and civil laws on cyberstalking and blackmail, public safety laws, Unrelated to privacy provisions of laws That address public records laws provision of laws that address banking and financial records provisions of laws that address electronic surveillance and wiretapping Blah, I'm almost done.

I'm almost to the list of the exemptions of preemption of state law unsolicited email and phone laws healthcare health information medical information Confidentiality of library records and provisions of laws that address encryption. Video was not in here, by the way. Mainly because there's a federal law on video. 

[00:09:47] Paul: that for me. What does it mean that this is an exception to preemption?  Does that mean that these laws will always apply and supersede 

[00:09:56] K: Yeah. 

[00:09:57] Paul: Rights Act, or,

[00:09:59] K: Yes.

[00:10:00] Paul: but

[00:10:00] K: Pretty much. it, but I, I, I, I, we'd have to look at the enumerated list of state laws. Cause you know, that's the reason why the one that they thought was going to pass for where the ad pop up a pot, the dot, the dot thing. California were the ones that opposed it because they didn't want it to preempt.

They say the federal law should be a floor, not a ceiling. And that, that's the thing there. So, but it also

[00:10:22] Paul: So here now, just to help me and probably all the non Americans understand, this provision that you just read out, basically it means that the Privacy Rights Act will be a ceiling, except when California or any of the other laws that you just mentioned are more strict than those provisions apply.

[00:10:45] K: yes, essentially, that's the intention, that they would do that, and then the

[00:10:51] Paul: So that's similar to GDPR 

[00:10:53] K: yeah, there's, there's other laws that are in here as well, COPPA's in here, commercial surveillance and data security different things in here, so there's other things in here as well that are listed.

[00:11:04] Paul: But that is, that is very similar to GDPR because GDPR also sets Sets the ceiling of this is, this is what you need to do, but you have under certain provisions as member states, the possibility to do more, you can get more specific. And of course, there are also the carve outs for sector specific legislation, like e privacy, like we now get with health data, with the European health data act and also at national level with labor laws and things like that, where you can do more.

And those carve outs are created already in the GDPR. So actually that approach from a European perspective would make sense.

[00:11:43] K: mean, we're liking a lot of that, but also entities subject to other specified privacy laws such as Gramm Leach Bliley, HIPAA are deemed to be in compliance other than data security. In compliance with other federal data security requirements shall be deemed to be in compliance with the data security section of the act.

Federal and state common law for civil relief are preserved. And the FCC privacy laws and regulations shall not apply with respect to privacy and data security of all the blah blah blah with the proprietary network information except international treaty mitigation measures, things like that.

So there's a bunch of other things in here. Of course, there's enforcement, but there's enforcement by individuals. So they can file private lawsuits against entities that violate their rights under the act, not for have a breach, but for violate their rights. They can file a lawsuit for substantial harm. or by a minor shall not be subject to mandatory arbitration. They can bring in action to recover actual damages, injunctive relief declaratory relief, reasonable attorney fees. They can recover statutory damages with like Illinois Biometric Act. They can, if the resident in California, they can get statutory damages consistent with California's law.

And if entities are provided an opportunity to do so. if it's injunctive relief or written notice seeking actual damages except for actions of substantial privacy harm. So it's going to be interesting to see. I mean, I kind of really hope it kind of does pass. 

[00:13:18] Paul: I think so too. Also, if you look on the enforcement side, apart from the private right of action, you have the federal trade commission. You have state attorneys general chief consumer protection officers of a state, but also authorized officers or offices of a state. So that would also mean. That, for example, the California Privacy Protection Agency 

[00:13:39] K: Yep. 

[00:13:39] Paul: to enforce legislation. And we may actually see more similar offices pop up 

[00:13:45] K: Right. Yep. I think that would be fascinating as well. I think a lot of what they put in here as well thought out. I really like it. I mean, I, I w you, you've heard my fears that the federal would pass a law that. 

Sucks. 

[00:13:59] Paul: Mm hmm.

[00:14:00] K: That was really 

[00:14:01] Paul: That is just 

[00:14:02] K: did nothing, but this is pretty good.

[00:14:03] Paul: That's an empty, that's an empty jacket. Yeah, I mean, this looks, this looks decent. I'm, I'm, indeed as mentioned, I'm surprised about the sensitive data provision, 

[00:14:12] K: Why does it surprise you? 

[00:14:14] Paul: because it's defined very, very broadly, 

[00:14:17] K: well, 
you know we consider all kinds of things sensitive here We don't want anybody to know anything about us except for what we give everybody on social media.

[00:14:25] Paul: well, true at the same time Online activities over time and across 3rd party websites. So that would include those social media posts that you talk about. They would be considered as sensitive. I'm happy to see financials and geolocation, but for example, log in credentials and calendar address, book data, phone logs, photos and recordings for private use. Intimate imagery, okay, there I can understand. Video viewing activity, so your Netflix statistics are sensitive personal data, let alone your Pornhub statistics.

[00:15:01] K: Right. But they are, they are working in a lot of elements of non consensual pornography in here and everything. So recordings meant for private use. So they're rolling a lot in here that takes into account a lot of the really sensitive data subjects that we talk about. Now some part of it may go a little too far, such as when they say any medium showing a naked or private area of an individual. 

[00:15:28] Paul: So that would also be a painting in a museum. That's a medium. 

[00:15:32] K: famous photography of the, of like the little girl running from, from the bombing, the war the statues, the Greek statues, they're all 

[00:15:40] Paul: Yes, 

[00:15:41] K: mean, look at all the Bibles that have naked imagery in them.

[00:15:44] Paul: that's all sensitive personal data now. 

We don't know who the people are, it is. Well, no, because those people were not Americans. That's, they did not have an American place of residence, so they would not be covered. and then, then everything where the FTC says we consider this to be sensitive personal data is also sensitive personal data.

[00:16:06] K: Yeah. 

[00:16:06] Paul: if the FTC chair says, hey, my lunch order is sensitive personal information. And she would put it in a regulation that it is.

[00:16:15] K: Yeah. So I was looking for the actual language of where it says it only applies to Americans. Yeah. Hold on, let me find it. I have to scroll through. It's a lot of, it's a lot of pages.

[00:16:27] Paul: I have to summary in front of me. Individuals means a natural person residing in the U S

[00:16:32] K: Yeah, that's what I was thinking. It actually has the residence requirement. but a covered entity, a loaner and jointly with others determines the process and means of collecting, processing, retaining, or transferring current data subject to FTC, common carrier under the Communications Act, organization not organized to carry on business for their own profit or that of their members.

Those are the ones that, and includes those, and does not include federal, state, tribal, territory, or local government entities. Does not include those processing data on behalf of those, a small business, the National Center for Missing and Exploited Children except in respect to other things, a non profit whose mission is to do certain things.

And then a non application to serve as provider. So if you're doing something on behalf of a company, and that company is subject, it doesn't mean that you're subject. That was something that also came out of California a long time ago. So there's a lot of things here as they go through here, but they also define dark patterns. dark patterns means a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision making, or choice. So that's interesting. De identified data is in here as well. That's going to be, there's just a lot about this I really like. IAPP did a great job going through, going through and highlighting the different pieces of this and everything.

So that was really good. We'll include the, this is the best summary I've found of it.

Section by section summary that I really, really do like. There's a lot of criticism about it, of course, but I mean, to be frank,

[00:18:11] Paul: not in the least that it was released on the Sunday,

[00:18:13] K: right, right after IAPP, like there might've been 

[00:18:16] Paul: IAPP. Yeah. Like they've been waiting for everybody to leave town and then, Hey, 

[00:18:21] K: handshake surprise. Yeah, that was the biggest criticism is that it flew under the radar for so long. I'm not going to hold my breath. I'm going to be honest. I've seen some promising privacy bills proposed before, and nothing happens. Does this look like it might happen? It looks like it might,

[00:18:41] Paul: So if something were to happen with this bill, then probably it would need to have. a lot of traction before the summer.

[00:18:49] K: Yeah, 

[00:18:50] Paul: and then Congress will come back after the summer for a few more weeks before the election.

[00:18:55] K: yeah. Well, as, as, as we've said before, I didn't expect a heck of a lot to happen when privacy this year anyway, and bam, look at me. Don't listen to me anymore for predictions. I just got knocked out of the water by all the different state laws that have been passing. So, hey,

[00:19:10] Paul: Yeah. But I mean, your crystal ball is somewhere in storage,

[00:19:13] K: Yeah, exactly. Somewhere between here and Arizona.

God only knows where it is. But we'll see what happens. I mean, this has a lot of promise to it. Has a lot of support to it. It addressed a lot of the criticisms that have been hit before. I don't think California is still a big fan. 

[00:19:28] Paul: no, and we'll continue to monitor this this piece of legislation also to warn you because if it does gain traction, and it looks likely that it would pass before the elections, you will only have 180 days before it applies.

[00:19:43] K: Yeah. 

[00:19:44] Paul: so this is PIPL all over again with a little bit more time. But this will be very fast. 

[00:19:49] K: Yeah. 

[00:19:50] Paul: for some of the bigger companies that also means that they need to do a lot of homework. One of the provisions that I sold that. Really surprised me for large data holders, which I would suppose would be something like the very large online platforms 

[00:20:06] K: Yeah. 

[00:20:07] Paul: the Digital Services Act. So Google and Meta who have you, but they need to publish their privacy policies from the past 10 years.

[00:20:15] K: Yeah.

So you can go back and see what was in effect at a particular time. So, it 

[00:20:22] Paul: and that makes sense, but try to find them if you haven't posted them on your website already. Then you're automatically in breach because I doubt that anybody that doesn't have them posted would still have them somewhere else or would be able to find them.

[00:20:37] K: there's a service that can go back and look at websites over certain periods of time. I don't remember what it is, but there is. Yeah, the Wayback Machine can go back and look. That might be the only resource a lot of companies have. But it does.

[00:20:49] Paul: I've actually used it in the past just to find things that indeed from websites that have disappeared, even to find things that I should have from the the Amsterdam privacy conference. For example, we we took the website offline after the event because what, what use would it have to keep it online?

And then Now with Jersey preparing for the global privacy assembly, I thought, Oh, I need to look some things up and

[00:21:15] K: It wasn't there. Ha, ha, ha, ha, ha, ha, ha. 

[00:21:18] Paul: find it on the on the way back machine, 

[00:21:21] K: Yeah. 

[00:21:22] Paul: mainly sponsorship packages and Things 

[00:21:24] K: Things like that, that you could reach out to. But there are great sections on data minimization, transparency, as Paul was just talking about, consumer controls, especially for targeted advertising and tracking over sites and, and rights, opting out, and centralized opt out mechanism. I'm still not a big fan of the centralized opt out mechanism, because I really am not.

sure that that technology is ever really going to work right. Interference with consumer rights, so dark patterns. Prohibition on denial of service and waiving rights. The same standard language people, you can't force people to agree to waive their rights. So, by using our website, you agree to and consent to our data notice.

No, you really don't. And if you hide in there the fact that they waive their rights, you especially don't. So, just do the right thing.

[00:22:17] Paul: that's not valid consent. And in any case, you don't consent to a notice.

[00:22:21] K: Yep. The data security portion and this is one that the FTC can enact some rules on. That will be exciting to see what it is. A lot of people use the The SIS controls that the California Attorney General listed in one of their decisions to go by baseline because we don't have guidance. We don't have guidance on what anyone considers reasonable.

Executive responsibility you have to have a privacy or data security officer. Service providers and third parties. You gotta have contracts, all the good stuff in there. Data brokers have rules. And of course, we covered the civil rights and algorithms and the opt outs for things like that. So there's, there's 

[00:22:58] Paul: There are some accountability requirements as well. So you need to be demonstrating that you meet the provisions. And I don't think you need a full processing activities register, but there are so many transparency requirements that it would be impossible to not have a register. 

[00:23:14] K: Impossible to do it without it, right? 

[00:23:17] Paul: So I know your crystal ball is still locked up somewhere, but say this will pass.

Could something similar happen like we saw in California that at the 11th hour, the entry into effect would be postponed by a year

[00:23:29] K: Oh, heck yeah. Oh, heck yeah. There's going to be so many companies petitioning Congress for a delay in enforcement or, or, you know, submitting or something. Yeah, trust me. Yeah, absolutely. There's a possibility of that. I mean, Americans live by that.

[00:23:46] Paul: So the 180 days will be 450 days or something like that.

[00:23:50] K: Before it goes into effect, HIPAA was delayed years after years after years because companies weren't prepared. But frankly, I mean, let's look at a practical level. Companies should be doing this. They should already be 

[00:24:03] Paul: Yes. Well. 

[00:24:05] K: that they need to beef up and get right Get on it.

[00:24:09] Paul: I mean, a lot of them do business with the European Union, so they would be subject to GDPR to some extent. I think a lot of them will be subject to one of the 15, 16 by now state laws, that will, 

[00:24:25] K: signed I couldn't see whether or not the governor signed Maine or not. So yeah.

[00:24:29] Paul: but I mean, those will be in effect at the latest 1st of January 2026, 

[00:24:34] K: Yep. 

[00:24:35] Paul: so. 

[00:24:36] K: Wait a minute Wasn't there one of them that was like 28 or something 27 or 28?

[00:24:41] Paul: I may have missed that one.

[00:24:43] K: I think I, I think I captured that. There's one of them. I don't remember which one it was, but I will say that one of the things I picked up out of IAPP was Oregon said theirs is not in effect yet, but they have some very specific provisions of their law that are very much different from other state laws and they plan to enforce on those provisions because they are there for a reason.

So now I got to go figure out what parts of Oregon law are different from the others because I don't recall that off the top of my head.

[00:25:13] Paul: So if any of our listeners has a very clear overview, we'll be happy to have you share that on our LinkedIn

[00:25:20] K: Yeah, absolutely. Feel free to do that. I really do like the authority that is giving the FTC. You and I have talked about before that we really do need a federal privacy agency that can make these kinds of decisions and do things. I'm okay if it comes out of the FTC, although not 

[00:25:39] Paul: Yeah, 

[00:25:39] K: entities are subject to the FTC.So, 

[00:25:43] Paul: no, but I think quite a few more may be subject now to the FTC because of the way that the, the scope was formulated. Plus all the other agencies and attorneys general would of course also. Have competence. So it's not like the ones that are not subject to the FTC can just escape compliance because there are so many different ways to enforce the law.

So I think that's a, that's actually a good thing.

[00:26:09] K: I do think it's interesting though that the termination of FTC rulemaking on commercial surveillance and data security will be terminated on the date of enactment. But as you said, it doesn't go into a force until 180 days. But we're going to stop all the rulemaking anyway. Just stop it when this passes.

We're done.

[00:26:30] Paul: That's your position, right? I mean, that's not, that's your desire.

[00:26:37] K: I don't know. I don't know that I've ever really been impacted by the FTC rulemaking on data surveillance or commercial surveillance and data security. But, yeah, just, just in case that was something that y'all were watching very closely, it's going to be gone as soon as this is passed. So, 

[00:26:53] Paul: another way to put out guidance or guidelines

[00:26:56] K: oh, absolutely. 

[00:26:57] Paul: decisions or or whatsoever.

[00:27:00] K: Now, at some point, they'll get to the point where they put out really useful and helpful guidance like the UK ICO does. There's a lot of user friendly Or the issued. European database puts out a lot. Well,

[00:27:17] Paul: It's not always as useful, but

[00:27:19] K: I was going to say, ah, there's a lot of guidance. Whether or not it's really useful and consumer friendly and absorbable is all that they're 

[00:27:29] Paul: At the same time, if I look at the things that the ICO puts out, sometimes I'm missing the legal details.

[00:27:34] K: that could be true. 

[00:27:36] Paul: it's to consumer friendly.

[00:27:38] K: Well, that's why I say very consumer friendly and absorbable. I think FTC kind of meets that happy medium in between. They really do like to put out guidance for companies trying to comply. For example, you can look at their guidance on COPPA. And how they answer a lot of FAQs and they really do their, their goal is they'd rather have companies comply.

It's kind of like if there's an evil person out there doing evil things to you, wouldn't you rather, see an enemy become a friend than die an enemy?

[00:28:06] Paul: That's that's for sure. 

[00:28:08] K: Depending on what they do.

[00:28:10] Paul: no, that is that is absolutely true. you know, it seems like the this legislation is pretty much. GDPR style. 

The Americans will never agree that this is something like the GDPR. 

[00:28:23] K: of course not. 

[00:28:24] Paul: but it is very GDPR style, which means that the fear of some of the big tech companies that at some point the U S would get a GDPR style legislation with FTC level enforcement, that that nightmare for them is becoming reality.

[00:28:42] K: Does not take us near as long to enforce as it does in other locations. 

[00:28:46] Paul: No, that's true. We have something called due process to bear in mind. All right.

[00:28:52] K: Yep, we're pretty quick on that, that whole enforcement stuff. But on the other hand, 

[00:28:57] Paul: somebody sues you. So you have to be quick

[00:28:59] K: I was going to say, yeah, or exactly, we just go and we file a lawsuit and we do something, but we're also really good at settling too. Not very many companies want to take on the federal agencies and fight them to the end.

Although there have been some notable ones and they have made an, an impact, but the FTC then just turns around and does what they need to do. And then like, Go forth And conquer again. 

[00:29:22] Paul: that is when you get those billion with 20 year audit requirements and things like that, they could become a lot more interesting under this piece of legislation.

[00:29:34] K: Now, true. Now that is something. Europe's not really big on the 20 years of oversight of following up with companies and make them do stuff. FTC likes to do that.

[00:29:45] Paul: Yeah. And I think that is something where Europe could be a bit more creative because I don't think it's ruled out that you can impose a sanction like that under the GDPR. I think. Depending on the member state, probably it would require also some some level of administrative procedural law that would allow for similar sanctions. But I guess it can be part of most compliance orders that you need to demonstrate every year that you still need 

[00:30:13] K: right. I mean, why wouldn't it? 

[00:30:16] Paul: of course, a resource issue for the DPAs. They 

[00:30:18] K: Yeah, 

[00:30:20] Paul: to pick up new cases, let alone to review the old cases on a year to be based.

[00:30:24] K: yeah. Very true. And here in the U S we like to be very creative about how we get along those restrictions. When Facebook is told they can't sell data, they lease it. So there you go. 

[00:30:39] Paul: is that not a sale under the CCPA?

[00:30:42] K: Well, this was before the CCPA had their definition of sale. But you know that's why the CCPA had to then pass a definition of sharing. It's cause all the ad networks kept saying, well, it's not really selling. The company's not giving it to us. We're scraping it up off their website.

[00:31:00] Paul: Yeah. And how is that legal again?

[00:31:02] K: Right. We just pushed the envelope cause we're the wild, wild west over here. but no,actually. Right, well, yeah, I guess I'm back in the south now. South of the Mason Dixon line, east of the Mississippi, that now makes it the South, with a capital S. Not the Southeast United States, it's some people. But I'm also not in that landmass between Louisiana and Alabama. In case you happened to catch that in the news years ago, that landmass between Louisiana and Alabama. That landmass has a name. It's called Mississippi. Okay. So no, so final, final statement is there's some pretty cool things happening here in the U. S., which is shocking the heck out of me for an election year.

Color me shocked. But this one actually looks pretty promising, but I am not holding my breath. I, I absolutely refuse to get completely optimistic about it. But if they pass it, I wouldn't be disappointed.

[00:32:03] Paul: Well, that's a, that's a good note to end on, but I have one final question and,  Because this is, this is a bipartisan bill. Yeah, so there is a Democrat, it's a Senate, it's a Senate bill, so there is a Democratic senator, a Republican senator, both, 

[00:32:19] K: yep. 

[00:32:20] Paul: this bill. Has there been any response from known MAGA Republicans already, whether they would support this?

[00:32:28] K: I haven't really seen any, but I'm going to be honest, I haven't really gone out looking for it. Now, if you ask me about the TikTok story, I got all kinds of people against it and for it and news stories out there. But on this one, I'll be honest, I haven't really seen a lot. I mean, most of the people I talk to and follow are all privacy people anyway. So they have it. But yeah, it's not getting as much media attention as some of the other things going on are.

[00:32:54] Paul: I was just curious whether if the big orange guy says no, we are not going to do this, whether it will still make a chance or not. But, 

[00:33:03] K: I did see a story where his financial advisor was just sentenced to four more months, five more months in jail for perjury, financial officer or something. I mean, the guy's in his seventies. I mean, hopefully they're treating them well in prison. I know that sounds bad, but I mean, it is federal but regardless.So,

[00:33:25] Paul: Well, on that happy note, we'll end up, we'll wrap up another episode of Serious Privacy.

[00:33:30] K: And next week. Paul will be recording, Paul will be recording, from a brand new house.

[00:33:35] Paul: Yes, a brand new house, a brand new studio. Well, we'll see whether there is a studio already or whether it will still be EarPods. But, we'll see. indeed, next week from the new house this week, if you want to join the conversation join us on LinkedIn or join any of the IAPP discussion threads on the American Privacy Rights Act.Because 

[00:33:54] K: APRA 

[00:33:55] Paul: said about this this legislation. 

[00:33:57] K: APRA 

[00:33:58] Paul: it's in any case, an acronym that we can pronouncethe APRA. 

[00:34:03] K: APRA 

[00:34:04] Paul: that's what I say. The APRA. If 

[00:34:06] K: APRA 

[00:34:07] Paul: you want to find K on social media, you'll find her on her @heartofprivacy and myself as @EuroPaulB until next week. Goodbye. 

People on this episode