Michael Young’s Post

New technique makes lengthy privacy notices easier to understand by converting them into machine-readable formats

Luis just rejected the invitation from Keir Lamont to visit Sacramento: 2,100 bills? By Andrew Folks, The 16 Feb. deadline for California legislators to introduce bills for the current legislative session saw state senators and assembly members introduce more than 2,100 bills intended to address topics ranging from bingo to reparations and everything in between. Relevant to the work of privacy and artificial intelligence governance professionals, legislators largely focused on laying ground rules for the use of AI while also supplementing California's maturing regulatory framework for consumer and children's privacy. Following the California Privacy Protection Agency's legislative proposal, Assembly Member Josh Lowenthal proposed AB 3048, requiring all browsers to include settings enabling consumers to send opt-out preference signals like the Global Privacy Control. Currently, none of the three most-used browsers — Chrome, Safari or Edge — offer such signals. Universal opt-out mechanisms have been one of the CCPA's more influential exports; currently eight comprehensive state bills include language requiring businesses to honor opt-out preference signals. Wary that opt-out preference signals will go the way of similar choice signals in the past, legislators mandating that all browsers act as a conduit for consumer opt-outs would go a long way toward easing the ability of consumers to express their privacy rights at a mass scale. Elsewhere, Bauer-Kahan — chair of the Committee on Privacy and Consumer Protection — put forth AB 2877 to amend the CCPA by heightening the requirements for membership on the CPPA board to include qualifications, experience and skills in consumer rights. This proposal follows the announced departure of board member Lydia de la Torre, the only consumer privacy practitioner to have served on the CPPA board to this point.

At the recent U.S. Senate Committee on Commerce, Science, and Transportation Majority hearing, the importance of protecting American’s privacy online was front and center. As the application of #AI grows, securing personal information and guarding healthcare data is increasingly critical. HLC appreciates the bipartisan work of Chair Maria Cantwell and others on this issue and urges Congress to establish a nationwide uniform privacy standard to guard health data. The growing patchwork of state laws is unworkable and exacerbating operational complexities. HLC stands ready to help policy makers understand the real-world impacts privacy and AI related legislation will have on patients across the care continuum. Click below for our memo to Members of Congress outlining suggested edits to the draft of the American Privacy Rights Act:

New academic work: "Privacy decision-making and the effects of privacy choice architecture: Experiments toward the design of behaviorally-aware privacy regulation" (with Stephan Tontrup). The current notice and choice privacy framework fails to empower individuals in effectively making their own privacy choices. In this Article we offer evidence from three novel experiments showing that at the core of this failure is a cognitive error. Notice and choice caters to a heuristic that people employ to make privacy decisions. This heuristic is meant to distinguish between a party's good or bad intent in face-to-face-situations. In the online context, it distorts privacy decision-making and leaves potential disclosers vulnerable to exploitation. From our experimental evidence exploring the heuristic's effect, we conclude that privacy law must become more behaviorally aware. Specifically, privacy law must be redesigned to intervene in the cognitive mechanisms that keep individuals from making better privacy decisions. A behaviorally-aware privacy regime must centralize, standardize and simplify the framework for making privacy choices. To achieve these goals, we propose a master privacy template which requires consumers to define their privacy preferences in advance—doing so avoids presenting the consumer with a concrete counterparty, and this, in turn, prevents them from applying the intent heuristic and reduces many other biases that affect privacy decision-making. Our data show that blocking the heuristic enables consumers to consider relevant privacy cues and be considerate of externalities their privacy decisions cause. The master privacy template provides a much more effective platform for regulation. Through the master template the regulator can set the standard for automated communication between user clients and website interfaces, a facility which we expect to enhance enforcement and competition about privacy terms. https://lnkd.in/dZWv2hAq

I invite you to read this recent blog on navigating AI-related privacy disputes, written by my colleagues Gillian Kerr, Connor Bildfell and Nico Rullmann

As Congress begins to tackle policies regarding #AI and #dataprivacy, it is important to listen to the voices of those in the healthcare industry who work on behalf of patients everyday.

Clients tell us it is hard to find people with experience doing PIAs, many are paying for tools that don’t work, and most have a backlog of PIAs to do. Last year, we launched The Privacy Pro Academy to empower privacy pros with hands-on experience completing the PIA that we use in our practice. It is a simple tool that just works. Now, we have updated the PIA and released version 2.0 to: -- Expand coverage. New questions and options reflect US State requirements for assessments, such as the Colorado Privacy Act, as well as AI Governance considerations. -- Refine the risk assessment. A more nuanced understanding of high-risk scenarios makes sure that PIAs are not unnecessarily triggered. -- Simplify the workflow. Reflects how our clients have used this tool to collaborate between privacy and business teams, particularly when it comes to examining the relevant privacy requirements. There are several ways to check it out! Registration links for each are available on our website, https://lnkd.in/gD6GmM4M. -- See it in action during the Free Webinar on October 16 -- Learn by doing in the Hands-on PIA Workshop on October 24 -- Join an info session on October 8 or 24, or book a call at a time that works for you.

Just published my latest article on "Digital Privacy in the Age of Big Data: Balancing Innovation and Individual Rights." Dive into the delicate balance between leveraging data for progress and safeguarding individual privacy rights. Your feedback would be invaluable as I continue this journey. Read and share your thoughts!

Great overview on the building momentum for the American Privacy Rights Act from a hearing this week about how concerns about the demands for data to feed LLM data models are driving a push for enforcement. An insightful set of comments by John Hickenlooper on the tension between companies that have practiced or espoused data minimization but now need that data to feed their models. Also, great to see allies like Prem M. T. bringing knowledge and understanding through the work of New America Open Tech Institute. https://lnkd.in/eQeUK54g

1 lesson I’ve learned after working in privacy for 5+ years? Nothing is black and white; Context is everything. Privacy can’t be measured in simple terms. Its practicality must be constantly reassessed; what may be acceptable in one scenario may be completely inadequate in another. And what makes it so complex? Context. Context is critical. Just because information is accessible doesn't imply that it was intended for all uses. There is no one-size-fits-all solution in privacy— it’s a different cut, color, size and look per case. So to manage privacy effectively you must understand the nuances of each context. Privacy is not a static concept but a fluid one, it changes with: - different scenarios, - cultural norms, - technological advancements, and - what people expect. Approach privacy with this mindset, and you'll develop effective, flexible, and user-centric practices that respect privacy in all its complexity. As I always love to point out, privacy is not just about the rules—it's about nurturing a culture of respect for individual rights, context, and diversity. I wish you a privacy friendly week! ----------------------------------------------------------------- 🙋♀️ I'm Tanya, Founder of Privacy Rules ⚡ I help companies maintain the highest standards of privacy Like this post? Want to see more? Follow / connect with me 🔔