Strengthen consumer protections in the California Consumer Privacy Act, said DuckDuckGo, Brave Software and 21 other privacy-focused tech companies in a Tuesday letter to California Assembly Privacy Committee Chair Ed Chau (D). They urged support for AB-1760, a bill by Assemblymember Buffy Wicks (D) that’s backed by multiple consumer privacy groups (see 1902270037). “Our relationship with our users is built on trust -- trust that the data they provide to us and other companies will be used only in the ways they understand and expect,” wrote DuckDuckGo CEO Gabriel Weinberg and the other tech executives. “A.B. 1760 holds all covered companies to that standard and makes sure that Californians’ information is protected by default.” The Privacy Committee has a hearing on AB-1760 and other proposed CCPA changes on April 23 at 1:30 p.m.

Sen. Jerry Moran, R-Kan., questioned whether a new privacy law should include “strong guardrails” to limit FTC rulemaking authority. Such limits might preserve certainty for consumers, Moran wrote small-business representatives in questions for the record related to a recent Senate Consumer Protection Subcommittee hearing (see 1903260068). Consumers would benefit from Congress “providing clear and measureable requirements in statutory text” while also including FTC rulemaking authority “to account for evolving technological developments,” he wrote. Is there value in including guardrails around rulemaking authority “to preserve the certainty to the consumers that we aim to protect?” Moran asked witnesses. Moran also asked for “resource-based recommendations … to ensure that the FTC has the appropriations it needs to execute its current enforcement mission.” As a Senate Appropriations Subcommittee member, Moran said he wants to understand resource needs better before “providing additional authorities.” Moran also asked about defining entities that small businesses share data with. Small businesses share information with third parties that provide “essential business services, like credit card processing,” he said, asking if there should be a distinction between service providers and other third parties.

Sen. Ed Markey, D-Mass., Friday introduced privacy legislation to provide the FTC rulemaking authority and establishes a private right of action. The Privacy Bill of Rights Act would bar industry from using data to discriminate; require an FTC website and easy-to-read industry notices to inform consumers of privacy rights; and require industry to collect only data it needs to offer services. The legislation “puts discriminatory data uses out of bounds and tells companies that they can only collect the information that is necessary to provide the product or service requested by the consumer,” Markey said. The bill has no co-sponsors.

Congress should enact a federal privacy framework that emphasizes user control of data and requires opt-in consent for collection, said Charter Communications Senior Vice President-Policy and External Affairs Rachel Welch Wednesday. The new policy should strengthen the current notice and consent regime, not replace it, Welch wrote, emphasizing a need for transparency. Consumers will lose confidence in their online experience if they don’t have direct control of data, she said. She spoke Wednesday at an FTC privacy hearing (see 1904090073).

Verizon seeks a U.S. privacy law, as the FTC continues hearings this week on privacy. Those discussions aren't "happening in a vacuum," blogged the company's Chief Privacy Officer Karen Zacharia Tuesday. "The call for Federal privacy legislation has never been louder, and we have previously explained why it is so important for Congress to pass strong privacy legislation. The FTC’s workshops can help inform how Congress can best embody critical privacy concepts in a federal law, including 'accountability' requirements." Related comments to the FTC are here, including from Verizon, as Zacharia appears on its behalf Wednesday. The FTC's chief was to have spoken there Tuesday (see 1904090085).

The FTC voted 5-0 to issue orders to Google, AT&T, T-Mobile, Verizon, Comcast and related entities, initiating a study on broadband provider collection and sharing of user data. The study, authorized by Section 6(b) of the FTC Act (see 1903200073), allows the agency to collect internal information from the companies. The study will help the agency “better understand Internet service providers’ privacy practices in light of the evolution of telecommunications companies into vertically integrated platforms that also provide advertising-supported content,” the commission said Tuesday. Orders were sent to AT&T, AT&T Mobility, Comcast (dba Xfinity), Google Fiber, T-Mobile, Verizon and Cellco Partnership (dba Verizon Wireless). The agency is seeking details on what personal data is collected about users and their devices; how long the data is retained and if it’s shared with third parties; and whether the data is aggregated, anonymized or de-identified. The FTC also requested copies of the companies’ notices and disclosures to consumers about data collection practices; information on whether consent is offered and obtained; and processes for allowing user control of data. The companies didn’t comment.

House Democrats asked FTC Chairman Joe Simons how the agency might spend an additional $50 million to $100 million in funding on consumer protection and privacy issues. Commerce Committee Chairman Frank Pallone of New Jersey and House Consumer Protection Subcommittee Chair Jan Schakowsky of Illinois, who are crafting privacy legislation, asked what the agency would do with 100 new privacy and data security attorneys or technologists. For every high-profile case, there are many more that don’t get media attention and FTC priority, the lawmakers wrote Wednesday: “Nevertheless, consumers may face significant harm from these less well-known privacy and data security incidents.”

Wireless companies seek flexible California privacy rules, CTIA commented last week to the California attorney general on implementing the 2018 California Consumer Privacy Act. The state didn't post comments, so we obtained some (see 1903110042). AG Xavier Becerra (D) should “bring clarity to the unclear or ambiguous statutory provisions that otherwise will operate to the detriment of consumers and businesses,” wrote CTIA. Don’t prescribe how companies verify authenticity of consumer requests for information, it said. Don’t require businesses give consumers information that may risk privacy and data security, it said. Exempt businesses from having to provide information that may reveal trade secrets, CTIA said. Companies should be considered as complying with rules barring discrimination based on what data consumers provide “if there is a reasonable basis for the difference in price or rate, or the level or quality of goods and services it offers to a consumer in exchange for the consumer’s data,” the association said. Consumers should be able to choose which data may be sold rather than an all-or-nothing choice, it said. If a consumer already opted into sale of certain data, global opt-out shouldn’t reverse that, it said. The AG says written comments are available under the California Public Records Act. We filed a PRA request Tuesday after the AG office declined to provide documents voluntarily.

Facebook wants to shift to a more “privacy-focused messaging and social networking platform,” blogged CEO Mark Zuckerberg Wednesday. Zuckerberg envisions a platform where communication shifts to private, encrypted services with data that remains secure and eventually disappears. “Private messaging, ephemeral stories, and small groups are by far the fastest growing areas of online communication,” Zuckerberg wrote, saying he wants the company to shift from a “town square” to more of a “living room.”

The “potential effects” of the new California Consumer Privacy Act “are far-reaching” and may force Roku to modify its “data processing practices and policies and to incur substantial costs and expenses” to comply, said a 10-K SEC filing Friday. The CCPA (see 1812070054) was recently amended and may be amended again before it takes effect in January, said Roku. The legislation “places additional requirements on the handling of personal data,” it said. It gives residents “expanded rights to access and require deletion of their personal information, opt out of certain personal information sharing and receive detailed information about how their personal information is used,” said the company. It stipulates civil penalties for violations, plus “a private right of action for data breaches” that might raise Roku’s exposure to litigation, it noted: “We are continuing to assess the impact of the CCPA and proposed amendments to the law on our business.”