The National Institute of Standards and Technology extended the comment deadline for developing a privacy framework (see 1809050043) from Dec. 31 to Jan. 14.
Regulating data privacy “makes a lot of sense,” and Silicon Valley should keep an open dialogue with Congress and the federal government, Microsoft founder Bill Gates said on Fox News Sunday. There’s nothing inappropriate about officials talking to big tech companies, he said, citing regrets about addressing Microsoft investigations in the 1990s. “I was naive,” he said. “I didn’t have an office in Washington, D.C. ... and even bragged about it. I later came to regret that. I’m sure these guys are learning better than I did that they need to come back here and start a dialogue.” Gates was asked about the backlash against big tech and criticism that companies don’t properly protect consumer data.
Facebook discovered an application programming interface bug that let third parties access as many as 6.8 million users’ photos, some not officially posted online, the platform announced Friday. The Facebook Login bug allowed unauthorized access Sept. 13-25 on as many as 1,500 applications built by 876 developers. The company will launch tools “early next week” to help inform affected users. “We will be working with those developers to delete the photos from impacted users,” Facebook said.
Brian Schatz, Hawaii, and 14 other Democratic senators introduced a bill Wednesday that would set parameters for companies collecting data online. The Data Care Act would require “reasonable efforts” to secure data and notify users of breaches, prohibit companies from using data to “harm” users and set confidentiality guidelines for third-party sharing of data. It would give the FTC limited rulemaking and civil penalty authority. Schatz told reporters Wednesday his office discussed the bill with Internet Association, with some IA members voicing displeasure with the content, and with Republican lawmakers. The tech industry looks forward to working with lawmakers including Schatz on “our shared goal of passing an economy-wide law that protects consumer privacy and allows companies to innovate,” said IA CEO Michael Beckerman. The bill will “complement,” not compete with, any overarching bill produced by the Senate Commerce Committee, Schatz said. Having state privacy laws bolsters Democrats’ bargaining position, he added, saying he has no problem with a state patchwork if the ultimate privacy package isn’t a progressive law like California’s. He noted the bill isn’t one of the items under consideration by a bipartisan working group that includes Schatz, Sen. Richard Blumenthal, D-Conn., likely Chairman Roger Wicker, R-Miss., and Sen. Jerry Moran, R-Kan.
Google Plus suffered a second privacy breach impacting as many as 52.5 million users, the platform confirmed Monday (see 1810100066). Information exposed included name, email address, occupation and age.
California’s data privacy law differs from the EU’s due to the former’s focus on transparency obligations and limitations for the sale of personal information, the Future of Privacy Forum and DataGuidance reported Friday. The California Consumer Privacy Act requires companies to include a homepage link allowing users to opt out of selling personal data.
The U.S. needs a uniform national privacy law that allows for “contextual” user consent, the Business Roundtable said Thursday, offering a framework. The organization, which includes AT&T, Comcast and Verizon, called for varying degrees of consent for data collection. “Opt-in consent may be required as part of a risk-based privacy practice for data processing that presents higher risks to the rights and interests of individuals,” the framework said.
Sometimes, law enforcement needs outweigh the right to online privacy, said DOJ Criminal Division Deputy Chief-Computer Crime Michael Stawasz Wednesday, citing child sex-trafficking and copyright infringement. There has been a constructive discussion about privacy, but platforms don’t get a pass to aid and abet, Stawasz said during an International Institute of Communications panel. Providers should take privacy seriously but need to allow a space where effective investigations root out illegal behavior, he said, arguing law enforcement isn’t asking for “back doors” but responsible conduct. Asked if anything of value was gained from DOJ’s recent tech-related meeting with state attorneys general (see 1809250033), Stawasz said he wasn’t invited, but the gathering was recognition of shared responsibilities by different levels of government. The U.S. system means state and local government handle most criminal law, but “I do see that changing to some degree because of the internet,” he said. FTC Commissioner Noah Phillips said in a keynote that markets work properly when consumers have the information they need. It’s not clear how companies can share mass data with competitors and adequately protect privacy, said Software & Information Industry Association Senior Vice President-Public Policy Mark MacCarthy. One-size-fits-all regulation for content moderation will drive smaller companies out, said Engine Executive Director Evan Engstrom. The U.S. needs to create a healthy internet ecosystem without a regulatory regime only large platforms can comply with, he said. The expectation is for companies to be “socially responsible” now, said Oath Global Head-Business and Human Rights Nicole Karlebach.
Internal Facebook documents released by a British lawmaker Wednesday suggest CEO Mark Zuckerberg wasn't forthcoming with Congress when claiming the platform doesn’t sell user data, said Sen. Ed Markey, D-Mass. British MP Damian Collins, chairman of Parliament's Digital Committee, released some 250 pages of seized internal documents showing Facebook discussing requirements for companies to buy a certain amount of digital ads to continue accessing user data. “Any evidence of a pay-for-data model would fly in the face of the statements Facebook has made to Congress and the public,” Markey said. The trove also included emails from Facebook Product Management Director Yul Kwon supporting questionable methods for accessing Android call history data without user consent. In February 2015, he discussed a change that “would allow [Facebook] to upgrade users without subjecting them to an Android permissions dialog at all.” Facebook’s 2011 FTC consent decree requires affirmative user consent for the collection of certain user data. “This is a pretty high-risk thing to do from a PR perspective but it appears that the growth team will charge ahead and do it,” Product Manager Michael LeBeau wrote. The Android feature in question allows users “to opt in to giving Facebook access to their call and text messaging logs,” Facebook blogged Wednesday, addressing controversial issues cited in the documents. The data is used to “make better suggestions for people to call in Messenger and rank contact lists in Messenger and Facebook Lite.”
Verizon's Oath agreed to pay $4.95 million for advertisements targeting youngsters under 13, New York Attorney General Barbara Underwood (D) announced Tuesday. Oath, formerly AOL, “conducted billions of auctions for ad space on hundreds of websites the company knew” were used to target underage users, the announcement said. The settlement requires Oath adopt “comprehensive reforms to protect children from improper tracking.” It's the largest penalty in Children's Online Privacy Protection Act enforcement history, Underwood’s office said. “We are pleased to see this matter resolved and remain wholly committed to protecting children’s privacy online,” an Oath spokesperson said.