Hello all, and happy Thursday!
August 3, 2021
In this week's Privacy Insider, I share the story that Amazon has expanded its biometric palm print plan. Now, at Amazon stores across the U.S., you can pay for your purchases by holding your palm over a scanner. To do this, you must first take a scan of your palm and upload it to your Amazon account. But if you do, Amazon will give you $10 toward an Amazon purchase.
When I read this story, my heart dropped. I immediately thought of my close friend who is disabled, forever unemployed as a result and utterly broke. A couple of weeks ago, he decided to try and make some quick cash by selling his blood plasma. His blood pressure was too high, given the stress of his current reality, and the clinic sent him away untapped. But he was willing to sell his body fluid, his very DNA, to get $100 in return. Hey, he's in a corner.
Now that Amazon is offering $10 for some of the most sensitive data we own, the unique coding of our very hand, who will take that deal?
I'm sadly a privacy geek, so I immediately know the risks of entering into that agreement. What if Amazon sells that data to their partners or vendors? What if the U.S. government comes knocking for it? What if hackers steal it?
But the average consumer probably isn't thinking about those risks, especially if they're struggling financially. A $10 coupon might mean they can order a cheap blanket or some baby wipes or a book.
And that means Amazon's strategy could set us up for a dire reality we should fight to avoid: Privacy is only for the privileged.
As I've ranted before when I talk to you about biometric data, it's so important because it's so identifying. No one shares your exact face, eye structure or palm print. They are uniquely yours. And that's a powerful acquisition for any data-hungry company to have. It's also unchangeable. If you give a company your biometric information, and then hackers breach a system and steal it, no one can issue you a new hand.
As someone financially stable, I can look at that deal and call it garbage. But what about folks who can't? What about my friend? He would absolutely upload his palm print for access to a product he needs.
In discussing this with my colleague, he pointed out that putting a money value on customer data gives the public insights as to how much their data is worth. And I agree that that's a valuable consumer tool. But it also exposes the wild inequality in the consumer-to-company relationship. The profits a company could make from precious biometric data are unknowable, mainly because those profits aren't public knowledge. But we know that the company with the most data has the most power (see recent antitrust cases asserting so), and the richer the data, the more valuable it is.
It worries me that these kinds of financial incentives are giving consumers a raw deal. It doesn't seem fair that those already struggling could feel compelled to give over an essential part of themselves in desperation. Or, if we agree that cash-for-data should be an accepted business transaction, the compensation should match the sacrifice. But that's going to take a consumer education campaign on just how much the product they're selling is worth.
How much would you charge for your data? Because it's worth more than a $10 coupon, I promise. After all, how great are you?
Enjoy reading, and I'll see you next week!
Amazon says $886 million fine is 'without merit'
Last week, Luxembourg's privacy authority (CNPD) fined Amazon $886 million, claiming it violated the EU General Data Protection Regulation (GDPR). The CNPD filed the fine with the U.S. Securities and Exchange Commission, but the specific violations are unclear. The CNPD cites Luxembourg's local laws in declining to comment on the ongoing matter. Amazon said the decision is "without merit" and that it intends to defend itself "vigorously."
Court: DSAR responses must include 'internal communications' about the data subject
Last week, Germany's highest civil court published a decision clarifying the scope of data subject access requests (DSARs) under the EU General Data Protection Regulation (GDPR), and it's broader than previously understood in the country. The court said responses to DSARs must include "previous correspondence and notes of internal processes or internal communications related to the data subject," according to Data Protection Report. Meaning: You must disclose those Slack communications and emails about the data subject, too.
Zoom agrees to $85 million settlement over alleged privacy violations
On August 2, Zoom agreed to pay $85 million to settle a lawsuit alleging it violated users' privacy. The case cited "Zoombombing," a term describing uninvited users gaining entry into a private Zoom meeting to disrupt it. During the early days of the COVID-19 lockdown, when Zoom exploded in popularity, hackers targeted businesses, online classrooms and others enough that the company stopped developing new features to fix the problem, Mashable reports.
Amazon offers users $10 to upload their palm prints as payment method
Amazon has expanded its biometric palm print scanners in its stores across the U.S., including New York, New Jersey, Maryland and Texas. Last year, the company introduced its scanner program, Amazon One, asking customers to upload their palm prints and link them to their Amazon account for $10. By connecting it to an account, "Amazon can use the data it collects, like shopping history, to target ads, offers and recommendations to you over time," TechCrunch reports.
If Apple's pro-privacy, why doesn't it support a Global Privacy Control?
Privacy advocates' call for a legally enforceable opt-out mechanism across the web is close to becoming a reality. A coalition of companies and publishers released a technical specification for a Global Privacy Control (GPC) at the browser level last year. And while the California Consumer Privacy Act doesn't specifically call for a GPC button, in his 2020 guidance on the law, the California Attorney General states that businesses must honor it. But Apple, "despite its stated (and heavily advertised) commitment to privacy, has not incorporated the global privacy control into Safari …. Nor has it built it into iOS," WIRED reports.
Google unveils plans for Play Store 'safety section'
Google has unveiled design plans for its Play Store's upcoming safety section, which will feature information about an app's data collection, privacy and security practices, The Verge reports. Developers have from October 2021 to April 2022 to describe how they do things, and the safety section will begin appearing in app descriptions in the first quarter of 2022, the report states. Google has said apps that don't comply could see their updates blocked.
The Osano staff is a diverse team of free thinkers who enjoy working as part of a distributed team with the common goal of working to make a more transparent internet. Occasionally, the team writes under the pen name of our mascot, “Penny, the Privacy Pro.”