Disagree with this post from @jdp23 on the #WPA. It's useful to consider the @WIRED report of Muslim prayer apps sharing location w/ICE - I agree, if this wouldn't be stopped, what's the point of a privacy law, right? But I think it would be (or could be). Here's why. 1/ https://twitter.com/jdp23/status/1353827709768482817
First the liability standard in Sec. 110. #WPA doesn't hold companies liable for the misdeeds of future controllers after data has been lawfully transferred and is out of their hands (a good thing). However, the data has to have been processed & transferred *lawfully.* 2/
(here's the current language) 3/
This is where consent and other obligations in #WPA could be very powerful. In order to collect precise location data (+ any other data if it's a Muslim prayer app, presumably) the app must get consent for each purpose. 4/
#WPA (because of similarity to #GDPR) probably would not allow #consentbundling, e.g.: "Please consent to sharing location so we can give you sunrise/sunset times, and oh btw we also share it with partners for personalized ads." Each purpose would require separate consent. 5/
(Right away that's a major industry-wide impact: right now, apps get opt-in permission for location through iOS/Android, but usually they "bundle" it - i.e. don't let users accept/reject the different purposes for which it will be used, if they disclose extra purposes at all.) 6/
But, let's assume a small % of users do give consent to location being shared for advertising because the app gives enough info and makes it sound good (localized ads, discounts, etc.) without running afoul of #WPA's anti-Dark Patterns rule(!). What then? 7/
The DMP, SSP, or other third party would then possess sensitive data they received for a narrowly defined purpose (ads, or maybe something like "location intelligence" e.g. transportation planning). If ads, likely it gets processed by numerous entities in an #RTB auction. 8/
Anyone in the ads ecosystem would be restricted to that purpose - i.e. serving the ad, and basic measurement & attribution. Sharing with hedge funds, insurance companies, ICE, law enforcement, or anyone else would be incompatible (illegal). 9/
(side note: a motivated AG could perhaps make a case for #RTB or extensive profiling to be an incompatible secondary use even within the scope of 'serving personalized ads' - but that's analysis for another day) 10/
Thus IMO it's clear under #WPA what happens to most downstream location entities: 1) they see a major ⬇️⬇️⬇️ in supply (from fewer ppl consenting); & 2) are still subject to the same minimization, purpose limits, security, retention etc. limits. Any violator could be held liable. 11/
As for the #WPA right to cure (Sec. 210) - this wouldn't let companies off the hook either. Right to cure requires the AG to issue a 30-day warning letter prior to bringing actions. This is super helpful for things that are, in fact, easy to fix, for example... 12/
... posting an opt-out link, or complying w/access requests. However, it's important to recognize that some things cannot be cured. Best example is a data breach resulting from poor security that puts people at permanent ⬆️ risk of ID theft. In these cases, AG retains full powers. 13/
It's subject to interpretation, but IMO the collection of sensitive data without consent - and certainly any widespread use/sharing/profiting from it - is, itself, a dignitary or rights-based violation, and cannot be cured. (Of course, guidance would help here.) 14/
(I defer to civil rights experts on the interesting wrinkle about discrimination "on the basis" of religion - but agree in most cases probably not applicable to what we're describing). 15/
Wrapping up... #WPA isn't a panacea... but it's cool to see a US law modeled on #GDPR; protections it does have, esp. for location/sensitive data, are strong; & concerns about loopholes strike me as non-issues... (in contrast to say, differences in policy goals for enforcement). 16/
However, I do think the case study approach is useful. It's the right question to ask: would this law address specific ongoing, egregious privacy violations that fall outside the reach of #CCPA and other US law? Or not? 17/17
You can follow @staceygraydc.