Harry Chambers of OneTrust gave a far-reaching overview of the worldwide state of privacy legislation this morning. Chambers covered a ton of topics, but I’m going to focus on proposed changes to the California Invasion of Privacy Act, or CIPA.
“CIPA was originally enacted in 1967 to combat traditional wiretapping and eavesdropping, primarily in the context of telephone communications. It was never designed to address the complexities of the digital age or regulate how businesses track user interactions on the internet.”
But that didn’t stop the lawyers. As Chambers noted, a ton of lawsuits tried to apply 1967 law to modern use cases, including (Fisher Phillips) “routine website technologies such as cookies, pixels, search bar/form, chatbots, and session replay tools.”
Heck, back in 1967 cookies made you high. Whoops, that’s brownies.
You can imagine how California technology businesses felt about this. Chatbots as illegal wiretapping? Ouch.
Enter California SB 690 to stop what Fisher Phillips called a “shakedown” (settle or you’ll go to court). It proposed to align CIPA with the “commercial business purposes” definition under CCPA as amended.
On June 3, the California Senate unanimously approved SB 690.
But submission to the California Assembly is delayed:
“On July 2, the author of SB 690, State Senator Anna Caballero (D-14), announced she was pausing SB 690, holding it in the Assembly until at least 2026. Caballero cited ‘outstanding concerns around consumer privacy,’ and acknowledged continued opposition from consumer privacy advocates and attorneys’ groups.”
So the lawsuits can continue until morale improves.
If you ignore what Yves-Alexandre de Montjoye et al. said about the validity of 12 fingerprint minutiae points in their 2013 study (cited in phys.org), their conclusions about cell phone locations deserve consideration.
“By analyzing 15 months of cell phone mobility data from 1.5 million people, researchers have found that only four spatio-temporal points (an individual’s approximate whereabouts at the approximate time when they’re using their cell phone) are all that’s needed to uniquely identify 95% of the individuals.”
Why?
“[T]he researchers’ data shows that just four spatio-temporal points are needed to uniquely identify the mobility trace of an individual. In other words, it’s not likely that someone else will be in the same locations as you are at four different times of day.”
And once you perform multi-factor authentication by combining geolocation with another factor, such as an address or a social media post, privacy disappears.
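The unicity measurement the quoted study describes, as an added example (not code from the study or from this post), useful for checking a location data set before it is shared: it counts how many users are the only match for k points drawn from their own trace, then repeats the count after coarsening the spatial and temporal resolution, which goes beyond the quoted passage. The traces are constructed, and the function names and the coarsening step are this example's assumptions, so the percentages it prints are not the study's figures.

```python
import random
from collections import defaultdict


def constructed_traces(n_users=2000, n_cells=60, n_hours=24, points=8, seed=1):
    """Constructed sample data: each user gets `points` distinct (cell, hour) records."""
    rng = random.Random(seed)
    traces = {}
    for uid in range(n_users):
        home = rng.randrange(n_cells)
        pts = set()
        while len(pts) < points:
            # Crude mobility model: most records fall next to a "home" cell.
            near_home = rng.random() < 0.7
            cell = (home + rng.randint(-1, 1)) % n_cells if near_home else rng.randrange(n_cells)
            pts.add((cell, rng.randrange(n_hours)))
        traces[uid] = pts
    return traces


def unicity(traces, k, seed=0):
    """Share of users who are the only match for k points taken from their own trace."""
    index = defaultdict(set)  # (cell, hour) -> users seen there
    for uid, pts in traces.items():
        for p in pts:
            index[p].add(uid)
    eligible = unique = 0
    for uid, pts in traces.items():
        if len(pts) < k:
            continue  # trace too short to supply k points
        eligible += 1
        order = sorted(pts)
        # Per-user seeded shuffle: the k-point sample is a prefix of the (k+1)-point one.
        random.Random(f"{seed}:{uid}").shuffle(order)
        matches = set.intersection(*(index[p] for p in order[:k]))
        unique += matches == {uid}
    return unique / eligible if eligible else 0.0


def coarsen(traces, cell_div, hour_div):
    """Generalise resolution: merge neighbouring cells and hours into larger bins."""
    return {uid: {(c // cell_div, h // hour_div) for c, h in pts}
            for uid, pts in traces.items()}


if __name__ == "__main__":
    traces = constructed_traces()
    for k in (1, 2, 3, 4):
        print(f"k={k}: {unicity(traces, k):.1%} of users uniquely identified")
    coarse = coarsen(traces, cell_div=6, hour_div=6)
    print(f"k=4 after coarsening: {unicity(coarse, 4):.1%}")
```

Because each user's sample grows by one point as k grows, the reported share can only stay level or rise with k, which is the effect the study's four-point figure rests on.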
Perhaps you’ve heard the joke about an anonymous survey managed by a company’s personnel department. In the joke, one employee received two emails:
The first was from HR, announcing the anonymous survey.
The second was from the employee’s supervisor, reporting that HR says that the employee is the only person who hasn’t completed the “anonymous” survey.
But maybe it’s not a joke.
Is the zero knowledge/World dream of one unique identity per person actually a curse? According to Biometric Update, Vitalik Buterin of Ethereum fame claims it REMOVES privacy.
“[U]nder one-per-person ID, even if ZK-wrapped, we risk coming closer to a world where all of your activity must de-facto be under a single public identity….
“[T]here can’t be an easily legible hard limit on how many identities you can easily get. If you can only have one identity, you do not have pseudonymity, and you can be coerced into revealing it.”
Buterin believes multiple identities, managed separately, provide concurrent identity and privacy.
Biometric marketing leaders already know that I’ve talked about reader personas to death. But what about WRITER personas? And what happens when you try to address ALL the reader and writer personas?
Reader personas
While there are drawbacks to using personas, they are useful in both content marketing and proposal work when you want to tailor your words to resonate with particular types of readers (target audiences, or hungry people).
I still love my example from 2021 in which a mythical Request for Proposal (RFP) was issued by my hometown of Ontario, California for an Automated Biometric Identification System (ABIS). The proposal manager had to bear the following target audiences (hungry people) in mind for different parts of the proposal.
The field investigators who run across biometric evidence at the scene of a crime, such as a knife with a fingerprint on it or a video feed showing someone breaking into a liquor store.
The examiners who look at crime scene evidence and use it to identify individuals.
The people who capture biometrics from arrested individuals at livescan stations.
The information technologies (IT) people who are responsible for ensuring that Ontario, California’s biometric data is sent to San Bernardino County, the state of California, perhaps other systems such as the Western Identification Network, and the Federal Bureau of Investigation.
The purchasing agent who has to make sure that all of Ontario’s purchases comply with purchasing laws and regulations.
The privacy advocate who needs to ensure that the biometric data complies with state and national privacy laws.
The mayor (Paul Leon back in 2021, and still in 2025), who has to deal with angry citizens asking why their catalytic converters are being stolen from their vehicles, and demanding to know what the mayor is doing about it.
Probably a dozen other stakeholders that I haven’t talked about yet, but who are influenced by the city’s purchasing decision.
Writer personas
But who is actually writing the text to address these different types of readers?
Now in this case I’m not talking about archetypes (a topic in itself), but about the roles of the subject matter experts who write or help write the content.
I am currently working on some internal content for a Bredemarket biometric client. I can’t reveal what type of content, but it’s a variant of one of the 22 types of content I’ve previously addressed. A 23rd type, I guess.
But what would happen if someone in a role other than product marketing consultant wrote this content?
An engineer would emphasize different things. Maybe a focus on the APIs.
A finance manager would emphasize different things. Maybe an ROI focus.
A salesperson may focus on different things. Maybe qualification of a prospect. Or eventually conversion.
So the final content is not only shaped by the reader, but by the writer.
You can’t please everyone so you’ve got to please yourself
With all the different reader and writer personas, how should you respond?
Do all the things?
Perhaps you can address everyone in a 500 page proposal, but the internal content Bredemarket is creating is less than 10 pages long.
Which is possibly already too long for MY internal target audience.
So I will NOT create the internal content that addresses the needs of EVERY reader and writer persona.
Which is one truth about (reader) personas in general. If you need to address three personas, it’s more effective to create 3 separate pieces than a single one.
Which is what I’m doing in another project for this same Bredemarket biometric client, this one customer-facing.
And the content targeted to latent examiners won’t mention the needs of Paul Leon.
In which I address the marketing leader reader persona
So now I, the biometric product marketing expert writer persona, will re-address you, the biometric marketing leader reader persona.
You need content, or proposal content.
But maybe you’re not getting it because your existing staff is overwhelmed.
So you’re delaying content creation or proposal responses, or just plain not doing it. And letting opportunities slip through your fingers.
People can use forged government identities to scare you, rob you, or kill you. How can you protect yourself from fake law enforcement officers, or fake ICE agents? And how can police agencies and ICE protect THEMSELVES from these fakes?
I’ve already shared the story of the person driving around Delaware with flashing lights. Nothing terrible happened in that encounter, but similar impersonation encounters have been more critical.
The visitor, wearing an American flag-adorned baseball cap and a tactical vest with the words “Security Enforcement Agent,” announced the single word “Immigration,” implying that he was from Immigration and Customs Enforcement (ICE).
Several employees fled the scene, but the cashier did not and was immediately zip-tied.
So what happened next?
The so-called ICE agent took $1,000 and was gone 30 seconds later.
Vance Boelter is alleged to have shot Minnesota State Senator John Hoffman and his wife Yvette at their home, then shot and killed State Representative Melissa Hortman and her husband.
In both cases Boelter presented himself as a police officer.
“[C]all 911 from your cell phone. Tell the 911 dispatcher that you are concerned that someone…may not be a police officer.”
Of course a person in a car is generally safer than a person at the front door of a home or business, but in any case you can call 911 and ask for confirmation.
“Do not flee.”
This appears to be sound advice if the person is a real police officer. But if the employees hadn’t fled from the fake ICE officer in Philadelphia, perhaps they would have been robbed also.
“If the dispatcher cannot confirm that you are being [visited] by a police officer, stay on the line with the dispatcher, and ask for police assistance.”
Wise to get the real cops on the scene.
“Do not provide personal documents – driver’s license, insurance information or other documents – to someone who you suspect of being a police impersonator.”
No need to add identity fraud on top of everything else.
How do you know if it IS ICE?
Unfortunately, telling true ICE agents from fake ones is a little more difficult. Your local 911 dispatcher isn’t going to know if that’s a real ICE agent at your door.
5NBCDFW published some tips for those who receive an email, call, or visit from ICE. With regard to personal visits, the station offered this advice:
“ICE agents carry official badges and credentials. They may have identification cards with their name, photo and the department logo. You can ask them to show you their badge or ID.”
“If they refuse to show their identification, you are under no obligation to open the door.”
This of course is not foolproof, since anyone can print a fake business card (perhaps on their own printer, avoiding a commercial business such as the UPS Store), create a fake ID, or create a fake badge.
Challenges of identifying police officers or ICE agents
It’s a challenging identity problem. Especially since police officers may NOT be required to identify themselves. Uniformed officers are required to identify themselves in California (California Penal Code Section 830.10), but plainclothes officers obviously don’t wear badges, and California identification laws don’t apply in other states.
“Hey,” someone suggests. “Why not create a database of all the police officers and ICE agents so that they can immediately prove their authenticity?” Unfortunately, that runs into a huge privacy problem, because what happens when (not if) that database is hacked? Or if the data is intentionally leaked?
(And before you say “not my problem, those people need to be in a database,” what if it WAS your problem? In my case, what if all marketing/writing sole proprietors were required to be in a database managed by the Department of Commerce? You’d be worried if it affected YOU.)
The only way that this will change universally is when the police officers, ICE, and other agencies have to deal with impersonators. For example, if fake ICE agents cause problems for the real ones, then ICE itself will insist on positive identification of real ICE agents.
Normally these blog posts are addressed to Bredemarket’s PROSPECTS, the vendors who provide solutions that use biometrics or other technology. Such as identity proofing solutions.
But I’ve targeted this post for another audience, the organizations that BUY biometrics and technology solutions such as identity proofing solutions. Who knows? Perhaps they can use Bredemarket’s content-proposal-analysis services also. Later I will explain why you should use Bredemarket, and how you can use Bredemarket.
So if you are with an organization that SELLS identity proofing solutions, you can stop reading now. You don’t want to know what I am about to tell your prospects…or do you?
When you buy an identity proofing solution, you take on many responsibilities. While your vendor may be able to help, the ultimate responsibility remains with you.
Here are some questions you must answer:
What are your business goals for the project? Do you want to confirm 99.9% of all identities? Do you want to reduce fraudulent charges below $10 million? How will you measure this?
What are your technology goals for the project? What is your desired balance between false positives and false negatives? How will you measure this?
How will the project achieve legal compliance? What privacy requirements apply to your end users—even if they live outside your legal jurisdiction? Are you obtaining the required consents? Can you delete end user data upon request? Are you prepared if an Illinois lawyer sues you? Do you like prison food?
A new Government Accountability Office (GAO) audit found the Internal Revenue Service (IRS) has not exercised sufficient oversight of its digital identity-proofing program…
As many of you know, the IRS’ identity proofing vendor is ID.me. The GAO didn’t find any fault with ID.me. And frankly, it couldn’t…because according to the GAO, the IRS’ management of ID.me was found to be deficient.
“IRS was unable to show it had measurable goals and objectives for the program. IRS receives performance data from the vendor but did not show it independently identified outcomes it is seeking. IRS also has not shown documented procedures to routinely evaluate credential service providers’ performance. Without stronger performance reviews, IRS is hindered in its ability to take corrective actions as needed.
“ID.me acknowledges that its identity-proofing process involves the use of artificial intelligence (AI) technologies. However, IRS has not documented these uses in its AI inventory or taken steps to comply with its own AI oversight policies. Doing so would provide greater assurance that taxpayers’ rights are protected and that the technologies are accurate, reliable, effective, and transparent.”
You would think the IRS had a process for this…but apparently it doesn’t.
Dead on arrival (DOA).
But I’m not the IRS!
I’ll grant that you’re not the IRS. But is your identity proofing program management better…or worse?
Do you know what questions to ask?
Let Bredemarket ask you some questions. Perhaps these can help you create relevant external and internal content (I’ve created over 22 types of content), manage an RFP proposal process, or analyze your industry, company, or competitors.
Normally when states adopt a new technology, one state will first adopt it, followed by other states, until eventually all states adopt it. (Take REAL ID.)
It’s rare that a state adopts an emerging technology and then trashes it.
“The Florida Smart ID applications will be updated and improved by a new vendor. At this time, the Florida Department of Highway Safety and Motor Vehicles is removing the current Florida Smart ID application from the app store. Please email FloridaSmartID@flhsmv.gov to receive notification of future availability.”
This year
But hey, I’m sure Florida is working behind the scenes to develop a new mDL. After all, digital identity remains a federal priority.
“At the forefront of the Trump administration’s cybersecurity shift is the categorical removal of Biden-era digital identity initiatives which had encouraged federal agencies to accept digital identity documents to access public benefit programs and promoted federal grants to help states develop secure mobile driver’s licenses.”
But if states aren’t receiving federal funding to develop mDLs, and if states decide that only physical driver’s licenses are in their interest, then will mDL adoption slow?
Or may other states follow Florida’s lead and let their contracts with mDL vendors expire?
I have observed that we are living in a time of uncertainty, in which surprises happen every day.
This week has been no exception. As I type this, Donald Trump and Elon Musk are feuding, with accusations of pedophilia leveled against Trump, threats to yank the government contracts of Musk, and who knows what all. Just a typical week in Washington.
But that’s nothing compared to the shocking news I learned Friday morning.
Sit down and don’t bother to bring out your CHF wallet
It’s not shocking that ISO has published a standard. It does this all the time.
It’s also not shocking that ISO published a standard on consent. Consent is required by many privacy regulations, and therefore a standard information structure for consent requests is beneficial throughout the European Union, California, Illinois, and elsewhere.
“This document builds upon ISO/IEC 29184 by addressing the concept of giving the PII principal a record for their own recordkeeping, which includes information about the PII processing agreement and interaction. We call this record the “consent receipt”.
“This document specifies a structure that is used by both principals in consent management: namely a specification for data to be held by the organization to allow record-keeping with good integrity (subject to the defined controls), and an artefact (the “consent receipt”) that is given to the individual whose PII is being processed.”
No, none of this is the shocking part. I’ll let Chris Burt reveal the surprise, but please sit down before you read this. Emphasis mine.
“The International Standards Organization has published a standard for obtaining and recording consent, as is necessary to legally use people’s biometric data in a number of jurisdictions, and is making it available for free.”
Yes, you read that correctly. FREE. As in ZERO CHF.
ISO doesn’t normally give standards away, but there’s an exception for this one.
As a result, I have “purchased” this ISO standard—the first one that Bredemarket has ever owned.
You know the razor and blades business model, where you can buy the razor very cheaply, and then you spend a lot of money over the years buying the blades.
Of course, this business model also applies to other complementary products, such as game consoles and video games, and printers and ink.
Ink as a Service
And companies can extend the business model. Rather than buying individual razor blades, video games, and ink cartridges, you can obtain the complementary products “as a Service.”
“HP Instant Ink is the hassle-free, money-saving ink subscription service that automatically delivers ink only when you’re running low. Plans start at $1.79 a month.”
Of course that price assumes you only print 10 pages a month, but whatever.
I won’t dwell on the specifics of the plan (charging by the page rather than the ink used, reducing your privacy by letting HP and whoever else know when you print 900 pages, etc.).
Vendor benefits from as a Service
But I will note that HP Instant Ink has the same vendor advantage as any other “as a Service” offering:
Increased customer lock-in.
I will speak from my own experience.
When my company sold on-premise solutions to government agencies, they paid from their capital budget and the contract was for a fixed term. After 5 or 7 years or whatever when the contract term expired, the agency’s hardware would be antiquated and it would have to go out to bid again.
Later, when my company sold cloud solutions, there was more budgetary flexibility. Some agencies didn’t have to use capital funds; this was a service, after all. And if the vendor was really fortunate, there was no contract term limit either, so the agency could stay with the vendor forever. Obsolescence wasn’t an issue because Amazon or Microsoft took care of that behind the scenes.
HP Instant Ink isn’t a perfect parallel, since it doesn’t include obsolete printer replacement. (But it could.) But the Ink as a Service (IaaS) offering certainly helps lock you in to HP…and to using HP ink rather than third-party ink.
And it’s yet another move from people owning things to people licensing things.
But if it provides a benefit (HP Instant Ink claims “up to” 50% cost savings), then it may be worthwhile.