Privacy Beat

Your weekly privacy news update.

GDPR turns 1!

The infant hit its first birthday this week, and how is its world changing?  A year ago the European General Data Protection Regulation took effect. This week you can learn that the U.S. Senate is paying attention to baby GDPR, and states like Massachusetts and California are readying  siblings. Big companies like Apple, Google and Microsoft are watching and responding to the infant warily and regulators in Ireland are starting to test the baby’s strength. This week, on the Privacy Beat.

1. Key AdTech Inventor Says Consumers Need Protection As Senate Panel Probes Privacy and Competition

The inventor of real-time bidding (RTB) and other online ad tech has told a U.S. Senate committee that it’s time to give consumers a bill of rights to protect their personal data and make it portable.

“I think you can draft that user agreement,” Brian O’Kelley, founder and former CEO of AppNexus Inc., testified to the Senate Judiciary Committee during an April 22 hearing, “Understanding the Digital Advertising Ecosystem and the Impact of Data Privacy and Competition Policy.”

O’Kelley said that RTB initially created a “virtuous cycle” for advertisers and publishers, who adopted programmatic advertising and fueled explosive growth of his company until 2016. Then, he said, behaviors by Google which he claimed were anticompetitive cost AppNexus business and prompted its 2018 sale to AT&T. As for Google and Facebook, O’Kelley testified: “Either break them up, or force them to act fairly,” commenting later in the hearing: “I had to sell my company. I couldn’t wait for that.” He said Google used its bundled services to “unfairly attack my startup and cripple our growth.”

Unlike earlier congressional hearings, the questions from senators were generally thoughtful, revealing of some knowledge of how Internet advertising works, and were notably nonpartisan. Members from both parties spoke of recognizing digital privacy as an important issue for which they seek legislative action soon. Other key points in the hearing:

  • Behavioral targeted based not on real-time bidding but rather on first-party data should not be considered inherently bad, argued witness Johnny Ryan, of Brave Inc., the browser maker tha seeks to have users store their data within their browser and selectively release it. 
  • Back-and-forth discussion about why there is no subscription alternative to Facebook.  There is, one person argued — LinkedIn.  Others debated whether marketers will pay for consumer data.  Conclusion: Eventually the premise will be tested. 

Sen. Lindsey O. Graham, R-S.C., committee chairman, declared that the issue of “federal pre-emption” – the notion that federal law should supersede state law on matters of consumer online privacy. He asked the five witnesses – two academics, two industry experts and a lawyer – if they believed federal law should dominate.   Three did not respond, indicating assent.

“Let me suggest an exception, Mr. Chairman,’ responded Ryan. “And that is if the California Consumer Privacy Act and the Vermont law and so on – if these things are floors, it’s fine, but if pre-emption is to undermine [them] the that’s a problem.”

“I would say as long as it gets the job done then that’s right,” responded witness Fiona M. Scott Morton, a Yale University professor and former chief economist for the antitrust division of the U.S. Justice Department. She added: “The states are going to want to regulate more if the federal law doesn’t protect consumers.”  


2.  Apple Outlines Plan for Privacy-Preserving Ad Click Attribution

What it Is: Apple has announced a new feature for Safari that will stop ads from tracking you across the web. They say that advertisers will still be able to measure the effectiveness of ad campaigns without compromising user privacy.

Why it matters:  The browser becomes a middleman of sorts, preventing data exchange directly between sites. The technique will create a time delay between relaying conversion data back to ad providers and will make it a lot more difficult to track individual users across the web. 

And/But: Apple is also pushing the technology as a standard to the World Wide Web Consortium so that other browsers can implement. The question is if it will take off, as other Do Not Track technology has failed to be honored by publishers. Also, how are adtech giants going to react to being cut off from data?

For more:

3. Proposed Massachusetts Law Allowing Up to $750 per Consumer for Online Privacy Violations Seen As Troublesome by Law Firm

A proposed online privacy bill sitting in committee in the Massachusetts Legislature was described this week by a key law firm as setting a high bar for a so-called “private right of action.” The bill, (S.120) introduced by the Democratic majority leader of the Massachusetts Senate, Cynthia Stone Creem,  (who represents three of the wealthiest suburbs of Boston) would allow $750 per person, plus attorney’s fees and costs, for a privacy-law violation, no matter whether it is unintentional.

Silicon Valley companies are fighting in California to reduce or eliminate the opportunity of individuals — acting alone or represented in a class action — from suing over privacy violations on the grounds that it would impose unreasonable defense costs on them.  At the same time, California’s attorney general is warning that he may not have enough staff to effectively enforce the California Consumer Privacy Act if only he and other regulators are permitted to commence litigation. At the same time, industry lobbyists in Washington, D.C., are trying to make sure a “private right of action” is not included in federal law.  Thus a conflict with Massachusetts law, if enacted, could emerge.

“Based on these key provisions, it is difficult to overstate the magnitude of class-action litigation risk the proposed law may create for businesses collecting data from Massachusetts consumers,” write three attorneys with the Portland, Maine-based law firm of Pierce Atwood LLP.  As proposed, they write, S.120 would apply to for-profit businesses that collect personal information from Massachusetts consumers if they either have annual gross revenues over $10 million or derive more than 50% of annual revenues from third-party disclosures of consumer information. It defines personal information as “any information relating to an identified or identifiable consumer” and any other information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or the consumer’s device.” It includes “DNA, palm and vein patterns, voice recordings, keystroke rhythms, gait patterns, and sleep, health or exercise data that contains identifying information,” write attorneys Peter G. Guffin, Don Frederico, and Melanie A. Conroy.

Collectively, the authors say this definition of personal information is broader than even the strict the Illinois Biometric Information Privacy Act, (BIPA) which becomes effective Jan. 1, 2020, on the same date as the California Consumer Privacy Act. (CCPA).  It provides exceptions for things like clinical trials, news-gathering protected by the First Amendment, aggregated information from which individual consumer identities have been removed (and can’t be re-identified or linked to an individual), and compliance with legal proceedings and obligations.

For More:

4. San Francisco-based Quantcast Under GDPR Investigation for Breach of Privacy

What it is: Adtech company Quantcast is currently being investigated by the Irish Data Protection Commission (DPC). This comes after a November 2018 breach of privacy complaint by Privacy International with the European data protection authorities. The complaint cited the practices of 7 major companies (Quantcast, Acxiom, Oracle, Citreo, Tapad, Equifax, Experian).

Why it Matters: Quantcast and others work together to build detailed profiles of web consumers in order to serve ads. Quantcast uses AI and tracking technology across approximately 100 million websites and cross referenced with data from credit reporting agencies and data brokers.

And/But: The investigation calls into question transparency in practices for capturing user consent and marks a turning point in that regulators are beginning to go after non-consumer facing companies.

For More:

5. Google Tracking Purchase History Through Gmail

What it is: CNBC reported this week on Google’s detailed tracking of purchase history through Gmail. Google says that they don’t use the data to serve ads, only to “help you easily view and keep track of your purchases, bookings and subscriptions in one place.” 

Why it matters: While Google says in their privacy policy that only you can view your purchases, it also says that “Information about your orders may also be saved with your activity in other Google services.” When CNBC reporters attempted to follow instructions for turning off the tracking, they found it didn’t work in entirety.

And/But: Being that most consumers don’t know about this feature and it is difficult to turn off or delete data, transparency is called into question. They only way to remove the data is to delete each individual purchase receipt email. You can view what they have on you using this link:

For more:


A year after GDPR, mobile notifications are up, location sharing is down:

Microsoft details what it wants in a federal privacy law.

Microsoft deputy general counsel Julie Brill posted on Monday: “the ever-growing number of people using our privacy dashboard is a clear sign that people want to be empowered to control their data.” Her post details what Microsoft would want in a U.S. federal privacy law.

Business Roundtable tech policy wonk Denise Zheng tells CNBC that “opt-in” banners can hurt the user experience. She says industry supports much of GDPR on transparency, correction, deletion and data access but wants a global privacy framework not a “patchwork.”

DigiDay’s Jessica Davies talked to folks in the advertising industry this week and says some are worried that the slow ramp-up in enforcement of GDPR has lulled them into complacency. “What is absolutely significant — and the GDPR roll-out was part of it — is there is now global not just European attention on the intersection between their [Google’s] dominance as an advertising business and the rules they play by for their use of data,” Jason Kint, CEO of U.S. publisher trade body Digital Content Next, told Davies. “The data policy and competition policy is now a global discussion. That is by far the most material change.”

Verge columnist Nilay Patel sees AT&T as positioning itself for what he terms “a terrifying vision of permanent surveillance” through ad tracking and data collection:

FTC joins calls for national privacy law.

Forbes breaks down the next wave of privacy changes.

Like what you see? Then recommend to a friend.




Copyright © *|CURRENT_YEAR|* *|LIST:COMPANY|*, All rights reserved.

Our mailing address is:

Want to change how you receive these emails?
You can update your preferences or unsubscribe from this list.