Privacy Beat

Your weekly privacy news update.

1.  Aspects of third-party ad-tech data sharing could likely be forbidden under CCPA unless user is offered “opt-out,” attorney says

Brands are “past the denial stage” and realize GDPR and CCPA privacy restraints represent a fundamental shakeup in the way advertising will work on the web — including changes in some approaches to third-party data sharing, says an experienced DC privacy lawyer.

“Certain applications of ad-tech are going to be considered ‘sales’ under GDPR, most ad tech will be considered sales, the point being that it is not prohibited, but you have to offer an opt-out,” says Brett E. Cohen, who leads the tech-privacy practice at the firm of Hogan Lovells International LLP.

Cohen fielded questions on Wednesday from several hundred clients and other participants in a webinar entitled, “Operationalizing the California Consumer Privacy Act (CCPA).”

A publisher website that carries programmatic advertising may have responsibility for advising users of each ad network that is acquiring, through cookies, personal information about the user if the ad network is then going to “sell” it. The publisher might have to ensure the user is presented with an opportunity to “opt out” of such use. But Cohen says the situations will be fact-specific and it is difficult to generalize.

“But models are going to have to change,” Cohen says. “I think there are also lots of other marketing initiatives news organizations have undertaken that don’t rise to the level of ad-tech – like connectivity to social media and things like that – that will be impacted.”

BACKGROUND: How the CCPA defines sale and personal information.

Among amendments positioned to pass the California Legislature this summer or in early fall is AB 1355, which clarifies that personal information that has been “de-identified” and used in the aggregate does not require the offering of an opt-out, says Cohen. “But if you are targeting individuals it is hard to argue it is not covered.”

AB 1355 removes from the definition of personal information “consumer information that is deidentified or in the aggregate consumer information.” The effect of the provision would be to exempt from regulation such aggregate deidentified information. The act defines “deidentified” as information “that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer,” provided the data’s controller “has implemented technical safeguards that prohibit reidentification of the consumer…implemented business processes that specifically prohibit reidentification…[and has] business processes to prevent inadvertent release of de-identified information…[and] makes no attempt to reidentify the information.”


A slide-show guide to the CCPA by  Stacey Brandenburg, an attorney with ZwillGen in Washington, D.C.

2. Major publisher group DCN says “sky won’t fall” if RTB switches to non-personal data; calls for evolution from status quo

The head of the biggest group that represents digital operations of major U.S. publishers says not to heed the “sky is falling” message from ad-tech companies and turn instead to “evolving” from the status quo of real-time bidding.

“Ad market is unhealthy, lots of challenges,” Jason Kint wrote in a “Tweet” posted on June 19. “Trust is eroding, both consumers and publishers. Enforced GDPR helps, especially against G and FB. Don’t believe ad-tech lobby, the sky won’t fall. Fighting for status quo, only makes worse. Evolve.”

Kint’s Tweet came after the browser maker Brave made public a June 17-dated letter sent by Kint to Brave’s London-based lawyers who are pursuing the company’s adtech complaint against Google for alleged violations of the GDPR. LETTER FULL TEXT. The letter offers a thorough overview of the operation of real-time bidding — how it handles user data, how ad revenues are diverted from publishers to ad-tech and fraud, and why publishers can’t easily act individually.

“It is important to note that reducing the amount of personal data in RTB requests would not lead to the demise of the digital advertising marketplace,” Kint’s letter says. “If less personal data were available for behaviorally targeted advertising, advertisers would rely on other ways to tailor advertising, which could include the type of content on the website or app or privacy-friendly methods of developing audience segments which do not rely on tracking across multiple contexts through data leakage to third parties.”

3. A Wall Street Journal story suggests Google and FB are big current winners because of first-party data

Two Wall Street Journal reporters have surveyed advertising agencies and others watching the European digital advertising marketplace and their reporting seems to confirm that Google and Facebook’s dominance has surged as a result of GDPR. The reason: Their direct, first-party relationship with millions of users.

In the June 17 article headlined, “GDPR Has Been a Boon for Google and Facebook,” they quote Mark Read, CEO of advertising giant WPP PLC: “GDPR has tended to hand power to the big platforms because they have the ability to collect and process the data…[it has] entrenched the interests of the incumbent, and made it harder for smaller ad-tech companies, who ironically tend to be European.”

But academic researcher Alessandro Acquisti of Carnegie Mellon University told the WSJ that over the long term it is not clear who will benefit, because the level and nature of enforcement of GDPR and CCPA is still subject to interpretation, regulation, and litigation. Tough enforcement might hurt Google and Facebook, he said.

Facebook COO Sheryl Sandberg confirmed at a February conference that GDPR has made things easier for big companies “to put in place things that adhere to regulation,” the article says.

“Anecdotally, Facebook and Google benefited, and what we see in the data reinforces that,” the paper quoted Brian Wieser, strategy chief at WPP’s media-agency conglomerate GroupM, as saying.

Cosmetics company L’Oreal SA’s chief digital officer, Lubomira Rochet,  told the WSJ they have decided to focus spending on Google, Facebook, and Inc. because “those guys have the capabilities to really treat the data in the way that it should be treated.”

4. Two ex-Apple engineers offer data-privacy certification regime for applications to supplement privacy policies

Two former Apple engineers went public this week with a plan to rally support for a data-privacy certification service, envisioning that someday users will check the “privacy rating” of an app before downloading it.

Co-founding engineers Johnny Lin and Rahul Dewan are considering whether the project should be housed in a for-profit or not-for-profit entity. So far, they have been funding their prototype with proceeds from an unrelated for-profit security application, Lin says, since both left Apple after about two years. Lin was concerned about apps and privacy.

“Our primary goal right now is to get people to recognize the problem and teach them they can’t rely on aesthetics, or even a privacy policy alone,” Lin said in a telephone interview from his San Francisco home/office.  “You need full, verifiable transparency.” Lin’s undergraduate computer-science degree is from Brown University; his partner has CS degrees from Georgia Tech and Stanford Univ. They met at Apple.

“We built this website, the entire specification, and we want this to be free and open for a long time,” said Lin. “We want it to be understandable for people.”  Lin is hoping mainstream media will report on their initiative. So far, The Verge has run a story:

“Openly Operated is a set of guidelines for auditing how apps and web services deal with user data, like a combination of a report card and a seal of approval. But it’s also a bid to change the terms of the privacy debate — as Lin puts it, to get past the sense that when ordinary users think about privacy, they figure ‘I’m screwed anyway, so why should I care?’”

Writing on June 17 in a Medium post, “Why You Can’t Trust Apps Today — And How to Fix It,”  the duo describes how applications hijack personal data without disclosure to the user. They argue for creating a public marketplace for “trust through transparency” so that developers will have an incentive to create privacy-respecting applications:

5. Brave browser spokesman seeks federal law at least as tough as California; says RTB isn’t legal in Europe and NYT makes more money not using it

The current “black box” real-time bidding ad-tech system is now illegal in Europe, commodifies publishers’ users and diverts billions of dollars of advertising spending from their websites and into the hands of criminals, says an executive of Brave, the alternate web-browser maker.

Johnny Ryan’s assertions are contained in a lengthy written testimony filed with a U.S. Senate Judiciary subcommittee in response to questions from lawmakers. In the testimony, Ryan says real-time bidding (RTB) is a “dysfunctional market” and can’t comply with the EU’s GDPR. (Brave is pursuing an alternative model in which user data is stored in the browser that decides, within the browser, which ads to show to a consumer.)

Ryan, speaking for Brave, says a federal law of an equal or higher standard than state laws is necessary to restore trust and protect the online industry in the United States. It should use definitions common to those used in the GDPR, he says.

The testimony is complete with data and diagrams and footnotes.  It shows what Ryan says are the current system’s failings and, by inference but not stated, the value of Brave’s approach. His testimony calls for the Interactive Advertising Bureau (IAB) and Google to put an end to “hundreds of billions of broadcasts every day” of individual-user profile data via RTB.

“Monopsony/cartel practices in the €19.55 billion ‘programmatic online behavioral advertising’ market disadvantage publishers,” Ryan’s testimony states. “A publisher loses the ability to monetize its unique audience, and pay enormous—and generally opaque—percentages to distribution intermediaries when selling its ad space.”

Answering questions from U.S. Sen. Patrick Leahy, D-Vt., Ryan provided a set of suggestions for language in a proposed federal law governing use of personal data. And among assertions made by Ryan in his written testimony:

  • The French data protection authority has ruled Google’s approach to consent in Europe doesn’t comply with GDPR. Google is appealing.

  • When The New York Times decided in early 2019 to end RTB-style bidding on its web pages seen in Europe, the paper saw an increase in ad revenue rather than a decline.

  • The IAB’s “Transparency and Consent Framework” for ad-serving does not comply with the EU’s GDPR, although it has become a “de facto” standard. He asserts that with real-time bidding, it is not technically possible for a user to give “granular” real-time consent to all the bidders for use of data.

  • The GDPR, if enforced, will seek to prevent big-data companies like Facebook or Google from acquiring user data within one business for one purpose and then transferring to subsidiaries for another purpose.  This will benefit competitors, Ryan asserts. “Brave does not compete with Facebook, WhatsApp, or Instagram for users,” Ryan writes. “However, as a general point, the problem of cascading monopolies is a real one, and purpose limitation should be enforced to create a level playing field for all companies, and to empower users with the freedom to decide what services they choose to reward with their data.”

  • Answering a question from U.S. Sen. Cory Booker, D-N.J., Ryan said the cartel-like operation of the adtech sector forces publishers to agree to use unique identifiers in RTB bid requests “that enable companies that receive these to turn each publishers’ unique audience into a commodity that can be targeted at cheaper sites and apps. This strips a reputable publisher of their most essential asset.”

  • The GDPR is merely a codification, with tougher enforcement provisions, of the 1995 EU Data Protection Directive. Therefore, companies asserting compliance difficulty or confusion are not looking at history, says Ryan.

6. The interim way that U.S. companies have been able to use EU consumer data may get struck down in court in the fall, lawyers say

A European Union General Court case to be heard on July 1 could set in motion the disruption of a trans-Atlantic deal allowing U.S. companies to export and use data of European residents, according to an analysis by two lawyers at a Raleigh, N.C., firm.  

Saad Gul and Michael Slipsky of the law firm Poyner Spruill LLP write in “Privacy Shield Goes to Court” that the case brought by a French privacy group, La Quadrature du Net, claims that self-enforcement under Privacy Shield doesn’t work. A decision is expected in the late fall, they say. More than 4,000 U.S. companies are self-certified in the Privacy Shield program, including The Washington Post, but few other media companies.

Meanwhile, the U.S. Federal Trade Commission announced on June 14 that it had fined one company and sent warnings to a dozen others for falsely claiming participation in international privacy agreements such as Privacy Shield. It announced similar action last fall.

7. Browsers seen as now competing over privacy

Wired’s David Nield this week penned a thorough comparison of tracking-protection and other privacy options emerging in current and forthcoming versions of multiple web browsers, including those offered by Apple (Safari), Mozilla (Firefox), Ghostery, DuckDuckGo, Tor and Brave. Nield calls it “a new battleground in the browser wars: user privacy.” His piece doesn’t cover the browser that has most of the market — Google’s Chrome. We’ve noted some of these features in previous weeks of Privacy Beat.

8. Target: Surveillance capitalism, McNamee says

Veteran venture capitalist (and musician) Roger McNamee is continuing his about-face on Facebook — he was once an early investor and a Mark Zuckerberg confidante but has now written a book and is speaking out repeatedly about the company’s handling of personal data. “You have to go after what the Harvard scholar Shoshana Zuboff calls surveillance capitalism,” McNamee says in a June 14 Bloomberg Technology video interview. “The issues go to the heart of their business models, but there is no easy fix.” He said Facebook and Google “capture a data avatar, really a data voodoo doll, for each person in the population and then use that for their own gain, over the objections, or without the knowledge, of the consumer. I think that business model is extremely dangerous.”

FTC PrivacyCon 2019

On June 27, the Federal Trade Commission is holding its annual PrivacyCon, aimed at bringing together a diverse group of stakeholders, including researchers, academics, industry representatives, consumer advocates, and government regulators, to discuss the latest research and trends related to consumer privacy and data security.

“The FTC’s annual PrivacyCon event seeks to spur new research on privacy and security issues,” said Andrew Smith, Director of the FTC’s Bureau of Consumer Protection. “It helps us keep our finger on the pulse of important developments in technology, economics, and consumer privacy so that we can ground our policymaking in real data.”

PrivacyCon is free and open to the public, and will be held at the FTC’s Constitution Center Office, located at 400 7th St., SW, Washington, DC. PrivacyCon will also be webcast live.

“The GDPR provides a useful model for consent, and this model should not be judged on the basis of the unlawful consent notices deployed by the IAB, Google, Facebook and others in defiance of clear guidance from data protection regulators . . . Distribution is controlled by advertising technology companies (Google is the largest) that extract 55%-70% of every advertising dollar. Publishers of websites and apps are the sellers, but have their audiences commodified and arbitraged on low-rent sites, and suffer further from the diversion of revenue away from their sites to fake sites by ad fraud scammers. . . . The New York Times stopped broadcasting personal data in “real-time bidding” advertising auctions, because Article 5 (1) f of the GDPR forbids the broadcast of personal data without control over where the data may end up. We anticipate that a market in which all publishers make the same transition will yield far higher revenues to publishers. However, we also understand that for most publishers this is impossible to do alone.”

Johnny Ryan, spokesman for Brave browser maker, in written testimony to the U.S. Senate, June 17, 2019.


AT&T, Sprint, Verizon, T-Mobile Hit With FCC Complaint Over Sale of Phone Location Data  

Federal Agencies Need to Strengthen Online Identity Verification Processes 

Wall Street Reacting to New Regulations

Data Privacy Compliance Pushes Costs Higher

IBM Report on Vendors and Tools in the Data Security Marketplace

Facebook Data Sharing With Mobile Carriers Raises New Privacy Concerns

Best Practices for Strategic Meetings on Data Protection & Management

EU Campaigns to Raise Data Privacy Rights Awareness

FTC Releases Agenda for 4th Annual, PrivacyCon on June 27

Watchdogs Say FCC Should Stop Sale of Location Data

Opposition to Texas privacy bill

Misconceptions UK businesses have about GDPR

U.S. State Legislation Updates

The Digital Download – Alston & Bird’s Privacy & Data Security Newsletter – June 2019
