PRIVACY BEAT: Aspects of third-party ad-tech data sharing could likely be forbidden under CCPA unless user is offered “opt-out,” attorney says

1.  Aspects of third-party ad-tech data sharing could likely be forbidden under CCPA unless user is offered “opt-out,” attorney says

Brands are “past the denial stage” and realize GDPR and CCPA privacy restraints represent a fundamental shakeup in the way advertising will work on the web — including changes in some approaches to third-party data sharing, says an experienced DC privacy lawyer.

“Certain applications of ad-tech are going to be considered ‘sales’ under GDPR, most ad tech will be considered sales, the point being that it is not prohibited, but you have to offer an opt-out,” says Brett E. Cohen, who leads the tech-privacy practice at the firm of Hogan Lovells International LLP.

Cohen fielded questions on Wednesday from several hundred clients and other participants in a webinar entitled, “Operationalizing the California Consumer Privacy Act (CCPA).”

A publisher website that carries programmatic advertising may have responsibility for advising users of each of  ad network that is acquiring, through cookies, personal information about the user if the ad network is then going to “sell” it.  The publisher might have to ensure the user is presented with an opportunity to “opt out” of such use. But Cohen says the situations will be fact-specific and it is difficult to generalize.

“But models are going to have to change,” Cohen says. “I think there are also lots of other marketing initiatives news organizations have undertaken that don’t rise to the level of ad-tech – like connectivity to social media and things like that – that will be impacted.”

BACKGROUND: How the CCPA defines sale and personal information.

Among amendments positioned to pass the California Legislature this summer or in early fall is AB 1355, which clarifies that personal information that has been “de-identified” and used in the aggregate does not require the offering of an opt-out, says Cohen. “But if you are targetting individuals it is hard to argue it is not covered.”

AB1355 removes from the definition of  personal information “consumer information that is deidentified or in the aggregate consumer information.”  The effect of the provision would be to exempt from regulation such aggregate deidentified information. The act defines “deidentified” as information “that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer, provided the data’s controller “has implemented technical safeguards that prohibit reidentification of the consumer…implemented business processes that specifically prohibit reidentification…[and has] business processes to prevent inadvertent release of de-identified information…[and] makes no attempt to reidentify the information.”

RELATED LINK:

A slide-show guide to the CCPA by  Stacey Brandenburg, an attorney with ZwillGen in Washington, D.C.

2. Major publisher group DCN says “sky won’t fall” if RTB switches to non-personal data; calls for evolution from status quo

The head of the biggest group that represents digital operations of major U.S. publishers says not to heed the “sky is falling” message from ad-tech companies and turn instead to “evolving” from the status quo of real-time bidding.

“Ad market is unhealthy, lots of challenges,” Jason Kint wrote in a “Tweet” posted on June 19. “Trust is eroding, both consumers and publishers. Enforced GDPR helps, especially against G and FB. Don’t believe ad-tech lobby, the sky won’t fall. Fighting for status quo, only makes worse. Evolve.”

Kint’s Tweet came after the browser maker Brave made public a June 17-dated letter sent by Kint to Brave’s London-based lawyers who are pursuing the company’s adtech complaint against Google for alleged violations of the GDPR. LETTER FULL TEXT. The letter offers a thorough overview of the operation of real-time bidding — how it handles user data, how ad revenues are diverted from publishers to ad-tech and fraud, and why publishers can’t easily act individually.

“It is important to note that reducing the amount of personal data in RTB requests would not lead to the demise of the digital advertising marketplace,” Kint’s letter says. “If less personal data were available for behaviorally targeted advertising, advertisers would rely on other ways of tailor advertising, which could include the type of content on the website or app or privacy-friendly methods of developing audience segments which do not rely on tracking across multiple contexts through data leakage to third parties.”

3. A Wall Street Journal story suggests Google and FB are big current winners because of first-party data

Two Wall Street Journal reporters have surveyed advertising agencies and others watching the European digital advertising marketplace and their reporting seems to confirm that Google and Facebook’s dominance has surged as a result of GDPR. The reason: Their direct, first-party relationship with millions of users.

In the June 17 article headlined, “GDPR Has Been a Boon for Google and Facebook,” they quote Mark Read, CEO of advertising giant WPP PLC: “GDPR has tended to hand power to the big platforms because they have the ability to collect and process the data…[it has] entrenched the interests of the incumbent, and made it harder for smaller ad-tech companies, who ironically tend to be European.”

But academic researcher Alessandro Acquisti of Carnegie Mellon University, told the WSJ that over the long term it is not clear who will benefit, because the level and nature of enforcement of GDPR and CCPA is still subject to interpretation, regulation, and litigation. Tough enforcement might hurt Google and Facebook, he said.

Facebook COO Sheryl Sandberg confirmed at a February conference that GDPR has made things easier for big companies “to put in place things that adhere to regulation,” the article says.

“Anecdotally, Facebook and Google benefited, and what we see in the data reinforces that,” the paper quoted Brian Wieser, strategy chief at WPP’s media-agency conglomerate GroupM, as saying.

Cosmetics company L’Oreal SA’s chief digital officer, Lubomira Rochet,  told the WSJ they have decided to focus spending on Google, Facebook, and Amazon.com Inc. because “those guys have the capabilities to really treat the data in the way that it should be treated.”

4. Two ex-Apple engineers offer data-privacy certification regime for applications to supplement privacy policies

Two former Apple engineers went public this week with OpenlyOperated.org, a plan to rally support for a data-privacy certification service, envisioning that someday users will check the “privacy rating” of an app before downloading it.

Co-founding engineers Johnny Lin and Rahul Dewan are considered whether the project should be housed in a for-profit or not-for-profit entity. So far, they have been funding their prototype with proceeds from an unrelated for-profit security application, Lin says, since both left Apple after about two years. Lin was concerned about apps and privacy.

“Our primary goal right now is to get people to recognize the problem and teach them they can’t rely on aesthetics, or even a privacy policy alone,” Lin said in a telephone interview from his San Francisco home/office.  “You need full, verifiable transparency.” Lin’s undergraduate computer-science degree is from Brown University; his partner has CS degrees from Georgia Tech and Stanford Univ. They met at Apple.

“We built this website, the entire specification, and we want this to be free and open for a long time,” said Lin. “We want it to be understandable for people.”  Lin is hoping mainstream media will report on their initiative. So far, The Verge has run a story:

“Openly Operated is a set of guidelines for auditing how apps and web services deal with user data, like a combination of a report card and a seal of approval. But it’s also a bid to change the terms of the privacy debate — as Lin puts it, to get past the sense that when ordinary users think about privacy, they figure “I’m screwed anyway, so why should I care?”

Writing on June 17 in a Medium post, “Why You Can’t Trust Apps Today — And How to Fix It,”  the duo describes how applications hijack personal data without disclosure to the user. They argue for creating a public marketplace for “trust through transparency” so that developers will have an incentive to create privacy-respecting applications:

• An app should fulfill specific, auditable requirements for full transparency, including references to source code infrastructure that prove privacy or security claims, and adherence to an “identity operation.”

• Posting in public of an “Openly Operated” audit kit that anyone can publicly view and verify.

• Matching of the developer with independent auditors who verify the Audit Kit to produce audit reports detailing their verifications and providing a summary.

5. Brave browser spokesman seeks federal law at least as tough as California; says RTB isn’t legal in Europe and NYT makes more money not using it

The current “black box” real-time bidding ad-tech system is now illegal in Europe, commodifies publishers’ users and diverts billions of dollars of advertising spending from their websites and into the hands of criminals, says an executive of Brave, the alternate web-browser maker.

Johnny Ryan’s assertions are contained in a lengthy written testimony filed with a U.S. Senate Judiciary subcommittee in response to questions from lawmakers. In the testimony, Ryan says real-time bidding (RTB) is a “dysfunctional market” and can’t comply with the EU’s GDPR. (Brave is pursuing an alternative model in which user data is stored in the browser that decides – within the browser — which ads to show to a consumer.)

Ryan, speaking for Brave, says a federal law of an equal or higher standard than state laws is necessary to restore trust and protect the online industry in the United States. It should use definitions common to those used in the GDPR, he says.

The testimony is complete with data and diagrams and footnotes.  It shows what Ryan says are the current system’s failings and, by inference but not stated, the value of Brave’s approach. His testimony calls for the Interactive Advertising Bureau (IAB) and Google to put an end to “hundreds of billions of broadcasts every day” of individual-user profile data via RTB.

“Monopsony/cartel practices in the €19.55 billion ‘programmatic online behavioral advertising’ market disadvantage publishers,” Ryan’s testimony states. “A publisher loses the ability to monetize its unique audience, and pay enormous—and generally opaque—percentages to distribution intermediaries when selling its ad space.”

Answering questions from U.S. Sen. Patrick Leahy, D-Vt., Ryan provided a set of suggestions for language in a proposed federal law governing use of personal data. And among assertions made by Ryan in his written testimony:

• The French data protection authority has ruled Google’s approach to consent in Europe doesn’t comply with GDPR. Google is appealing.

• When The New York Times decided in early 2019 to end RTB-style bidding on its web pages seen in Europe, the paper saw an increase in ad revenue rather than a decline.

• The IAB’s  “Transparency and Consent Framework” for ad-serving does not comply with the EU’s GDPR, although it has become a de facto” standard.  He asserts that with real-time bidding, it is not technically possible for a user to give “granular” real-time consent to all the bidders for use of data.

• The GDPR, if enforced, will seek to prevent big-data companies like Facebook or Google from acquiring user data within one business for one purpose and then transferring to subsidiaries for another purpose.  This will benefit competitors, Ryan asserts. “Brave does not compete with Facebook, WhatsApp, or Instagram for users,” Ryan writes. “However, as a general point, the problem of cascading monopolies is a real one, and purpose limitation should be enforced to create a level playing field for all companies, and to empower users with the freedom to decide what services they choose to reward with their data.”

• Answering a question from U.S. Sen. Corey Booker, D-N.J., Ryan said the cartel-like operation of the adtech sector forces publishers to agree to use unique identifiers in RTB bid requests “that enable companies that receive these to turn each publishers’ unique audience into a commodity that can be targeted at cheaper sites and apps. This strips a reputable publisher of their most essential asset.”

• The GDPR is merely a codification, with tougher enforcement provisions, of the 1995 EU Data Protection Directive.  Therefore, companies asserting compliance difficult or confusion are not looking at history, says Ryan.