Privacy Beat

Your weekly privacy news update.

1.  Facebook quietly releases new privacy settings after Sandberg talk at Cannes

Last week at Cannes, Facebook COO Sheryl Sandberg said the company needed to be clearer on how users data is being used.  

Almost in sync, in a move toward transparency, Facebook began promoting a data-privacy educational campaign of sorts through the Axios newsletter. In the video, Facebook explains that online advertising uses the data you create on the web to target relevant ads, because “Studies show that people want to see ads that are relevant.” This is what keeps services like search engines and social media going, the video argues. Also mentioned are new legislative efforts to give people more control of their data.

While the video itself provides information that is non-specific to Facebook and doesn’t detail what changes they are making, it ends with a call to action to learn more. 

The subsequent landing page contains detailed information specific to how their ad network works, with links to manage privacy settings. They even go so far as to address the question of “Does Facebook listen to my conversations?” in their FAQs.  The privacy-setting pages are a highly granular look at what data Facebook gathers about you. After a check, these settings cannot be found yet as a regular user through the platform itself.

Upon reviewing my own ad preferences, I was able to now see how much they had right about my interests, but more importantly how much they had wrong (which was a lot). Then there was a list of 80+ advertisers, mostly 3rd party companies that I had never even heard of, who had uploaded an email list with me on it. One of the politicians on the list, who I have never given my email address to, was U.S. Rep. Joe Kennedy — someone who has touted his support for data privacy. Not to be left out, the GOP was on the list too. While not surprising, this highlights how most advertisers—even the legislators creating the laws—are complicit in profiting off the free-flowing days of user data exchange. 

While all of this feels like a step in the right direction, I’m left wondering how much trouble I want to go through correcting what Facebook has wrong about me and how the heck to get my name off these 80+ email lists? Also, when is Facebook going to promote these options more broadly?


2. EU RTB report fallout: Brave “I told you so”; IAB willing to talk about TCF modifications

Reaction to last week’s 35-page report by Britain’s top digital privacy watchdog is highlighting the GDPR’s challenge to the incumbent Real-Time Bidding service that has dominated web advertising for about a decade.  

The clear implication of the report and reactions from the IAB and its protagonist, the browser maker Brave, is that personal data sent around ultimately has to become much less personal to be legal in Europe.  And the public is becoming aware.

UK Information Commissioner Elizabeth Denham wrote in a forward that researchers “found an industry that understood it needed to make improvements to comply with our law.” She said the Information Commission Office (ICO) report found “the creation and sharing of personal data profiles about people, to the scale we’ve seen, feels disproportionate, intrusive and unfair, particularly when people are often unaware it is happening.”

One visit to a website, prompting one auction among advertisers, can result in personal data seen by hundreds of organizations, Denham says.  

The ICO commissioned Harris to undertake research into online advertising. The research documented that 63% of the 2,300 participants indicated initially they found it acceptable that ads funded free content. But when they were given an explanation of how RTB works, this fell to 36%. 

IAB Europe, along with Google, are the key industry voices seeking to find a way to avoid fines and censure for practices regulators say are forbidden by the General Data Protection Regulation (GDPR).  IAB Europe CEO Townsend Feehan responded to Denham’s “Adtech Update Report.”  

“The ability to address the ICO’s concerns is near impossible to achieve without a standardized industry solution,” Feehan wrote, pledging IAB would work closely with the ICO and other privacy authorities on making unspecified changes in its Transparency and Control Framework (TCF) to ensure less privacy risk and more user trust “to ensure the sustainability of this innovative sector which underpins the ad-funded internet.” 

Feehan’s detailed response is found at the bottom of this TechCrunch post.

An early and frequently critical of ad-tech’s response to GDPR has been Johnny Ryan, a former Irish journalist and ad-tech researcher who now works for Brave, a California company. Brave’s business promotes the idea that user information should stay within their web browser and that advertising selection should occur there, rather than as the result of a bidding process that sends user data to millions of points.  Thus, Brave argues for disruption of RTB.  

Ryan released this week a blog with point-by-point analysis of the ICO report, saying it “vindicates” Brave’s concerns about RTB.  The core problem cited by both Brave and the ICO report is that bid requests send as part of the RTB process, sensitive information about individuals and that cannot comply with GDPR. 

Audience segments are described by the IAB as “subsets of user data signifying specific facts, interests” in the IAB 2016 Data Segments & Techniques Lexicon, on page 4. There is also an overall content taxonomy published by the IAB in 2017 and announced in an IAB news release in November of that year.  

The ICO report asserts “the only lawful basis for ‘business as usual’ RTB processing of personal data is consent (ie processing relating to the placing and reading of the cookie and the onward transfer of the bid request).” It adds: “Our work has established that, at present, some parts of the ad-tech industry are unaware of this advice.”  ICO’s report says ad-tech and publishers involved within it have to understand, document and be able to demonstrate how their user-data processing operations work, what they do, who they share data with and how they can enable individuals to exercise their rights under GDPR. 

“This report is rather unhelpful for the thousands of publishers and ad-tech vendors involved in RTB and the online advertising industry,” concludes London-based media-tech attorney Lara White, in a Norton Rose Fulbright report. “It sets out a number of deficiencies, but leaves open how many of these can be addressed, especially in the absence of a widespread change in the way the industry works.” 


3. UK Parliament, other researchers, see emergence of privacy as a human right with important repercussions for the poor

Increasingly a right to privacy is being seen as a human right that should extend to people regardless of their economic status. 

The UK Parliament’s human-rights committee recently published oral and written evidence as part of its “inquiry into whether new safeguards to regulate the collection, use, tracking, retention and disclosure of personal data by private companies are needed in the new digital environment to protect human rights.”

“The key human right at risk is the right to private and family life (Article 8 ECHR), but freedom of expression (Article 10 ECHR), freedom of association (Article 11), and non-discrimination (Article 14 ECHR) are also at risk.

The Joint Committee on Human Rights seeks written evidence on the threats posed to human rights by the collection, use and storage of personal data by private companies and examples of where they have been breached.”

In the U.S this week, Michele Gilman, Venable Professor of Law at University of Baltimore published an article,  “Data Insecurity Drives Economic Injustice And Sharpens Financial Distress For Low-income Families,” highlighting how data protection issues disproportionately affect the poor. She cites lessons learned from GDPR to protect the data privacy needs of low-income people, including the right to be forgotten and prohibiting certain kinds of automatic profiling. 

Fast Company is also reporting on this topic in The Privacy Divide, “a series that explores the fault lines and disparities–cultural, economic, philosophical–that have developed around digital privacy and its impact on society.”

Data & Society researcher Mary Madden has been researching data and economic equity since a 2017 report, “Privacy, Security and Digital Inequality”,  and also wrote about it in a New York Times op-ed in April entitled: “The Devastating Consequences of Being Poor in the Digital Age.”


UK Parliament: The Right to Privacy (Article 8) and the Digital Revolution inquiry

Human rights committee publishes evidence on data privacy rights

Guest opinion: Americans deserve real data privacy rights



The British law firm Norton Rose Fulbright is among those tracking the status of state privacy-law action in the United States. This week they say there is data-breach activity in at least nine statehouses — Illinois, Maine, Maryland, Massachusetts, New Jersey, New York, Oregon, Texas, and Washington. 



Technology senior reporter Jon Swartz at MarketWatch surveyed partisans as big tech tries to seek clarifications and perhaps a watering-down of the California Consumer Privacy Act (CCPA).  The lobbying is frenzied because there is a Sept. 13 legislative deadline on any amendments to the law before it takes effect Jan. 1, 2020.  “Tech has taken an anthill approach of supporting a number of amendments with carve-outs for businesses and changes in definition,” MarketWatch quoted Lee Tien, senior staff attorney for the Electronic Frontier Foundation, a digital-rights advocacy group, as saying, “I don’t see much prospect for CCPA getting any stronger.”  Investors are watching because the law could have a profound effect on the business of companies like Facebook, Uber, Google, Microsoft, and Amazon.

Hundreds of links to scholarly papers about aspects of privacy are found on one page of Carnegie-Mellon University Prof. Alessandro Acquisti’s web presence, including papers on the economics of privacy, on personal data markets, on the limits of privacy, transparency and control and one on the impact of targeted advertising. 

The Washington Post looked at public records in Vermont to see which data brokers have registered and described what they do in response to the state’s unique disclosure law.  The Post came up with more questions than answers, found some companies had yet to file, and a couple rushed to do so after hearing from the newspaper.  The law, summarized by the state’s attorney general, defines data brokers, and brokered personal information and requires disclosure of how brokers permit consumers to opt out of collection, sale or storage of their information.  Meanwhile, in Washington, the Senate Banking Committee is considering hearing testimony on consumer data-vendor practices.   


“[Real Time Bidding] involves the creation and sharing of user profiles within an ecosystem comprising thousands of organisations. These profiles can also be ‘enriched’ by information gathered by other sources, eg concerning individuals’ use of multiple devices and online services, as well as other ‘data matching’ services. The creation of these very detailed profiles, which are repeatedly augmented with information about actions that individuals take on the web, is disproportionate, intrusive and unfair in the context of the processing of personal data for the purposes of delivering targeted advertising. In particular when in many cases individuals are unaware that the processing takes place and the privacy information provided does not clearly inform them what is happening. ”

Excerpt, Page 20, “Update report into adtech and real time bidding,” of the UK Information Commissioner’s Office, June 20, 2019.


As Cookies Crumble, Expect More First-Party Data And Privacy-Compliant Solutions

The 5 Best Browsers for Protecting Your Privacy, 2019 Edition

UAE data protection law, similar to GDPR, likely landing this year 

Be careful! These major companies are not protecting your personal data 

Google Turns To Cryptography To Ensure Data Privacy

US Privacy Law: What’s happening at state level?

Data Privacy and Blockchain in the Age of IoT

Like what you see? Then recommend to a friend.

Follow ITEGA’s Facebook page for additional links and insights:




Copyright © *|CURRENT_YEAR|* *|LIST:COMPANY|*, All rights reserved.

Our mailing address is:

Want to change how you receive these emails?
You can update your preferences or unsubscribe from this list.