Privacy Beat

Your weekly privacy news update.

1. Ad-tech companies fighting over who gets control of first-party “cookie” or identity; a role for ITEGA?

A competitive war is underway among titans of the ad-tech industry — and at least one scrappy startup — over who will emerge in control as the era of third-party cookie matching is squelched by tough European and U.S.-based privacy regulation.

The goal is to create a universal identity infrastructure for the web to compete with the first-party data ecosystems built by Facebook, Google, and Amazon. Each has billions of user email addresses and the ability to track user activity across wide swaths of the web.

The battleground: who will control the “first-party domain” for the purpose of synchronizing user data for ad targeting. The goal is to present marketers (advertisers) with a quality source of user demographics competitive with the terabytes of first-party data and email addresses stored by the Facebook, Google and Amazon platforms.

If one of the four options gets to scale, the programmatic ad industry would become dependent on having access to a first-party domain system whose non-publisher, ad-tech industry stockholders or member-owners could profit by being in a dominant control position of the web’s emerging identity infrastructure. 

NO PUBLISHER-LED EQUIVALENT?

So far, there is no equivalent effort led by publishers, and no effort within the ad-tech industry to move away from targeting individuals in the direction of a contextual advertising approach that would benefit publishers. However, the Local Media Consortium is working with ITEGA, which is a public-benefit, 501(c)3 nonprofit corporation with no owners.

Without a widely adopted universal solution in place, industry players continue to drop their own unique cookies on users to enhance ad targeting and scale business, says Albert Wang of SpotX. “As the identity webs of users become increasingly entangled, more and more of the ecosystem has come around to the idea of adopting a universal ID.”

WHAT IS AT STAKE

One of the simplest visual explanations of why identity management is important for the current system of targeted “programmatic” advertising is this video prepared by ID5 and presented on its website. Just over one year after its launch, ID5 says it reaches one billion devices per month in Europe and provides matching capabilities with more than 35 ad tech platforms. 

A longer video has IndexExchange VP of product Mike O’Sullivan walking through a white-board summary of an idea to create a “hashed email” as a universal ID to cross-site link user data.

2. Privacy advocates appear to win — for now — over tech-industry efforts to water down CCPA in committee

Privacy advocates were evaluating this week the outcome of a Tuesday session of the California Senate Judiciary Committee, which took action on several amendments to the California Consumer Privacy Act (CCPA) at a marathon hearing which ran into the evening on July 9.  

The Electronic Frontier Foundation had opposed all the measures on privacy grounds and praised the committee for rejecting, for now, AB 873, which the EFF said “would make it easier for businesses to force consumers to pay for their privacy rights under the guise of loyalty programs.” The measures defeated or sidetracked by the committee would have “eviscerated” the CCPA, the group said. It has been joined by the ACLU and Consumer Reports in its opposition to weakening the law by amendment.

One report on the 12-hour hearing by Cheryl Miller at Law.com was headlined: “Tech’s Efforts to Diminish Landmark Privacy Law Fizzle, for Now” — “the first significant defeat for tech companies.” The amending bills are AB 1416, AB 25, AB 873, AB 846 and AB 1564.

Attorney Alexia C. Chapman of the firm of Ballard Spahr LLP summarized in a National Law Review post the outcomes on four key measures. She wrote that the committee modified but advanced AB25, to exempt certain employment data from CCPA. It also amended and approved AB1564, which now reduces the situations in which a web service has to provide a phone number — in addition to an email address — for consumers to discuss or opt out of data use.

Chapman wrote that the committee deadlocked 3-3 on AB873 — a tech-industry effort to de-regulate some types of personal information and make it easier to define other information as “de-identified”. That means the measure — for now — is stuck in committee. And it tabled AB1416, which would have allowed third parties to sell user data for purposes of detecting security incidents or to protect against malicious actors. 

AB873 would exclude data such as IP addresses from the law’s definition of “personal information.” And it had been amended to define “de-identified” information as:

“[I]nformation that does not identify and is not reasonably linkable, directly or indirectly, to a particular consumer, provided that the business makes no attempt to reidentify the information, and takes reasonable technical and administrative measures designed to: 

  • Ensure that the data is de-identified. 

  • Publicly commit to maintain and use the data in a de-identified form. 

  • Contractually prohibit recipients of the data from trying to reidentify the data.”

The Legislature has a self-imposed July 12 deadline for committees to report bills to the floor. But there are already other measures related to the CCPA which could be extensively amended by floor action based on the outcome of negotiations among lobbyists, industry, and lawmakers. That could allow a revisit of all aspects of the law, which takes effect Jan. 1.  Ryan Johnson, writing at StateScoop, quoted an American Civil Liberties Union statement as saying the effect of the measures considered by the Senate committee, if all had passed, would have been to sell “vast amounts of data, purportedly for anti-fraud purposes.” 

3. Approaches to use of third-party cookies in advertising increasingly scrutinized; risks, rules outlined in ICO paper

Britain’s Information Commissioner’s Office (ICO) last week released a document providing guidance on how it will interpret GDPR rules on the use of “cookies” and other identification methods in programmatic and real-time bidding advertising applications. It stresses that user consent has to be obtained explicitly for each cookie set.

Norton Rose Fulbright attorneys Lara White and Marcus Evans analyzed the ICO’s guidance in a July 10 blog post warning “this is an area that regulators will increasingly focus on and where ignorance of the legislative requirements will not be tolerated.” The post makes the following points: 

  • Consent requirements apply to device fingerprinting as well as cookies. 

  • A consent request that lists all the cookies being set and describes what they do will be necessary to meet a “clear and comprehensive information” standard.

  • A user must take clear and positive action to give consent to non-essential cookies. Continuing to use the site is not valid consent.

  • For third-party cookies, the third parties must be clearly and specifically named and an explanation of what they will do with the information must be provided.

  • Pre-ticked boxes or “on” sliders are not permitted. 

  • Publisher websites may have legal responsibility for how cookies set by Facebook, Google or other third parties are used by those third parties. 

The ICO report was followed this week by two announcements of giant fines against British Airways and the Marriott Corp. for data breaches that affected European consumers. DigiDay’s report on the two fines noted the amount of user data transferred across real-time-bidding.

4. Next week top EU court will hear a landmark case against Facebook

On Tuesday the European Court of Justice will begin hearings to look at the legality of the methods companies like Facebook use to transfer personal data, including social media posts, from the EU to the United States and other countries. The case stems from the 2013 release of information by Edward Snowden that revealed tech companies were being forced to turn over data of EU users to American spies, and subsequent complaints brought by Austrian lawyer Max Schrems. In the end, the case could decide if the transatlantic flow of data can continue.

A 2000 agreement between the US and the EU, called Safe Harbor, initially protected tech companies from investigation. Under the agreement, American companies could self-certify that they were following the EU’s privacy rules. However, Safe Harbor was struck down in 2015 by the Court of Justice of the European Union (CJEU), on the basis that EU privacy rights were not being protected under American mass surveillance laws. In 2016, a new agreement called Privacy Shield was introduced, with the U.S. placing new restrictions on intelligence agencies’ access to EU users’ data. Next week, the validity of this agreement will also come under scrutiny, as will the standard contractual clauses that govern data transfers.

The court’s decision, which is expected by the end of the year, could have far-reaching implications for U.S. and European businesses.

5. House lawmakers target September, October for Data Privacy bill, aides say

An aide told Morning Consult that some members understand that pre-emption language to override state laws would be necessary to pass a bill in this Congress. Republicans in both chambers have expressed strong interest in passing a federal statute that would override any state-level laws, such as California’s Consumer Privacy Act (CCPA).

Another sticking point also lies in whether or not the bill should give consumers the right to sue companies for data breaches, the two aides said. One of them said that although his office expects the language to be included in the bill, it could upset moderate Democrats involved in the discussions.

READ MORE: House Lawmakers Target September, October for Data Privacy Bill, Aides Say

QUOTE OF THE WEEK

“Any industry-wide ID solution needs to be standard and commoditized to gain broad adoption across our intensely dynamic space. The standard must be neutral. It must not pick winners. And it must be free from risk of change in control and strategic or competitive conflict. It should not be profit-driven but rather designed for reinvestment in the standard for the good of all constituents: advertisers, publishers, technology vendors and consumers. Today, proprietary identity solutions being offered in the guise of consortium approaches actually perpetuate the fragmentation of identity and buttress the status quo.”

John Slocum, VP, DMP at MediaMath, writing in an April 5 column at AdExchanger.

TIDBITS

Facebook’s Libra Cryptocurrency Could Have Profound Implications for Personal Privacy (CPO Magazine)

Demanding Users Fight for Data and Privacy Protections, Wikipedia Co-Founder Calls for #SocialMediaStrike (Common Dreams)

Technology industry criticizes states’ data privacy laws (Washington Times)

Parks Associates: 79% of Consumers are Concerned About Data Security or Privacy Issues (Yahoo Finance)

Podcast: Cvent’s General Counsel Larry Samuelson is here to discuss the shifting global data privacy regulations and the profound impact they have on meetings and events. Special Guest: Larry Samuelson.

Privacy-first browsers look to take the shine off Google’s Chrome (NBCNews.com)

For student privacy, this Austin-area district is one of the best (EdScoop News)

How to Protect Our Kids’ Data and Privacy (WIRED)

The Gold Rush for Private Health Data (The New York Times)

Sen. Mike Crapo: You deserve real data privacy rights — Government should help you get them (Fox News)

Brazil to add digital data protection to fundamental rights (ZDNet)

Majority of Popular Mobile-Only VPNs Are Run by Chinese Nationals or Located in China (CircleID)

Apple once again under investigation for GDPR data practices (MSPoweruser)

European Privacy Laws May Be Hampering Those Catching Terrorists (Bloomberg)

Seven out of 10 Brits want tougher penalties for breaching privacy rules (BetaNews)

Apple is Our Role Model For Customer Data Privacy, Says Huawei CEO (News18)

Security Think Tank: Embrace data protection as a necessary business process (ComputerWeekly.com)

Follow ITEGA’s Facebook page for additional links and insights: https://www.facebook.com/itega.org
