PRIVACY BEAT: Ad-tech companies fighting over who gets control of first-party “cookie” or identity; a role for ITEGA?

1. Ad-tech companies fighting over who gets control of first-party “cookie” or identity; a role for ITEGA?

A competitive war is underway among titans of the ad-tech industry — and at least one scrappy startup — over who will emerge in control as the era of third-party cookie matching is squelched by tough European and U.S.-based privacy regulation.

The goal is to create a universal identity infrastructure for the web to compete with the first-party data ecosystems build by Facebook, Google, and Amazon.  Each has billions of user email addresses and the ability to track user activity across wide swaths of the web. 

The battleground — who will control the “first-party domain” for the purpose of synchronizing user data for ad targeting. The goal is to present marketers — advertisers —  with a quality source of user demographics competitive with the terabytes of first-party data and email addresses stored by the Facebook, Google and Amazon platforms. 

If one of the four options gets to scale, the programmatic ad industry would become dependent on having access to a first-party domain system whose non-publisher, ad-tech industry stockholders or member-owners could profit by being in a dominant control position of the web’s emerging identity infrastructure. 

NO PUBLISHER-LED EQUIVALENT?

So far, there is no equivalent effort to lead by publishers, and no effort within the ad-tech industry to move away from targeting individuals in the direction of a contextual advertising approach that would benefit publishers.  However, the Local Media Consortium is working with ITEGA, which is a public-benefit, 501(c)3 nonprofit corporation with no owners.

Without a widely adopted universal solution in place, industry players continue to drop their own unique cookies on users to enhance ad targeting and scale business, says Albert Wang of SpotX. “As the identity webs of users become increasingly entangled, more and more of the ecosystem has come around to the idea of adopting a universal ID.”

WHAT IS AT STAKE

One of the simplest visual explanations of why identity management is important for the current system of targeted “programmatic” advertising is this video prepared by ID5 and presented on its website. Just over one year after its launch, ID5 says it reaches one billion devices per month in Europe and provides matching capabilities with more than 35 ad tech platforms. 

A longer video has IndexExchange VP of product Mike O’Sullivan walking through a white-board summary of an idea to create a “hashed email” as a universal ID to cross-site link user data.

2. Privacy advocates appear to win — for now — over tech-industry efforts to water-down CCPA in committee

Privacy advocates were evaluating this week the outcome of a Tuesday session of the California Senate Judiciary Committee, which took action on several amendments to the California Consumer Privacy Act (CCPA) at a marathon hearing which ran into the evening on July 9.  

The Electronic Frontier Foundation had opposed all the measures on privacy grounds and praised the committee for rejecting, for now, AB 873 which the EFF said: “would make it easier for businesses to force consumers to pay for their privacy rights under the guise of loyalty programs.” The measures defeated or sidetracked by the committee would have “eviscerated” the CCPA, the group said. It has been joined by the ACLU and Consumer Reports in its opposition to weakening the law by amendment. 

One report on the 12-hour hearing by Cheryl Miller at Law.com was headlined: “Tech’s Efforts to Diminish Landmark Privacy Law Fizzle, for Now” — the first significant defeat for tech companies.” The amending bills are AB 1416, AB 25, AB 873, AB 846 and AB 1564. 

Attorney Alexia C. Chapman of the firm of Ballard Spahr LLP summarized in a National Law Review post the outcomes on four key measures.  She wrote that the committee modified but advanced AB25, to exempt certain employment data from CCPA. It also amended and approved AB1564, which now reduces the situations in which a web service has to provide a phone number — in addition to an email address — for consumers to discuss or opt-out of data use.  

Chapman wrote that the committee deadlocked 3-3 on AB873 — a tech-industry effort to de-regulate some types of personal information and make it easier to define other information as “de-identified”. That means the measure — for now — is stuck in committee. And it tabled AB1416, which would have allowed third parties to sell user data for purposes of detecting security incidents or to protect against malicious actors. 

AB873 would eliminate data such as IP addresses from being included in its definition of “personal information.” And it had been amended to define “de-identified” information as: 

“[I]nformation that does not identify and is not reasonably linkable, directly or indirectly, to a particular consumer, provided that the business makes no attempt to reidentify the information, and takes reasonable technical and administrative measures designed to: 

• Ensure that the data is de-identified. 

• Publicly commit to maintain and use the data in a de-identified form. 

• Contractually prohibit recipients of the data from trying to reidentify the data. 

The Legislature has a self-imposed July 12 deadline for committees to report bills to the floor. But there are already other measures related to the CCPA which could be extensively amended by floor action based on the outcome of negotiations among lobbyists, industry, and lawmakers. That could allow a revisit of all aspects of the law, which takes effect Jan. 1.  Ryan Johnson, writing at StateScoop, quoted an American Civil Liberties Union statement as saying the effect of the measures considered by the Senate committee, if all had passed, would have been to sell “vast amounts of data, purportedly for anti-fraud purposes.” 

3. Approaches to use of third-party cookies in advertising increasingly scrutinized; risks, rules outlined in ICO paper

Britain’s Information Commissioner’s Office (ICO) last week released a document providing guidance on how it will interpret GDPR rules on the use of “cookies” and other identification methods in programmatic and real-time bidding advertising applications. It’s stressing that user consent has to be obtained explicitly for each cookie set.

Norton Rose Fulbright attorneys Lara White and Marcus Evans analyzed the ICO’s guidance in a July 10 blog post warning “this is an area that regulators will increasingly focus on and where ignorance of the legislative requirements will not be tolerated.” The post makes the following points: 

• Consent requirements apply to device fingerprinting as well as cookies. 

• A consent requests that lists of all the cookies being set and descriptions of what they do will be necessary to meet a “clear and comprehensive information” standard.

• A user must take clear and positive action to give consent to non-essential cookies. Continuing to use the site is not valid consent

• For third-party cookies, the third parties must be clearly and specifically named and an explanation of what they will do with the information must be provided.

• Pre-ticked boxes or “on” sliders are not permitted. 

• Publisher websites may have legal responsibility for how cookies set by Facebook, Google or other third parties are used by those third parties. 

The ICO report was followed this week by two announcements of giant fines against British Airways and the Marriott Corp. for data breaches that affected European consumers. DigiDay’s report on the two fines noted the amount of user data transferred across real-time-bidding.

RELATED LINKS:

• The Brief: data privacy vs surveillance transatlantic clash (Euronews English)

• GDPR: Record British Airways fine shows how data protection legislation is beginning to bite

• Can Technology Solve the Data Security Problems Caused by Technology? (Caixin Global)