PRIVACY BEAT: As GDPR fines loom, regulator says ad-tech privacy problems unsolved; ‘special category’ use challenged

Privacy Beat

Your weekly privacy news update.

1. As GDPR fines loom, regulator says ad-tech privacy problems unsolved; ‘special category’ use challenged

The person leading Britain’s investigation of data privacy and the programmatic-advertising world says he’s been connecting well with the industry, but that with regulatory deadlines looming none of the problems he sees have been solved and he’s getting “vague, immature and short answers” on solutions.

Simon McDougall commented in an interview with The Financial Times, published on Wednesday (Aug. 28).  He is lead investigator for the British Information Commissioner’s Office (ICO), which is charged with enforcing the European Union’s General Data Protection Regulation (GDPR) and other privacy laws.  In the interview he said he is focused on two challenges: 

  • The use by programmatic ad-tech of legal “special category” data about individuals, without permission, involving things such as health, sexuality, religious beliefs and political views, to target ads. “This is not an arcane or small point over here,” he told the newspaper. “This is pretty fundamental stuff — if you are processing special category data, then you need explicit consent.”

  • The passing of user data across business chains, involving thousands of parties and billions of queries, without parties checking if there has been any consent or proper security. “What we’re seeing is blind reliance on contracts and no real attempt to assess whether the counterparty you’re using is likely to have controls in place around security, retention,” McDougall said. “That’s just now how the rest of the world works.” 




2. Tech and privacy observers reacting to Google’s plan to limit some cookies in Chrome; some criticism

Given that the data which drives most programmatic advertising runs through Google-owned servers in some way or another, and given that Google controls the browser (Chrome) with the largest market share, it wasn’t surprising to see fast reactions to its announcements last week about cookies and “tracking.”

Analysis and some criticism focused on whether the blocking of all third-party cookies by a browser would make it harder for publishers to sell advertising, and whether that advertising could be sold at higher prices, or not at all. “Ad-tech companies and some digital publishers are wary of a major crackdown on cookies, saying it would hurt their businesses,” The Wall Street Journal’s Patience Haggin wrote in her piece on Google’s plan, entitled: “Google Warns Against Blocking ‘Cookies’ Entirely, Triggering Criticism.”  

“I interpret the announcement as giving Google an opportunity to try to show forward momentum on privacy while at the same time not doing anything that would negatively impact its own business interests,”  the WSJ article quoted Jason Kint as saying. Kint heads Digital Content Next, the trade group of major online publishers. 

That prompted a reply from the Google senior project manager who wrote one of the key posts, Chetna Bindra. She told the WSJ that Google is just trying to “broaden the conversation beyond cookies,” to encompass other technologies that track user actions on the web such as “fingerprinting.” Google says it wants to crack down on that.

Google said it was motivated by a desire to protect user privacy. But if Chrome is engineered to block other tracking mechanisms besides cookies, and Chrome focuses on allowing only cookies helpful to Google’s ad business, where does that leave the company’s advertising competitors, including publishers?

Point-by-point criticism came in a blog by two Princeton University computer scientists, Jonathan Mayer and Arvind Narayanan, who said cookie blocking does not undermine web privacy. “Google’s claim to the contrary is privacy gaslighting,” they wrote in a blog post, “Deconstructing Google’s excuses on tracking protection.”

The International Association of Privacy Professionals (IAPP)  report on the Google initiatives emphasized Google’s proposal to engineer Chrome so that a user can establish a “privacy budget” for themselves — limiting tracking from certain parties. Google’s pitch suggests grouping users into cohorts of people with like interests, but without personal identifying information. (For an example of this, see UDEX.)

“With this, a browser could allow websites to make enough API calls to get enough information about you to group you into a larger cohort but not to the point where you give up your anonymity. Once a site has exhausted this budget, the browser stops responding to any further calls,” Frederic Lardinois wrote in IAPP’s report. 



3. Privacy groups ask key California lawmaker to check anti-CCPA lobbying by group that now includes direct-response fundraisers

Tech writer Ina Fried at Axios picked up on a significant piece of lobbying this week over the California Consumer Privacy Act (CCPA). She was the reporter who first wrote that a coalition of consumer groups asked a key lawmaker not to allow watering down of the CCPA’s privacy features before it takes effect Jan. 1. Their request was contained in a letter to California State Senate leader Toni Atkins, encouraging legislators, the story said, to explore the background of the Nonprofit Alliance, a group said to be pushing to have the law weakened. 

In particular, the coalition called out a group it identified as the “Nonprofit Alliance” and asked that it release its financial information, explain its ties to corporate donors “and clarify their leadership, mission and membership…”

The Association of Direct Response Fundraising Counsel (ADRFCO) announced Aug. 22 that it had merged into The Nonprofit Alliance (TNPA).  ADRFCO says it works to protect the interests of direct-response fundraising consultants. 

The groups signing the letter, according to Fried’s story, included the ACLU of California, the Center for Digital Democracy, the Campaign for a Commercial-Free Childhood, Consumer Action, Common Sense and the Privacy Rights Clearinghouse. 




4. How will CCPA impact small organizations?

While organizations of all sizes should be preparing for upcoming privacy legislation to go into effect, CCPA will not apply to all businesses and nonprofits. That doesn’t mean it won’t affect them though.

Section 1798.140 of the California Consumer Privacy Act defines businesses as operating for-profit and with either gross revenues in excess of $25,000,000, deriving 50 percent of revenue from selling personal information, or having personal data of 50,000 or more consumers, households, or devices. Even if a company doesn’t meet these thresholds, it could be considered a service provider of a larger organization, and therefore the law would still apply. It is also expected that larger organizations will push out new requirements when working with vendors, including additional insurance.

According to attorney David A. Zetoony, unlike GDPR, non-profit organizations are exempt from CCPA and enforcement by the Federal Trade Commission. However, attorneys at Farella Braun + Martel LLP say there are some cases in which a non-profit would be obliged to comply, because of affiliation with a for-profit entity.

“In most situations, nonprofits won’t be subject to the law—but in some cases, they necessarily will be and/or will otherwise need to comply. By turning attention to the issue now, nonprofit organizations can ensure, if necessary, compliance with the new law without significant business disruption.” 


5. ProjectVRM listserv explores concepts of data use, sale, ownership, “agency” and control in lively give and take

Followers of a listserv hosted by the Berkman-Klein Center at Harvard Law School have been treated over the last week to a wide-ranging debate about the nature of data — what does it mean to control it, or “own” it, or manage it as an “agent” for individual users. 

The definitions are important as enterprises learn how to comply with interpretations of the EU’s General Data Protection Regulation (GDPR) and the upcoming California Consumer Privacy Act (CCPA).

The discussion was started by attorney Jon Neiditz, of the Kilpatrick Townsend firm in Atlanta. He linked to two articles, “Five Privacy-Focused Data Marketplaces” and “Personal Data Marketplaces Might Not Be the Best Solution for Data Privacy.”

Commentator Elizabeth Renieris, a privacy attorney who is a Berkman-Klein fellow, said she had soured on the perspective of “control” over data inherent in the “self-sovereign identity” (SSI) movement. She said individual control isn’t the issue, that GDPR talks about core principles such as lawfulness, fairness and transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality and accountability and does not talk about control over data. Rather, she suggested it is more useful to talk about how technology is asserting control over our humanness. 

Commentator Brian Behlendorf, an original author of the Apache webserver who now works at the Linux Foundation, said control might be better understood as a synonym for “agency” — the ability of an individual to have some agency to delegate how their data is acquired, stored, shared and used. 

He added: “…I would vastly prefer a world where we recognized individuals as having the foundational ability to get a copy of everything about them, and can opt to delegate, rather than presume the most important case is delegation and wishing the individual good luck pulling it all together into a zone they control.”

Other commenters talked about a distinction between “agency” and “sale.”

Eventually, ProjectVRM founder Doc Searls, a former ad-agency executive, editor and entrepreneur, weighed in with this comment: “We may disagree about how we empower individuals, or about the roles of individuals in relationships, or in communities; but if we [ever] stop focusing on empowering individuals—whether we call individual empowerment “agency” or “sovereignty” or “autonomy” or “independence,” or whatever—we might as well fold up the tent we’re all in here. Because empowering individuals is what ProjectVRM was created to foster in the first place, and is still about.”


“I think the more salient framing is to try to figure out how to manage human dignity at scale…It isn’t about ownership. It isn’t about “my data”. It’s about how we enable a healthy society in the face of new and uncertain technology. How do we correct from overeager entrepreneurs when they cross the line rather than how do we lock down everything that is “mine” so nobody else can abuse it? The latter job is a fool’s game, in the pantheon with DRM and shrink-wrap licenses. The former is more reasonable—IF we can establish that line.”

– ProjectVRM stalwart and Association of Internet Professionals co-founder Joe Andrieu



UK regulator warns online advertisers over use of personal data Industry has given ‘vague answers’ to query on how it safeguards information, says (Financial Times) 

Five ad-tech applications—casualties  of the pivot to privacy? (Jessica Davies, DigiDay)


Facebook’s new privacy tool comes with a crucial caveat—it doesn’t erase (Kate O’Flaherty, Forbes)

Apple Tightens Privacy Rules on Siri Recordings After Backlash (Wall Street Journal)

Government wants your data while it pushes privacy (Ina Fried, Axios)

Facebook Unveils New Data Privacy Tool (Newsy)

Instagram Data Scraping by HYP3R Raises Privacy Concerns (CPO Magazine)

The spy in your wallet: Credit cards have a privacy problem (Geoffrey Fowler, Washington Post)

The Online Privacy Echo Chamber: Is Anything Really Changing? (Forbes)

Is Data Privacy Real? Don’t Bet on It (Knowledge@Wharton)

When tech companies continuously invade our privacy, what is the last straw? (Grand Valley Lanthorn)


A closer look at CCPA’s private right of action and statutory damages (Patterson Belknap)

Navigating the CCPA’s notice-and-cure provision (Sidley Austin LLP)

Five steps companies can take to mitigate CCPA class-action risk (Barbara Wong, Fenwick & West LLP)

CCPA requires disclosure of “specific pieces” of personal info when consumer asks (Goli Mahdavi, Bryan Cave Law Firm)

Addressing emerging data privacy risks at the board level (Wisconsin Law Journal)

Now Is the Time to Future-Proof Your Data Privacy (Entrepreneur)

Europe’s top data protection regulator, Giovanni Buttarelli, has died (TechCrunch)





Copyright © 2019 Information Trust Exchange Governing Association, All rights reserved.
