PRIVACY BEAT: Report calls era of unimpeded personal data over, opening investment opp | Last chance to comment on IAB “framework”

Privacy Beat

Your weekly privacy news update.

1. Report says era of unimpeded personal data is over, opening investment opportunity for trust, identity, privacy and information commerce 

A valuable new market for investors has opened up around digital trust, identity, privacy and information commerce, according to a report aimed at venture-capital firms and prepared for one of the industry’s leaders, Omidyar Network.
“Global data protection regulations combined with large-scale data breaches and revelations about corporate data misuse have seeded this market and prompted worldwide conversations about the role of technology and technology companies in society,” says the report by privacy-consultant Michelle de Mooy.
Entitled, “The Emerging Market in Digital Trust: New Obligations and New Opportunities for Venture Capital,” the report was unveiled at a meeting in Seattle on Oct. 24.  De Mooy is a consultant to the Information Trust Exchange Governing Association (ITEGA.ORG), the author of this blog.
The report asserts the era of unimpeded use of personal data is likely over, upended in recent years by scandals, regulations, and greater public awareness and education. To become market leaders, it says, companies and investors must embrace a new paradigm of data governance, balancing growth and revenue with gains in user trust and social good.
The report was prepared for Omidyar’s “Race to the Top” Initiative, which is aimed at helping investors understand the risks and opportunities they face in this market. It first analyzes trends in the data-driven marketplace, reviewing business models and technologies that have raised concerns and prompted shifts in consumer preferences and public opinion around privacy. The initiative’s next meeting is Nov. 22 in New York. 
Through a review of relevant case studies, the report next examines successful start-ups with business models that reflect core “Race to the Top” Principles, such as fairness and inclusion, privacy and trust, transparency and accountability, and civic benefit.
“These companies’ extraordinary growth is driven in part by their ability to differentiate themselves as trustworthy and ethical in a crowded and unprincipled marketplace” de Mooy writes.

Does your organization need customized privacy compliance solutions? ITEGA  can help.

We bring together support you need to approach compliance with CCPA, GDPR if needed, and future privacy legislation as it emerges.

Learn More

2. Last chance to comment on IAB’s effort to bring real-time bidding into compliance with the CCPA

Tuesday, Nov. 5, is the deadline for submitting comments to the Interactive Advertising Bureau (IAB) about its draft Compliance Framework for Publishers & Technology Companies (the Framework) which seeks to rescue the real-time-bidding system from becoming illegal when the California Consumer Privacy Act takes effect Jan. 1.  

Over a four-month period, the IAB organized a multi-stakeholder effort to create a framework for publishers and technology companies across the data supply chain to comply with the CCPA when engaged in programmatic transactions. The draft for public comment was released Oct. 22, with a 14-day public comment period.

The IAB — composed largely of ad-tech companies including Facebook and Google — is trying to figure out how a system which currently leaks user data to hundreds of third parties can be patched up.  The idea advanced in the Framework — and related technical specifications —  is that original collectors of user data will have a method for “signaling” the data-use permissions of the original user up and down the data supply chain. The specs suggest some technology to do so. 

One requirement of the Framework is that publishers include a ‘Do Not Sell My Personal Information’ link that will use a technical mechanism, currently in development by the IAB Tech Lab, that will signal to downstream technology companies to cease the sale of personal information. Opting out of the sale of information does not exclude the customer from advertising, including some interest-based ads.

In their analysis, lawyers Keri S. Bruce and Gerard Stegmaieer of the ReedSmith law firm said the IAB framework “contemplates a technical framework that will help enable information interoperability subject to real constraints focused on compliance.”  But they said it doesn’t “make the overall programmatic or digital ecosystem better or more trustworthy through enforcement mechanisms. It is instead designed to facilitate the information flow within the ecosystem similar to the way business is done now.”
The Agreement would also require Framework participants to submit to audits to confirm they have complied with their obligations and satisfied their representations and warranties, says a thorough analysis of the Framework posted by five lawyers at the law firm of Hogans Lovells. They say if  a publisher uses the Framework for a particular bid request, then downstream Framework participants would be prohibited from sending that bid request to non-participating entities.

“Participants will be held accountable through required audits on the handling of consumers’ personal information upon opt-out, ensuring any continued data usage is strictly pursuant to the Applicable Business Purposes — as defined in the agreement and permitted under CCPA,” the Hogans Lovells attorneys write. 

Again, the detailed analysis by the Hogans Lovells firm may be found HERE



3. “Privacy Shield” still protects U.S. firms from EU regs, but report says pending decision could change that

The European Commission released its third-annual review of the interim “Privacy Shield” regulations which protect U.S. tech companies from having to comply with some aspects of euro-privacy law.  But in its analysis, one law firm warns that data collectors are still on notice that could change. 

“[The] Court of Justice of the European Union raises questions regarding the validity of Privacy Shield,” says BakerMcKenzie’s legal analysis, adding: “The Commission’s report does not address its position on this case, however, the Commission notes it will reassess Privacy Shield once the Court issues its judgment.”



4. Impact of CCPA documented in visual by prominent privacy scholar Daniel Solove 

A prominent academic and legal expert on privacy has developed a comprehensive slide visualization of the impact of the California Consumer Privacy Act (CCPA). The handiwork of Prof. Daniel J. Solove of the George Washington University law school is posted at his website,, which has information about his privacy and cybersecurity training service.    

It covers key aspects of the CCPA, including its scope and enforcement, its impact on individual rights and personal information, and the responsibilities it places on data handlers.

Solove is the author of multiple books on privacy and security law. He also blogs at Privacy+Security.


5. Three studies shed light on effect of privacy rules and tech on markets in both Europe and the United States

Three studies shed light on the effect of privacy rules and tech on markets in both Europe and the United States
First, a paper by Boston University marketing professor Garrett Johnson and Scott K. Shriver of the University of Colorado Boulder assserts the GDPR  is decreasing competition among vendors that provide data-driven services to websites, according to Allison Schiff’s report at on the study.  The two academics collected panel data on the web technology vendors selected by more than 27,000 top websites internationally. They found that the advertising market share of Google and Facebook went up, but the overall pie shrank.
Meanwhile, a cybersecurity firm, Checkpoint, said it questioned 1,000 CTOs, CIOs, IT and security managers in EU countries who had stronlgy positive felings about GDPR.  Seventy-four percent of organizations said it has had a beneficial impact on consumer trust, and 73 percent said it had boosted their data security.  Fifty-three percent of respondents say their organization has set up a GDPR working group, another 45 percent have allocated budget to cover the costs of implementing GDPR, while 41 percent have employed GDPR consultants.
Finally, the New York-based ad-agency giant GroupM released a long narrative analysis of “The Media Landscape” — the traditional and digital advertising marketplace in the United States.  The report bullet points the ways that Google and Facebook dominate markets and get most of GroupM’s business — but it details many other players, too. Digital-publishing industry commentator Jason Kint of Digital Content Next tweeted about the report. “These are dangerous days for advertisers,” the GroupM report says. “At least for those who have used television as the foundation of their communication strategy.” It also says Google and Facebook are now in “the bull’s-eye of regulatory interest around the world.”

Like what you see? Then recommend to a friend.

Subscribe to Privacy Beat










So-called permissioned blockchains borrow ideas and terms from Bitcoin, but cut corners in the name of speed and simplicity. They retain central entities that control the data, doing away with the central innovation of blockchains . . . Hype and lavish funding fueled many such projects. But often, the same applications could be built with less-splashy technology. As the buzzwords wear off, some have begun asking, what’s the point?

Computer scientist Gregory Barber, writing Oct. 28 at, about an evolution in thinking about the efficacy of so-called “blockchain” technologies, titled, “What’s Blockchain Actually Good for, Anyway? For Now, Not Much.”

Share Share

Tweet Tweet

Share Share

Forward Forward




Copyright © 2019 Information Trust Exchange Governing Association, All rights reserved.

Want to change how you receive these emails?
You can update your preferences or unsubscribe from this list.

Email Marketing Powered by Mailchimp