CRUMBLING COOKIES?

Reaction after Google drops a bomb: Within two years Chrome browser likely won’t support third-party cookies; balancing privacy, antitrust and competition

Google Inc. finally dropped a ticking virtual bomb on the advertising and publishing industries this week, posting a discrete blog post declaring that within two years it’s Chrome browser will stop supporting the use of so-called “third-party” cookies.  The move had been anticipated.

The news came in a blog post by Justin Schuh, director of Chrome engineering at Google, entitled: “Building a more private web: A path towards making third party cookies obsolete.” He said Google wants to encourage the creation of open data-exchange standards that replace such cookies for behavioral advertising. He seemed to imply that Google wouldn’t act until, as he put it, “once these approaches have addressed the needs of users, publishers, and advertisers…”

Why is Google acting? Speculation focuses on privacy, competition — and antitrust.

• “Google is bowing to pressure to shore up privacy standards across its online advertising platforms and freely available web tools, which will affect more than half of all web users,” wrote reporter Ronan Shields at AdWeek, without attribution.

• “Google doesn’t want to force the death of the cookie too quickly in case it attracts antitrust attention,” Shields quoted “a source inside a major holding group — who requested anonymity for fear of professional retribution” as saying. DigiDay reporter Lara O’Reilly added in her own words: “As is the case for almost every move Google makes, antitrust regulators will be watching closely.” 

• Google may have felt it had to promise more definitive action about tracking cookies because of moves by browser makers Apple (Safari), Mozilla (Firefox) and Microsoft (Edge), all of which have announced or are implementing moves which restrict tracking seen as privacy-invading. And it may have concluded that its business would be hurt less than that of its cookie-dependent competitors. 

With his call for industry thinking about how to re-invent advertising technology for the web, Google’s Schuh spotlights the work of the World Wide Web Consortium (W3C), a Cambridge, Mass. nonprofit that has been at the center of collaboration on Internet and Web standards for at least 40 years. Google has already proposed some ideas to a web-advertising standards working group, but it has not yet proposed anything.

“This is going to be tough on publishers if they don’t engage in this conversation soon,” said former Google and Guardian UK employee and consultant David Gehring, who tweeted a reaction to the Google announcement. 

RELATED LINKS:

• Google also working to mitigate covert tracking and ‘fingerprinting’ | Laurie Sullivan, DigitaNewsDaily

• Google seeks to ‘kill’ TP cookies in Chrome within two years | Lara O’Reilly, DigiDay

• Chrome will phase out third-party cookies by 2022 | Ronan Shields, AdWeek 

• Google will phase out most invasive Internet tracking | FT.com (PAY) 

• Five ways advertising changes if Chrome blocks cookies | Ari Lewine, AdWeek

• Wyden urges FTC to investigate AdBlock Plus passthrough payments | Wendy Davis, DigitalNewsDaily/MediaPost

• Sen. Wyden calls for investigation of the ad-blocking industry | Makena Kelly, The Verge

• Axel Springer pushes on its legal fight against ad blocking | Lucinda Southern, DigiDay

CCPA: WEEK THREE

CCPA isn’t only new data-privacy law in California: Now “data brokers” have to tell the public what they are doing; meanwhile, more thoughts about ‘sale’ definition

The public will soon know more about the opaque world of data brokers. On or before Jan. 31, any organization which “knowingly collects and sells to third party the personal information of a consumer with whom the business does not have a direct relationship” has to file with a public registry maintained by the California Attorney General.

There are already some who have registered since the list became public on Jan. 13. A similar law took effect in Vermont a year ago, but only 165 data brokers have registered. California estimates many more will file there, in part, according to attorneys Daniel Goldberg and Elliott Siebers, the California registration law has a more expansive definition of both “sale” and “personal information.”

Meanwhile, both a prominent law firm, and the digital ad industry’s Network Advertising Initiative (NAI) have been weighing in with opinions on how the CCPA defines the ‘sale’ of personal data.  Facebook signaled in December it might play legal hardball over the definition of data “sale”.

“Several of the largest players in the digital advertising industry have taken conflicting positions on whether digital advertising is a ‘sale’ under the CCPA,” write attorneys Austin Mooney, Amy Pimentel and Wendy Zhang of the law firm of McDermott Will & Emery. They write that it “remains to be seen” whether some approaches are interpreted to satisfy the law’s requirements.  They argue that clarifying the situation should be among California Attorney General Xavier Becerra’s “highest priorities” in providing CCPA enforcement guidance.

The NAI’s guidance on sale came out in November. In the guidance released under the signature of NAI’s counsel, Tony Ficarrotta, the NAI wrote that the CCPA’s definition of sale “is broader than an everyday meaning, and “includes merely ‘making available, transferring, or otherwise communicating…a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.”

RELATED LINKS:

• Sovrin Foundation assesses in white paper whether its identity ecosystem is GDPR compliant | Sovrin Foundation 

• Getting reading for son of CCPA — the CPRA initiative | Jonathan Ende, McDermontt Will & Emery  | (CCPRA TEXT) 

• California issues statement advising consumers of CCPA rights | Attorney General, State of California

• Implementing CCPA in the enterprise: Five tips | Erin Illman & Steven Snyder, Bradley Arant LLP

• Enforcement: CCPA fines can add up quickly | Morgan Lewis law firm 

• Legal analysis: Most likely, CCPA won’t appy retroactively | Sean Solis, BakerHostetler Law Firm

• Could the ‘dormant commerce clause” threaten CCPA’s legality outside California? | Jonathan Ende, McGermott Will & Emergy law firm 

• Wrapping up CCPA: What we’ve learned so far | Eric Goldman, The Hill 

• LINK: Survey of privacy policies of Fortune 500 companies | David Zetoony, Bryan Cave Law Firm

LEGISLATIVE WATCH

A compromising idea: Study state privacy laws and see which could be reasonably preempted and which not; meanwhile, Washington state tries again

A key holdup to gaining bipartisan consensus on U.S. federal online privacy regulation has been a dispute over whether federal law should be written to preempt — override — state laws.  California Democrats, including House Speaker Nancy Pelosi, say they won’t vote to override the California Consumer Privacy Act (CCPA). Senators and congressmen in other states are cautious about having federal law invalidate the work of statehouse colleagues. 

But a blog post by two writers on the International Association of Privacy Professionals takes a more nuanced view. Attorneys Peter Swire and Pollyanna Sanderson write that a solution might be to carefully study state laws, and narrow down the areas of potential conflict. “If the negotiators get to a small subset of issues, then an overall deal becomes more likely,” say the lawyers. “Where there is consensus, have congressional experts in legislative drafting create language to implement the consensus.” Swire is with the law firm of Alston & Bird and Sanderson is policy counsel at the nonprofit Future of Privacy Forum, which is supported by major tech companies, retailers, financial institutions, start-ups, media companies, foundations and others.

IN WASHINGTON

• Dissecting Cantwell’s measure on “algorithmic decision making” | Nicole Mormilo, et al., Davis Wright Tremaine LLP law firm

• WRAPUP: Tracking the status of various federal privacy initiatives | Wendy Zhang, McDermmott Will & Emergy

• OPINION: California’s privacy law failed to spur Congress to action | Editorial Board, The Washington Post 

IN THE STATES

• With the CCPA in effect, will other states follow? | Jedidiah Bracy, IAPP editor

•  NCSL updates its listing of state privacy bill and proposals status | NCSL Website 

• Washington state lawmakers revive privacy bill | Wendy Davis, DigitlaNewsDaily 

• Washington state takes another run at own privacy act | Colin Wood, StateScoop.com

• Washington state to try again for a comprehensive privacy law | Hogan Lovells law firm

• ANALYSIS of the Washington State bill | David Stauss, Husch Blackwell LLP

• OVERVIEW: It’s Raining Privacy Bills | Polyanna Sanderson, Future of Privacy Forum