PRIVACY BEAT: The New York Times takes the plunge to drop out of 3rd-party data ad ecosystem

Privacy Beat

Your weekly privacy news update.


The New York Times takes the plunge — reportedly is planning to drop out of 3rd-party data ad ecosystem

The New York Times is reported to be planning to drop out of the 3rd-party advertising ecosystem in a move that would help them to be compliant with emerging privacy law by targeting advertising only with data they collect. 

The move is described by reporter Sarah Fisher in a May 19 report this week at Axios that quotes Allison Murphy, senior VP of ad innovation at The Times. The report says the effort is part of a greater push to a privacy-friendly experience.  She writes that other publishers such a Vox Media and The Washington Post, are developing advertising solutions based only on first-party data that they collect in a consensual process with their users.

Beginning in July, the Axios report says, The Times plans to introduce a set of 45 first-party audience segments for ad targeting. They’ll be broken into at least five categories (1) age range/generation (2) household or investable assets (3) work industry or role (4) gender, education or marriage demographic and (5) topical interests, with another 30 interest segments later in the year.

“This can only work because we have six million subscribers and millions more registered users that we can identify and because we have a breadth of content,” Axios quoted Murphy as saying.

The Times move comes as the major global digital advertising platform — Google — joins moves by other browser software makers to disallow third-party tracking cookies, which is generally believed to enhance Google and Facebook abilities to target advertising to their known users. The Times thus is shoring up its ability to live without the platforms.

The Local Media Consortium has been working with ITEGA, the sponsor of this newsletter, to create an independent, non-profit governed privacy-and-identity service that could grow to be an independent source of first-party user data. In an unrelated comment this week, the South China Morning Post’s (SCMP)  VP-digital, Ian Hocking, supported such an idea. “I think this is a massive opportunity for publishers to come together and create a unified single sign-on and SCMP would like to lead that initiative. SCMP is uniquely placed to drive this in Asia.”



Does your organization need customized privacy compliance solutions? ITEGA  can help.

We bring together support you need to approach compliance with CCPA, GDPR if needed, and future privacy legislation as it emerges.

Learn More

In a word — conundrum — as ad-tech, agency and publisher lawyers consider terms, enforcement of CCPA

The California Consumer Privacy Act (CCPA)  remains a definitional conundrum, according to lawyers for the organizations that must comply with it — even down to figuring out when compliance will really be necessary and whether a new ballot proposal could alter the rules. 

That’s the impression conveyed by six participants in an Interactive Advertising Bureau (IAB) webinar recorded this week, and available for streaming viewing, entitled “The California AG’s Draft Regulations & the Road to CCPA Enforcement.”  (See PDF of slides)

The CCPA took effect Jan. 1, but it specified the California attorney general could not begin enforcing it until July 1 and also until a set of enabling regulations were final. Observers now believe the July 1 date will stretch to Oct. 1 because of delays in the rule-making process. But at the same time, a new privacy initiative may soon qualify for California’s November ballot and its terms would make further changes.  (See RELATED LINKS, below).

The webinar revealed these areas of uncertainty:

  • What constitutes a “sale” of personal information?

  • What constitutes “use” of personal information? 

  • What supposedly pseudonymous data is still within the scope of “personal information” 

  • Is it the publisher or the data-processor who must tell the consumer as data is collected? 

  • When is an ad-tech vendor a data processor or acquirer, either or both? 

The questions are of greatest concern to companies that process or use any of 11 categories of personal information.  An entity such as a data broker or ad-tech supplier that is a contractual “service provider” to a publisher or web service has different notice, disclosure and usage obligations under the law than a “business” which has a direct relationship with a consumer.

“You cannot be a business that collects personal information and a third-party receiving personal information, in the same transaction for the same user,” webinar participant Michael Hahn, SVP and general counsel of IAB observed. “It’s just not possible.”  He added later: “What the [rulemaking] does is it closes off gamesmanship by making it clear that when you function as a service provider, CCPA is going to treat you as a service provider regardless of whether you meet the statutory threshold for being a business.”

The law and draft regulations do seem to largely allow programmatic advertising to continue to function with new disclosures and practices, said webinar participant Alysa Hutnik, of the law firm of Kelley Drye & Warren LLP. “Current language makes clear that the service provider can use the personal information to provide its services and not just the services of the business [it is serving]. The rule permits service providers to process the personal information on behalf of multiple businesses when they are directed to do so in their service-provider agreements.

Company privacy statements under CCPA have to make a blanket disclosure of the sources of personal data and how it is used, said Monika Jedrzejowska, Hearst Corp. chief privacy officer and counsel. But information about any sale or disclosure of such data has to be described for each of  11 personal-information categories.

A data broker doesn’t have to notify a consumer before collecting information unless it plans to “sell” it, said Julia Shullman, general counsel and chief privacy officer of ad-tech company TripleLift.  “So we see that carve-out as very helpful for companies that don’t believe they’re selling data…”

Earlier this year, Facebook asserted that it does not “sell” user data when it sells advertising that has been targeted using the data. So the carve-out mentioned by Shullman may be a “safe harbor” for Facebook if it wins an eventually legal battle over the CCPA’s definition of “sale.”



Standard seeking: Should consumers indicate their privacy preferences with a web-browser signal?

This week’s Interactive Advertising Bureau webinar on the California Consumer Privacy Act (CCPA), included a brief discussion about a hot topic — user-enabled privacy controls within web-browser software such as Google Chrome, Apple Safari, Mozilla Firefox, Microsoft Edge, the Brave browser or others.

The core question broached both there and in recent meetings of a World Wide Web Consortium (W3C) community group — there’s a need for a web standard on what constitutes user expression of privacy preferences.

In the IAB webinar, TripLet General Counsel and Chief Privacy Officer Julia Shullman spoke to the subject.  First of all, she observed there is not yet consensus on what constitutes a data “sale” that a user needs to say “yes” or “no” to. The second question is whether a browser setting sent automatically by the browser at a time after the user has set it, should be legally valid as “consent.”

“Do we all take a step back and start honoring those signals where all the browser are in the middle of changing the way they function,” she asked fellow panelists. “A lot of us in the ecosystem are still hoping we can convince our clients or others to rally around a standard method of signaling consumer opt outs. Otherwise it is a patch work creating consumer confusion and difficulty in honoring.”

Sebastian Zimmeck, a Wesleyan University computer-science professor, has raised the same topic in the W3C discussions and reached a similar conclusion. “At this point, it seems worthwhile to have a discussion of these developments with the goal of converging to a standard,” Zimmeck wrote in an April W3C post. “In particular, a Do-Not-Sell signal could be implemented similar to the Do-Not-Track (DNT) signal via an HTTP header.” He added: “Internet users, publishers, privacy organizations, and ad networks are some of the stakeholders in this question. Ultimately, there needs to be a consensus because the proposed task here is not only one of technology but also one of policy.”

The notion that browser software should be enshrined by the CCPA for managing user privacy settings appears to be opposed by the Association of National Advertisers in a letter sent to U.S. Sen. Adam Schiff, according to a story by John Eggerton of

MediaPost’s Wendy Davis quoted the letter from the ANA’s Bob Liodice asking Schiff to express concerns about the proposed regulations, in order to “prevent the codification of these dangerous gatekeeper standards for browsers into state regulations.”  Davis wrote that the CCPA as interpreted by regulators would require companies to honor do-not-sell requests sent through browser-based tools — regardless of whether consumers affirmatively activate the tools.









Like what you see? Then recommend to a friend.

Subscribe to Privacy Beat


In Brazil, three-quarters of users try to remove personal data from web but a quarter don’t know how

“A global study on data privacy by cybersecurity firm Kaspersky found 74% of Brazilian internet users have tried to remove personal data from websites and social media, ZDNet reports. Of the more than 15,000 consumers surveyed, 24% of respondents in Brazil reported not knowing how to remove information available online, 58% said they took steps to hide their information from cybercriminals, and 35% took measures to ensure websites could not access their data.”

IAPP blog, summarizing a ZDNet account of a Brazilian study, published May 15


Privacy Beat is a weekly email update from the Information Trust Exchange Governing Association in service to its mission. Links and brief reports are compiled, summarized or analyzed by Bill Densmore and Eva Tucker.  Submit links and ideas for coverage to

Share Share

Tweet Tweet

Share Share

Forward Forward




Copyright © 2020 Information Trust Exchange Governing Association, All rights reserved.

Want to change how you receive these emails?
You can update your preferences or unsubscribe from this list.

Email Marketing Powered by Mailchimp