Ten Congress members ask FTC to investigate alleged ad-tech privacy violations in use of “bidstream” data

Ten members of the U.S. Congress, including most influential Democrats on tech and privacy issues, have urged the Federal Trade Commission to investigate alleged ad-tech privacy violations through the application of cookies and Real Time Bidding (RTB).  The call came in a July 31 letter made public by Sen. Ron Wyden, D-Oregon. Also signing the letter was Sen. Bill Cassidy, R-La.

“Few Amerians realize that companies are siphoning off and storing that ‘bidstream’ data to compile exhaustive dossiers about them,” says the letter. 

The FTC did not respond to a Privacy Beat request for comment.

“For each ad,” the letter says, “an auction takes place milliseconds before it is shown in an app or browser. The hundreds of participants in these auctions receive sensitive information about the potential recipient of the ad — device identifiers and cookies, location data, IP addresses, and unique demographic and biometric information such as age and gender.” 

PB COMMENT: The letter about so-called “bidstream” data appears to parallel many of the claims made by privacy advocate Johnny Ryan, as well as Brian O’Kelley, one of the inventors of the Real Time Bidding system.  The idea of industry-self regulation or technology limiting the “illegal” use of such data has been broached by Randall Rothenberg, president of the Interactive Advertising Bureau.  

It’s not clear what “illegal” means. Could the IAB adopt rules of membership that would forbid the caching and/or use of bidstream data acquired by a losing RTB bidder? Could the IAB then devise some method of monitoring behavior so that the sanction of losing IAB membership status would have teeth?

WASHINGTON BEAT

• Twitter could face a $250 million FTC fine for using phone numbers to target ads | Rishi Iyengar, CNN Business 
• Twitter Sees $150 Million-$250 Million Hit From FTC Data Security Complaint | Jill Goldsmith, Deadline.com
• Twitter says identifiers were ‘inadvertently’ used for advertising | Jacob Kastrenakes, TheVerge.com
• Does Twitter fine show why privacy law needs “purpose limitation”? | Ashkan Soltani via Twitter  (second Tweet)
• What’s juicy in hundreds of documents subpoenaed from Google, FB, Amazon? | Lauren Feiner, CNBC.COM
• “Lies” Google and Facebook told Congress about privacy? | Soshana Wodinsky, Gizmodo.com
• FCC seeks public comment on Trump’s Section 230 petition | Matthew DelNero, Covington & Burling LLP (law firm)
• With Section 230, Sen. Ron Wyden helped create the Big Tech industry. Now he wants to hold it accountable | Sara Morrison, Recode/Vox.com
• Wyden proposal would ban government agencies from buying personal info from data brokers | Katie Canales, BusinessInsider.com 

ADVERTISING AND PRIVACY 

Squeezed by Google, browsers, and ad-tech, brands seek balance between “addressability” and privacy; where are publishers, public in governing mix?  

Squeezed by the initiatives of Google, browser makers, lawmakers and the ad-tech industry, major advertisers are now setting the table to try and look for a balance between targeting and privacy.   The vehicle is called the “Partnership for Responsible Addressable Media” and it was announced this week. 

Bill Tucker, who is Group EVP leading the Data, Technology, and Measurement Practices at the Association of National Advertisers (ANA),  will serve as the partnership’s executive director.  It has established initial principles. (See Quote of the Week, below).

The “governing group” list includes a lone publisher, NBCUniversal, among collaborators, and nobody representing consumers per se.  Also not part of the group yet — Google and Apple, the two biggest browser makers.  

Included, however, are four major advertising-industry trade groups, two ad-agencies (including Publicis Media), four of the biggest ad-tech companies (Adobe, LiveRamp, MediaMath, The Trade Desk) and five brands (Ford, General Motors, IBM, Procter & Gamble, Unilever).  Not listed is the American Advertising Federation, or the influential “4A’s” — the American Association of Advertising Agencies.

Google has said that its Chrome browser will block third-party cookies for ad tracking within two years.

• Chrome, Mozilla, Safari, Brave and Edge browsers, talking via the World Wide Web Consortium (W3C) have initiatives deployed or in the works which to varying degrees will block the tools of ad-tech that have allowed opaque tracking and profile-buildling of users.
   
• In Washington, six U.S. senators and four congressmen have asked the Federal Trade Commission to launch an investigation of ad tech for privacy violations (see story, above)
   
• The IAB Tech Lab, which is backed in part by some publishers and advertisers, but mostly by ad-tech vendors, is pushing its “Project Rearc” initiative to replace the third-party cookie.  However, it dropped its “DigiTrust” initiative and says it is now part of the new partnership. 

RELATED LINKS

• STATEMENT: Ad industry launches partnership to ensure future of digital media for businesses and consumers | PR Newswire 
• Facing Pressure, the Ad Industry Bands Together to Build New Standards for Targeted Advertising | Andrew Blustein, AdWeek.com
• Ad Industry Launches New Organization, Will Push Google And Apple On Tracking | Wendy Davis, DigitalNewsDaily/Media Post
• Some ad industry groups push for “addressable” media standards | Ginny Marvin, SearchEngineLand.com
• Q-and-A: “Our industry” needs all stakeholder groups involved | Dennis Buchheim & Jordan Mitchell, IAB Tech Lab 

Brave’s Johnny Ryan moves to Open Markets Institute and Irish NGO; to continue privacy, journalism advocacy 

Johnny Ryan, the Dublin-based ex-journalist and privacy activist who claims programmatic real-time bidding for advertising is incompatible with EU law, is becoming a senior fellow at the Washington, D.C.-based Open Markets Institute and its Center for Journalism & Liberty.  Ryan, who is leaving Brave, the browser maker, will also work with the Irish Council for Civil Liberties.

In his new roles, Ryan says he will focus exclusively on:

• Uncovering and challenging data misuse, particularly by ‘big tech’ and ‘adtech’ that jeopardize privacy and data protection rights, undermine the business of journalism, and prevent innovation from nascent competitors.
• Holding enforcers responsible to account where they have failed to act.

PERSONAL PRIVACY 

• Meet Joy Buolamwini — the computer scientist and activist who got Big Tech to stand down |  Amy Farley, Fast
• Apple’s privacy “nutrition labels”, transparency, and data protection as a corporate social responsibility | Paolo Balboni, ICT Legal Consulting 
• San Diego’s ‘smart’ streetlights with cameras spark surveillance reform | Sarah Holder, CityLab/Bloomberg.com 
• Is the panopticon here? China using AI to advance (and export?) totalitarianism |  Ross Andersen, TheAtlantic.com
• No, your phone isn’t ‘listening’ to you — but it’s probably tracking you | Simone Scully, UPWorthy.com
• Google is sending a complicated privacy email to everyone — here’s what it means | Dieter Bohn, TheVerge.com

CALIFORNIA PRIVACY

• Privacy advocates battle each other over whether California’s Proposition 24 better protects consumers | Geoffrey A. Fowler, The Washington Post 
• TEXT: Official title and summary of CPRA | California Secretary of State website 
• TEXT: California Consumer Privacy Act ballot initiative | California Attorney General website
• Will CPRA “catch” ad-tech companies in definitional net? | Johnny Ryan via Twitter
• How CPRA defines “cross-contextual behavioral advertising”  | Johnny Rian via Twitter
• Kramer law firm’s summary of key CPRA provisions | Samantha Ettari & Austin Manes, Kramer Levin law firm
• Facebook’s Limited Data Use and CCPA subject of webinar | Kathy Bushman, SearchEngineLand.com
• CCPA implications for high-growth small businesses | Alicia Hope, CPO Magazine
• Explainer: Why CCPA may not be enforceable until late August | Zach Willenbrink, Godfrey & Khan SC (law firm)  (PDF)

FACIAL RECOGNITION

• Portland, Maine,  Bans Government Use of Facial Recognition Tech | Chantal da Silva, Newsweek.com
• Heathrow airport is developing a facial recognition check-in| Naomi Leach & Ben Sigler, Stephenson Harwood law firm 
• ICO signals an extended runway for Heathrow’s facial recognition plans | Georgian Hoy, Slaughter & May law firm (Background)

Image credit: Digital News Report 2019, Reuters Institute for the Study of Journalism, University of Oxford 

TRUST AND JOURNALISM

Scroll founder Tony Haile urges local publishers to bundle subscriptions to compete with NY  Times; what about a collaboration  via LMC-ITEGA? 

Tony Haile, the founder of the ubiquitous Chartbeat content-measurement service has been pushing his new enterprise, Scroll, for a couple of years and has now launched it.  A consumer can enroll with Scroll for $5/month and get advertising-free access to a bundle of news services.   Now Haile has written an argument on the Columbia Journalism Review website for why local-news organizations should band together with a subscription package — as a way of competing with The New York Times

At the same time, The Times has been saying it wants to find ways to help sustain journalism at the grassroots, it is just looking for a way to do so.  So why not figure out a way for those two aims to be collaborative, not competitive?  (DISCLOSURE: The Information Trust Exchange, sponsor of Privacy  Beat, has been working with LMC sports initiative  the Local Media Consortium on a federated Single Sign On service to do just that. It would permit a user to have one account from their chosen news organization (The Times or smaller entities) and provide access to a network of services).  The LMC has started in on the idea with sports.)  

• Americans are losing faith in an objective media, Knight study says | Knight Foundation website
• REPORT: Die-hard print-media users best informed about news | Pew Research Center via MediaPost  (STUDY LINK) 
• In search of common ground: How to avoid polarizing narratives in your reporting | Cynthya Gluck, TheGroundTruthProject.org
• NSA Warns Cellphone Location Data Could Pose National-Security Threat | Byron Tau & Dustin Volz, Wall Street Journal via Benton institute 

EUROPE AND SCHREMS 

• Irish Data Protection Commission faces judicial review challenge for slow process | Naomi Leach & Ben Sigler, Stephenson Harwood law firm 
• The Atlantic is now an ocean for personal data to cross | Rohan Massey, Ropes & Gray (law firm) 
• Schrems II: The impact of GDPR on data flows and national security | Joshua P. Meltzer, Brookings Institution 
• FAQ: U.S. government publishes FAQs about Schrems II impact | U..S. Commerce Dept. via Security Law Blog  (FAQ LINK) 
• FAQ: European Data Protection Board’s guidance on Schrems II decision | EDPB website 
• New York law firm’s assessment of implications of Privacy Shield decision | Anna Mercado Clark, Phillips Lytle LLP law firm 
• After Schrems II, learning about “standard contractual clauses” | Lara O’Reilly, DigiDay.com
• Schrems II – the judgment and practical next steps for your business | Chris Ingram & Jonathan McDonald, Charles Russell Speechlys law firm
• EU-U.S. Personal Information Transfers: Where Are We, and What’s Next? | Elizabeth Hodge, Montaye Sigmon and Christy Hawkins, Akerman law firm

GLOBAL PRIVACY

• New Zealand Privacy Act 2020 to become law on 1 December 2020 | Sebastien Aymeric, James & Wells law firm 
• Internet search services: Europe’s quest for online privacy | Nils Zimmermann, DW.com 
• ICO admonishes police practice on mobile phone extraction | Naomi Leach & Ben Sigler, Stephenson Harwood law firm 
• Brazil enacts “LGPD” — comprehensive data-protection law | Bret Cohen & Isabel de Costa Carvahlo, HogansLovell (law firm)

ADVERTISING TECH 

Vidakovic explains how Google will shut off cookies and tracking absent consent of European Union users 

Ratko Vidakovic, of AdProfs Inc., always does a great job of putting ad-tech permutations in plain English and in his email newsletter this week he did just that to explain how Google is going to start on Aug. 15 handling programmatic advertising with the European Union’s strict privacy rules.   Here’s what he writes, based in part on a reading of Google’s blog on the subject. 

He notes that the change comes as Google integrates with the standard Interactive Advertising Bureau’s “Transparency and Consent Framework (TCF)”.   Writes Vidakovic.  The core issue — what happens if an end user doesn’t want to be tracked? 

Vidakovic writes: “If users don’t give permission for Purpose 1 (‘store and/or access information on a device’), which is required for publishers and ad tech vendors to use cookies, Google will ‘drop the ad request and no ads will be served’ . . . ”   Vidakovic continues: “If users don’t give permission for Google to profile them (Purpose 3), publishers will only get non-personalized ads from Google, and any bid requests or cookie syncing with any third-party vendor will be denied.”

Sign up for Vidakovic’s weekly ad-tech blog from here.

• How To Learn To Stop Worrying And Love The Cookie-Less Future | Rob Williams, MediaPost/PublishingInsider 
• Latest take on Dutch NPO results: “Can killing cookies save journalism?” | Gilad Edelman, Wired.com
• Sen. Josh Hawley wants to strip legl protections from sites with targeted ads
• ‘Behavioral’ ads would disqualify sites from Section 230 | Adi Robertson, TheVerge.com
• Facebook says Apple’s iOS 14 changes could kill some ad targeting | Salvador Rodriguez, CNBC.com
• Facebook’s Limited Data Use and CCPA subject of webinar | Kathy Bushman, SearchEngineLand.com
• OPINION:  What years of subpoenaed emails and texts reveal about tech companies | Tim Wu, NYTimes op/ed

BROWSER PRIVACY 

• Mozilla’s Firefox takes new step to stop tracking by ad-tech companies | Wendy Davis, PublishersDaily/MediaPost 
• Mozilla’s announces shipping of “Enhanced Tracking Protection 2.0” blocking some redirection | Steven Englehardt, Mozilla Security Blog 
• Mozilla’s Firefox now doubling down on cookie-based tracking tech | Thomas Claburn, TheRegister.com
• A new default Referrer-Policy for Chrome: strict-origin-when-cross-origin | Maud Nalpas, Google Developers Blog 
• Google’s ‘trust tokens’ are here to take cookies down a peg | Kim Lyons, TheVerge.com