|
W3C moves Google, Apple, Microsoft identity ideas to privacy group; meets privately with ad-tech dissidents
Two developments involving the World Wide Web Consortium (W3C) seem to suggest the standards-development group is paying attention to broad stakeholders on a key challenge — how to manage cross-site identity and privacy absent the so-called “third-party cookie.”
First, the W3C’s Advisory Board, which includes key managers of the Cambridge, Mass.-based unincorporated collaborative, spent more than an hour in a virtual meeting last week with a group of mostly advertising-technology affiliated stakeholders responding to a letter challenging the openness of its processes to smaller companies other than large platforms.
(See: Ad Tech Petitions W3C Board For More Fairness In Cookie Debates | Allison Schiff, AdExchanger.com)
One of the participants, Joshua Koran of Zeta Innovation Labs, confirmed the scheduled call had taken place, but he said the W3C group required all participants to sign a non-disclosure agreement about what transpired. It is believed one item on the agenda addressed the heart of how proposals are considered by W3C working and interest groups. Typically a proposal is reviewed without a formal “impact assessment” of how it would affect multiple stakeholders. The discussion may have included ideas for changing that.
Second, it appears that the W3C’s Privacy Community Group is emerging as the focal point of the privacy and identity discussion. On Thursday (Aug. 13), formal work began on two important proposals, one initiated together by Apple and Microsoft and a second initiated by Google. Both would make changes in how web browsers store and handle data about users.
It’s not yet clear if they compete and whether all three major browser makers would ultimately embrace either or both. Also, the Privacy CG, as it is called, is focused primarily on browser behavior. One issue raised by ad-tech dissidents is whether browser software should be the last word on web privacy and identity standards.
The Google-proposed idea is called “First Party Sets.” It would add code to browser software that would declare a collection of domains related by corporate or other control collectively as “first parties” for the saving and sharing of data about a user, such as their interest or subscription attributes and whether they are “logged in.” Kaustubha Govind and David Benjamin of Google’s Chrome engineering group, discussed “First Party Sets during Thursday’s virtual meeting of the W3C privacy group.
The Apple-Microsoft idea is called “IsLoggedIn” and it would coded browser software so that when a user logs in at a website, the fact of their log in — or log out — (but no data sharing) could be known to other sites. In addition, the service would allow the end-user to specify how long particular bits of information about them can be retained by the service they’ve logged into. Melanie Richards of Apple discussed “IsLoggedIn” during Thursday’s virtual meeting.
Notes of the meeting may be found HERE.
ADVERTISING TECH
ANTITRUST
|
|
Does your organization need customized privacy compliance solutions? ITEGA can help.
|
|
We bring together support you need to approach compliance with CCPA, GDPR if needed, and future privacy legislation as it emerges.
|
|
|
KPMG find 56% of North American consumers want companies to give them more control over their data; 9 of 10 want right to control and understand use of their data
A new survey of 1,000 North American consumers by the consulting firm KPMG finds a significant shift toward concern about corporate use of personal data, even as the public recognizes sharing data gives them access to valuable services. Nine out of ten (91%) respondents agree that the right to delete personal data and the right to know how their data is being used should be extended to all US citizens, ZDNet reported.
The survey and report, “The New Imperative for Corporate Data Responsibility” was conducted in the spring and released last week by the firm’s cyber-security practice and Orson Lucas, a principal in that practice. “Consumers believe data privacy is a human right. Corporations need to raise their game,” Lucas writes in the report.
A total of 56% of survey respondents say companies should prioritize giving consumers more control over their own data in 2020 and the majority of Americans (87%) characterized data privacy as a human right.
TechRepublic’s Marcy Bayern summarized the report: “Overall, consumers are increasingly suspicious of what companies are doing with their personal data. Consumers said they don’t trust companies to ethically sell personal data (68%), to use personal data in an ethical way (54%), to ethically collect personal data (53%), or to protect personal data (50%).”
“With consumers indicating that they see data privacy as a human right, and new legislation expected in the years ahead, it is critical that companies begin to mature privacy programs and policies. Consumer demands for the ethical use of data and increased control over their own data must be a core consideration in developing data privacy policies and practices,” Lucas says in the report.
KPMG, according to MobileIndustryEye’s account, found that:
-
Nine in 10 Americans insist companies (91%) and the government (90%) have a responsibility to protect consumer data
-
Almost all (91%) agree the following data privacy rights of the California Consumer Privacy Act should be extended to all US Citizens: the right to delete personal data, and the right to know how their data is being used
-
More than nine in 10 Americans say companies should put data privacy guidelines and policies in place, be held responsible for corporate data breaches, take corporate data responsibility seriously, and take the lead in establishing corporate data responsibility.
‘U.S. consumers are finally paying attention to how brands use their data and many distrust how it’s being used,” wrote MediaPost’s Laurie Sullivan in her analysis of the KPMG report. She added: “Some 83% say they are worried about data breaches and the potential theft of their social security number. About 54% do not trust companies to use their personal data in an ethical way. Half do not trust companies to protect personal data.”
PERSONAL PRIVACY
COVID AND PRIVACY
PRIVACY BUSINESS
|
|
|
Who should be in charge of how sensitive user data is shared or stored? Ideas play out across Twitter-stream
A robust dialogue among a principal executive of the Interactive Advertising Bureau Lab (IAB Lab), the founder of a upstart browser software company, a publisher technologist and an ad-tech expert is playing out in a series of Twitter exchanges.
Some underlying subject matter: Who is to be in charge of how sensitive user data is shared or stored — publishers, advertisers, ad-tech companies, browser companies, or someone else?
“We believe in work towards #PredictablePrivacy for consumers, via open industry standards and frameworks for compliance/accountability,” Tweets Jordan Mitchell, the IAB Tech Lab VP of consumer privacy, tech and data who is managing its “Project Rearc” initiative to replace the use of third-party cookie tracking in programmatic advertising. “The alternative is proprietary and fragmented consumer privacy run by for-profit, shareholder-driven companies.”
“Don’t try open-washing me,” replies Brendan Eich, CEO-founder of Brave Software, which is trying to take control of user profiling within the browser. “I’ve been doing open standards work for 35 years (NFS, TCP/IP; Web for 24 years). “PredictablePrivacy could mean anything: users can predict they are being tracked across sites for anything, even malware distribution. No thanks.”
Chiming in is Robin Berjon, on the data-governance-and-privacy tech team at The New York Times who piles onto Mitchell: “What does “Predictable Privacy” even mean? Is that just a rebranding of the transparency & choice gimmicks? Do you mind explaining where this newfound passion for accountability comes from and why it’s been absent over the past two decades? What changed?” (Berjon’s additional Tweet).
Reponds Mitchell: Now is NOT the time for continued proprietary, fragmented approaches for tracking that circumvents consumer transparency and choice, entrenches our industry deeper into the “addressability arms race”, and puts app publishers in further violation of app store terms. Now is the time for our entire industry to insist on open standards that enable #PredictablePrivacy for consumers across devices, supported by trustworthy accountability mechanisms that move our industry forward.”
Adds Berjon in another Tweet: “…[S]ome of the adtech folks have what may seem like strange positions, for instance that browsers have a duty to share data with them despite user preference.” Said Berjon in a third Tweet: “When users have to opt out of something in order to get privacy, they are being forced.”
Jumps in Augustine Fou, an ad-tech analytics consultant: “don’t pretend the @IAB and any of your specs and policies actually help consumers. You’ve had more than a decade to show any such results. But alas, NONE, despite lots of busy-ness and committee meetings. I’D RATHER HAVE GOOGLE AND APPLE PROTECT MY PRIVACY than the @iab and [Jordan Mitchell].
The debate comes a few days before an Aug. 19 webinar organized by Mitchell in which experts will discuss now the end of cookie-based identifiers will affect advertising and funding of web services. The discussion will include Mitchell, executives of two major publishers (Meredith and News Corp.) and an ad-tech company (LiveIntent).
CALIFORNIA PROP 24
CALIFORNIA PRIVACY
|
|
Verizon Media, owner of Yahoo, appears to make it tough to opt-out of tracking
If you use Yahoo Mail on your mobile device, good luck figuring out how to opt-out of tracking by Verizon Media.
First, you have to navigate through several screens. The first gives you two choices: “Agree” to tracking or “Learn More.” There is no “decline” or opt-out option given. Click “Learn More” and you come to a second screen, “How Verizon Media and its partners collect and use data.” Choices are “I agree” or “Manage partners.” Still no opt-out choice.
The third screen gives you two more “choices.” One is “I agree” to default tracking by Verizon and its partners. The other choice is to scroll through a list of a dozen or more Verizon partners and select privacy preference with each one individually. “All our foundational partners require you to manage your choices directly through their privacy policies,” the screen says, adding: “Click on each partner below to access their privacy policy.”
Might this experience may illustrate why privacy regulation based upon the “opt-out” concept is pretty much useless for all but the most patient or determined privacy-minded consumer? The CCPA requires the “Do Not Sell My Information” prominent link. And if you’re living in the European Union, you are “opted out” by default because of the General Data Protection Regulation (GDPR). So unless you’re in Europe or California, this is how Yahoo/Verizon treats your privacy. Any only when you agree does the sequence then link to you the Verizon privacy policy to read.
WASHINGTON BEAT
STATEHOUSE BEAT
EU AND PRIVACY SHIELD
-
Will EU launch a market “trust” for personal data? Here’s what that would mean for privacy | Anna Artyushina, York University via MIT Technology Review (EU white paper)
-
Bottom-up data Trusts: disturbing the ‘one size fits all’ approach to data governance | Sylvie Delacroix, Neil D Lawrence, International Data Privacy Law
-
U.S. Regulators Continue to Administer and Enforce the Privacy Shield | Elizabeth Canter et al., Covington law firm
-
EU, US initiate talks on potential ‘Enhanced’ Privacy Shield | Jedidiah Bracy, IAPP Privacy Advisor (JOINT STATEMENT)
-
After Schrems II, Privacy Shield obligations are still binding | Adam Schlosser, IAPP Privacy Perspective
-
ANALYSIS: Privacy Shield seen as dead in practice; even though EU-US negotiating | Natasha Lomas, TechCrunch.com
-
So the Shield Is Gone? Lots of analysis to do before relying on SCCs | Jennifer Baker, CPO Magazine
-
What Privacy Shield organizations should do in the wake of ‘Schrems II’ | Brian Hengesbaugh, GlobalComplianceNews.com
-
How big data broker Acxiom is adapting to the invalidation of Privacy Shield | David Meyer, Fortune.com
-
Will Schrems II open a data war between US and EU, creating a European data silo? | Ted Claypoole, Womble Bond Dickinson law firm
-
What happens to data held in the United Kingdom after Schrems decision? | Vicki Bowles, Veale Wasbrough Vizards LLP
-
What happens now that the UK has a left the EU? | ICO website
GLOBAL PRIVACY
TRUST AND JOURNALISM
UPCOMING EVENTS
|
|
QUOTE OF THE WEEK
RTB termed “outrageous privacy violation” by 10 U.S. Congress members seeking FTC probe of “bidstream” use
“According to major publishers, companies are participating in RTB auctions solely to siphon off bidstream data, without ever intending to win the auction and deliver an ad. In a June 16, 2020, open letter of concern to the digital advertising industry, a group of major publishers, whose websites and apps supply the bidstream data to the RTB industry, wrote that ‘the current system allows for a significant data breach by companies gaining access to the real-time bidding (RTB) infrastructure (i.e. the ‘bid stream’) for the sole purpose of harvesting both publisher-specific and audience-specific data.’
“Americans never agreed to be tracked and have their sensitive information sold to anyone with a checkbook. Furthermore, there is no effective way to control these tools absent intervention by regulators and Congress. Technological roadblocks, such as browser privacy settings and ad blockers, are routinely circumvented by advertising companies. This outrageous privacy violation must be stopped and the companies that are trafficking in Americans’ illicitly obtained private data should be shut down. Accordingly, we urge the FTC to use its authority to conduct broad industry probes under Section 6(b) of the FTC Act to determine whether adtech companies and their data broker partners have violated federal laws prohibiting unfair and deceptive business practices.”
- Excerpt from July 31 letter to U.S. Federal Trade Commission Chairman Joseph J. Simons from U.S. Rep. Ron Wyden, D-Oregon, and nine other members of Congress. (See last week’s Privacy Beat for story).
|
|
ABOUT PRIVACY BEAT
Privacy Beat is a weekly email update from the Information Trust Exchange Governing Association in service to its mission. Links and brief reports are compiled, summarized or analyzed by Bill Densmore and Eva Tucker. Submit links and ideas for coverage to newsletter@itega.org.
|
|
|
|
|
|