|
Belgian investigation said to find real-time-bidding ‘infringes” GDPR; refers for litigation follow up in 2021
Irish-based privacy advocate Johnny Ryan said this week that Belgian data-protection authority investigators think the programmatic advertising ecosystem used by Google and sanctioned by the Interactive Advertising Bureau (IAB) infringes the EU’s General Data Protection Regulation (GDPR).
He says the Belgian Data Protection Authority (APD-GBA) is referring its investigatory findings for litigation followup in early 2021. It’s findings, which Ryan selectively discloses — which he said are not yet public — concluded “IAB Europe’s approach demonstrates that it neglects the risks that would impact on the rights and freedoms of data subjects.”
Ryan works for the nonprofit Irish Council for Civil Liberties and he formerly was with Brave Inc., the U.S. web-browser maker. The Belgian proceedings are the result of a complaint Brave brought in 2018. It focuses on the practice called “Real Time Bidding,” as well as the “Transparency and Consent Framework” (TCF), devised by the IAB Europe
The Belgian DPA “concluded that the IAB Framework allows companies to swap sensitive information about people even when this has not been authorized,” Ryan writes in an Oct. 16 blog post headlined, “Data Protection Authority investigation finds that the IAB Transparency and Consent Framework infringes the GDPR.”
IAB Europe responded in a statement that the investigatory finding “has no binding effect with regard to any breach of the law by IAB Europe.” It called for “an opportunity for a constructive, good-faith dialogue on how the TCF can be improved . . . . “
TechCrunch’s Natasha Lomas picked up Ryan’s blog post and her story is headlined “IAB Europe’s ad-tracking consent framework found to fail GDPR standard.” She writes: “A flagship framework for gathering Internet users’ consent for targeting with behavioral ads — which is designed by ad industry body, the IAB Europe — fails to meet the required legal standards of data protection, according to findings by its EU data supervisor.” She writes that the still-private report was “reviewed by TechCrunch.”
Both Ryan and Robin Berjon, a data-policy exec at The New York Times, Tweeted extensively about the Belgian investigators’ conclusions. Also commenting was Jason Kint, CEO of Digital Content Next, a U.S.-based quality-digital-publisher trade group.
Berjon called the Belgian action good for publishers. “Broadcasting personal data also means broadcasting audience data,” Berjon Tweeted about the RTB system. “In turn, this leads to devalued audiences and lower revenue since the adtech companies in the RTB system can target high-value news audiences without paying news outlets.”
EU PRIVACY
ADVERTISING TECH / ID
- Ad-tech group warns against use of CCPA service-provider loophole | Wendy Davis, DigitalNewsDaily/MediaPost.com | Related blog post
- Agencies, brands, publishers warned: Service provider approach risky | Leigh Freud, Network Advertising Initiative
- A plea to open ad-tech software in bid for transparency | Erick Fang, TechCrunch.com
- OPINION: An ad industry veteran likes Universal ID approach of TransUnion acquisition of Tru Optik | Bill Harvey, via MediaVillage.com
- Zeotap joins Prebit with ID+ universal ID; Publicis on board also | MarTechSeries.com
- Social contract for the digital age: Problems, solutions | Don Tapscott, Coindesk.com
- Digital identification must be designed for privacy and equity | Alexis Hancock, Electronic Frontier Foundation
- Vendor LoginRadios touts Federated SSO cloud servicer | LogInRadius Inc., via EINPressWire
- Google Analytics gets privacy upgrades ahead of third-party cookies halt | Allison Schiff, AdExchanger.com
BROWSERS AND PRIVACY CONTROL
|
|
Does your organization need customized privacy compliance solutions? ITEGA can help.
|
|
We bring together support you need to approach compliance with CCPA, GDPR if needed, and future privacy legislation as it emerges.
|
|
accountability-agent”
|
accountability-agent
Legal think tank suggests third-party “accountability agent” could certify and jump start U.S. privacy rules
A trio of privacy lawyers has an idea for jump-starting a uniform privacy framework in the United States without waiting for Congress to act — form a nonprofit certification organization for creating and enforcing model privacy policies. The idea appears to be similar in part to the work of the Information Trust Exchange Governing Association (ITEGA), publisher of this email blog.
The “Concept Proposal” is outlined by attorneys Markus Heyder, Sam Groga and Matthew Starr in an eight-page white paper published to the web on Sept. 26 without fanfare. The three practice law at the Washington, D.C., office of Hunton Andrews Kurth LLP in what it calls its “Centre for Information Policy Leadership,” a corporate-member think tank.
“There is a lot of interest among our member companies,” Heyder told Privacy Beat this week. “We want to see if there is enough interest among federal government stakeholders and member companies to build a working group and develop this code.”
The nonprofit third-party organization would manage certifications “enabling enforcement or regulatory bodies with otherwise-limited investigative and enforcement resources to leverage certifying bodies’ review and monitoring of organizations’ compliance with the code.” They term the third-party certifier an “accountability agent.”
Currently only California, Maine and Nevada have digital data-privacy laws in place, they say, and the European Union’s General Data Protection Regulation (GDPR) still lacks many implementing codes or certification requirements. The National Conference of State Legislatures tracks privacy proposals.
The lawyers suggest a “multistate privacy interoperability code of conduct or certification” as a way small businesses coil more easily comply with diverse state privacy requirements. Emergence of and compliance with such a code could increase accountability, privacy protection and consumer trust, they write.
Noncompliance could ultimately be legislatively defined as an unfair or deceptive business practice and thus prosecuted by the U.S. Federal Trade Commission, they say. They also suggest that fast development of such an interstate code could “mitigate the slow pace at which the GDPR codes and certifications are being developed” and serve as a model for them.
WASHINGTON WATCH
STATEHOUSE BEAT
WORLD PRIVACY
|
|
|
Industry has until Oct. 28 to comment on latest CCPA rules easing “opt-out” for consumers; Prop 24 news
In an unexpected development, California Attorney General Xavier Becerra has proposed additional tweaks in language enforcing the California Consumer Privacy Act (CCPA) designed to make it harder for websites to fool or challenge consumers about exercising their privacy rights. Comments on the proposed wording changes are due by Oct. 28.
Becerra’s regulations have already been revised twice since the law took effect in early 2020. Enforcement kicked in recently, but there have been no high-profile announcements by Becerra yet of any actions.
“Well done,” Tweeted Ashkan Soltani, one of the principal authors of language which became the CCPA and a proponent of Proposition 24, a second digital-privacy initiative on the Nov. 3 California state ballot. Soltani’s Tweet lists ways in which the right of consumers to “opt-out” of data sale or sharing can’t be manipulated.
Meanwhile, with just over two weeks before California voters consider Proposition 24, the California Privacy Rights Act, news organizations are stepping up coverage. By far the best summary of the politics and positioning on the proposed law is authored by reporter Sam Dean of the Los Angeles Times. A support/opponent fault line continues to be around whether websites, including publishers, should be allowed to financially or service-wise penalize a consumer for refusing to share their personal data.
CCPA ENFORCEMENT
- CHART (above): Customer consultant creates pie chart of GDPR/CCPA overlaps | CompliancePoint.com blog
- Becerra regulations would outlaw wording buttons which hoodwink | Kieren McCarthy, TheRegister.com
- Newly Proposed CCPA Opt-Out Rules Would Ban Buried Links, Misleading Language | Wendy Davis, DigitalNewsDaily/MediaPost.com
- Comments on CCPA regulation changes due by Oct. 28 | Brandon Robinson, Blog4Good/LexBlog.com
- Four regulatory mods proposed by Becerra for CCPA | Eric Rosenkoetteer, Maurice Wutscher LLP law firm
- Becerra proposes reg changes to off-line notice and request submissions | Bethany Gayle Lukitsch, McGuireWoods LLP law firm
- CCPA enforcement rules evolve in confusing fashion? | Philip N. Yannella & Katie Morehead, LexBlog.com
- New regs requires “easy” and “minimal steps” opt-outs | David Stauss, Husch Blackwell LLP law firm
- LINK TO MULTIPLE ADDITIONAL STORIES
- Why marketers must pay attention to CCPA | Rohail Abrahani, DataVersity.net/
- Businesses prepare for fall surge in data-subject requests | Stephanie Miles, StreetFightMag.com
PROP 24 COUNTDOWN
|
|
Cafe Media exec sees detente possible among browsers, ad tech and publishers — in a long time
A key executive at the intersection of publishing and ad tech thinks a new approach to personalizing advertising that is more “privacy friendly” than today may be worked out among browser software companies, ad tech and publishers but it may take more than two years.
Google declared in early 2020 that it would cease carrying or supporting third-party cookies in the Chrome browser in two years. It has been vague about the exact deprecation date.
Paul Bannister, chief strategy officer of publishing ad manager Cafe Media, commented in an interview with Privacy Beat after an Oct. 6 meeting of the member-only Improving Web Advertising Business Group of the World Wide Web Consortium’s (W3C). The group is debating a standards proposal from Google called “DoveKey.” (See Privacy Beat, Oct. 2). A key feature of DoveKey appears to be that data for advertising auctions would reside on a trusted third-party server rather than inside a user’s web-browser software.
“I think (Google’s) Chrome will figure out a pretty good cohort-based system of targeting that increases user privacy and takes a lot of work to make it happen but makes advertising work OK,” Bannister said. “In the flip side, I think (Apple’s) Safari will continue its drive to disintermediate advertises and publishers from readers and I do wonder at what point publishers start saying to use a different browser.”
COVID-19 AND PRIVACY
PERSONAL PRIVACY
PRIVACY BUSINESS
UPCOMING EVENTS
|
|
QUOTE OF THE WEEK
Famous tech-industry consultant Don Tapscott sees individual ownership of personal data as needed to end era of data “feudalism” by “digital landlords”
PROBLEM:
“Commandeering of our data. Decades ago, I had hoped the internet would support our rights to life, liberty and the pursuit of happiness in the process. Instead, the digital economy created a system of what I called “digital feudalism,” wherein a tiny few appropriated the largesse of this new era of prosperity. Data, the oil of the twenty-first century, was not owned by those who create it. Rather, it was controlled by an increasingly centralized group of “digital landlords” who collect, aggregate, and profit from the data that collectively constitutes our digital identities. By exploiting our personal data, they achieved unprecedented wealth, undermining our privacy and revenue potential in the process . . . . “
SOLUTION:
“New models of identity. Let’s move away from the industrial-age system of stamps, seals, and signatures we depend on to this day. We need to protect the security of personhood and end the systems of economic exclusion and digital feudalism. Individuals should own and profit from the data they create from the moment of their birth.”
|
|
ABOUT PRIVACY BEAT
Privacy Beat is a weekly email update from the Information Trust Exchange Governing Association in service to its mission. Links and brief reports are compiled, summarized or analyzed by Bill Densmore and Eva Tucker. Submit links and ideas for coverage to newsletter@itega.org.
|
|
|
|
|
|