Belgians: GDPR infringed by RTB; call for privacy “accountability agent”; new CCPA rules?

Privacy Beat

Your weekly privacy news update.



Belgian investigation said to find real-time-bidding ‘infringes” GDPR; refers for litigation follow up in 2021

Irish-based privacy advocate Johnny Ryan said this week that Belgian data-protection authority investigators think the programmatic  advertising ecosystem used by Google and sanctioned by the Interactive Advertising Bureau (IAB)  infringes the EU’s General Data Protection Regulation (GDPR).

He says the Belgian Data Protection Authority (APD-GBA) is referring its investigatory findings for litigation followup in early 2021. It’s findings, which Ryan selectively discloses — which he said are not yet public — concluded “IAB Europe’s approach demonstrates that it neglects the risks that would impact on the rights and freedoms of data subjects.”

Ryan works for the nonprofit Irish Council for Civil Liberties and he formerly was with Brave Inc., the U.S. web-browser maker.  The Belgian proceedings are the result of a complaint Brave brought in 2018.  It focuses on the practice called “Real Time Bidding,” as well as the “Transparency and Consent Framework” (TCF), devised by the IAB Europe

The Belgian DPA “concluded that the IAB Framework allows companies to swap sensitive information about people even when this has not been authorized,” Ryan writes in an Oct. 16 blog post headlined, “Data Protection Authority investigation finds that the IAB Transparency and Consent Framework infringes the GDPR.” 

IAB Europe responded in a statement that the investigatory finding “has no binding effect with regard to any breach of the law by IAB Europe.”  It called for “an opportunity for a constructive, good-faith dialogue on how the TCF can be improved . . . . “

TechCrunch’s Natasha Lomas picked up Ryan’s blog post and her story is headlined “IAB Europe’s ad-tracking consent framework found to fail GDPR standard.”  She writes: “A flagship framework for gathering Internet users’ consent for targeting with behavioral ads — which is designed by ad industry body, the IAB Europe — fails to meet the required legal standards of data protection, according to findings by its EU data supervisor.” She writes that the still-private report was “reviewed by TechCrunch.”

Both Ryan and Robin Berjon, a data-policy exec at The New York Times, Tweeted extensively about the Belgian investigators’ conclusions. Also commenting was Jason Kint, CEO of Digital Content Next, a U.S.-based quality-digital-publisher trade group.

Berjon called the Belgian action good for publishers. “Broadcasting personal data also means broadcasting audience data,” Berjon Tweeted about the RTB system. “In turn, this leads to devalued audiences and lower revenue since the adtech companies in the RTB system can target high-value news audiences without paying news outlets.”




Does your organization need customized privacy compliance solutions? ITEGA  can help.

We bring together support you need to approach compliance with CCPA, GDPR if needed, and future privacy legislation as it emerges.

Learn More




Legal think tank suggests third-party “accountability agent” could certify and  jump start U.S. privacy rules

A trio of privacy lawyers has an idea for jump-starting a uniform privacy framework in the United States without waiting for Congress to act — form a nonprofit certification organization for creating and enforcing model privacy policies.  The idea appears to be similar in part to the work of the Information Trust Exchange Governing Association (ITEGA), publisher of this email blog.

The “Concept Proposal” is outlined by attorneys Markus Heyder, Sam Groga and Matthew Starr in an eight-page white paper published to the web on Sept. 26 without fanfare.  The three practice law at the Washington, D.C., office of Hunton Andrews Kurth LLP in what it calls its “Centre for Information Policy Leadership,” a corporate-member think tank.

“There is a lot of interest among our member companies,” Heyder told Privacy Beat this week. “We want to see if there is enough interest among federal government stakeholders and member companies to build a working group and develop this code.”

The nonprofit third-party organization would manage certifications “enabling enforcement or regulatory bodies with otherwise-limited investigative and enforcement resources to leverage certifying bodies’ review and monitoring of organizations’ compliance with the code.”  They term the third-party certifier an “accountability agent.”

Currently only California, Maine and Nevada have digital data-privacy laws in place, they say, and the European Union’s General Data Protection Regulation (GDPR) still lacks many implementing codes or certification requirements. The National Conference of State Legislatures tracks privacy proposals.

The lawyers  suggest a “multistate privacy interoperability code of conduct or certification” as a way small businesses coil more easily comply with diverse state privacy requirements. Emergence of and compliance with such a code could increase accountability, privacy protection and consumer trust, they write.

Noncompliance could ultimately be legislatively defined as an unfair or deceptive business practice and thus prosecuted by the U.S. Federal Trade Commission, they say.  They also suggest that fast development of such an interstate code could “mitigate the slow pace at which the GDPR codes and certifications are being developed” and serve as a model for them.




Industry has until Oct. 28 to comment on latest CCPA rules easing “opt-out” for consumers; Prop 24 news

In an unexpected development, California Attorney General Xavier Becerra has proposed additional tweaks in language enforcing the California Consumer Privacy Act (CCPA) designed to make it harder for websites to fool or challenge consumers about exercising their privacy rights.  Comments on the proposed wording changes are due by Oct. 28.

Becerra’s regulations have already been revised twice since the law took effect in early 2020. Enforcement kicked in recently, but there have been no high-profile announcements by Becerra yet of any actions.

“Well done,” Tweeted Ashkan Soltani, one of the principal authors of language which became the CCPA and a proponent of Proposition 24, a second digital-privacy initiative on the Nov. 3 California state ballot. Soltani’s Tweet lists ways in which the right of consumers to “opt-out” of data sale or sharing can’t be manipulated.

Meanwhile, with just over two weeks before California voters consider Proposition 24, the California Privacy Rights Act, news organizations are stepping up coverage. By far the best summary of the politics and positioning on the proposed law is authored by reporter Sam Dean of the Los Angeles Times. A support/opponent fault line continues to be around whether websites, including publishers, should be allowed to financially or service-wise penalize a consumer for refusing to share their personal data.



Like what you see? Then recommend to a friend.

Subscribe to Privacy Beat

Cafe Media exec sees detente possible among browsers, ad tech and publishers — in a long time

A key executive at the intersection of publishing and ad tech thinks a new approach to personalizing advertising that is more “privacy friendly” than today may be worked out among browser software companies, ad tech and publishers but it may take more than two years.

Google declared in early 2020 that it would cease carrying or supporting third-party cookies in the Chrome browser in two years. It has been vague about the exact deprecation date.

Paul Bannister, chief strategy officer of publishing ad manager Cafe Media, commented in an interview with Privacy Beat after an Oct. 6 meeting of the member-only Improving Web Advertising Business Group of the World Wide Web Consortium’s (W3C).  The group is debating a standards proposal from Google called “DoveKey.”  (See Privacy Beat, Oct. 2). A key feature of DoveKey appears to be that data for advertising auctions would reside on a trusted third-party server rather than inside a user’s web-browser software.

“I think (Google’s) Chrome will figure out a pretty good cohort-based system of targeting that increases user privacy and takes a lot of work to make it  happen but makes advertising work OK,” Bannister said. “In the flip side, I think (Apple’s) Safari will continue its drive to disintermediate advertises and publishers from readers and I do wonder at what point publishers start saying to use a different browser.”









Famous tech-industry consultant  Don Tapscott sees individual ownership of personal data as needed to end era of data “feudalism” by “digital landlords”

“Commandeering of our data. Decades ago, I had hoped the internet would support our rights to life, liberty and the pursuit of happiness in the process. Instead, the digital economy created a system of what I called “digital feudalism,” wherein a tiny few appropriated the largesse of this new era of prosperity. Data, the oil of the twenty-first century, was not owned by those who create it. Rather, it was controlled by an increasingly centralized group of “digital landlords” who collect, aggregate, and profit from the data that collectively constitutes our digital identities. By exploiting our personal data, they achieved unprecedented wealth, undermining our privacy and revenue potential in the process . . . . “

“New models of identity. Let’s move away from the industrial-age system of stamps, seals, and signatures we depend on to this day. We need to protect the security of personhood and end the systems of economic exclusion and digital feudalism. Individuals should own and profit from the data they create from the moment of their birth.”


Privacy Beat is a weekly email update from the Information Trust Exchange Governing Association in service to its mission. Links and brief reports are compiled, summarized or analyzed by Bill Densmore and Eva Tucker.  Submit links and ideas for coverage to

Share Share

Tweet Tweet

Share Share

Forward Forward




Copyright © 2020 Information Trust Exchange Governing Association, All rights reserved.

Want to change how you receive these emails?
You can update your preferences or unsubscribe from this list.

Email Marketing Powered by Mailchimp