Who will lead Calif. CPRA? Ad tech seeks DC help; Apple requires “privacy nutrition label”

Privacy Beat

Your weekly privacy news update.



Jockeying begins to lead California’s new privacy enforcement agency; ad tech turns to DC for relief; new definitions

Wanted: Five people expert at — or intrigued by — privacy and digital-commerce to join the governing board of the California Privacy Protection Agency. To start within 90 days.

Also wanted — by ad-tech companies — federal legislation rather than more state laws like California’s — or those under consideration in up to 17 states.

Those are the most immediate impacts after California voters’ approval this week of Proposition 24 — the California Privacy Rights Act (CPRA).  Although enforcement won’t begin until Jan. 1, 2023, and data control not until Jan. 1, 2022, there’s a lot of work to do to write regulations that implement the first-in-the-nation comprehensive digital-privacy law.

And that will be the job of the agency’s board. So who gets named is going to be of keen interest. Appointments are made by the governor, state attorney general, state Senate rules committee, and speaker of the state Assembly.

A bevy of news stories, and analyses by privacy lawyers, rolled out following Tuesday’s ballot approval, by a not-yet-finally-counted vote of at least 56% in favor.  The CPRA will replace the current California Consumer Privacy Act (CCPA), which only took effect this year.

DigiDay’s Lara O’Reilly’s account focused on what publishers need to know. When the CPRA is effective, the restriction no longer covers just selling or tracking, but sharing as well. The legislation also specifically refers to the sharing of data for what it calls “cross-context behavioral advertising.” Publishers will be required to display “prominently and conspicuously” on their homepages a “Do Not Sell or Share My Personal Information” link.

Privacy advocates, who felt the law doesn’t go far enough, plan to lobby the Legislature to amend it, particularly around the question of “paying for privacy.”

“Now is the time for the California Legislature to build on Proposition 24,” California ACLU attorney Jacob Snow said in a statement, “to make sure that companies get permission before using or sharing our personal information, prohibit companies from charging us more for exercising our fundamental rights, and impose substantial consequences on companies that break the law.”

Among key changes the law makes that affect the programmatic advertising industry are clear definitions of “sharing”, “selling”, and whether a company is a “service provider” or a mere “contractor” when handling personal identifying information. Depending on where a company falls, the rules for use of data will vary, once clarifying regulations are finalized next year. Also covered: when data is sufficiently “de-identified” as to be not of concern under the law.

Ad industry groups that had opposed the measure — including the American Association of Advertising Agencies, American Advertising Federation, Association of National Advertisers, Interactive Advertising Bureau, and Network Advertising Initiative — on Wednesday reiterated their support for a federal privacy law, Wendy Davis wrote at MediaPost.

“In the absence of federal action, consumers and businesses face a conflicting patchwork of privacy laws that offer uneven protection, confuse consumers and businesses, and create uncertainty that stifles marketplace innovation,” said Dave Grimaldi, IAB’s executive vice president for public policy, in a joint statement from the ad-tech industry’s Network Advertising Initiative, a draft of which was posted to its website on Friday and then later removed.






Apple requires explicit privacy disclosure notice on all App Store uploads after Dec. 8, including for advertising and tracking

Apple Computer is tightening the noose further around privacy infractions, announcing this week that, starting Dec. 8, any application loaded to its App Store will have to have the equivalent of a “privacy nutrition label”. The label must set forth clearly what the app maker intends to do with user data and, in Apple’s words, “whether that data is linked to them or used to track them.” (Read Apple’s announcement and details.)

The notice will require an app developer to disclose not only their use of data but, Apple writes, “the practices of third-party partners whose code you integrate into your app . . . .” The rules define collection as “transmitting data off the device in a way that allows you and/or your third-party partners to access it for a period longer than what is necessary to service the transmitted request in real time.” Partners include analytics tools, advertising networks, third-party SDKs, “or other external vendors whose code you’ve added to your app.”

The policy details make a point of citing “third-party advertising” as a use for which transfer off device is categorically prohibited.  But there are some data uses which Apple says are permitted, such as collecting an email address to “authenticate the user and personalize the user’s experience within your app.”



Ownership of “universal identity” emerging as touchy subject for ad tech’s Unified ID 2.0, report says

On the heels of announced alliances with LiveRamp and Criteo S.A., ad-tech demand-side platform (DSP) giant The Trade Desk Inc. picked up press-release support from Nielsen Holdings plc this week for its Unified ID 2.0 effort to replace third-party cookie syncing for web and connected TV ad targeting.

The newfound ad-tech alliances around Trade Desk’s Unified ID 2.0 appear to be aligning with LiveRamp’s two-year promotion of the Advertising ID Consortium, Inc. initiative, which has yet to announce support from any publishers, or much governance detail. Publishers have direct relationships with readers and viewers and are presumably trying to figure out how they sell advertising without being dependent on Google, Facebook, Amazon or a consortium of ad-tech companies.

“[The Trade Desk] is touchy on the subject of who owns the Unified ID 2.0 initiative,” wrote knowledgeable reporter Allison Schiff in her AdExchanger story Nov. 5. “It’s designed to be an industry effort. But the digital ad ecosystem is littered with the bodies of failed and/or aborted identity consortiums and attempts at a universal ID. (See: DigiTrust and the Advertising ID Consortium backed by LiveRamp.)”

The idea of Unified ID is to collect email addresses with permission from users, then hash and encrypt them and turn them into IDs that will allow following of users among participating websites for targeted advertising. Nobody’s explained yet how the system will comply with European Union or pending California privacy law. Meanwhile, data services provider Lotame appears to be in the game, too, with “Panorama ID”, which its Oct. 28 unveiling explicitly asserted is GDPR and CCPA compliant.

In announcing collaborations, The Trade Desk said it developed initial product code for its Unified ID 2.0 “to be non-commercial, open-source, interoperable, and administered by an independent organization” — with no details on the organization. LiveRamp’s independent organization has said it is a non-stock Delaware corporation, a 501(c)6 industry association, whose board was initially populated  by representatives of ad tech.

There are no details on the Delaware Secretary of State’s website for LiveRamp’s Advertising ID Consortium. The entity’s website says: “Currently, the Consortium membership includes supply-side and demand-side technology platforms who represent a large share of programmatic transactions in the open web. In 2018, the Consortium opened its membership to marketers and publishers to participate in shaping the Consortium’s priorities.” There are no details about joining on the one-page governance document. (See also: Tech workflow)

In her story, Schiff continued: “The Trade Desk is spearheading the development of Unified ID 2.0, company executives are always very quick to point out that multiple companies are contributing code. Even so, most marketers don’t fully realize that the Unified ID 2.0 is a Trade Desk product, said [Nicole] Perrin [a principal analyst at eMarketer].”




Short reference to privacy suggested by Cantwell as solution to journalism funding crisis; platforms accused

A 66-page advisory report by U.S. Sen. Maria Cantwell, D-Wash., suggests privacy may be one way to help stem the decline of local journalism — although details aren’t provided.

“Federal privacy protections can also serve to empower consumers to provide more support to local news organizations that provide them with more trusted and relevant information,” concludes the report,  entitled “Local Journalism: America’s Most Trusted News Sources Threatened” and released in late October.  There is no other reference to privacy in the report.

The Seattle Times covered the report’s release on Oct. 27, focusing on report language declaring “local news has been hijacked by a few large news aggregation platforms, most notably Google and Facebook which have become the dominant players in online advertising.” The report says Google’s ad revenues exceed those of all U.S. TV and radio stations combined.

“How do you compete against the likes of Facebook, who mine a phenomenal amount of data to provide much better targeted advertising than we can?” The Times’ account quoted its own president, Alan Fisco, as saying. “We spend millions and millions of dollars on news-gathering costs. The likes of Google and Facebook take that content for free to keep people on their sites.”

In reply, a Google spokesman told The Times the platform sends 24 billion views per month to news sites and “publishers make money with our advertising products.” A Facebook spokesman said it allows free posting of news on Facebook and publishers “have full control over how that content is accessed and monetized.”





Privacy lawyer worries new CPRA could lead to a “pay-for-access” content model on the web — a resulting form of inequality?

Even the concept of offering financial incentives, I think, from the perspective, particularly of the civil rights agencies, sets up a structure where people might be in the position to have to pay for privacy. So privacy might be something that’s afforded to people who can pay for it as opposed to people who can’t  . . .  I mean, we’ve kind of bought into this concept of an ad-supported internet. We get access to a lot of content for free, because our data is used for advertising purposes.  And so if we have to opt out, if the way that we protect our privacy is that we have to opt out of sharing or opt out of selling, well, then the response might be companies will start to put up paywalls or put together subscription models . . . .

Molly Wood: Do you think it is inevitable that we will begin to create a system of haves and have-nots around data and privacy?

“I do, unless we take some thoughtful steps to correct it, because there’s a fundamental right to privacy. I definitely agree to that. But there’s no fundamental right to the content you have access to online. And I think if the business models shift and the current advertising model becomes less profitable, companies will have to look to other models. And those other models might require a pay-for-access, resulting in a good amount of inequality, unless we can start to get ahead of it. And I think we haven’t really seen any strong proposals to address that issue.”


Privacy Beat is a weekly email update from the Information Trust Exchange Governing Association in service to its mission. Links and brief reports are compiled, summarized or analyzed by Bill Densmore and Eva Tucker.  Submit links and ideas for coverage to newsletter@itega.org.





Copyright © 2020 Information Trust Exchange Governing Association, All rights reserved.
