Jockeying begins to lead California’s new privacy enforcement agency; ad tech turns to DC for relief; new definitions

Wanted: Five people expert at — or intrigued by — privacy and digital-commerce to join the governing board of the California Privacy Protection Agency. To start within 90 days.

Also wanted — by ad-tech companies — federal legislation rather than more state laws like California’s — or those under consideration in up to 17 states.

Those are the most immediate impacts after California voters’ approval this week of Proposition 24 — the California Privacy Rights Act (CPRA).  Although enforcement won’t begin until Jan. 1, 2023, and data control not until Jan. 1, 2022, there’s a lot of work to do to write regulations that implement the first-in-the-nation comprehensive digital-privacy law.

And that will be the job of the agency’s board.  So who gets named is going to be of keen interested.  Appointments are made by the governor, state attorney general, state Senate rules committee, and speaker of the state Assembly.

A bevy of news stories, and analyses by privacy lawyers, rolled out following Tuesday’s ballot approval, by a not-yet-finally-counted vote of at least 56% in favor.  The CPRA will replace the current California Consumer Privacy Act (CCPA), which only took effect this year.

DigiDay’s Lara O’Reilly’s account focused on what publishers need to know.  When CCPR is effective, its no longer share not just sell or track The legislation also specifically refers to the sharing of data for what it calls “cross-context behavioral advertising.” Publishers will be required to display “prominently and conspicuously” on their homepages a “Do Not Sell or Share My Personal Information” link.

Privacy advocates, who felt the law doesn’t go far enough, plan to lobby the Legislature to amend it, particularly around the question of “paying for privacy.”

• AUDIO: Does CPRA create data privacy “haves” and “have nots”? | Jessica Lee via Marketplace.com (SEE QUOTE OF THE WEEK, BELOW)
• Paying for privacy was at core of CPRA debate | Laura Mahoney, BloombergLaw.com
• CCPA 2.0 expands companies’ opportunity to make you pay for privacy? | Caleb Chen, Privacy News Online

“Now is the time for the California Legislature to build on Proposition 24,” California ACLU attorney Jacob Snow said in a statement, “to make sure that companies get permission before using or sharing our personal information, prohibit companies from charging us more for exercising our fundamental rights, and impose substantial consequences on companies that break the law.”

Among key changes the law makes that affect the programmatic advertising industry — clear definitions of “sharing”, “selling”, and whether a company is a “service provider” or a mere “contractor” when handling personal identifying information.  Depending where a company falls, the rules for use of data will vary, once clarifying regulations are finalized next year. Also covered: When data is sufficiently “de-identified” as to be not of concern under the law.

• IAB lawyer explains CCPA, CPRA hitten “third party business” classification | Michael Hahn & Sundeep Kapur, IAPP.org

Ad industry groups that had opposed the measure — including the American Association of Advertising Agencies, American Advertising Federation, Association of National Advertisers, Interactive Advertising Bureau, and Network Advertising Initiative — on Wednesday reiterated their support for a federal privacy law, Wendy Davis wrote at MediaPost.

“In the absence of federal action, consumers and businesses face a conflicting patchwork of privacy laws that offer uneven protection, confuse consumers and businesses, and create uncertainty that stifles marketplace innovation,” said Dave Grimaldi, IAB’s executive vice president for public policy, said in a joint statement from the ad-tech industry’s Network Advertising Initiative, a draft of which was posted to its website on Friday and then later removed.

CPRA DEEP DIVE

• INFOGRAPHIC: The CPRA’s 10 most impactful provisions | International Association of Privacy Professionals
• CPRA’s core principles cited | Ronan Shields, AdWeek.com
• CPRA makes it harder for Google, Facebook to track, collect or share data | Aaron Holmes, BusinessInsider.com
• Attorney provides key touchpoints triggering CPRA for companies | Brian Rinker, San Francisco Business Times
• The Consumer Privacy Rights Act – CCPA 2.0 – Passes In California | Allison Schiff, AdExchanger.com
• Key new feature of CCPA 2.0 — a $10M funded enforcement agency | Jedidiah Bracy, IAPP Staff 
• With Prop 24, Californians get more data control | Pymnts.com
• Why digital advertisers are concerned about CPRA/Prop 24 | Garrett Sloane, AdAge.com
• Here’s what changes with approval of Prop 24 / CPRA | Greg Sterling, SearchEngineLand.com
• CPRA passage imposes new regs on info-security officers | Joe Uchill, SCMagazine.com

ANTITRUST AND SECTION 230 

• ANTITRUST: To save the free press, bust the tech monopolies’ control over advertising | Phillip Longman, Washington Monthly
• ANTITRUST: Corporate think-tank panelist criticizes Cicillini report research | Mark Jamison, American Enterprise Institute
• Sen. Wyden defends his Section 230 against “government speech police” | Tyler Olson, Fox News
• ANALYSIS: The loser of the election: Section 230 | Owen Thomas, Tech Insider/San Francisco Chronicle
• What were we thinking in 1996 when we approved Section 230? | Roger J. Cochetti, TheHill.com
• Digital policy expert says FCC can’t regulate Section 230 | Gigi Sohn via Benton Foundation

STATEHOUSE BEAT

• Maine voters double down on facial recognition ban in win for privacy | ITEK Host Blog
• “It’s Your Data Act” introduced in NY Legislature | Heather McArn et al., Hinshaw & Culbertson law firm
• ROUNDUP: Privacy election results from Maine, Mass. and Michigan | IAPP Daily Dashboard

Apple requires explicit privacy disclosure notice on all App Store uploads after Dec. 8, including for advertising and tracking

Ownership of “universal identity” emerging as touchy subject for ad tech’s Unified ID 2.0, report says

On the heels of announced alliances with LiveRamp and Criteo S.A.,  ad-tech demand-side platform (DSP) giant The Trade Desk Inc., picked up press-release support from Nielsen Holdings plc this week for its Unified ID 2.0 effort to replace third-party cookie syncing for web and connected TV ad targeting.

The newfound ad-tech alliances around Trade Desk’s Unified ID 2.0 appear to be aligning with LiveRamp’s two-year promotion of the Advertising ID Consortium, Inc. initiative, which has yet to announce support from any publishers, or much governance detail. Publishers have direct relationships with readers and viewers and are presumably trying to figure out how they sell advertising without being dependent on Google, Facebook, Amazon or a consortium of ad-tech companies.

“[The Trade Desk] is touchy on the subject of who owns the Unified ID 2.0 initiative,” wrote knowledgeable reporter Allison Schiff in her AdExchanger story Nov. 5. “It’s designed to be an industry effort. But the digital ad ecosystem is littered with the bodies of failed and/or aborted identity consortiums and attempts at a universal ID. (See: DigiTrust and the Advertising ID Consortium backed by LiveRamp.)”

The idea of Unified ID is to collect email addresses with permission from users, then hash and encrypt them and turn them into IDs that will allow following of users among participating websites for targetted advertising.  Nobody’s explained yet how the system will comply with European Union or pending California privacy law.  Meanwhile, data services provider Lotame appears to be in the game, too, with “Panorama ID”, which is explicited asserted in its Oct. 28 unveiling is GDPR and CCPA compliant.

In announcing collaborations, The Trade Desk said it developed initial product code for its Unified ID 2.0 “to be non-commercial, open-source, interoperable, and administered by an independent organization” — with no details on the organization. LiveRamp’s independent organization has said it is a non-stock Delaware corporation, a 501(c)6 industry association, whose board was initially populated  by representatives of ad tech.

There are no details on the Delaware Secretary of State’s website for LiveRamp’s Advertising ID Consortium. The entity’s website says: “Currently, the Consortium membership includes supply-side and demand-side technology platforms who represent a large share of programmatic transactions in the open web. In 2018, the Consortium opened its membership to marketers and publishers to participate in shaping the Consortium’s priorities.” The are no details about joining on the one-page governance document.  (See also: Tech workflow)

In her story, Schiff continued: “The Trade Desk is spearheading the development of Unified ID 2.0, company executives are always very quick to point out that multiple companies are contributing code.Even so, most marketers don’t fully realize that the Unified ID 2.0 is a Trade Desk product, said [Nicole] Perrin [a principal analyst at eMarketer].”

AD TECH

• Liveramp Identity Link as a replacement for the third party cookie? | Nathan Patrick, ByeCookie.com
• TradeDesk’s Unified ID gains support from Criteo, Nielsen | Allison Schiff, AdExchanger.com | EARLIER STORY
• Lotame unveils “cookieless” Panorama ID for web identity | MarTechSeries staff
• NYU followup: Facebook has good reasons for blocking political ad targeting research | John Naughton, The Guardian
• Zuckerberg slams Apple IDFA privacy as harming 2021 economic recovery | Tyler Sonnemaker, BusinessInsider.com
• Zuckerberg fears for future of ‘personalized’ advertising | Allison Schiff, AdExchanger.com
• Unilever in no rush to return to Facebook as alternatives do well | Jack Neff, AdAge.com
• Cheq study forecasts ad fraud will reach $35B this year | Alison Weissbrot, CampaignLive.com
• Project Signal — Washington Post’s contextual ad targeting bid | Sara Guaglione, DigitalNewsDaily/MediaPost.com
• WashPost beefs up contextual targeting in post-cookie era | Lucinda Southern, AdWeek.com
• WashPost executive  says it’s not just about context but consumption | Jarrod Dicker, WashPost PR Blog
• Publicis survey finds marketers pessimistic about third-party cookie changes | Larissa Faw, AgencyDaily/MediaPost.com
• Euro ad group say they don’t want Apple policing with IDFA clampdown | Ronan Shields, AdWeek.com
• OPINION: Ad-tech sell sider’s view on what IDFA sunset means to brands | Jordan Grossman, GasBuddy via Adexchanger.com

PERSONAL PRIVACY

• Remote education is rife with threats to personal privacy | Nir Kshetri, UNC-Greensboro via TheConversation.com
• Clearview’s faceprint technology vulnerable to First Amendment challenge? | Adam Schwartz & Andrew Crocker, Electronic Frontier Foundation
• REPORT: The Pandemic’s Digital Shadow | Freedom House | DOWNLOAD