Clash brews between privacy advocates and advertisers over CCPA “opt-out” tool enforcement; Apple seeks new browser control

Privacy Beat

Your weekly privacy news update.

VIEW IN YOUR BROWSER

 

As Consumer Reports adds funding for CCPA opt-out testing,  some in ad industry complain about Becerra’s privacy-agent ‘opt-out’ tool support

An early clash between the advertising industry and privacy advocates is shaping up over how California will enforce the “opt-out” provisions of the California Consumer Privacy Act (CCPA).

Research by the non-profit Consumer Reports (CR)  released this week shows that an aspect of the law which can be read to allow consumers to designate an “information agent” to submit hundreds of opt-out demands to data brokers, is the forcing issue.  That’s because California Attorney General Xavier Becerra, the CCPA enforcer, is saying the law requires companies to respect such automated bulk opt-out requests.

Last week, Becerra Tweeted his intention, and a co-author of CCPA, Ashkan Soltani, reacted.  This week CR reported that a 100-user research study found significant trouble gaining compliance from a small group of data companies to which CR submitted opt-out requests.  Read: “Why It’s Tough to Get Help Opting Out of Data Sharing,” by Kaveh Waddell, on the Consumer Reports website, and a story by MediaPost’s Wendy Davis: “Companies Fall Short of Compliance with CCPA, Consumer Reports Finds.”  Also, “On Operating a Do Not Sell Authorized Agent Under CCPA,” by CR’s Ginny Fahs.

At the same time, ad-industry trade groups drew a line in the sand, saying the law is supposed to only allow users to make one-by-one manual requests.

The dispute is important, because without an efficient way for consumers to register their distaste for use or sale of their data without their knowledge, CCPA loses much of its teeth. “Without an agent, it would take you 33 hours to opt out of the 400 registered data brokers in California, if you spent five minutes on each one,” says Don Marti, co-author of the CR study. (Marti is also an advisor to ITEGA, sponsor of this newsletter).

In the CR study, no user’s personal data was submitted or requested.  But on his own, Marti says he submitted an opt-out request to data brokers Oracle and Jira that included a request for what they had opaquely collected about him personally.  “Somehow I’m a single dad who drinks a lot of Diet Coke, and I’m in the market for eight luxury cars,” Marti, who is married, said in a blog post.

The issue of whether automated agents can execute opt-out demands is a do-or-die issue for ad-tech because if a large percentage of consumers do so, it could choke off a key source of target-marketing data.  But CR will keep testing.  Also this week, it announced a new round of funding from Craig Newmark Philanthropies and Omidyar Network for its research.  Becerra is awaiting confirmation for a Biden cabinet position, so there is a possibility of both sides lobbying whoever is appointed to succeed him as California AG.

CALIFORNIA PRIVACY 

IDENTITY 

PLATFORM ANTITRUST 

Does your organization need customized privacy compliance solutions? ITEGA  can help.

We bring together support you need to approach compliance with CCPA, GDPR if needed, and future privacy legislation as it emerges.

Learn More

 

Above, How Facebook plans to make its case for seeking user data (see “PRIVACY FACEOFF” below)

With PCM launch, Apple pushes to be standard for browser control of ad effectiveness measurement

Apple’s Safari browser will soon begin keeping track when users buy something in response to an ad, but the company’s developers say that information will not been accessible to Apple or anyone other than the publisher or advertiser running the ad campaign.

The feature is called “Private Click Measurement,” (PCM) and Apple’s John Wilander has been talking about it for months in the open privacy-interest group of the World Wide Web Consortium (W3C).  In posting a detailed description about PCM he candidly acknowledged the desire for PCM to become an open web standard.  “We are working with them to get there,” Wilander says. But no other browser maker has committed to use it as yet.  So Apple is going ahead unilaterally.

Advertisers want to know when an ad “converts” to some action, like a purchase, or a visit to a product website and they have been used to getting that through third-party cookies.  But with diminishing use of cookies, Apple and others are seeking alternatives to assist the ad industry’s measurement desires.  The big issue: Should the measurement be controlled within the browser, or done across web servers?  Some points Wilander makes in the announcement: 

  • PCM is not technically tied to advertising, so functional descriptions use more generic terms.  An interesting question: Could PCM be used to attribute, say, linking to a piece of content for copyright attribution or payment? 
  • An app-to-web path is supported, but not yet a web-to-app path.
  • The browser user will be able to look up their stored reports of purchases or other “conversions,” but the click reports will only be stored for seven days.
  • PCM is already included in downloads of Safari in test/debug mode, and the production version, in iOS and iPadOS 14.5 betas and will be turned on by default, although a user can disable it.
  • When a user makes a purchase, the browser won’t send a report immediately. Instead it will way as long as 48 hours and do so randomly, Wilander says. This is a privacy feature to make unauthorized user tracking difficult.

“IF PCM is being misused for tracking purposes or being used in conjunction with unrelated means of tracking users, events or devices, we may block the offending party from using PCM and potential future measurement features,” Wilander warned on behalf of Apple.

BROWERS, ADS AND PRIVACY

PRIVACY FACEOFF . . . 

 

 . . . APPLE’S VOLLEY

 . . . FACEBOOK SHOOTS BACK

 . . . GOOGLE PARRIES 

 

Nicholas Economides 
Economists calling for default data ‘opt-out’, regulation of platforms because of ‘market failure’ over private data

Two economists have penned a preview of a forthcoming research paper which calls for regulation of Google, Facebook and other platforms’ use of personal data, including a requirement that no data be collected without a user’s explicit permission — as required in the European  Union.

The two scholars are Nicholas Economides of the Stern School of Business at New York University and Ioannis Lianos, a professor at University College London.  Their new essay (see QUOTE OF THE WEEK, below, for excerpts) was posted this week to a blog run by the University of Chicago’s Booth Stiglitz Center, and titled, “Giving Away Our Data for Free is a Market Failure.”

“A required first remedy is to make ‘opt-out’ the default regime in the collection of personal information, and sellers would opt-in if they so wish,” the two economists write.  The authors of the California Privacy Rights Act (CPRA) have said they avoided an default “opt-out” (which would have been similar to European Union law) because it might have been vulnerable to U.S. constitutional challenge on First Amendment grounds.  Their essay previews a 72-page journal paper, which is already in pre-release form and to be published by the Networks, Electronic Commerce and Telecommunications Institute. 

“We have shown that the acquisition of private information by default without compensation by digital platforms such as Google and Facebook creates a market failure and can be grounds for antitrust enforcement,” the duo writes in a draft conclusion to the full-length article. They continue: “To avoid the market failure, the default in the collection of personal information has to be changed by law to ‘opt-out.’ “

The make several other recommendations, including a call for antitrust enforcement or the breakup of the platforms. Also, they suggest a system for management of data transactions and compensation, licensing of data and data portability and interoperability standards.

PERSONAL PRIVACY 

STATEHOUSE WATCH 

WASHINGTON WATCH 

EU PRIVACY

BIOMETRIC PRIVACY 

Like what you see? Then recommend to a friend.

Subscribe to Privacy Beat

Ad-blocker eye/o offers “Crumbs” — an in-browser privacy tool — that also releases anonymized data

There’s a new acronym to try and remember in the race to see who will do the best job of balancing privacy with the ad-tech quest for marketing data for targeting users.  It’s “Crumbs” and the originator is eye/o GmBH, the German company that became the most-prominent maker of ad-blocking software, with AdBlockPlus.

Eyeo announced Crumbs on Jan. 25. It calls it a browser plug in tool “that mitigates consumers’ desire for privacy control and advertisers’ need to understand an addressable audience.”

Eyeo is widely believed to be receiving payments from Google to let Google AdWords through its AdBlock Plus nets. Crumbs shares segment memberships from an advertising profile generated completely within the user’s browser or device app.  It was initial disclosed as  “Spectacle”  on GitHub. That’s an acronym for “Sensible Privacy Enablement by Clustering Targeting Attributes in CLiEnt.” (See Jan. 22 Privacy Beat item)

“For a thriving free web and notably journalism, availability of marketing data is crucial,” eyeo said in its public release. “Crumbs supports the monetized web — and especially content creators — by making anonymized yet broad data sharing that complies with common targeting scenarios.”

The eyeo approach works by storing user information in the browser. It’s downloadable from https://www.crumbs.org

An alternative approach would be to have one or more “information fiduciaries” who store and manage a user’s personal data on a server, and operate as the user’s agent to carry out the user’s privacy preferences.  Consumer Reports has been running an experiment with a small number of its members in California along these lines, and ITEGA, the sponsor of Privacy Beat, is pursuing a similar strategy with news publishers acting as the “fiduciary.”

COVID-19 AND PRIVACY

GLOBAL PRIVACY 

PRESS, PLATFORMS & AUSTRALIA 

MEDIA

UPCOMING EVENTS 

UPCOMING:  Identity, Advertising and Future of Journalism |

QUOTE OF THE WEEK

Requiring user permission to mine personal data necessary to fix “market failure” of platform surveillance, economists write 

  • Excerpts below are from an essay, “Giving Away Our Data for Free is a Market Failure,” posted Feb. 1 to the University of Chicago Booth Stigler Center blog by NYU economist  Nicholas Economides and University College London economist Ioannis Lianos. They write that by convincing users to give away their data for free, digital platforms have caused a market failure. The essay is excerpted from their 74-page working paper.

“A required first remedy is to make “opt-out” the default regime in the collection of personal information, and sellers would opt-in if they so wish.

“ . . . Platforms could switch to a regime of paying users for their data as we outlined earlier, which could lead to the emergence of a non-exclusive licensing market for user data when users opt-in to sharing their data with specific platforms. This would enable users to port their data to the platforms that offer them higher levels of return and better conditions in terms of valuing their privacy.

“Non-exclusive licensing could be instituted through a licensing agency that would collect the data from each user and distribute it to platforms. The user would be paid the combined sum of all the amounts that the relevant companies are willing to pay. To determine the “fair” value, one would need to refer to the value of the data in a competitive market. However, this is not currently possible as there is no competitive market, and network effects ensure that a competitive market will not have egalitarian market shares. Digital platforms are likely to exercise their buying power, resulting in downward pricing pressure in the market for personal data depriving the users from a portion of their revenues. A possible solution would be for competition authorities to facilitate users collectively bargaining.

 “ . . . Another option would be to promote the development of “data clubs” that operate on an open, non-exclusive basis and different companies to pool and share data, again respecting high privacy standards. 

 “ . . . Interoperability remedies may also help to intensify inter-platform competition, thus also contributing to a better protection of privacy-related competition.”

ABOUT PRIVACY BEAT

Privacy Beat is a weekly email update from the Information Trust Exchange Governing Association in service to its mission. Links and brief reports are compiled, summarized or analyzed by Bill Densmore and Eva Tucker.  Submit links and ideas for coverage to newsletter@itega.org.

Share Share

Tweet Tweet

Share Share

Forward Forward

Facebook

Twitter

Website

Copyright © 2021 Information Trust Exchange Governing Association, All rights reserved.

Want to change how you receive these emails?
You can update your preferences or unsubscribe from this list.

Email Marketing Powered by Mailchimp