Ad-tech designates a nonprofit to operate competitor to Google’s “Privacy Sandbox”; governance, rules to come

Privacy Beat

Your weekly privacy news update.



ABOVE: The Trade Desk is turning over its “Unified ID 2.0” tech to be operated by industry nonprofit, Inc.

Ad-tech designates  nonprofit to operate competitor to Google’s “Privacy Sandbox”; governance, rules to come


The ad-tech industry took a big step this week in a race to assert control of user identity rather than cede it to browser makers such as Google and Apple.  The step was the announcement that “Unified ID 2.0” will become an open-standard identity-sharing system completed and operated by a nonprofit,, Inc.

The announcement is significant because the originator of Unified ID 2.0 — the Trade Desk Inc., is a Wall Street-owned major ad-tech company — and its identity idea would have been contending with a half-dozen or more initiates of for-profit competitors.  If it passes ownership and control of Unified ID 2.0 on to Prebid it would be distinguished from for-profit competitors.

The other reason the move is important is that it establishes an appearance of momentum to counter features of Google’s “Privacy Sandbox” initiative, which would place user identity and profile management within the Chrome browser (or other browsers if they adopt it).  Google is starting testing of the related “FLoC” code, which it has asserted is as effective for advertisers as managing identity with third-party cookies. Skeptics say Google’s assertion is not fully backed up.

But the race is now on — will identity be managed technically within the browser, on across the web via something like Unified ID 2.0? “The timing is tight, and we do everything we can to accelerate this, which is why we’re excited about this announcement because it signals the end of talking and planning and the beginning of the actual doing,” Tom Kershaw, Prebid’s board chair, told AdWeek’s Andrew Bluestein in a story posted Thursday.  Kershaw added in an AdExchanger article: “I’d argue that UID 2.0 and Prebid’s efforts around identity are moving at a faster pace than the Privacy Sandbox and that they’ll probably be ready earlier than some of the Privacy Sandbox work,” he was quoted as saying.

Unified ID 2.0 was termed a “community identifier” by Kershaw in Prebid’s official announcement on Thursday. Kershaw also called it a “community asset operated by the industry.”  The statement does not define which community or industry is involved.  Kershaw is also CTO of ad-tech company Magnite, formerly known as The Rubicon Project.

“Unified ID 2.0 was built on a very simple premise – an ID using logins that’s interoperable with other proposed ID solutions – in a way that improves consumer control while preserving the value exchange of relevant advertising,” said Dave Pickles, co-founder, Chief Technology Officer at The Trade Desk and board member. “‘s commitment will ensure independent third party management of Unified ID 2.0 and that it will continue to be developed, based on open source principles, in the best interests of the marketing industry and its consumers.”

Participants in Prebid will have to subscribe to a code of conduct, organizers said. Initially Prebid will be operated without charge to participating ad-tech and other entities, absorbed within the per-company fees of $5,000 to $40,000 a year.

Prebid has not disclosed details of its bylaws or organizing papers publicly so it may not be generally known if it has any stockholders, nor what would happen to any assets if it were to be sold or closed.  In another interview with AdExchanger’s Allison Schiff, Kershaw said Prebid intends to operate services which generate and share encrypted identifiers based upon email addresses supplied by publishers.  “We’re not administering it or providing policy functions,” he told Schiff. “What we’re doing is operating the machinery.”, Inc. was established in 2017 as a nonprofit Delaware corporation to support the “header bidding” required for programmatic advertising, or in corporate papers, “to develop, maintain and steward the responsible integration layer between publishers and the programmatic ecosystem . . . . “  That system is now seen as troublesome from a privacy standpoint. Unified ID 2.0 is an effort by ad tech interests to change that view.

Prebid’s board is currently solely executives of advertising-technology companies, who are guaranteed those controlling seats under its bylaws. Other stakeholder groups collectively get to name some additional, non-controlling board seats. It apparently has no statutory voting members, although its terms companies who pay into Prebid “members.”

Current board members are employed by Index Exchange, MediaMath, Criteo, MediaVine, PubMatic, Magnite, Xandr, CafeMedia, the Trade Desk and OpenX.  “Leader members” guaranteed seats are Index Exchange, Magnite, MediaMath, OpenX, PubMatic, the Trade Desk and Xandr.

Prebid, with 25 employees, has about 100 non-controlling “members”, including at least 21 publishers listed on its website. On the list of mostly small publishers are such name brands as AdvanceLocal, Gannett, Hearst and News Corp.




Does your organization need customized privacy compliance solutions? ITEGA  can help.

We bring together support you need to approach compliance with CCPA, GDPR if needed, and future privacy legislation as it emerges.

Learn More


A screen shot of Dan Clarke and Michael Hellbusch’s YouTube webinar on state privacy activity delivered Wednesday.

Lawyer, compliance expert detail ‘landslide’ of state privacy legislation — details in 55-minute YouTube video

State lawmakers are not waiting for Washington to enact digital-privacy protections for their residents and the action is moving almost too fast to follow, a lawyer and privacy-compliance executive say in a 55-minute archived YouTube video recorded Feb. 17.

“You have to keep an eye on this,” IntraEdge President Dan Clarke said during a fast-moving overview with slides about the state of legislation in Washington state and Virginia, and narrative reports on bills in Florida, New York, Utah, North Dakota, Oklahoma and Texas, among other states. In general, he and attorney Michael Hellbusch of the Rutan & Tucker LLP firm, said states are copying either the existing California law, the EU’s GDPR or the billing in Olympia, Wash. The also said:

  • Measures destined for passage do not include a private right of action, even though that is sought by privacy advocates, because it is a lightning rod for massive business opposition
  • Washington state’s bill, like California, does not require “opt-in” to use sensitive data, rather it gives the consumer a clear path to “opt-out.”  (VIEW SLIDE)
  • But Virginia is “opt-in,” has new language defining anonymized data, and it is likely to become law as soon as March 1.  (VIEW SLIDE 1) | (VIEW SLIDE 2)
  • New York Gov. Andrew M. Cuomo, in his “state-of-the-state” address, declared as a top priority getting a privacy law in place by April in the nation’s fourth-most populated state and the home of many media and data companies.

“We’re starting to see this landslide approach of other states,” said Clarke, with Texas lawmakers seemingly waiting to see what happens in Washington and Virginia before crafting bill details there, and Minnesota also waiting.




CCPA enforcement: Missing “opt-out” buttons, failure to disclose data partners, non-responsiveness

DigDay reporter Kate Kaye expended some virtual shoe leather to produce this week the first peak at how enforcement of the California Consumer Privacy Act is going.  Based on conversations with privacy lawyers, the ad industry and an unnamed spokesperson for California Attorney General Xavier Becerra, she reports in “People file lawsuits to test boundaries of California’s privacy law” that:

  • Somewhere between 50 and 100 lawsuits may already have been filed in California courts by individuals alleging privacy breaches under the law, but none are know to have have reached court or settlement. So it is too early to tell if they will help definite language in the law.
  • Becerra’s office confirms they have sent out 30-day “notices to comply” but they won’t confirm the number or disclosure who they’ve gone to. Retail, financial and health-related sites were among recipients of enforcement letters, the AG’s office told Kaye.
  • Lawyers consulted by Kaye said that among issues raised by the compliance notices were:  (1) An alleged failure to identity partner companies a website is sharing personal data with; (2) A question about the location of an “opt-out” button and (3) Failure to respond to consumer requests to have their data deleted or not sold or (4) Failure to update company privacy policies.
  • RELATED: Does CPRA ambiguity imperils content for underrepresented communities? | Dominique Shelton Leipzig, IAPP Privacy Perspectives/






Like what you see? Then recommend to a friend.

Subscribe to Privacy Beat





Identity, Advertising and Future of Journalism | March 4, ITEGA


How Section 230 got twisted by decisions so that distributors got lumped in with publishres 

“The actual text of the law is fine, and I wouldn’t change it. My proposal for reform would be for Congress to reissue Section 230 with the same text and instruct courts to follow the actual text of the law.  The problem with Section 230 is that in a bout of free speech zeal, courts have interpreted the law to be far more extensive than it is written or should be.

“Suppose someone posts a nude photo of you in a comment to my blog post. You ask me to remove it. I say: “Nah, I don’t care. Get lost!”  Section 230 immunizes me. But it shouldn’t.  Although someone else posted the photo, I provided the forum that allowed this person to post it. I have control over the logs that have the poster’s IP address that can be used to identify the poster. I have control over what information gets posted to my website. I also have built an audience, am disseminating information to that audience, and am making information available online for anyone in the world to see. I am also receiving benefits from having my blog and am monetizing it with ads. With these powers and financial rewards should come some responsibilities to ensure that I’m not causing harm to others.

“Contrast this case to intellectual property law. When a company claims its content is being infringed, the law and courts sing a very different tune. Suddenly, there are no free speech concerns. If you owned the copyright to that nude photo on my blog, you could force me to take it down. Section 230 doesn’t apply to copyright.

“  . . . Unfortunately, courts are interpreting Section 230 so broadly as to provide too much immunity, eliminating the incentive to foster a balance between speech and privacy. The way courts are using Section 230 exalts free speech to the detriment of privacy and reputation. As a result, a host of websites have arisen that encourage others to post gossip and rumors as well as to engage in online shaming. These websites thrive under Section 230’s broad immunity.

“Section 230 should not be abolished. But it should be restored to its original meaning and purpose – a much more limited scope than it has now.  Recovering distributor liability will lead to a better balance between free speech and protection against harm. It will promote greater responsibility for platforms and ISPs.”


Privacy Beat is a weekly email update from the Information Trust Exchange Governing Association in service to its mission. Links and brief reports are compiled, summarized or analyzed by Bill Densmore and Eva Tucker.  Submit links and ideas for coverage to

Share Share

Tweet Tweet

Share Share

Forward Forward




Copyright © 2021 Information Trust Exchange Governing Association, All rights reserved.

Want to change how you receive these emails?
You can update your preferences or unsubscribe from this list.

Email Marketing Powered by Mailchimp