Firefox splits the cookie jar; ConsumerReports writes privacy law: Facebook and Australia ignite news value debate

Privacy Beat

Your weekly privacy news update.



ABOVE: Mozilla’s illustration of “State Partitioning” rolling out in Firefox 86

Firefox splits the cookie jar in pre-emptive attack on tracking ahead of Apple and Google plans; but SSO can still work

Mozilla Corp., maker of the Firefox browser, launched a pre-emptive attack on “cookie” tracking this week, announcing it will begin shipping a new way of frustrating the practice — creating a unique bucket in the browser cache for each domain name and walling them off from each other. It calls the innovation “Total Cookie Protection.”

Here’s how Mozilla’s engineers described the change this week in an article explaining how the policy works and how to test it.

“Firefox includes a new storage access policy that blocks cookies and other site data from third-party tracking resources. This policy is designed as an alternative to the older cookie policies, which have been available in Firefox for many years. This policy protects against cross-site tracking while minimizing the site breakage associated with traditional cookie blocking.”

Until now, Firefox has partnered with a nonprofit,, which manually tracks opaque ad-tech and other “tracker” services and lists their domains in a “blacklist.” Firefox has then used that list, which includes the domains of most the major ad-tech companies,  to deny the historic functioning of third-party cookies in the browser.

“State partitioning is a different approach to preventing cross-site tracking,” Mozilla’s engineers write. Gizmodo’s Shoshana Wodinsky helps to explain in her piece, “Firefox’s Latest Update Promises Complete Cookie Control—With Just a Few Caveats’.

Another tech writer, TechCrunch’s Natasha Lomas, in her account, notes that Google has pledged to deny third-party cookie function in its dominant Chrome browser sometime next year, and is working on controversial alternatives.  Apple’s Safari has had a form of cookie-blocking for a couple of years but is about to role out an effort to frustrate other tracking approaches as well.

In its announcements, Mozilla provided an important note about the effect of its change on so-called federated Single Sign On (SSO) services. In a blog post, “Introducing State Partitioning”, the browser maker explained that when a user from one website is trying to log in via another affiliated website, but in a different domain, “we allow the state to be unpartitioned in certain cases” such as a legitimate SSO service. They continue “the top-level SSO site and the embedded SSO service’s iframe will start to use the same storage key, meaning that they will both access the same cookie jar. So, the iframe can get the login credentials via a third-party cookie.”

Mozilla’s browser maket share has been dropping for years and it is No. 4 after Chrome, Safari and Microsoft’s Edge browser.  It, however, is the only notable browser maker that is owned by a nonprofit, the Mozilla Foundation, and which has little or no revenues from advertising or subscriptions.




Does your organization need customized privacy compliance solutions? ITEGA  can help.

We bring together support you need to approach compliance with CCPA, GDPR if needed, and future privacy legislation as it emerges.

Learn More


The cover page, above, of Consumer Reports’ model privacy act, unveiled earlier this week.

Consumer Reports unveils tough “model” privacy act, accepts Virgina law but wants it strengthened

Consumer Reports, (CR) the nonprofit co-operative which now has a “digital lab” for testing and assessing privacy and other matters, is out this week with a 22-page model digital privacy law. It would ban outright most uses of personal data that now occur on the web — absent the user’s explicit OK.

It provides enforcement mechanisms that have so far been opposed by congressional Republicans, such as giving private citizens the right to sue rather than limiting action to state or federal enforcers alone. It permits “legitimate patronage programs” that don’t create “privacy have-nots.”

Justin Brookman, a lawyer who directed the drafting with colleague Maureen Mahoney, said CR decided it was important to stake out a strong pro-consumer posture but recognize that a process of negotiation and drafting will be required before anything passes Congress, where, he said,  “I don’t think privacy is the highest priority even compared to other tech policy issues right now.”

There are multiple digital-privacy bills sitting in Congress without much action and two Brookings Institution scholars proposed last year  another model statute that runs 48 pages. Brookman said he had yet to compare the two side by side.

Brookman isn’t saying CR will compromise on privacy. “There are areas for compromise at the margins,” he says. “But not with business models entirely predicated on selling data unbeknownst to the consumers and contrary to their wishes.”

Meanwhile, there’s a lot of action at the state level and Brookman hopes the model act’s language will influence debate in some state houses.  Consumer Reports, for example, decided not to opposed enactment of Virginia’s new privacy act, even though it lacks some of the things in the model bill. (See: “Consumer Reports wants global opt-out for Virginia but on balance likes new law.”) That puts CR at odds with the Electronic Frontier Foundation, the Consumer Federation of America and some PIRGs, which sent Virginia’s governor  this week a letter asking that he veto or return the bill. | RELATED REPORT






A screen capture of the pop-up seen by Australian Facebook users trying to read news last week.

Facebook, Google tussle with Australian government ignites debate over what will pay for news beyond “surveillance capitalism”; Tim Cowen weighs in

New rhetoric and the potential of new initiatives were brewing this week after the Australian government, following a last-minute faceoff with Facebook, enacted a law intended to force Internet platforms to pay for the news they show their users.

Deep questions about copyright and the incentives created by the law — plus whether it is leaving out small publishers — were left in the aftermath. There is talk that European publishers, with the backing of Microsoft Inc., may push something similar. And a larger question: Should journalism become dependent upon platforms such as Google and Facebook whose business models are frequently described as “surveillance capitalism”?  For example, in the midst of the Australian news, smaller platform Twitter announced a plan to charge for content rather than sell more advertising.

An early beneficiary of the Australian situation appears to be Australian-born media mogul Rupert Mudoch, after Google agreed to include his News Corp. in a voluntary payment approach called “News Showcase.”  But this attracted scorn  from a prominent London lawyer, who implied in an op-ed that Murdoch, who has been a consistent and vocal critical of the platforms, was in a “sweetheart deal.” Murdoch’s News Corp. owns both The Times of London and Wall Street Journal.

The British barrister is Tim Cowen, chair of the antitrust practice at Preiskel & Co. LLP and an advisor to a lobby group Marketers for an Open Web (MOW), which has been opposing before the U.K.’s Competition and Markets Authority (CMA) Google’s technology plans post third-party cookies.  MOW has refused to disclose its members, other than to say they include ad-tech companies, advertisers and some publishers — saying they fear Google reprisals.

“MOW has submitted to the CMA that a Google plan to change their browser settings and phase out third party cookies is really designed to undermine publishers’ ability to earn revenue from adverts on their own websites,” Cowen wrote in the op-ed posted on Friday (Feb. 26). They called for interim measures, to protect the public interest and the plurality of media by halting the roll-out of Google’s changes.




Like what you see? Then recommend to a friend.

Subscribe to Privacy Beat


As March 16 deadline to appoint oversight board approaches, CPRA backers launch information website

Seeking to encourage California citizens to exercise new legal rights to privacy, the lobby group which raised millions to push last fall’s successful California Privacy Rights Act (CPRA) ballot Proposition launched this week a simple web resource detailing the law’s use by consumers. It inclues an executive summary of the law, a section-by-section description, the full text and a timeline for its enforcement.

“The new law will give Californians the strongest online privacy rights in the world, including protecting sensitive personal information, tripling fines against companies that violate kids’ data, establishing an enforcement arm for consumers, and making it harder to weaken privacy laws in the future,” says the website.

The next milestone for the law is March 16, the deadline by which California’s governor, attorney general and lawmakers must name initial members of the oversight board that will approve regulations to enforce the law.







Identity, Advertising and Future of Journalism | March 4, ITEGA



Web privacy and identity: Societal and human questions too far-reaching to leave to one tech firm, one brand — or one industry

“You could call 2021 the year of identity and privacy. But that sells short the challenge, as well as the reality, that marketers are entering new and uncharted territory . . . 

“Right now, email authentication solutions feel like they’re in the lead; but they don’t scale for the web. Likewise, the IAB’s Project REARC initiative, while admirable, isn’t a silver bullet . . . Let’s be honest, it’s not just about technology. It’s about people. Marketers have a say, governments have a say and ultimately the consumer should have a say. Consider how Google’s Privacy Sandbox—regarded as the solution for the future of consented data—has been criticized by industry groups, such as Marketers for the Open Web. As multiple voices in the industry are mobilizing, we are far from consensus . . . 

 “ . . . [I]dentity solutions currently available fall into two buckets.

“In the first bucket, you have “identity currency providers.” Think LiveRamp, The Trade Desk’s Unified ID 2.0, Google’s Privacy Sandbox and other novel solutions designed by specific DSPs, as well as identifiers intended to work across ad-tech platforms like Brightpool and ID5.  In a sense, this bucket is the heir to the third-party cookie. But instead of a browser-based technology for tracking consumers across the web, the idea is to create clearinghouses for transacting anonymized audiences across platforms and channels.

“In the second bucket, you have “identity resolution partners.” Similar to the identity currency providers, identity resolution partners may offer a limited ability to transact, but the core idea is to give marketers insights into households and devices, and ultimately consumers, but done in a consented and privacy-centric way . . . 

“ . . . [P]rivacy and identity also raise larger societal and human questions that are too far-reaching to leave to a single technology firm, brand or industry. After all, philosophers still grapple with what identity means, and now we’re looking at the existential notion and the extent to which you can trade on identity or identity as the product itself. The Enlightenment principles that underpin how we think about privacy are analog concepts in a digital world.”


Privacy Beat is a weekly email update from the Information Trust Exchange Governing Association in service to its mission. Links and brief reports are compiled, summarized or analyzed by Bill Densmore and Eva Tucker.  Submit links and ideas for coverage to

Share Share

Tweet Tweet

Share Share

Forward Forward




Copyright © 2021 Information Trust Exchange Governing Association, All rights reserved.

Want to change how you receive these emails?
You can update your preferences or unsubscribe from this list.

Email Marketing Powered by Mailchimp