Big Tech lobbying states on privacy; Ireland pressured on GDPR enforcement; reports on identity, auditing, standards

Privacy Beat

Your weekly privacy news update.



Illustration by Mark Long for The Markup

The Markup’s reporting: Big Tech’s fingerprints are all over state privacy fights to weaken provisions set by CPRA

An independent journalism outfit that investigates Big Tech has been documenting who’s behind state privacy-law proposals that water down California’s landmark privacy ballot initiative, the California Privacy Rights Act. The Markup reports it’s primarily Big Tech pushing the low-privacy bills, in particular the one which just became law in Virginia.

In a long piece, Markup writer Todd Feathers concludes: “Fourteen of 20 proposed state privacy bills were built upon the same industry-backed framework as Virginia’s, or weaker.”  He continues: “Meanwhile, the small handful of bills that have not adhered to two key industry demands — that companies can’t be sued for violations and consumers would have to opt out of, rather than into, tracking — have quickly died in committee or been rewritten.”

For much of the last year, advertising and technology industry lobbyists and executives have been calling for U.S. federal privacy legislation, saying state-by-state regulation would be burdensome and would make California the de facto U.S. standard.  And they’ve been saying they don’t want citizens to be able to sue, or have to grant businesses permission for their data to be sold or shared. So far, there is no consensus in Congress on what to do.



Ryan cites Wyden bill to argue Irish lack of GDPR enforcement could stop data flows from U.S. companies

Better privacy enforcement is needed when tech companies export the data of U.S. citizens for commercial purposes, according to announcements on Thursday from U.S. Sen. Ron Wyden and an Irish-based advocacy group.

First, Wyden unveiled a draft bill (BILL TEXT) which would require U.S. companies to seek a permit before exporting large amounts of personal data of U.S. residents. The government could deny the permit if the data might be mishandled and go to a country where it could ultimately threaten U.S. national security. The bill leaves the definition of “categories of personal data” and “national security” up to the government, with congressional oversight.

Then, the Irish Council on Civil Liberties (ICCL)  revealed it had sent a letter to various Irish authorities citing the Wyden proposal and saying that it could be applied “to countries that have inadequate data protections, or enforcement of data-protection law.”

ICCL senior fellow Johnny Ryan has been campaigning for Irish authorities to crack down on use of personal data by Facebook, Google and other U.S. tech companies which run their European Union (EU) services from Irish-based subsidiaries.  He argues that their practices, including advertising technologies, violate the privacy requirements of the EU’s General Data Protection Regulation (GDPR).

“If Ireland is designated as a jurisdiction with inadequate enforcement, then every significant company operating here will be unable to process the data of customers in the United States, unless the company first obtains an export license from the U.S. Department of Commerce,” Ryan wrote in a blog posting on Thursday.

Wyden, in his statement announcing his “Protecting Americans’ Data from Foreign Surveillance Act,” pointed to a concern about foreign adversaries getting commercially acquired information and using it against Americans.  “My bill would set up common-sense rules for how and where sensitive data can be shared overseas, to make sure that foreign criminals and spies don’t get their hands on it,” Wyden wrote.




Illustration courtesy of AdExchanger


Who is vying to control identity on the web?  There are at least 80 separate efforts so far, AdExchanger finds

You’ve heard of Facebook Connect and Google Account — two efforts to manage user identity with federated log-in services.

You’ve probably also heard about Unified ID 2.0, an initiative started by The Trade Desk Inc., and now being run by an ad-industry consortium, Inc. Then two weeks ago the Local Media Consortium LLC — a collaboration of U.S. publishers and broadcasters — said it would field NewsPassID.

But that’s not the half of it. Reporter Sarah Sluis of AdExchanger did some sorting and searching and this week came up with a list of at least 80 separate efforts to manage web identity — how we are tracked — to replace the third-party cookie, which is being deprecated. (See chart, above). Will so many identity systems benefit anybody? Or will we revert to just letting Google and Facebook do it?



IAB told open standards, guaranteed privacy choice and third-party audits are new advert ecosystem requirements

Open standards, a guarantee of meeting the privacy desires of consumers and third-party auditable reports are necessary components for a stable system of digital advertising, participants in an Interactive Advertising Bureau (IAB) Tech Lab webinar say.

“Privacy by default is coming and we cannot expect our digital-ad infrastructure is going to continue to operate in the ways it has previously,” Tina Lakhani, head  of tech at IAB UK, told a virtual audience of some 260 people near the start of Thursday’s event,  “Addressability Solutions Road Show.” The session title referred to the idea of advertisers being able to use ad tech to “address” consumers with brand messages — either individuals or in anonymized cohorts.

Lakhani said consumers are in control and must be given a “spectrum of privacy preferences” in a direct relationship with either advertisers, publishers, or both.  “Accountability and auditability are essential in us being able to preserve addressability,” she added, declaring: “Open standards will be critical and will help all stakeholders.”

IAB’s moderator and participants agreed with Lakhani, but there was a general perception of confusion and uncertainty about the technologies and approaches to achieving the goals of open standards, consumer privacy control, auditability and “addressability.” Among necessary components cited by Lakhani: (1) taxonomy and data-transparency standards, (2) best practices for email or phone user identity “tokens”, and (3) specifications for open, auditable data structures.

Concerning third-party auditability, speaker Mohsin Pervez, ad-tech company PubMatic’s solutions-engineering director, said third-party auditing is needed. “It is clearly required that we give confidence to everyone that we really care about the users’ choices and their privacy,” he said. “We cannot be checking our own homework.”

Log reports of advertising and other clicks should be encrypted and “signed” in such a way that they can’t be spoofed by unethical operators to change reported results, said Pervez. “Third parties should be able to make use of the APIs so they pull the same information from two different systems,” he said. But he said the system should also make it impossible for any party “to mix and match two different data centers to find out who the user is.”

“We are at the stage now where we are not in a stable position,” said Christer Ljones, head of data at Schibsted Marketing Services AB, a unit of the big Swedish news publisher. “All the processes we have are something’s that sustainable. I think anything that creates an audit log . . . it’s gonna make our day-to-day a lot easier and allow us to participate more confidentially in the programmatic ecosystem.”



Forrester: Authenticated data not enough to satisfy marketers; brands worried about users declining data use

“Ethically sourced” user data will be a requirement of future advertising technology as brands search for new ways to acquire “deeper contextual data” about their consumer customers, says a survey of 200 U.S. and UK publishers and marketers by Forrester Research.

In one key insight, the report says “authenticated data” — an identity token or known interest cohort for a user — will be too hard to obtain to satisfy marketers and as a result “unauthenticated audience insights” will also be required “to ensure scale.”

“Embrace integrity, competency and transparency to align experiences to customer needs,” Forrester writes in an 11-page “opportunity snapshot” prepared for and released this week by the ad-tech firm Permutive. For the research, Forrester surveyed brand and publisher executives, mostly at the director and manager level, during February at companies with at least 500 employees. Its report is titled: “Relieving Data Deprecation and Identity Challenges.”

The survey found 73% of brand respondents are concerned about increasing privacy regulations, 72% are concerned about ad blockers and 70% are concerned about consumers declining consent to use their data. For their part, half of publishers believe privacy and ad-tech changes will allow them to “work more closely with advertisers.”

“Marketing is entering a period of upheaval,” the Forrester report says. “To reimagine marketing strategies in the face of data deprecation and identity challenges, brands need ethically sourced customer insights . . . strategies must be built on ethical treatment of customer data, as such customer trust is key to brand strategies.”



Google RTB consumer breach case assigned to Judge Koh, first hearing June 30 in San Jose

A class-action lawsuit filed last month in U.S. District Court in San Jose, Calif., has been assigned a knowledgeable judge, and last week a first procedural hearing was set for June 30. The case, Weaver v. Google LLC (CA 5:-cv-02115), was brought by a couple of veteran technology trial lawyers, Leslie E. Weaver and Jonathan “Jay” Levine. Google has yet to answer the complaint. The likely first step will be Google’s arguments for dismissal.

Their 600-plus page complaint argues Google breaches its contract with consumers by leaking personal data through its Real Time Bidding (RTB) ad-targeting system. An excerpt of their complaint’s key claims appeared as QUOTE OF THE WEEK in Privacy Beat on April 2.

Judge Lucy H. Koh has been assigned to hear the case. The Wikipedia bio for her notes that her experience includes hearing Apple Inc. v. Samsung Electronics Co., High-Tech Employee Antitrust Litigation, and multidistrict litigation, including the Yahoo and Anthem data breaches and Apple and Google privacy litigation.




Ellery Biddle: “Follow the money: to rein in Big Tech, lawmakers are right to focus on business models” 

“Facebook and Google have made broad-based commitments to protect human rights and the public interest, but only to the extent that this won’t interfere with their ad-based profit models. Lawmakers are right to follow the money . . .  Companies are choosing profit over the public interest and deliberately concealing how they build their algorithmically-driven ad systems. This is not just about trade secrets or bad actors. It is about their fundamental goal: growth.

“Our team at Ranking Digital Rights studies the public-facing policies of the world’s most powerful tech platforms and evaluates them against human rights-based standards, covering issues like freedom of expression, privacy, and discrimination . . . .

“When confronted with pressure from powerful political actors (or actual lawsuits), Facebook is willing to make some concessions . . . .

“When we looked for Google’s commitments and transparency around targeted advertising and its impacts on users, it did even worse than Facebook. We found no public evidence that it assessed the impacts of its ad targeting systems on users’ rights to privacy, free speech, or non-discrimination . . . .

“But the real battle here is for our data. Apple’s new anti-tracking measures will make it harder for third parties, including Facebook, to capture our information. And in so doing, the measures will put Apple in an even more powerful position to capture, make inferences about, and monetize our data, and experts surmise that this may enable the company to prioritize its own ads network . . . .

“In the absence of real transparency from these companies about how they build their technology and what they do with our information, we have only a set of clues about what is happening behind our screens . . . .”


Privacy Beat is a weekly email update from the Information Trust Exchange Governing Association in service to its mission. Links and brief reports are compiled, summarized or analyzed by Bill Densmore and Eva Tucker.  Submit links and ideas for coverage to





Copyright © 2021 Information Trust Exchange Governing Association, All rights reserved.
