The Markup’s reporting: Big Tech’s fingerprints are all over state privacy fights to weaken provisions set by CPRA

An independent journalism outfit that investigates Big Tech has been documenting who’s behind state privacy-law proposals that water-down California’s landmark privacy ballot initiative, the California Privacy Rights Act.  The Markup reports it’s primarily Big Tech pushing the low-privacy bills, in particular the one which just became law in Virginia.

• Big Tech is pushing states to pass weak privacy laws, research shows | Todd Feathers, TheMarkup.org

In a long piece, Markup writer Todd Feathers concludes: “Fourteen of 20 proposed state privacy bills were built upon the same industry-backed framework as Virginia’s, or weaker.”  He continues: “Meanwhile, the small handful of bills that have not adhered to two key industry demands — that companies can’t be sued for violations and consumers would have to opt out of, rather than into, tracking — have quickly died in committee or been rewritten.”

For much of the last year, advertising and technology industry lobbyists and executives have been calling for U.S. federal privacy legislation, saying state-by-state regulation would be burdensome and would make California the de facto U.S. standard.  And they’ve been saying they don’t want citizens to be able to sue, or have to grant businesses permission for their data to be sold or shared. So far, there is no consensus in Congress on what to do.

• Follow money: to rein in Big Tech, lawmakers are right to focus on business models | Ellery Roberts Biddle, Ranking Digital Rights/New America via TechPolicyPress.com
• Truyo: Don’t Expect National Privacy Legislation “Anytime Soon” | Joseph Zappa, StreetFightMag.com
• ACLU acknowledges it allows Facebook to collect data from its website | Scott Ikeda, CPOMagazine.com
• Don’t Blame the ACLU for Facebook’s Ills; blame monopoly | Soshana Wodinsky, GizModo.com
• Facebook interviews FPF’s Jules Polenetsky on tradeoffs between privacy and utility | Erin Egan, Facebook Blog
• Four key takeaways from the debate about Section 230 amending/repealing | Bruce Olcott et al., Jones Day law firm

• Status of Proposed CCPA-Like State Privacy Legislation as of April 12, 2021 | David Stauss, Husch Blackwell law firm
• Florida House Committee unanimously advances amended privacy bill | Scott Powers, FloridaPolitics.com
• Washington and Oklahoma bills dead for session; Florida significantly revised | Glenn A. Brown, Squire Patton Boggs
• Alabama “opt-out” privacy proposal has no minimum thresholds for businesses | Katlyn Hill & Heather McArn, Hinshaw law firm
• Dark patterns and the CCPA — how your site can comply | Kathryn Rattigan, Robinson+Cole law firm
• Lawsuit claims under CCPA so far focus on failure to maintain data security | Zarish Baig & Kristin Bryan, Squire Patton Boggs law firm

• U.S. government analysts say privacy may disappear over next 20 years | WSJ.com via IAPP Daily Dashboard
• What you need to know about NYPD use of a controversial facial recognition tool | Tate Ryan-Mosley, MIT Technology Review
• WhatsApp’s new privacy policy doesn’t offer choice — and could limit future options | Prabhjote Gill, BusinessInsider.com
• Sixteen States Back Alabama’s Challenge to Census Privacy Tool | Mike Schneider, Associated Press
• OPINION: Be wary when Big Tech says it’s defending your privacy | Gabriel Nicholas, BostonGlobe.com
• Apple and Google block British NHS Covid app update over privacy breaches | Alex Hern, TheGuardian.com

Ryan cites Wyden bill to argue Irish lack of GDPR enforcement could stop data flows from U.S. companies

Better privacy enforcement is needed when tech companies export the data of U.S. citizens for commercial purposes, according to announcements on Thursday from U.S. Sen. Rony Wyden and an Irish-based advocacy group.

First, Wyden unveiled a draft bill (BILL TEXT) which would require U.S. companies to seek a permit before exporting large amounts of personal data of U.S. residents. The government could deny the permit if the data might be mishandled and go to a country where it could ultimately threaten U.S. national security.  The bill leaves defining of “categories of personal data” and “national security” up to the government, with congressional oversight.

Then, the Irish Council on Civil Liberties (ICCL)  revealed it had sent a letter to various Irish authorities citing the Wyden proposal and saying that it could be applied “to countries that have inadequate data protections, or enforcement of data-protection law.”

ICCL senior fellow Johnny Ryan has been campaigning for Irish authorities to crack down on use of personal data by Facebook, Google and other U.S. tech companies which run their European Union (EU) services from Irish-based subsidiaries.  He argues that their practices, including advertising technologies, violate the privacy requirements of the EU’s General Data Protection Regulation (GDPR).

“If Ireland is designated as a jurisdiction with inadequate enforcement, then every significant company operating here will be unable to process the data of customers in the United States, unless the company first obtains an export license from the U.S. Department of Commerce,” Ryan wrote in a blog posting on Thursday.

Wyden, in his statement announcing his “Protecting Americans’ Data from Foreign Surveillance Act,” pointed to a concern about foreign adversaries getting commercially acquired information and using it against Americans.  “My bill would set up common-sense rules for how and where sensitive data can be shared overseas, to make sure that foreign criminals and spies don’t get their hands on it,” Wyden wrote.

• Irish DPA opens probe into Facebook 500M user data breach | Deutsch Welle | RELATED STORY
• Ireland to investigate Facebook over massive data dump | Associated Press
• Facebook could face billion-dollar fines in Irish-EU investigation of data leak | Aaron Holmes, BusinessInsider.com | RELATED STORY
• Report: Facebook had years to fix the flaw that lead to 500M user data leak | Lily Hay Newman, Wired.com
• Motherboard reports there’s another Facebook phone database online | Joseph Cox, Motherboard/Vice.com

• Google urges U.S. to work with the EU on trade as enforcers abroad pursue regulations | Lauren Feiner, CNBC.COM
• Clearview scandal exposes limits of transatlantic AI collaboration | Melissa Heikka, Politico.EU
• New noyb Complaint Takes On Android Ad Tracking; Privacy Group Compares Google’s AAID to Apple’s IDFA | Scott Ikeda, CPOMagazine.com | NOYB’S COMPLAINT
• Privacy activist Max Schrems targets Google over unstoppable Android user tracking | David Meyer, Fortune.com
• German regulator seeks order to stop Facebook from using WhatsApp data | Benjamin Mayo, to5Mac.com  | RELATED STORY
• Amnesty International asks EU for tight privacy rules over Skype, What’sApp | Foo Yun Chee, Reuters PLC
• Privacy: No. 1 request of Euro citizens in rollout of digital currency | Tanzeel Akhtar, Coindesk.com

• India antitrust watchdog orders probe into WhatsApp’s new privacy policy | Aditya Kalra, &. Sankalp Phartiyal, Reuters PLC

• Why businesses need to be tougher on data privacy to boost digital ID rollout | Adam Desmond, FinExtra.com
• What Estonia’s digital ID scheme can teach Europe-wide planning effort | Leonie Cater, Politico.eu
• Is Google is poisoning its AI research reputation with with firings? | James Vincent, TheVerge.com
• Illinois state lawmakers consider biometric data privacy law overhaul | Chris Burt, BiometricUpdate.com
• New York lawmakers seriously consider copying Illinois biometric law | Gautam Rao and Peter A. Nelson, Patterson Belknap law firm

TRACKING PEOPLE

Who is vying to control identity on the web?  There are at least 80 separate efforts so far, AdExchanger finds

You’ve heard of Facebook Connect and Google Account — two efforts to manage user identity with federated log-in services.

You’ve probably also heard about Unified ID 2.0, an initiative started by The Trade Desk Inc., and now being run by an ad-industry consortium, PreBid.org Inc. Then two weeks ago the Local Media Consortium LLC — a collaboration of U.S. publishers and broadcasters — said it would field NewsPassID.

But that’s not the half of it.  Reporter Sarah Sluis of AdExchanger.com did some sorting  and searching and this week came up with a list of at least 80 separate efforts to manage web identity — how we are tracked — to replace the deprecation of the third-party cookie.  (See chart, above).  Will so many identity systems benefit anybody? Or will we revert to just letting Google and Facebook do it?

RELATED LINKS

• Four things to consider when choosing which “universal ID” scheme to use | Florian Lichwald, StreetFightMag.com
• VIEWPOINT: Can we rid the web of its digital “gatekeepers”? |  Gowthaman Roagothaman, CPOMagazine.com

iab-told

IAB told open standards, guaranteed privacy choice and third-party audits are new advert ecosystem requirements

Open standards, a guarantee of meeting the privacy desires of consumers and third-party auditable reports are necessary components for a stable system of digital advertising, participants in an Interactive Advertising Bureau (IAB) Tech Lab webinar say.

“Privacy by default is coming and we cannot expect our digital-ad infrastructure is going to continue to operate in the ways it has previously,” Tina Lakhani, head  of tech at IAB UK, told a virtual audience of some 260 people near the start of Thursday’s event,  “Addressability Solutions Road Show.” The session title referred to the idea of advertisers being able to use ad tech to “address” consumers with brand messages — either individuals or in anonymized cohorts.

Lakhani said consumers are in control and must be given a “spectrum of privacy preferences” in a direct relationship with either advertisers, publishers, or both.  “Accountability and auditability are essential in us being able to preserve addressability,” she added, declaring: “Open standards will be critical and will help all stakeholders.”

IAB’s moderator and participants agreed with Lakhani, but there was a general perception of confusion and uncertainty about the technologies and approaches to achieving the goals of open standards, consumer privacy control, auditability and “addressability.”  Among necessary components cited by Lakhani: (1) taxonomy and data-transparency standards (2) best-practices for email or phone user identity “tokens”, and specifications for open, auditable data structures.

Concerning third-party auditability, speaker Moshin Pervez, ad-tech company Pubmatic’s solutions-engineering director, said third-party auditing is needed. “It is clearly required taht we give confidence to everyone that we really care about the users’ choices and their privacy,” he said. “We cannot be checking our own homework.”

Log reports of advertising and other clicks should be encrypted and “signed” in such a way that they can’t be spoofed by unethical operators to change reported results, said Mohsin. “Third parties should be able to make use of the APIs so they pull the same information from two different systems,” he said. But he said the system should also make it impossible for any party “to mix and match two different data centers to find out who the user is.”

“We are at the stage now where we are not in a stable position,” said Christer Ljones, head of data at Schibsted Marketing Services AB, a unit of the big Swedish news publisher. “All the processes we have are something’s that sustainable. I think anything that creates an audit log . . . its gonna make our day-to-day a lot easier and allow us to participate more confidentially in the programmatic ecosystem.”

• FLoC, the Ad-Targeting Tech Google Plans to Drop on Us All | Soshana Wodinsky, GizModo.com
• Google Shelves Fledge “sandbox” Trials Until Late 2021 | Ronan Shields, AdWeek.com
• Extension block: DuckDuckGo’s solution to Google’s latest privacy controversy | Thomas Germain, ConsumerReports.org
• DuckDuckGo says it will block Google’s FLoC browser cohort tech | Sieeka Kahn, TechTimes.com
• Competitors to Chrome cue up to reject Google’s FLoC “sandbox” proposal | Tim Anderson, TheRegister.com
• Brave, other privacy-focused browsers say no to Google’s FLoC | Rohit KVN, DeccanHerald.com | RELATED STORY | BRAVE’S STATEMENT
• Vivalidi niche browser maker won’t adopt “nasty, dangerous” Google’s FLoC cohorts | Asha Barbarschow, ZDNet.com | VIVALDI’S STATEMENT
• EXPLAINER: Google developer blog explains how FloC would work | Sam Dutton, Web.dev
• Influential W3C Working Group Calls Privacy Sandbox Proposal ‘Harmful’ | Allison Schiff, AdExchanger.com
• OPINION: Et tu Procter & Gamble? Thoughts about China and IDFA | John Gruber, DaringFireball.net
• BACKGROUND: Google’s Privacy Sandbox home page

• Companies persist with fingerprinting as a workaround to Apple’s new privacy rules | Seb Joseph, DigiDay.com
• Apple CEO tells Toronto Star he’s OK with “transparent” ad tech | Mike Peterson, AppleInsider.com
• Battling Facebook, Apple CEO warns to TorStar of digital Peeping Toms | Ian Sherr, CNet.com
• Mozilla-run Public Suffix List flooded with requests after Apple privacy changes hit Facebook | Ax Sharma, BleepingComputer.com
• iPhone’s Next Software Update Aims to Foil App Trackers and Digital Advertisers |  Patrick Lucas Austin, Time.com
• Faced With Potential Loss of Revenue, Snapchat Explores Ways Around Apple’s New Privacy Rules | Scott Ikeda, CPOMagazine.com

Forrester: Authenticated data not enough to satisfy marketers; brands worried about users declining data use

“Ethically sourced” user data will be a requirement of future advertising technology as brands search for new ways to acquire “deeper contextual data” about their consumer customers, says a survey of 200 U.S. and UK publishers and marketers by Forrester Research.

• Forrester study funded by Permutive surveys publishers, brands on data and privacy | Aphrodite Brinsmead, via DigitalContentNext.org | DOWNLOAD STUDY

In one key insight, the report says “authenticated data” — an identity token or known interest cohort for a user — will be too hard to obtain to satisfy marketers and as a result “unauthenticated audience insights” will also be required “to ensure scale.”

“Embrace integrity, competency and transparency to align experiences to customer needs,” Forrester writes in an 11-yage “opportunity snap shop” prepared for and released this week by the ad-tech firm Permutive.  For the research, Forrester surveyed brand and publisher executives, mostly at the director and manager level, during February at companies with at least 500 employees. It’s report is titled: “Relieving Data Deprecation and Identity Challenges.”

They survey found 73% of brand respondents are concerned about increasing privacy regulations, 72% are concerned about ad blockers and 70% are concerned about consumers declining consent to use their data.  For their part, half of publishers believe privacy and ad-tech changes will allow them to “work more closely with advertisers.”

“Marketing is entering a period of upheaval,” the Forrester report says. “To reimagine marketing strategies in the face of data deprecation and identity challenges, brands need ethically sourced customer insights . . . strategies must be built on ethical treatment of customer data, as such customer trust is key to brand strategies.”

• TESTIMONY: “Check My Ads’ Nandini Jammi lays out brand-safety challenge to EU Parliament  committee | Branded.Substack.com
• Google To Release Brand Safety Blocklists That Update Themselves Automatically | Allison Schiff, AdExchanger.com
• Are data brokers a threat to democracy? | Justin Sherman, Wired.com
• VENDOR VIEW: How to choose the right approach – and solution – for a cookie-less world | Valbona Gjini, ID5 via DigitalContentNext.org | 25 OPTIONS FOR IDENTITY
• Brands search for retargeting alternatives as third-party cookie demise looms | Danny Parisi, DigiDay.com
• LiveRamp is name-dropping Macy’s, and its money, in pitches to publishers: Here’s why | Kate Kaye, DigiDay.com
• INTERVIEW: Is contextual advertising read for prime time? | Lynn d Johnson, AdMonsters.com
• Verizon Media Intros Alternative Online Tracking Identifier | Laurie Sullivan, DigitalNewsDaily/MediaPost.com
• Business winners and losers with impending Apple IDFA changes | Salvador Rodrigues, CNBC.com
• Brands challenged by changes in consumer privacy laws | Guillaume Tollet, VentureBeat.com
• Brands  take  a  relook  at  digital  ad  strategy  as users  guard  privacy | Saumya Tewari, Mint.com
• VENDOR VIEW: Building customer-first relationships in a privacy-first world is critical | Travis Clinger/LiveRamp & Jeff Nienaber, Microsoft via TechCrunch.com
• VENDOR VIEW:  ID5 and Smart partner to ensure Universal ID capabilities in a cookie-less environment | Smart news release