Who will enforce ad-industry led privacy rules after cookie? Schakowsky and Blumenthal say “opt-in” has to be at core of privacy law

Privacy Beat

Your weekly privacy news update.



Ad industry not yet sure who will enforce privacy rules over its cookie-replacement identifier — but so far it intends to supervise the process, lawyer says

Hit by a key executive’s departure for a job at Facebook, the IAB Tech Lab is pressing on with an advertising-industry led attempt to scale up an “alternate media identifier” — or AMI — for the web to replace third-party cookies — and maintain an ability to legally “address” consumers.

Key challenges and assumptions are emerging as a result of a relatively open process led by an organization called PRAM — the Partnership for Responsible Addressable Media — a trade group formed a year ago by America’s six big advertising-industry lobby groups. The next briefing in the process is an online “roadshow” report on Wednesday, May 19.

One key assumption is that publishers, regulators and the public will be content to have the handling of user data for targeting advertising controlled by PRAM, rather than by a government or public-benefit entity. 

Another key assumption is that U.S. and global privacy laws will continue to allow the data-driven targeting — or “addressing” — of personalized commercial messages to individuals. Four task groups of PRAM are considering the possibility that this will no longer be possible — legally or otherwise — without some kind of “opt-in” permission signal given for or by an end user.


“It’s possible that the needle could be moved to [requiring] consent for tracking,” Stuart P. Ingis, a leading ad-industry affiliated privacy lawyer says. “You’d still have an opt out in other scenarios. You have to divine what that means. But we’re assessing that in various streams and discussions.”

A key challenge — what happens if a so-called “bad actor” — an unscrupulous or uninformed web service or data processor — joins an AMI-powered system overseen by PRAM and doesn’t follow its rules governing use of user personal information?

Another key challenge — how to move from a wild-west atmosphere for trading user data made possible by the open standard of third-party cookies, to a new setting in which user data is exchanged via proprietary or competing approaches, some running inside the Google Chrome web browser, some running within Apple’s iOS operating environment, some running inside Facebook’s social-media network and some running within whatever PRAM comes up with? Can all of that be brought together under one roof which benefits the public first?

Clues emerged during a 90-minute April 21 webinar conducted by PRAM and posted publicly.  “When it comes to addressability, the world’s going to be very murky for years to come,” said Michael Donnelly, an Association of National Advertisers (ANA) executive detached to lead the PRAM standards-building task groups. 

“I think there is a recognition that there will be multiple options here,” added Ingis, the DC-based lawyer for advertising and other interests who is at the center of much of the PRAM standards-building work. A core concept, Ingis explained, is that companies who decide to use a PRAM-based “alternate media identifier” will be permitted by some governing entity to do so so long as they follow accompanying rules for how the ID may be used.  Rules will include what types of data can be shared across the PRAM-overseen system and for what purposes.  

Added Ingis: “AMI can be used for those permitted uses and no other and that’s how you put the walls around the system and have it be a closed system and be accountable, measured in a way that works across the board and eliminate bad uses or the potential for bad uses, which has been one of the big critiques of third-party cookies and other technologies.”

In the April 21 webinar, IAB Tech Lab executive Alex Cone noted the technical specifications of Unified ID 2.0, a user-identity token-sharing service developed by ad-tech company The Trade Desk, which says it will turn rights over to PRAM at some point. Cone said UID2 will become “open source” code usable by anyone. UID2’s design includes the concept of an “ID Operator” which might be in a position to allow or interrupt a company’s use of the system.

“What is the accountability framework for actions taken against bad actors?” asked a viewer of the webinar during the closing Q-and-A. 

Ingis jumped in to answer. “A lot of those details are to be figured out,” he said, with control being partly based on technology and partly on governance rules. “And if they’re not following the program the penalties would presumably be everything up to and including not being able to use the identifier . . . . ” he said, adding a moment later: “If we really want to demonstrate to the world the appropriateness of what this AMI system and PRAM is doing in this system it has to be that the rules are followed and we believe we’ll have both technologically and operationally a way to do that.”




Irish high court ruling in Facebook case raises doubts about legality of transfer of EU data to US servers





Schakowsky and Blumenthal say “opt-in” has to be at core of urgent drive to adopt federal privacy statute by 2022

Two top-ranking congressional Democrats say a federal privacy law needs to be based upon an “opt-in” standard in which a consumer’s personal data may not be used or shared without first getting permission. That would be a sea-change for America’s platforms and data-warehousing companies and would bring the United States more in line with European law. 

“My belief is that Congress should mandate that companies get consumer opt-in before their data can be collected, used, shared and surveillance advertising and its bulk collection of vast amounts of sensitive information,” U.S. Rep. Jan Schakowsky, D-Ill., who chairs the House subcommittee on digital commerce and consumer protection, said during a May 5 webinar.  

She was joined during the webinar’s start by U.S. Sen. Richard Blumenthal, D-Conn., who chairs the Senate’s subcommittee on consumer protection, product safety and data security, who added: “Chair Schakowsky’s standard of opting in is exactly the right way to go and it is one area where we need to be very demanding about the standards we apply.”

Blumenthal and Schakowsky were invited along with the ranking GOP member of Schakowsky’s subcommittee, U.S. Rep. Gus Bilirakis, R-Fla., to open the webinar convened jointly by two consumer groups and two tech-industry groups ostensibly to demonstrate urgency and common support for adoption of federal digital privacy legislation before the end of 2022. The four groups:

  • Common Sense Media, the California-based proponent of children’s privacy and media literacy that was a key supporter of the California Privacy Rights Act (CPRA) ballot initiative, now law.
  • The National Consumers League, a century-old, labor-backed consumer champion. 
  • BSA / The Business Software Alliance, a trade group of enterprise-software makers that includes big user-data handlers Oracle, Microsoft, Salesforce, Amazon, Adobe, Cloudflare, Dropbox, Intuit — but notably not Google, Facebook or Apple.
  • The 21st Century Privacy Coalition — a trade group of big-data using telecommunications companies including AT&T, Verizon, Comcast, Charter/Time Warner, DirecTV and others. Former U.S. Federal Trade Commission Chairman Jon Leibowitz, a lawyer who co-chairs the telecom lobby group, moderated the webinar.

Schakowsky disclosed during the webinar and in a statement that she will use her chair position to convene a series of hearings in the form of “roundtable discussions” to try and craft passable legislation.

But absent from the May 5 webinar discussion was any mention of key dividing lines.

For example, business and the GOP generally want enforcement of privacy laws retained by the Federal Trade Commission and possibly state attorneys general, and they want federal law to pre-empt state laws. Privacy and consumer groups and most Democrats want individual consumers to be able to sue to protect privacy rights, and they want to allow states to adopt more restrictive rules than the federal government if desired. Some proposals are beginning to compromise along those fault lines.





Harvard unveils detailed source of current data on mainstream and emerging media — and their funders

As philanthropists, journalists and some technology companies seek ways to turn around a funding crisis for U.S. media organizations, the Future of Media Project at Harvard University this week unveiled the most comprehensive database of mainstream and emerging digital media ownership and their funders. 

The work is a joint venture of the Harvard Business School and its Institute for Quantitative Social Science “with the goal of furthering research and identifying implementable solutions to rebalance truth, privacy and power in the media industry,” says the project’s website.  The project identities to take action to convene key stakeholders, educate decision-makers, design implementable solutions and partner with tech, media and regulators. 








PRAM consulting attorney Ingis offers guidance on how identifier is controlled and enforced 

  • The following is an edited transcript of remarks during an April 21, 2021 online webinar organized by the Partnership for Responsible Addressable Media (PRAM), an advertising-industry trade organization. PRAM is seeking to oversee an “addressable media identifier” — or AMI — to replace third-party cookies in the personal targeting of digital advertising to individuals. The speaker is Stuart P. Ingis, a Washington, D.C., attorney working with PRAM and its task groups.


“We’re building a better mousetrap.  We’re gonna do it leading with the consumer and privacy and hopefully take all of the benefit of the internet that has come over many many years, reduce the risk, and get a framework lead with privacy that benefits consumers . . . . 

“The theme is that the availability would be to all on similar or equal terms and essentially administered and run ultimately at the oversight of PRAM and of course through the various working groups under PRAM. And the notion there is that all people should have the same ability to use for lack of a better term is a common utility that benefits the industry as a whole and would not be limited or prejudiced by any one company’s business agenda so to be an identifier here under the PRAM framework it would have to be available on equal terms.

“Then there is the operability for the addressable media identifiers. And the notion here is that participants to the program that use a PRAM identifier would have the ability so long as they follow the program, use it for permitted uses which we’ll talk about in a second, that their use of it for the stated purpose of this identifier that’s of our creation unlike cookies which have been involved and used for multiple things — third party cookies — would be not interfered with whether it is by a browser, Chrome browser, or an operating system in the case of Apple, these are all principles, or operating systems outside of Microsoft. There’s a number of participants in there. The notion is we build a responsible mousetrap with all these accountability and stuff. It’s built by and for the entire ecosystem without an agenda or competitive thing of one individual company, and if people follow the rules then they can use it and get the benefit for the companies, for consumers, for society as a whole.”

“The notion is that there are a set of permitted uses . . . AMI can be used for those permitted uses and no other and that’s how you put the walls around the system and have it be a closed system and be accountable, measured in a way that works across the board, and eliminate bad uses or the potential for bad uses, which has been one of the big critiques of third-party cookies and other technologies. This would be something of our creation subject to our rules and limitations and that in and of itself should really provide confidence and trust in the whole ecosystem by consumers, by regulators, by all stakeholders . . . .

“Where we’re reassessing should there be consent or more of an opt-in type of standard given where the world’s evolved on tracking. And what’s focusing that discussion is that is what Apple and Google’s new systems are aimed at which is limiting tracking either entirely or without consent and so we’re diving deep into those debates about what’s meaningful, what’s beneficial to consumers what do consumers want? . . . .

Q: What is an accountability framework for actions to take against bad actors?

“ . . . You would first give people a right to correct, you’d assess the situation. If people are blatantly violating the rule we’d have a due process they’d have the ability to respond . . . and if they’re not following the program the penalties would presumably be everything up to and including not being able to use the identifier . . . . ”


Privacy Beat is a weekly email update from the Information Trust Exchange Governing Association in service to its mission. Links and brief reports are compiled, summarized or analyzed by Bill Densmore and Eva Tucker.  Submit links and ideas for coverage to newsletter@itega.org





Copyright © 2021 Information Trust Exchange Governing Association, All rights reserved.
