Ad industry not yet sure who will enforce privacy rules over its cookie-replacement identifier — but so far it intends to supervise the process, lawyer says

Hit by a key executive’s departure for a job at Facebook, the IAB Tech Lab is pressing on with an advertising-industry led attempt to scale up an “alternate media identifier” — or AMI — for the web to replace third-party cookies — and maintain an ability to legally “address” consumers.

• CEO Dennis Buchheim Exits The IAB Tech Lab At A Time Of Turmoil For Online Identity | Allison Schiff, AdExchanger.com

• Buchheim to Facebook; More Ad Tech Notables Land At The Walled Gardens | Allison Schiff, AdExchanger.com

Key challenges and assumptions are emerging as a result of a relatively open process lead by an organization called PRAM — the Partnership for Responsible Addressable Media — a trade group formed a year ago by America’s six big advertising-industry lobby groups. The next briefing in the process is an online “roadshow” report on Wednesday, May 19. 

One key assumption is that publishers, regulators and the public will be content to have the handling of user data for targeting advertising controlled by PRAM, rather than by a government or public-benefit entity. 

Another key assumption is that U.S. and global  privacy laws will continue to allow the data-driven targeting — or “addressing” — of personalized commercial messages to individuals.  Four task groups of PRAM are considering the possibility that will no longer by possible — legally or otherwise — without some kind of “opt-in” permission signal given for or by an end user.  

REQUIRE OPT-IN FOR TRACKING? 

“It’s possible that the needle could be moved to [requiring] consent for tracking,” Stuart P. Ingis, a leading ad-industry affiliated privacy lawyer says. “You’d still have an opt out in other scenarios. You have to divine what that means. But we’re assessing that in various streams and discussions.”

A key challenge — what happens if a so-called “bad actor” — an unscrupulous or uninformed wer service or data processor — joins an AMI-powered system overseen by PRAM and doesn’t follow its rules governing use of user personal information? 

Another key challenge — how to move from a wild-west atmosphere for trading user data made possible by the open standard of third-party cookies, to a new setting in which user data is exchanged via proprietary or competing approaches, some running inside the Google Chrome web browser, sum running within Apple’s iOS operating environment, some running inside Facebook’s social-media network and some running within whatever PRAM comes up with?  Can all of that be brought together under one roof which benefits the public first? 

Clues emerged during a 90-minute April 21 webinar conducted by PRAM and posted publicly.  “When it comes to addressability, the world’s going to be very murky for years to come,” said Michael Donnelly, an Association of National Advertisers (ANA) executive detached to lead the PRAM standards-building task groups. 

“I think there is a recognition that there will be multiple options here,” added Ingis, the DC-based lawyer for advertising and other interests who is at the center of much of the PRAM standards-building work. A core concept, Ingis explained, is that companies who decide to use a PRAM-based “alternate media identifier” will be permitted by some governing entity to do so so long as they follow accompanying rules for how the ID may be used.  Rules will include what types of data can be shared across the PRAM-overseen system and for what purposes.  

Added Ingis: “AMI can be used for those permitted uses and no other and that’s how you put the walls around the system and have it be a closed system and be accountable, measured in a way that works across the board and eliminate bad uses or the potential for bad uses, which has been one of the big critiques of third-party cookies and other technologies.”

In the April 21 webinar, IAB Tech Lab executive Alex Cone noted the technical specifications of Unified ID 2.0, a user-identity token-sharing service developed by ad-tech company The Trade Desk, which says it will turn rights over to PRAM at some point. Cone said UID2 will become “open source” code usable by anyone.  UID2’s design inclues the concept of a “ID Operator” which might be in a position to allow or interrupt a company’s use of the system. 

“What is the accountability framework for actions taken against bad actors?” asked a viewer of the webinar during the closing Q-and-A. 

Ingis jumped in to answer. “A lot of those details are to be figured out,” he said, wich control being partly based on technology and partly on governance rules. “And if they’re not following the program the penalties would presumably be everything up to and including not being able to use the identifier . . . . “ he said, adding a moment later: “If we really want to demonstrate to the world the appropriateness of what this AMI system and PRAM is doing in this system it has to be that the rules are followed and we believe we’ll have both technologically and operationally a way to do that.” 

GOOGLE VS. APPLE VS. FACEBOOK 

• AUDIO: Apple vs. Google — from routine update to confrontation | Anstead Herndon, The Daily (NYTmes) | GOOGLE’S STRATEGY
• Google announces upcoming app privacy requirements in Android/Play Store | Daniel Rozensweig Norton Rose Fulbright law firm | GOOGLE STATEMENT
• Apple’s App Tracking privacy push is turning out to be Facebook’s worst-case scenario | MacDailyNews.com
• Apple eyes ad growth after privacy changes | Robert Williams, MarketingDive.com
• https://www.marketingdive.com/news/aiming-for-reinvention-apple-eyes-ad-growth-after-privacy-changes/600023/
• 96% of US users opt out of app tracking in iOS 14.5, analytics find | Samuel Axon, ArsTechnica.com
• One analysis reports on Facebook ad-send impact from iOS14.5 update | Laurie Sullivan, DigitalNewsDaily/MediaPost.com
• Another analysis funds consent lacking from Apple users; speculation about FB effect | Anna Kramer, Protocol.com
• Apple privacy changes already wrecking havoc on Facebook advertisers | Tanya Dua, BusinessInsider.com
• After Apple iOS14.5 update, only 4 percent of iOS users in U.S. let apps track them | Rachel Kraus, Mashable.com

FACEBOOK IRISH DATA TRANSFER RULING 

Irish high court ruling in Facebook case raises doubts about legality of transfer of EU data to US servers

Coverage about this:

• Facebook loses last-ditch attempt to derail DPC decision on its EU-US data flows | Natasha Lomas, TechCrunch.com | DECISION DOCUMENT
• Facebook loses Irish court fight over halting EU-US data transfers | Associated Press
• Facebook Could Lose Ability To Send EU Data To U.S. | Laurie Sullivan, MarketingDaily/MediaPost.com
• Facebook to Defend Itself Against ‘Damaging’ Irish Data Privacy Probe | Reuters via USNews.com
• Ireland rules against Facebook in fight over Europe-U.S. data flow | Jason Aycock, SeekingAlpha.com
• Court allows Irish regulator to proceed with inquiry into Facebook data flows | Reuters PLC

PERSONAL PRIVACY 

• Using Apple’s New iOS to Protect Your Privacy | Nicholas Kjeldgaard, 7-San Diego
• DuckDuckGo as example: Tech companies don’t have to creepy to make money | Clive Thompson, Wired.com
• Could Apple’s new tracking turnoff mean the end of free apps? | Amy Iverson, Deseret.com
• RESEARCH: Forrester report outlines need for “contextual privacy” with data | Phillip Britt, DestinationCRM.om
• Data Privacy – Why Users Should Care and How the Tech Industry Should Safeguard Data | Nigel Cannings, ReadWrite.com
• Apple Air Tags are termed a privacy nightmare | Victor Hristov, PhoneArena.com

PLATFORM PRIVACY

• What’s Google FLoC? And How Does It Affect Your Privacy? | David Nield, Wired.com
• Is Google FloC A Step In The Wrong Direction? | Mita Chaturvedi, AnalyticsIndiaMag.com
• Apple works fine line between privacy and convenience | Chris Smith, TrustedReviews.com
• Facebook to WhatsApp user: Agree or we’ll stop working for you | I.Bonafacic, EnGadget.com | RELATED STORY

AD TECH

• Can Apple change ads by the way it handles in-phone “segment” tracking?  | Benedict Evans newsletter | APPLE’S DESCRIPTION
• What is considered sensitive personal information? | David A. Zetoony, Greenberg Traurig LLP
• U.S. judge dismisses advertisers’ antitrust claims against Google | Paresh Dave, Reuters PLC
• Will ad-tech privacy changes mainly benefit first-world consumers? | Nicholas Rivero, Quartz
• Google Analytics Will Soon Work Without Cookies | Laurie Sullivan, MarketingDaily/MediaPost.com |  RELATED STORY
• Five stages of grief over death of the third-party cookie | Nancy Smith, AdAge.com
• Oracle Signs On To Support Unified ID 2.0 | Allison Schiff, AdExchanger.com
• Ad tech firms pivot to offering context, new target methods after cookie | Ivan Levingston, Bloomberg.com
• Aftershock: What the industry looks like after Apple’s privacy update | Jason Kint, Digital Content Next 
• Research reinforces the value of premium ad context | Rande Price, Digital Content Next
• DSP Trade Desk Reports Big Gains, Warns Of Future Declines | Wayne Friedman, DigitalNewsDaily/MediaPost.com
• Did confusion about UID2 affect The Trade Desk’s earnings call? | Sarah Sluis, AdExchanger.com

Schakowsky and Blumenthal say “opt-in” has to be at core of urgent drive to adopt federal privacy statute by 2022

Two top-ranking congressional Democrats say a federal privacy law needs to be based upon an “opt-in” standard in which a consumer’s personal data may not be used or shared without first getting permission. That would be a sea-change for America’s platforms and data-warehousing companies and would bring the United States more in line with European law. 

“My belief is that Congress should mandate that companies get consumer opt-in before their data can be collected, used, shared and surveillance advertising and its bulk collection of vast amounts of sensitive information,” U.S. Rep. Jan Schakowsky, D-Ill., who chairs the House subcommittee on digital commerce and consumer protection, said during a May 5 webinar.  

She was joined during the webinar’s start by U.S. Sen. Richard Blumenthal, D-Conn., who chairs the Senate’s subcommittee on consumer protection, product safety and data security, who added: “Chair Schakowsky’s standard of opting in is exactly the right way to go and it is one area where we need to be very demanding about the standards we apply.”

Blumenthal and Schakowsky were invited along with the ranking GOP member of Schakowsky’s subcommittee, U.S. Rep. Gus Bilirakis, R-Fla., to open the webinar convened jointly by two consumer groups and two tech-industry groups ostensibly to demonstrate urgency and common support for adoption of federal digital privacy legislation before the end of 2022. The four groups:

• Common Sense Media, the California-based proponent of childrens privacy and media literacy that was a key supporter of the California Privacy Rights Act (CPRA) ballot initiative, now law. 
• The National Consumers League, a century-old, labor-backed consumer champion. 
• BSA / The Business Software Alliance, a trade group of enterprise-software makers that includes big user-data handlers Oracle, Microsoft, SalesForce, Amazon, Adobe, CloudFare, DropBox, Intuit — but notable not Google, Facebook or Apple.
• The 21st Century Privacy Coalition — a trade group of big-data using telecommunications companies including AT&T, Verizon, Comcast, Charter/Time Warner, DirectTV and others. Former U.S. Federal Trade Commission Chairman Jon Leibowitz, a lawyer who co-chairs the telcom lobby group, moderated the webinar.

Schakowsky disclosed during the webinar and in a statement that she will use her chair position to convene a series of hearings in the form of “roundtable discussions” to try and craft passable legislation.

But  absent from the May 5 webinar discussion was any mention of key dividing lines. 

For example, business and the GOP generally wants enforcement of privacy laws retained by the Federal Trade Commission and possibly state attorneys general and they want federal law to pre-empt state laws.  Privacy and consumer groups and most Democrats want individual consumers to be able to sue to protect privacy rights and they want to allow states to adopt more restrictive rules that the federal government if desired. Some proposals are beginning to comprise along those fault lines. 

WASHINGTON WATCH

• Will the FTC’s Rulemaking Push Result in New Privacy Rules? | Julie O’Neill, Morrison Foerster law firm
• ROUNDUP: Cataloging opt-in and opt-out legislative privacy approaches | Sarah Rippey, IAPP Staff
• OPINION: Pre-empting of “inconsistent” state laws suggested | Washington Post Editorial Board 
• House Lawmaker To Convene Privacy Roundtables | Wendy Davis, DigitalNewsDaily/MediaPost.com
• Study Finds Constituents Worried About Data Security in Federal Interactions | Lamar Johnson, MeriTalk.com

STATEHOUSE BEAT 

• New York state lawmaker re-introduces broad opt-in privacy bill | Wendy Davis, PolicyBlog/MediaPost.com | BILL TEXT/STATUS
• Litigation around CCPA involves private-right suits; data breaches | Alysa Zeitzer Hutnik, et al., Kelley Drye law firm
• Provisions of Virginia’s new data-privacy law explained | Jonathan Gallo, Vandeventer Black LLP 
• Colorado Senate committee passes privacy bill after making it more pro-business | David Stauss et al., Husch Blackwell 
• VIDEO: California AG enforcer says they are looking at Global Privacy Control | Stacey Schesser, assistant AG
• Law firm’s monthly privacy blog cites new bills in Pennsylvania, North Carolina | Troutman Pepper LLC | Pennsylvania bill | N.C. bill 
• Status of Proposed CCPA-Like State Privacy Legislation as of May 10, 2021 | David Stauss, Husch Blackwell law firm | SEE CHART, ABOVE