SEE STORY BELOW: Colorado governor poised to sign digital-privacy bill into law. 
————————————————————————————————

FLoC alternative? NY Times data exec
proposes fee-backed governance board
to run anonymizing ad servers

A senior computer scientist at The New York Times disclosed this week his proposal for a “governed in common” anonymizing advertising server as an apparent alternative to run alongside — or instead of — Google’s in-the-browser “FLoC” proposal.  

“Digital advertising has rightly become despised through decades of mismanagement, but it nevertheless is an essential utility,” writes author Robin Berjon, The Times’ VP of data governance, Berjon formerly worked as a specifications writer for the World Wide Web Consortium (W3C), editing the HTML5 spec.  He calls his proposal “GARUDA” and a description for “a trustworthy advertising server” is posted on GitHub.

Berjon writes that a global network of such “trustworthy servers” could anonymize ad requests, advancing user privacy, would be “easier to audit” and “not require moving significant chunks of logic into the browser . . . . ” He suggests transaction fees to support it.

The GARUDA name stands for “Governance of Ad Requests by a Union of Diverse Actors.” It follow a series of proposals for reform the programmatic advertising ecosystem with bird nomenclature, including Google’s FLoC, which proposes to create cohorts of like-interest users within the Chrome browser and dish out cohort IDs to advertisers from there. By contrast, Berjon’s proposal would have a “trusted” ad server do similar work. 

• Warning: Companies starting to match FLoC IDs with existing identities  | Kate Kaye, DigiDay.com

His proposal, which prints at nine pages, has a variety of components. Berjon did not respond to phone or email requests from Privacy Beat to discuss it, but he did so at a June 7 virtual meeting of the W3C’s Web Advertising Business Group, according to one participant.  

His proposal is significant as it represents a proposal affiliated with a prominent publisher to influence the future of digital advertising services once third-party cookies are no longer supported by major browsers. Until now, major proposals have come from Google, Apple and a variety of advertising-technology firms as well as the IAB Tech Lab, but not from publishers or advertisers themselves.

“This document is a draft of a potential specification,” Berjon writes. “It has no official standing of any kind and does not represent the support or consensus of any standards organization.”  He says the “Garuda institution” would shepherd technical standards, “manage the open-source implementation and maintenance of the trusted server”, operate a worldwide network of such servers and “ensure the general health of the advertising ecosystem.”

These are among points in his proposal: 

• A “Garuda institution” (not otherwise described) would be comprised of a governance board and a legal entity. The governance board would choose an executive director for a three-year term to run the legal entity.  Berjon does not state whether the institution would have legal stakeholders or be a nonprofit or public-benefit organization.
   
• Berjon describes transaction fees — what he calls a “very small tax on advertising” — as a basis of support for the server operations and governance, charged as a flat fee per data request or a percentage of each advertisement’s selling cost.  “The amount and type of the tax is determined by the board,” he writes. It’s not stated how the fees would be levied or collected or if any public authority would be involved.

• GARUDA would be “governed in common”  by different constituencies” including publishers, adtech intermediaries and browser vendors perceived as a “proxy for users,” Berjon writes

• The Garuda service would establish “inclusion criteria” and certain voting rights for various constituencies.

• Berjon acknowledges as challenges how to attain a stakeholder-balanced board membership — particularly how to represent advertisers —  and how to address the needs of underrepresented and marginalized communities “notably in the global South.” 

Berjon acknowledges including ideas in Garuda from Mark Nottingham, a Australian-based veteran Internet Engineering Task Force contributor who works for Fastly, and from Cullen Jennings, who is at Cisco; and feedback from engineers at The Washington Post, at Princeton and Oxford universities, and from scholars at the the Berkman-Klein Center for Internet & Society at Harvard Law School. 

FULL DISCLOSURE:  The Information Trust Exchange Governing Association (ITEGA.ORG), host of Privacy Beat, has proposed an anonymizing advertising server called “UDEX.ORG.” ITEGA’s mission includes helping to govern web identity.  Like the Mozilla Foundation and the Internet Corporation for Assigned Names and Numbers (ICANN), ITEGA is chartered as a California public-benefit corporation, with no stockholders. It has received 501(c)3 tax status.

ADVERTISING TECH 

• Targeting practices: a critical look at surveillance advertising | Randy Price, Digital Content Next 
• Publishers Bank On First-Party Data To Drive Subs, Ad Revenue | Ray Schultz, PublishersDaily/MediaPost.com
• How Music App Audiomack Got 64% Of its Users To Opt Into iOS Ad Tracking | Allison Schiff, AdExchanger.com
• The Age Of Privacy: What Should Post-Tracking Advertising Look Like? | Himanshu Bisht, Forbes.com
• VENDOR VIEW: How publishers can dismantle Big Tech’s digital ad dominance | Somer Simpson, QuantCast.com
• Apple and The End Of IP Address Targeting | Sarah Sluis, AdExchanger.com
• Apple privacy moves seen as “another tsunami hitting ad tech” | Ryan Barwick, MarketingBrew.com
• Apple outlined plans to increase consumer data privacy | Reuters PLC via VentureBeat
• Marketers fret as Apple’s hardline stance on tracking gets firmer | Seb Joseph, DigiDay.com
• Explaining the goldmine of interest-based ad tech | Jerry Hildenbrand, AndroidCentral.com
• Progressive Profiling: A Marketer’s Answer to the “Death of Cookies”| Masooma Memon, ConvertFlow.com
• Google will allow Android mobile users to turn off their unique Advertising ID | Jerry Hildenbrand, AndroidCentral.com
• VENDOR VIEW: Acxiom creates slide deck explaining its concept of “identity” | Axciom via DigiDay.com
• VENDOR VIEW: IBM’S Weather Company one the need to explain “tracking” | Sheri Bchstein, via TheDrum.com

ANOTHER STATE? 

Colorado poised to become third state with significant digital privacy law pending governor’s signature

• Colorado governor expected to sign digital privacy law with “global” setting | Saja Hindi, The Denver Post | BILL TEXT
• Private right of action absent from pending Colorado act | Elizabeth Harding & Thomas Weber, Polsinelli PC law firm | RELATED: WHAT THE BILL SAYS
• Legal comparison: Colorado, Virginia and California privacy laws | Alysa Zeltzer Hutnik, Aaron Burstein & Lauren Myers, Kelley Drye law firm
• Colorado Privacy Act seen as stronger than Virginia’s | Joseph Duball, IAPP Privacy Advisor 
• What Colorado’s new data-privacy bill means for businesses and consumers | Ed Sealover, Denver Business Journal

FIRST AMENDMENT

• Justice Department withdraws FBI subpoena for USA TODAY IP number records ID’ing readers | Kristine Phillips, USAToday.com | EARLIER STORY
• First Amendment Trumps Biometric Privacy Law, Amazon Says | Wendy Davis, MediaPost.com Policy Blog

WASHINGTON WATCH

Skeleton bipartisan privacy bill filed May 18 by Klobuchar and Kennedy now has text on the record — but there’s not much there 

The full text of what appears to be a “placeholder” bipartisan digital privacy bill, S.1667, was finally posted on Friday (June 11) on the official congressional website, three weeks afters its introduction on the Senate floor by Sen. Amy Klobuchar, D-Minn. Joining her as sponsors were Sens. Kennedy, Manchin and Burr.  (EARLIER STORY) The 16-page “Social Media Privacy Protection and Consumer Rights Act of 2021” has the following key provisions and not much else:

• It applies to any public website or app of any size or purpose  — including those run by nonprofit organizations — that acquires “individually identifiable information about an individual.” It terms this “personal data.” 

• It requires they give notice of the data use on first visit and provide an easy way for the user to “opt-out” of any data collection or specify privacy preferences. If the user does either, and that makes the site “inoperable” the user can be denied service. “Inoperable” is not defined, however. 

• The list of “personal data” is expansive and includes an email address, phone number, government identifier, geologicaiton information, health information, or other nonpublic personal information as defined by the Gramm-Leach Bliley Act. 

• The U.S. Federal Trade Commission (FTC) is given enforcement authority over the law. State attorneys general are given authority to sue and enforce the act, but must provide notice and a copy of their court papers to the FTC before hand. 

• Covered services must audit their privacy and security programs every two years under a section of the billed labeled “compliance.”  There is no requirement that the audit be by an outside or third party and no reporting or filing requirement for the audit results. 

• The law would take effect six months after passage.  Fines, remedies and penalties are not mentioned and therefore left to the FTC or courts to decide. 

RELATED LINKS

• How the U.S. got boxed in on privacy | Margaret Harding McGill, Kim Hart, Axios.com
• White House releases executive order on data privacy | The White House blog
• COMPARING: Should data privacy be enforced by FTC or new agency? | Christine Bannan and Raj Gambhir, NewAmerica.org
• VIDEO: Senators Blackburn, Blumenthal discuss status of federal privacy law proposals; both say users should “own” data  | Alexandra Levine, Politico.com

WASHINGTON WATCH

• OPINION: Fed’s Digital Dollar IdeaWould Be ‘Nightmareville’ for Privacy | Ella Lubell, Reason.com
• Census Bureau releases guidelines for its use of “differential privacy” | Mike Schneider, Associated Press
• FTC, MoviePass reach proposed settlement over data protection allegations | FTC Statement
• U.S. Launches Task Force to Study Opening Government Data for AI Research | Ryan Tracy, Wall Street Journal

APPLE PRIVACY MOVES 

• A packed set of Apple announcements could have big impacts on news publishers — for good and for ill | Josh Benton, NiemanLab.org
• APPLE’S MEDIA STATEMENT | and  INTERVIEW
• OPINION: Apple is transforming privacy from a marketing slogan into a business advantage | MacDailyNews.com
• Apple Announces More Privacy Measures Aimed at Ad Tech | Andrew Blustein, AdWeek.com
• Apple unveils new privacy features for iOS 15 | IAPP Roundup 
• At Apple conference big story is end of IP address targeting | Sarah Sluis, AdExchanger.com
• Apple Calls Open Season On IP Address Tracking And Targeting | Allison Schiff, AdExchanger.com
• Marketers increasingly can’t avoid Apple’s hardline stance on tracking | Seb Joseph, DigiDay.com
• Apple overhauls Siri to address privacy concerns and improve performance | Alex Hern, TheGuardian.com
• Apple’s privacy restrictions in China are complicating its commitment to privacy | Mack DeGuerin, eMarketer.com
• Privacy Changes Will Force Adtech Landscape To Adjust | Chris Metinko, CrunchBase.com
• Newsletter publishers concerned Apple’s Mail Privacy Protection will crater industry | Mikey Campbell, AppleInsider.com

California’s new privacy board set to begin issuing regulations on July 1; first meeting set for June 14 is open to public “ZOOM” 

Users of personal data collected from California residents were set to be watching keenly online on Monday, June 14, as the newly minted California Privacy Protection Agency governing board holds its first meeting.  In the absence of a U.S. federal privacy law, digital data users are tending to adopt privacy policies that will comply with California law. There’s also similar laws now in Nevada, Virginia, and pending in Colorado. 

The board was established by a November ballot initiative and it has authority to regulate, litigate and fine for violations of the California Privacy Rights Act (CPRA) after enforcement begins in 2023. But rulemaking can begin before that. The five-member board is chaired by Jennifer M. Urban. WikiPedia notes she is a Clinical Professor of Law at UC Berkeley School of Law, where she is Director of Policy Initiatives at the Samuelson Law, Technology & Public Policy Clinic. Her research focuses on information policy: intellectual property, privacy and data protection, and security.

An agenda for the 9 a.m. (PACIFIC) meeting, a public ZOOM webinar link and briefing materials are found here: https://cppa.ca.gov/meetings/  Most of the planned discussion is procedural and informational. But the new board is expected to formally notify California Attorney General Rob Bonta that it will assume rulingmaking authority effective July 1, issuing new regulations, changing or withdrawing existing ones issued by the attorney general.  

“The CPRA calls for regulations on a vast array of issues, which could materially impact compliance strategies,” write four lawyers for the Kelley Drye law firm in a posting about the meeting. 

• RELATED: CCPA’s Metrics Reporting Deadline Approaching | Hunton Andrews Kurth law firm

The CPRA board also has to hire staff and the documents for the first meeting including a position description for an executive director.  The briefing document also includes a narrative history of the CPRA and the board. 

STATEHOUSE WATCH

• Google Should Be Considered A ‘Common Carrier,’ Ohio AG Says In New Lawsuit | Wendy Davis, DigitalNewsDaily/MediaPost.com | RELATED STORY
• Status of Proposed CCPA-Like State Privacy Legislation as of June 7, 2021 | David Stauss, Husch Blackwell law firm
• California’s rising tide of COVID vaccination records raise privacy concerns | Solomon Moore, MercuryNews.com

PERSONAL PRIVACY 

• Apple and Google’s Privacy Changes Are a Huge Benefit for the Creator Economy | Thomas Smith, via Medium.com
• Otonomo says its vehicle location data is privacy-protecting. The data itself says otherwise | Joseph Cox, Vice.com
• One analyst calls Amazon’s “Sidewalk” rollout more surveillance capitalism | Kevin Shalvey, BusinessInsider.com | RELATED VIDEO
• Is there any way out of Clearview’s facial recognition database? | David Gershgorn, TheVerge.com
• SURVEY: Most people do not approve of companies profiting from their data | Eileen Brown, ZDNet.com
• Own an Echo? Amazon may be helping itself to your bandwidth | Joseph Pisani & Matt O’Brien, Associated Press
• Mozilla analyst notes five privacy concerns with Google’s FLoC cohorts | Eric Rescorla, Mozilla 
• Privacy Dashboard, one of Android 12’s best new features | Jimm Westenberg, AndroidAuthority.com
• A growing health data marketplace sparks privacy concerns | Katie Palmer, StatNews.com
• Brave Browser’s Next Trick: Privacy-Preserving News Recommendations | Benjamin Powers, CoinDesk.com
• Finding common ground for marketers and public over personal data | Michael Kassner, TechRepublic.com
• OPINION: The War Over Genetic Privacy Is Just Beginning | John Whitehead & Nisha Whitehead, Ron Paul Institute