FLoC alt? NYT exec proposes fee-backed governance board running anonymizing ad servers | Colo. governor ponders privacy bill

Privacy Beat

Your weekly privacy news update.


SEE STORY BELOW: Colorado governor poised to sign digital-privacy bill into law. 

FLoC alternative? NY Times data exec
proposes fee-backed governance board
to run anonymizing ad servers

A senior computer scientist at The New York Times disclosed this week his proposal for a “governed in common” anonymizing advertising server as an apparent alternative to run alongside — or instead of — Google’s in-the-browser “FLoC” proposal.  

“Digital advertising has rightly become despised through decades of mismanagement, but it nevertheless is an essential utility,” writes author Robin Berjon, The TimesVP of data governance, Berjon formerly worked as a specifications writer for the World Wide Web Consortium (W3C), editing the HTML5 spec.  He calls his proposal “GARUDA” and a description for “a trustworthy advertising server” is posted on GitHub.

Berjon writes that a global network of such “trustworthy servers” could anonymize ad requests, advancing user privacy, would be “easier to audit” and “not require moving significant chunks of logic into the browser . . . . ” He suggests transaction fees to support it.

The GARUDA name stands for “Governance of Ad Requests by a Union of Diverse Actors.” It follow a series of proposals for reform the programmatic advertising ecosystem with bird nomenclature, including Google’s FLoC, which proposes to create cohorts of like-interest users within the Chrome browser and dish out cohort IDs to advertisers from there. By contrast, Berjon’s proposal would have a “trusted” ad server do similar work. 

His proposal, which prints at nine pages, has a variety of components. Berjon did not respond to phone or email requests from Privacy Beat to discuss it, but he did so at a June 7 virtual meeting of the W3C’s Web Advertising Business Group, according to one participant.  

His proposal is significant as it represents a proposal affiliated with a prominent publisher to influence the future of digital advertising services once third-party cookies are no longer supported by major browsers. Until now, major proposals have come from Google, Apple and a variety of advertising-technology firms as well as the IAB Tech Lab, but not from publishers or advertisers themselves.

“This document is a draft of a potential specification,” Berjon writes. “It has no official standing of any kind and does not represent the support or consensus of any standards organization.”  He says the “Garuda institution” would shepherd technical standards, “manage the open-source implementation and maintenance of the trusted server”, operate a worldwide network of such servers and “ensure the general health of the advertising ecosystem.”

These are among points in his proposal: 

  • A “Garuda institution” (not otherwise described) would be comprised of a governance board and a legal entity. The governance board would choose an executive director for a three-year term to run the legal entity.  Berjon does not state whether the institution would have legal stakeholders or be a nonprofit or public-benefit organization.
  • Berjon describes transaction fees — what he calls a “very small tax on advertising” — as a basis of support for the server operations and governance, charged as a flat fee per data request or a percentage of each advertisement’s selling cost.  “The amount and type of the tax is determined by the board,” he writes. It’s not stated how the fees would be levied or collected or if any public authority would be involved.
  • GARUDA would be “governed in common”  by different constituencies” including publishers, adtech intermediaries and browser vendors perceived as a “proxy for users,” Berjon writes

  • The Garuda service would establish “inclusion criteria” and certain voting rights for various constituencies.

  • Berjon acknowledges as challenges how to attain a stakeholder-balanced board membership — particularly how to represent advertisers —  and how to address the needs of underrepresented and marginalized communities “notably in the global South.” 

Berjon acknowledges including ideas in Garuda from Mark Nottingham, a Australian-based veteran Internet Engineering Task Force contributor who works for Fastly, and from Cullen Jennings, who is at Cisco; and feedback from engineers at The Washington Post, at Princeton and Oxford universities, and from scholars at the the Berkman-Klein Center for Internet & Society at Harvard Law School. 

FULL DISCLOSURE:  The Information Trust Exchange Governing Association (ITEGA.ORG), host of Privacy Beat, has proposed an anonymizing advertising server called “UDEX.ORG.” ITEGA’s mission includes helping to govern web identity.  Like the Mozilla Foundation and the Internet Corporation for Assigned Names and Numbers (ICANN), ITEGA is chartered as a California public-benefit corporation, with no stockholders. It has received 501(c)3 tax status.




Colorado poised to become third state with significant digital privacy law pending governor’s signature


Does your organization need customized privacy compliance solutions? ITEGA  can help.

We bring together support you need to approach compliance with CCPA, GDPR if needed, and future privacy legislation as it emerges.

Learn More


Skeleton bipartisan privacy bill filed May 18 by Klobuchar and Kennedy now has text on the record — but there’s not much there 

The full text of what appears to be a “placeholder” bipartisan digital privacy bill, S.1667, was finally posted on Friday (June 11) on the official congressional website, three weeks afters its introduction on the Senate floor by Sen. Amy Klobuchar, D-Minn. Joining her as sponsors were Sens. Kennedy, Manchin and Burr.  (EARLIER STORY) The 16-page “Social Media Privacy Protection and Consumer Rights Act of 2021” has the following key provisions and not much else:

  • It applies to any public website or app of any size or purpose  — including those run by nonprofit organizations — that acquires “individually identifiable information about an individual.” It terms this “personal data.” 

  • It requires they give notice of the data use on first visit and provide an easy way for the user to “opt-out” of any data collection or specify privacy preferences. If the user does either, and that makes the site “inoperable” the user can be denied service. “Inoperable” is not defined, however. 

  • The list of “personal data” is expansive and includes an email address, phone number, government identifier, geologicaiton information, health information, or other nonpublic personal information as defined by the Gramm-Leach Bliley Act. 

  • The U.S. Federal Trade Commission (FTC) is given enforcement authority over the law. State attorneys general are given authority to sue and enforce the act, but must provide notice and a copy of their court papers to the FTC before hand. 

  • Covered services must audit their privacy and security programs every two years under a section of the billed labeled “compliance.”  There is no requirement that the audit be by an outside or third party and no reporting or filing requirement for the audit results. 

  • The law would take effect six months after passage.  Fines, remedies and penalties are not mentioned and therefore left to the FTC or courts to decide. 




California’s new privacy board set to begin issuing regulations on July 1; first meeting set for June 14 is open to public “ZOOM” 

Users of personal data collected from California residents were set to be watching keenly online on Monday, June 14, as the newly minted California Privacy Protection Agency governing board holds its first meeting.  In the absence of a U.S. federal privacy law, digital data users are tending to adopt privacy policies that will comply with California law. There’s also similar laws now in Nevada, Virginia, and pending in Colorado. 

The board was established by a November ballot initiative and it has authority to regulate, litigate and fine for violations of the California Privacy Rights Act (CPRA) after enforcement begins in 2023. But rulemaking can begin before that. The five-member board is chaired by Jennifer M. Urban. WikiPedia notes she is a Clinical Professor of Law at UC Berkeley School of Law, where she is Director of Policy Initiatives at the Samuelson Law, Technology & Public Policy Clinic. Her research focuses on information policy: intellectual property, privacy and data protection, and security.

An agenda for the 9 a.m. (PACIFIC) meeting, a public ZOOM webinar link and briefing materials are found here: https://cppa.ca.gov/meetings/  Most of the planned discussion is procedural and informational. But the new board is expected to formally notify California Attorney General Rob Bonta that it will assume rulingmaking authority effective July 1, issuing new regulations, changing or withdrawing existing ones issued by the attorney general.  

“The CPRA calls for regulations on a vast array of issues, which could materially impact compliance strategies,” write four lawyers for the Kelley Drye law firm in a posting about the meeting. 

The CPRA board also has to hire staff and the documents for the first meeting including a position description for an executive director.  The briefing document also includes a narrative history of the CPRA and the board. 



Like what you see? Then recommend to a friend.

Subscribe to Privacy Beat


The Nation uses Google antitrust suit in fund-raising 

Already facing antitrust lawsuits from federal and state governments and from British and U.S.-based newspapers, Google must now contend with more claims — now from a respected politically progressive magazine, The Nation.  The initial suit was filed in December by The Nation and Genius Media but now The Nation, a nonprofit organization, is using it in fund-raising appeals. The case is pending.  (See Quote of the Week, below). 

As the suits pile up, analysts are beginning to wonder what the eventual outcome could be. One long-time Google watcher suggests splitting Google into two companies — Google stockholders would get stock of each but they would become independent.  One would have the client stuff — the Chrome browser and apps. The other would have the server stuff — the search engine and the ad-ops.   The two could not do special deals with each for a number of years to allow for competitors to spring up, this observer said. 


LATE NEWS: Goggle agrees to UK oversight on cookie death watch





“We’re suing Google. Here’s why.” 

From: “Katrina vanden Heuvel, The Nation” <emails@emails.thenation.com> 
Date: June 5, 2021 at 11:02:17 AM PDF
To: Nation Friends
Subject: We’re suing Google. Here’s why.

Dear Friend of The Nation,

You might have seen our recent announcement that The Nation and two other publications are suing Google for antitrust violations. I wanted to take a moment to make sure you saw this news, and to explain what it means for The Nation.

 Like other independent media outlets, The Nation relies on a combination of paid subscriptions, ad sales, as well as the support of donors who believe in independent journalism. We run a lean operation and every dollar counts.

Part of our ad sale income includes what is called the display advertising marketplace. Independent companies match advertisers with unused ad space on our website through an auction-like process. When an advertiser wins the auction, their ad shows up on our site.

Google has intervened in this process, however. For some time, Google’s Ad Server has been excluding bids submitted through rival networks in order to prioritize business from its own Ad Network. Their size makes this possible and it erodes a precious source of revenue for us. So we’re suing.


Privacy Beat is a weekly email update from the Information Trust Exchange Governing Association in service to its mission. Links and brief reports are compiled, summarized or analyzed by Bill Densmore and Eva Tucker.  Submit links and ideas for coverage to newsletter@itega.org

Share Share

Tweet Tweet

Share Share

Forward Forward




Copyright © 2021 Information Trust Exchange Governing Association, All rights reserved.

Want to change how you receive these emails?
You can update your preferences or unsubscribe from this list.

Email Marketing Powered by Mailchimp