California privacy enforcement brings closer a showdown with ad-tech industry; is “sharing” a sale under GPC?

A showdown between the advertising industry and California became more likely this week over the state’s interpretation of the California Consumer Privacy Act (CCPA) and user consent signals.

California Attorney General Rob Bonta is sending letters to websites that collect user profile information and then share that data with third parties.  At issue is interpretation of what the law means by “sale” of data. For example, if your interests or gender become part of a real-time-bidding (RTB) ad-tech exchange, is that a “sale” even if no dollars change hands? 

Raising the issue is advice from the attorney general that a browser extension called “Global Privacy Control” (GPC) — which a user can use to declare to all websites their data is not for sale (or use?), must be received and followed by websites to comply with CCPA. The prevailing view among both ad-industry and privacy advocates is that widespread adoption by consumers of GPC — if “sale” is interpreted to mean sharing — could disrupt the current ad-tech ecosystem, at least in California. GPC backers say some 50 million web users have already installed the browser app.

Bonta’s office has issued guidance on its enforcement interpretation of the law, implying that honoring the GPC signal is necessary for data “sharing.” But its still not clear whether the state will argue that “sharing” is a “sale” which cannot occur once a user has invoked a “no-sale” flag with GPC, and lawyers are analyzing the matter. 

The guidance states in part: ““If a business collects personal information from consumers online, the business shall treat user-enabled global privacy controls, such as a browser plug-in or privacy setting, device setting, or other mechanism, that communicate or signal the consumer’s choice to opt-out of the sale of their personal information as a valid request submitted pursuant to Civil Code section 1798.120 for that browser or device, or, if known, for the consumer.”

DigiDay’s Kate Kaye first reported this week that Bonta’s office has begun sending out enforcement letters requiring companies to honor #CCPA opt-out requests sent by #GPC-enabled browsers. She wrote: ““Despite previous doubt among some ad firms, some of the new letters make it clear that the use of data passed among third-parties for behavioral advertising is indeed a data sale under the CCPA in the eyes of the state’s attorney general, according to the lawyers.”

The GPC was initially spearheaded by Ashkan Soltani Georgetown Law and Sebastian Zimmeck (Wesleyan University) in collaboration with The New York Times, The Washington Post, Financial Times, Automattic (WordPress.com & Tumblr), Glitch, DuckDuckGo, Brave, Mozilla, Disconnect, Abine, Digital Content Next (DCN), Consumer Reports, and the Electronic Frontier Foundation (EFF).

The GPC backers are using the initiative’s Twitter account to promote Bonta’s broad interpretation. “

“The requirement to honor a global privacy control opt-out request has been in the CCPA regulations since their passage but it’s great to see the AG provide additional clarity for companies that are affected by the law,” researcher and technologist Ashkan Soltani, one of the architects of the GPC, said in an email to the IAPP’s Privacy Advisor. 

WASHINGTON WATCH 

(see “Quote of the Week” below)

• Roundup of reaction to Biden executive order on competition | Kevin Tagland, Benton Institute | DOCUMENT LINK | DOCUMENT SUMMARY
• Biden order  on privacy, net neutrality will require cooperation of independent FTC, FCC | Dave Perera, mlex/LexisNexis
• BACKGROUND: On Sen. Gillibrand’s bid to establish a data-privacy agency | Alan Winchester & Alicia Nakhjavan, Harris Beach PLLC law firm
• Law firm provides detailed report on first Khan-lead FTC meeting | Alexander Okuliar & David J. Shaw, Morrison Foerster law firm
• Bipartisan data-portability bill advances out of House committee | Kristen O’Shaughnessy et al., White & Case law firm
• PROPOSAL: Social media companies would lose Section 230 cover if causing data polarization | Sen. John Kennedy via Benton Institute
• Prominent “privacy” lawyer Joseph Jerome takes a job at Facebook | Mathew Olson, TheInformation.com

ANTITRUST

• Facebook Echoes Amazon in Seeking FTC Chief’s Recusal From Case | David McLaughlin, Bloomberg.com | RELATED STORY
• Facebook and Amazon want Khan’s recusal at the FTC. What now? | Ben Brody, Protocol.com
• State Attorneys General File Lawsuit Over Google’s Dominance of Android App Market | News Media Alliance staff report
• OPINION: Tech Monopolies and the Insufficient Necessity of Interoperability | Cory Doctorow, LocusMag.com
• New caucus shows GOP split on tech regulations | Margaret HardingMcGill, Axios.com
• EDITORIAL: Congress should act on digital antitrust — or the FTC will | Washington Post
• Tim Wu, the Man Behind Biden’s Push to Promote Business Competition | Ryan Tracy, WSJ.com via Benton Institute.

PLATFORMS AND PRIVACY

Reporter takes insightful dive into W3C standard-making culture as free “federated identity” group opens signup

If you have been seeing headlines and stories about privacy and the World Wide Web Consortium’s (W3C) discussion groups, you may be unclear about who is doing what to whom.  Now Issie Lapowsky, one of the tech reporters at Protocol.com, posted this week a long and seriously insightful analytical summary.  It’s definitely worth reading:

• At the W3C, a quiet war underway between browser makers and data users | Issie Lapowsky, Protocol.com

Browser makers — primarily Apple, Google and Microsoft — are moving to cut off access to personal data. Browser makers are doing so first by moving to block third-party cookies from browsers, and also by making it easier for users to demand their data not be used. Lapowsky’s basic thread is that the companies which use consumer data to target advertising are freaking out.

“They’re trying to slow down privacy protections that the browsers are creating,” Brave’s Pete Snyder is quoted as saying of the companies objecting to browser privacy initiatives. 

“I’m very much concerned about the influence and power of browser vendors to unilaterally do things, but I’m more concerned about the companies using those concerns to drive worse outcomes,” former Federal Trade Commission chief technologist Ashkan Soltani is quoted by Lapowsky as saying. 

Lapowsky covers the nuances at work — how do you create a web ecosystem that is both competitive and also privacy respecting?  She quotes key observers about whether the W3C is the right place to develop standards that bear on both of those values. And she raises the question implicitly: If the W3C can’t agree on new competition-preserving privacy standards for user-data exchange, will that make regulation easier or tougher? 

Standards development at the W3C is one approach to governing the use of data on the web.  But there may be others needed, a Brookings Institution scholar, Mark MacCarthy,  wrote in a June 23 essay entitled “Controversy of Google’s ‘Privacy Sandbox’ Shows Need for an Industry Regulator”. (READ FULL PAPER)

Lapowsky’s piece is mostly about discussions taking place with the W3C Privacy Community Group.  This week there’s news that a new W3C “community group” has been formed — the “Federated Identity Community Group”.  This new one is public and doesn’t require a payment to join, by just clicking on the pink “join or leave this group” box. As of July 16, there were already 49 participants.

Here’s an excerpt from the group’s founding charter: 

“The purpose of the Federated Identity Community Group is to provide a forum focused on incubating web features that will both support federated identity and prevent untransparent, uncontrollable tracking of users across the web. While the community group will take privacy concerns into consideration, these concerns will be balanced against the need to explore innovative ideas around federated authentication on the web.

PLATFORMS AND PUBLISHERS 

• Big publishers warn UK that Google’s delay of “end-of-cookie” is harmful | Wendy Davis, DigitalNewsDaily/MediaPost.com | DIGITAL CONTENT NEXT’s LETTER
• France fines Google $593 million for not negotiating ‘in good faith’ with news publishers | Adam Satariano, NYTimes.com | DOCUMENT | RELATED STORY | RELATED STORY
• France issue ultimatum to Google — pay for news or face 1M daily fines besides initial $593M | Gaspard Sebag, Bloomberg.com
• OPINION: On big tech and news publishers, Canada must follow Australia’s lead | David Skok, TheLogic.co

Danish business-school research finds manipulating look, language of cookie banners increases consent 17 percent 

New research from the Copenhagen Business School finds designers of cookie banners can affect users’ privacy choices by manipulating the choice architecture and with simple changes can increase absolute consent by 17%. (JOURNAL ARTICLE)

The researchers analyzed 1,493 user interactions with multiple versisions of a cookie-consent banner on a public website — to see how manipulating the message and architecture would changed the frequency with which users gave consent to use of their data.  “The research findings provide empirical evidence that shows people’s data privacy decisions can be easily manipulated,” the researchers write in their summary report: “Data privacy — are you sure you want a cookie?”

Users need to be able to make informed decisions for free markets to work efficiently, says Jan Michael Bauer an associate professor in the school’s management, society and communication department. “Exploiting psychological mechanisms in design, the manipulate users to the benefit of the website owner is problematic,” he says.

PERSONAL PRIVACY 

• Microsoft says it blocked spying on rights activists, others | Alan Suderman, Associated Press
• Ad world expert on why privacy now matters | Rishad Tobaccowala, via AdWeek.com
• Some 230 startups seen as focusing on helping consumers manage their data | Omidyar Network via MIT Technology Review
• Assessing the value of laws requiring removal of URLs for privacy protection | Theodore F. Claypoole, Womble Bond Dickson law firm
• Few apps will tell you what they do with your personal contacts | Heather Kelly, WashPost.com
• ACLU sues Chicago police for using social media to monitor protests | Tom Schuba, Chicago Sun-Times

BIOMETRIC AND FACIAL PRIVACY 

• From Macy’s to Ace Hardware, facial recognition is already everywhere | Rebecca Heilweil, ReCode/Vox.com
• Is police use of facial recognition technology an invasion of privacy? | Dennis Romboy, DeseretNews.com
• New York City businesses now have to post biometric collection notices | Cynthia J. Larose, & Michael R. Graif, Mintz Levin law firm | LAW EXPLAINED
• NYC’s New Biometric Privacy Law ‘An Indication of What Is to Come’ | Frank Ready, Law.com
• Hyatt To Pay $1.5M To Resolve Illinois Biometric Privacy Suit | Law360.com

AD TECH

Grant for the Web-funded video takes aim at ad tech and promotes ‘blockchain’; What is Distributed Media Lab?

A co-developer of the Open Index Protocol, a system seeking to use so-called “blockchain” technology to fund web content, posted a 23-minute video this week assembling a series of arguments why, in her view, the current ad-tech ecosystem should be abandoned as opaque and fraudulent.  

The video, “Advertising is at the heart of what’s wrong with the Internet today?” is notable for collecting in one place all or the arguments against ad tech. In it, Alexandria Labs CEO Amy James acknowledges $49,000 in funding from Grant for the Web, (GFW). That’s a $100-million blockchain-promoting fund to “boost open, fair and inclusive standards and innovation in web monetization. By far the GFW’s largest grant shown on their website is $2 million awarded last fall to the Distributed Media Lab (DML).

DML is described as working on a proposed web standard “that allows websites to request a stream of very small payments (e.g. fractions of a cent) from a user. In exchange for payments from the user, websites can provide the user with a “premium” experience, such as allowing access to exclusive content, removing advertising, or even removing the need to log in to access content services.‍”

DML’s website shows logos of major media organizations. Crunchbase says it has raised $3.2 million overall. Its CEO, Dave Gehring, explained the company’s plans in a Northwestern University interview.  In it, he says projects are underway with the Local Media Consortium (“The Matchup”) and Local Media Association (“Branded Content Project.”)

“We didn’t want publishers to be our customers,” Gehring says in the interview. “We wanted publishers to be our partners. Because the mission that we’re on is to establish a viable economic framework to support journalism on the open web. We want advertisers to pay money. We want consumers to pay money. But we didn’t want our platform to be an expense to the publisher.”

MORE AD TECH 

• VIDEO: In Lotame-sponsored forum, observations about what’s next for targeting | Amy Corr, AdMonsters.com
• Google herds FLoC back to the lab for undisclosed post-third-party-cookie modifications | Thomas Claburn, TheRegister.com
• Understanding limits, capabilities of FLoC, FLEDGE and TURTLEDOVE | Frederick Vallaeys, SearchEngineLand.com
• AAM’s Integration into the IAB Tech Lab Compliance Registry | Alliance for Audited Media
• Is Amazon Primed for the Data Privacy Era? | Mike Boland, StreetFightMag.com
• Digital ad vet Anthony Katsur is transparency focused as new IAB Tech Lab  CEO | Keach Hagey, WSJ.com 
• VENDOR VIEW: Why publishers should be getting rid of third-party cookies now | Valbona Gjini, ID5.com via DigitalContentNext.com
• VENDOR VIEW: “Publisher cohorts” seen as alternative to FLoC, based on first-party data | David Reischer, Permutive via AdMonsters.com
• VENDOR VIEW: Navigating ad fraud and consumer privacy abuse in programmatic advertising | Jalal Nasir, Pixalate Inc. via TechCrunch.com
• VENDOR VIEW: Why Contextual Targeting Is The Most Inclusive Ad Targeting Tactic | Michael Schwalb, JWPlayer via AdExchanger.com