California privacy enforcement brings showdown with ad-tech industry closer | A “federated identity” group opens signup

Privacy Beat

Your weekly privacy news update.


California privacy enforcement brings closer a showdown with ad-tech industry; is “sharing” a sale under GPC?

A showdown between the advertising industry and California became more likely this week over the state’s interpretation of the California Consumer Privacy Act (CCPA) and user consent signals.

California Attorney General Rob Bonta is sending letters to websites that collect user profile information and then share that data with third parties.  At issue is interpretation of what the law means by “sale” of data. For example, if your interests or gender become part of a real-time-bidding (RTB) ad-tech exchange, is that a “sale” even if no dollars change hands? 

Raising the issue is advice from the attorney general that a browser extension called “Global Privacy Control” (GPC), which a user can use to declare to all websites that their data is not for sale (or use?), must be received and followed by websites to comply with CCPA. The prevailing view among both ad-industry and privacy advocates is that widespread adoption by consumers of GPC — if “sale” is interpreted to mean sharing — could disrupt the current ad-tech ecosystem, at least in California. GPC backers say some 50 million web users have already installed the browser app.

Bonta’s office has issued guidance on its enforcement interpretation of the law, implying that honoring the GPC signal is necessary for data “sharing.” But it’s still not clear whether the state will argue that “sharing” is a “sale” which cannot occur once a user has invoked a “no-sale” flag with GPC, and lawyers are analyzing the matter.

The guidance states in part: “If a business collects personal information from consumers online, the business shall treat user-enabled global privacy controls, such as a browser plug-in or privacy setting, device setting, or other mechanism, that communicate or signal the consumer’s choice to opt-out of the sale of their personal information as a valid request submitted pursuant to Civil Code section 1798.120 for that browser or device, or, if known, for the consumer.”

DigiDay’s Kate Kaye first reported this week that Bonta’s office has begun sending out enforcement letters requiring companies to honor #CCPA opt-out requests sent by #GPC-enabled browsers. She wrote: “Despite previous doubt among some ad firms, some of the new letters make it clear that the use of data passed among third-parties for behavioral advertising is indeed a data sale under the CCPA in the eyes of the state’s attorney general, according to the lawyers.”

The GPC was initially spearheaded by Ashkan Soltani (Georgetown Law) and Sebastian Zimmeck (Wesleyan University) in collaboration with The New York Times, The Washington Post, Financial Times, Automattic ( & Tumblr), Glitch, DuckDuckGo, Brave, Mozilla, Disconnect, Abine, Digital Content Next (DCN), Consumer Reports, and the Electronic Frontier Foundation (EFF).

The GPC backers are using the initiative’s Twitter account to promote Bonta’s broad interpretation.

“The requirement to honor a global privacy control opt-out request has been in the CCPA regulations since their passage but it’s great to see the AG provide additional clarity for companies that are affected by the law,” researcher and technologist Ashkan Soltani, one of the architects of the GPC, said in an email to the IAPP’s Privacy Advisor. 


(see “Quote of the Week” below)





Reporter takes insightful dive into W3C standard-making culture as free “federated identity” group opens signup

If you have been seeing headlines and stories about privacy and the World Wide Web Consortium’s (W3C) discussion groups, you may be unclear about who is doing what to whom.  Now Issie Lapowsky, one of the tech reporters at, posted this week a long and seriously insightful analytical summary.  It’s definitely worth reading:

Browser makers — primarily Apple, Google and Microsoft — are moving to cut off access to personal data. Browser makers are doing so first by moving to block third-party cookies from browsers, and also by making it easier for users to demand their data not be used. Lapowsky’s basic thread is that the companies which use consumer data to target advertising are freaking out.

“They’re trying to slow down privacy protections that the browsers are creating,” Brave’s Pete Snyder is quoted as saying of the companies objecting to browser privacy initiatives. 

“I’m very much concerned about the influence and power of browser vendors to unilaterally do things, but I’m more concerned about the companies using those concerns to drive worse outcomes,” former Federal Trade Commission chief technologist Ashkan Soltani is quoted by Lapowsky as saying. 

Lapowsky covers the nuances at work — how do you create a web ecosystem that is both competitive and also privacy respecting?  She quotes key observers about whether the W3C is the right place to develop standards that bear on both of those values. And she raises the question implicitly: If the W3C can’t agree on new competition-preserving privacy standards for user-data exchange, will that make regulation easier or tougher? 

Standards development at the W3C is one approach to governing the use of data on the web.  But there may be others needed, a Brookings Institution scholar, Mark MacCarthy,  wrote in a June 23 essay entitled “Controversy of Google’s ‘Privacy Sandbox’ Shows Need for an Industry Regulator”. (READ FULL PAPER)

Lapowsky’s piece is mostly about discussions taking place with the W3C Privacy Community Group. This week there’s news that a new W3C “community group” has been formed — the “Federated Identity Community Group”. This new one is public and doesn’t require a payment; anyone can join by clicking on the pink “join or leave this group” box. As of July 16, there were already 49 participants.

Here’s an excerpt from the group’s founding charter:

“The purpose of the Federated Identity Community Group is to provide a forum focused on incubating web features that will both support federated identity and prevent untransparent, uncontrollable tracking of users across the web. While the community group will take privacy concerns into consideration, these concerns will be balanced against the need to explore innovative ideas around federated authentication on the web.”


Danish business-school research finds manipulating look, language of cookie banners increases consent 17 percent 

New research from the Copenhagen Business School finds designers of cookie banners can affect users’ privacy choices by manipulating the choice architecture and with simple changes can increase absolute consent by 17%. (JOURNAL ARTICLE)

The researchers analyzed 1,493 user interactions with multiple versions of a cookie-consent banner on a public website — to see how manipulating the message and architecture would change the frequency with which users gave consent to use of their data. “The research findings provide empirical evidence that shows people’s data privacy decisions can be easily manipulated,” the researchers write in their summary report: “Data privacy — are you sure you want a cookie?”

Users need to be able to make informed decisions for free markets to work efficiently, says Jan Michael Bauer, an associate professor in the school’s management, society and communication department. “Exploiting psychological mechanisms in design, to manipulate users to the benefit of the website owner is problematic,” he says.




Grant for the Web-funded video takes aim at ad tech and promotes ‘blockchain’; What is Distributed Media Lab?

A co-developer of the Open Index Protocol, a system seeking to use so-called “blockchain” technology to fund web content, posted a 23-minute video this week assembling a series of arguments why, in her view, the current ad-tech ecosystem should be abandoned as opaque and fraudulent.  

The video, “Advertising is at the heart of what’s wrong with the Internet today?” is notable for collecting in one place all of the arguments against ad tech. In it, Alexandria Labs CEO Amy James acknowledges $49,000 in funding from Grant for the Web (GFW). That’s a $100-million blockchain-promoting fund to “boost open, fair and inclusive standards and innovation in web monetization.” By far the GFW’s largest grant shown on their website is $2 million awarded last fall to the Distributed Media Lab (DML).

DML is described as working on a proposed web standard “that allows websites to request a stream of very small payments (e.g. fractions of a cent) from a user. In exchange for payments from the user, websites can provide the user with a “premium” experience, such as allowing access to exclusive content, removing advertising, or even removing the need to log in to access content services.”

DML’s website shows logos of major media organizations. Crunchbase says it has raised $3.2 million overall. Its CEO, Dave Gehring, explained the company’s plans in a Northwestern University interview.  In it, he says projects are underway with the Local Media Consortium (“The Matchup”) and Local Media Association (“Branded Content Project.”)

“We didn’t want publishers to be our customers,” Gehring says in the interview. “We wanted publishers to be our partners. Because the mission that we’re on is to establish a viable economic framework to support journalism on the open web. We want advertisers to pay money. We want consumers to pay money. But we didn’t want our platform to be an expense to the publisher.”



Interoperable audience targeting and an open web won’t die along with the third-party cookie, Lotame-sponsored speakers say 

Data-aggregation company Lotame sponsored a webinar discussion this week about a 1,000-person survey across five nations which it says bolstered the need for interoperable, “people-based identity solutions” to sustain advertising when third-party cookies are no longer recognized by web browsers. The survey report was entitled, “Beyond the Cookie: The Future of Advertising for Marketers & Publishers.” Summarizing the webinar, freelancer Amy Corr, writing at AdMonsters, said the study found marketers plan to invest more in the open web. “Forty-two percent will buy more direct from publishers/media companies and 18% will invest more in walled gardens,” Corr wrote.

Reporting on the webinar, Corr quoted Lotame executive Alex Theriault: “Marketers would like to see more money, time, and resources invested in a post-cookie world across various areas. We found that three in five agreed that people-based identity solutions are necessary.” Added Advance Local publisher executive Scott Lawrence: “Just because third-party cookies are going away doesn’t mean the audience targeting itself is going away. All it’s doing is evolving.”





Biden’s marching orders on privacy, surveillance and antitrust 

The following excerpts related to data, surveillance, privacy and antitrust are included in President Biden’s “Executive Order on Promoting Competition in the American Economy” released on July 9 and posted as a briefing paper on the website.

“The American information technology sector has long been an engine of innovation and growth, but today a small number of dominant Internet platforms use their power to exclude market entrants, to extract monopoly profits, and to gather intimate personal information that they can exploit for their own advantage.  Too many small businesses across the economy depend on those platforms and a few online marketplaces for their survival.  And too many local newspapers have shuttered or downsized, in part due to the Internet platforms’ dominance in advertising markets . . . .

“This order affirms that it is the policy of my Administration to enforce the antitrust laws to combat the excessive concentration of industry, the abuses of market power, and the harmful effects of monopoly and monopsony — especially as these issues arise in labor markets, agricultural markets, Internet platform industries, healthcare markets (including insurance, hospital, and prescription drug markets), repair markets, and United States markets directly affected by foreign cartel activity . . . .

“It is also the policy of my Administration to enforce the antitrust laws to meet the challenges posed by new industries and technologies, including the rise of the dominant Internet platforms, especially as they stem from serial mergers, the acquisition of nascent competitors, the aggregation of data, unfair competition in attention markets, the surveillance of users, and the presence of network effects.

“Sec. 5.  Further Agency Responsibilities.  

     “(a)  The heads of all agencies shall consider using their authorities to further the policies set forth in section 1 of this order, with particular attention to:

          “(i)    unfair data collection and surveillance practices that may damage competition, consumer autonomy, and consumer privacy . . . .”


Privacy Beat is a weekly email update from the Information Trust Exchange Governing Association in service to its mission. Links and brief reports are compiled, summarized or analyzed by Bill Densmore and Eva Tucker.  Submit links and ideas for coverage to





Copyright © 2021 Information Trust Exchange Governing Association, All rights reserved.
