Verizon Media pledges be open about using “hashed email” identifiers | California hints at definition of “sale”

Privacy Beat

Your weekly privacy news update.


Is Verizon offering 148M users clear ability to opt out of “hashed email” tracking? 

An ad-industry trade group, adapting to the end of third-party cookies and increasing privacy regulation, announced a retooling of how it expects its members to deal with so-called “hashed emails” as a method of tracking consumers.  The move was announced by the Network Advertising Initiative. ( WHAT IS NAI? )

Joining the NAI hashed-email bandwagon this week was Verizon Media, the soon-to-be-spun-out unit of the big telecom.

“If they’re going to target using a hashed email address, they have to provide an opt-out for that hashed email address,” Anthony Matyjaszewski, the organization’s vice president for compliance, was quoted by MediaPost’s Wendy Davis as saying. 

Verizon Media includes AOL, Yahoo, TechCrunch and dozens of other digital-content services and claims to reach 148 million “logged-in” users. In May, Verizon corporate said it was selling Verizon Media to private-equity firm Apollo Global Management Inc., which is also the largest lender to Gannett Co. Inc., the newspaper chain.  Verizon Media is represented on NAI’s board and is pushing its own hashed-email related service called “ConnectID.”

A “hashed” email is a string of characters computed from an email address. In theory, only the entity which created the hash can turn it back into an actual email address.  But if the same has is moved across multiple websites and they store it, it can become in effect a persistent identifier.  The holy grail of the current ad-tech system is to be able to track consumers and target ads to them across the open web.  That was easiest with third-party cookies, but major browser companies are gradually refusing to allow “cookies” to be used in that way. 

In the last year, ad-tech companies have been announcing new approaches to user tracking designed to circumvent — or comply with — European and California privacy laws. For example, The Trade Desk’s Unified ID2.0 approach starts with a hashed email and seeks to control who has the right to “decrypt it.”  The NAI announcement would appear to require that NAI members using Unified ID2.0 must offer consumers an explicit opportunity to “opt-out” of the use of the hashed email for tracking. 

In 2020, NAI developed a method for  “universal opt-out from tailored advertising tied to email.“ NAI is saying At present, all NAI members planning to use hashed emails were told by the NAI they have to use the NAI’s opt-out system.  So far, besides Verizon Media, NAI members Oracle Advertising, Neustar, Criteo and Inmark Intelligence have done so, the NAI statement said. 

Other NAI members not yet listed as signed up include Google and other major ad-tech companies, including AppNexus, IndexExchange, Lotame, MediaMath, Microsoft, NeuStar, Rubicon Project, Pubmatic and The Trade Desk.





Does your organization need customized privacy compliance solutions? ITEGA  can help.

We bring together support you need to approach compliance with CCPA, GDPR if needed, and future privacy legislation as it emerges.

Learn More


California AG offers hints about how sharing of user data could be enforced as a “sale” under CCPA

A new clue about what constitutes a “sale” emerged this week from a news conference and detailed documentation about enforcement of the California Consumer Privacy Act (CCPA).  The clue was among 27 anonymized examples of specific enforcement actions taken by state Attorney General Rob Bonta’s office.  Bonta also opened a website making it easy for consumers to complain about website privacy practices.

Analysis by privacy lawyers at the Squire Patton Boggs law firm found three of the 27 example cases bore on whether collecting and sharing data constitutes “sale” which a user can forbid under a browser tool such as the Global Privacy Control.  The firm’s analysis states: “These cases seem to indicate that collection by a third-party cookie provider, absent a service provider commitment by such provider, may be a “sale” to such provider – a position that the OAG has been advancing in enforcement actions of which we are aware – and that this must be tied directly to the “Do Note Sell” link and tool.”

California began enforcing the CCPA a year ago and this week’s report was the first detailed public summary of how it is going. Bonta said 75% of businesses acted to come into compliance with the 30-day statutory cure period and the rest are either under continued investigation or are still within the 30-day period. 





Facebook engineer proposes way for users to specific their advertising interests through the web browser 

A key Facebook engineer outlined this week an idea for “flipping digital advertising around,” giving consumers the ability to signal their advertising interests through web-browser software — rather than having interests inferred for targeting by opaque ad-tech networks. 

Benjamin Savage — Facebook’s regular representative to the World Wide Web Consortium’s (W3C) Privacy Community Group — has posted his idea — “Ad Topic Hints” — to a GitHub address. But he cautioned that he had already received so many constructive ideas and reactions that the description needs rewriting. “I’m not married to any particular algorithm,” Savage told some 50 people at an every-other-week virtual meeting of the privacy group. “It is just the concept.”  He said his key focus was to design a service that could no function as a “persistent identifier.” 

Key participants in the group reacted respectfully. Apple WebKit engineer John Wilander asked if Ad Topic Hints could be coded to not transmit health or other sensitive personal interests and attributes that would be consider sensitive. And he wondered if the interest hints could be shown only to specific entities with which the user has a “first-party” relationship. 

Brian May, from distillery, said he liked the idea of a user being able to signal interests, but he said his own research suggested that classifying which ad signals a particular interest is tricky and therefore is a “totally wrong vehicle” for helping with personalization. 

Michael Kleber, a Google engineer who works on the Chrome browser, said he was hesitant to embrace the Facebook engineer’s proposal. “There is something in this area that I would find very appealing,” he said. “But I think the user understandability story has to be different from what I see here.” 

Kristen Chapman, from Salesforce, said she generally liked the idea but that the grist given a consumer to use to indicate interests should come from more sources than just ad views. “Often segmentation and audience targeting is about an entire experience online,” she said. “It’s more layered and complicated than just advertising.”



Like what you see? Then recommend to a friend.

Subscribe to Privacy Beat

Inaugural meeting of W3C’s “federated ID” group set for Aug. 2; Google continues to sponsor organizing effort  

Google, which has said it will not support cross-site tracking identity services in its dominant Chrome browser, is nevertheless sponsoring the startup of a World Wide Web Consortium (W3C) federated-identity community group — and the first meeting is now set for Aug. 2.  (Scroll down to June 25 story)

“In the interest of full disclosure, Google is sponsoring me for much of my work that’s led to the creation of this community group and will continue to be a sponsor going forward,” said key organizer Heather Flanagan, in an email list posting. “That said, I do not speak for Google nor do I have any authority over any decisions they make.” She said she would not choose anyone from Google to co-chair the group. Flanagan drafted the group’s initial charter. She nominated herself as chair. 

Federated identity refers to the idea of allowing a web user to obtain a login or other credential at one web service, and be able to provide it to an otherwise unrelated entity in order to be recognized and served. Most of the proposals in the open-web advertising technology ecosystem for tracking users are designed to allow tracking of users among sites but without the element of an obvious “log-in.” 

Flanagan said the first virtual meeting of the group will be via Zoom and will start at noon EDT on Aug. 2.  Participation is free and open but requires a request be submitted. 






IAB Tech Lab CEO interview: Seeks open source, feedback but “we can’t be paralyzed by consensus”

  • The following excerpts are from an interview with Tony Katsur, the new CEO of the IAB Tech Lab Inc., conducted by AdExchanger reporter James Hercher and posted July 19

“ . . . [T]here are four watershed moments occurring simultaneously. And each represents challenges as well as immense opportunity. I’m thinking of consumer privacy, identity and addressability, ad fraud and security, and also connected TV, where we’re looking at a $70 billion television industry that is going to transition to TV delivered over IP [Internet Protocol] . . . . .

“The IAB Tech Lab has done a great job of being a steward of the technology standards that govern the industry . . . We will continue the critical work of driving standards across the ecosystem. But we need to deliver more technology frameworks and code to the ecosystem . . .  But that doesn’t mean everything’s going to come from the Tech Lab. That could be standing up an open-source initiative in the spirit of Linux or Apache, where we can establish some grounding framework. And then let’s let the industry innovate on top of that to solve business use cases . . . 

“My goal over the first 60 days is to gather as much feedback as possible from every constituency: publishers, ad technology companies, agencies, advertisers, consumer advocacy groups. And to be prepared to make tough decisions. Not everyone is going to be thrilled by some decisions. We need to make decisions. I’m prepared to reap the praise and share the praise with the team, as well as be the pincushion, if you will. We’re only going to get better if there’s candid feedback amongst the ecosystem. And I’m willing to listen to and accept that feedback to take the industry to a better place. But we can’t be paralyzed by consensus.”


Privacy Beat is a weekly email update from the Information Trust Exchange Governing Association in service to its mission. Links and brief reports are compiled, summarized or analyzed by Bill Densmore and Eva Tucker.  Submit links and ideas for coverage to

Share Share

Tweet Tweet

Share Share

Forward Forward




Copyright © 2021 Information Trust Exchange Governing Association, All rights reserved.

Want to change how you receive these emails?
You can update your preferences or unsubscribe from this list.

Email Marketing Powered by Mailchimp