Is Verizon offering 148M users clear ability to opt out of “hashed email” tracking? 

An ad-industry trade group, adapting to the end of third-party cookies and increasing privacy regulation, announced a retooling of how it expects its members to deal with so-called “hashed emails” as a method of tracking consumers.  The move was announced by the Network Advertising Initiative. ( WHAT IS NAI? )

Joining the NAI hashed-email bandwagon this week was Verizon Media, the soon-to-be-spun-out unit of the big telecom.

“If they’re going to target using a hashed email address, they have to provide an opt-out for that hashed email address,” Anthony Matyjaszewski, the organization’s vice president for compliance, was quoted by MediaPost’s Wendy Davis as saying. 

Verizon Media includes AOL, Yahoo, TechCrunch and dozens of other digital-content services and claims to reach 148 million “logged-in” users. In May, Verizon corporate said it was selling Verizon Media to private-equity firm Apollo Global Management Inc., which is also the largest lender to Gannett Co. Inc., the newspaper chain.  Verizon Media is represented on NAI’s board and is pushing its own hashed-email related service called “ConnectID.”

A “hashed” email is a string of characters computed from an email address. In theory, only the entity which created the hash can turn it back into an actual email address.  But if the same has is moved across multiple websites and they store it, it can become in effect a persistent identifier.  The holy grail of the current ad-tech system is to be able to track consumers and target ads to them across the open web.  That was easiest with third-party cookies, but major browser companies are gradually refusing to allow “cookies” to be used in that way. 

In the last year, ad-tech companies have been announcing new approaches to user tracking designed to circumvent — or comply with — European and California privacy laws. For example, The Trade Desk’s Unified ID2.0 approach starts with a hashed email and seeks to control who has the right to “decrypt it.”  The NAI announcement would appear to require that NAI members using Unified ID2.0 must offer consumers an explicit opportunity to “opt-out” of the use of the hashed email for tracking. 

In 2020, NAI developed a method for  “universal opt-out from tailored advertising tied to email.“ NAI is saying At present, all NAI members planning to use hashed emails were told by the NAI they have to use the NAI’s opt-out system.  So far, besides Verizon Media, NAI members Oracle Advertising, Neustar, Criteo and Inmark Intelligence have done so, the NAI statement said. 

Other NAI members not yet listed as signed up include Google and other major ad-tech companies, including AppNexus, IndexExchange, Lotame, MediaMath, Microsoft, NeuStar, Rubicon Project, Pubmatic and The Trade Desk.

RELATED LINKS

• Verizon Media adopts Opt-Out of Targeted Ads Across Its Network | Joseph Zappa, StreetFightMag.com | VERIZON MEDIA STATEMENT
• VENDOR VIEW: Why the internet needs to move to “decentralized identity” technology | Nick Lambert, Dock, via ComputerWeekly.com
• VENDOR VIEW: Why the ad industry is stuck in wait-and-see mode on identity | JoAnne Monfradi Dunn, Allianz, via AdExchanger.com
• IBM-funded ethic lab’s Renieris testifies to Congress on identity and privacy | Shannon Roddel, Notre Dame News

FTC, PRIVACY AND COMPETITION

• Florida congresswoman’s bid to give FTC more enforcement power gains privacy-advocate support | Wendy Davis, DigitalNewsDaily/MediaPost.com
• BENTON SUMMARY | SUPPORTER STATEMENTS | BILL TEXT (pending)
• House passes bill to revive FTC authority to recover money for consumers | Rebecca Klar, TheHill.com via Benton Institute
• New Changes at the FTC: Return of the Rulemaking? |  Leonard L. Gordon & Michael A. Munoz, Venable LLP law firm | EXPLAINING PENALTY OFFENSE
• BACKGROUND: The Case for “Unfair Methods of Competition” Rulemaking | Rohit Chopra & Lina Khan | Unv. Of Chicago Law Review
• Why the FTC is forcing tech firms to kill their algorithms along with ill-gotten data | Kate Kaye, DigiDay.com

WASHINGTON WATCH 

• Senate GOP leaders urged Biden to prioritize privacy legislation | Senate Commerce Committee | LETTER TEXT
• INTERVIEW: Privacy regulation expert Woodrow Hartzog on Biden executive order | Julia Angwin, TheMarkup.com
• White House reviewing Section 230 in misinformation crackdown effort | Betsy Klein, CNN.com
• Mandating interoperatibility? The ACCESS ACT explained | Lumen / Berkman Klein Center at Harvard University | WHAT IS LUMEN?

ANTITRUST 

• Biden names activist to head Justice Department’s antitrust enforcement | Benton Institute summary
• 56% of Americans support more regulation of major technology companies | Emily A. Vogels, Pew Research Center

PRIVATE DATA?

California AG offers hints about how sharing of user data could be enforced as a “sale” under CCPA

A new clue about what constitutes a “sale” emerged this week from a news conference and detailed documentation about enforcement of the California Consumer Privacy Act (CCPA).  The clue was among 27 anonymized examples of specific enforcement actions taken by state Attorney General Rob Bonta’s office.  Bonta also opened a website making it easy for consumers to complain about website privacy practices.

Analysis by privacy lawyers at the Squire Patton Boggs law firm found three of the 27 example cases bore on whether collecting and sharing data constitutes “sale” which a user can forbid under a browser tool such as the Global Privacy Control.  The firm’s analysis states: “These cases seem to indicate that collection by a third-party cookie provider, absent a service provider commitment by such provider, may be a “sale” to such provider – a position that the OAG has been advancing in enforcement actions of which we are aware – and that this must be tied directly to the “Do Note Sell” link and tool.”

California began enforcing the CCPA a year ago and this week’s report was the first detailed public summary of how it is going. Bonta said 75% of businesses acted to come into compliance with the 30-day statutory cure period and the rest are either under continued investigation or are still within the 30-day period. 

RELATED LINKS

• Most Companies Cure California Privacy Violations After Notices, AG Says | Wendy Davis, DigitalNewsDaily/MediaPost.com
• California Attorney General Sees “Great Progress” With CCPA Enforcement | Timothy Butler et al., Troutman Pepper law firmLaw firm analyzes California CCPA enforcement actions | Alysa Zeltzer Hutnik, Alex Schneider & Kaelyne Yumul Wietelman, Kelley Drye law firm | RELATED POST
• Law firm’s warnings about complying with CCPA notice rules | Odia Kagan, Fox Rothschild LLP law firm
• BACKGROUNDER: How the Global Privacy Control browser extension works | Daniel Rosenzweig, Steve Roosa & Wenda Tang, Norton Rose Fulbright law firm
• Retention/deletion requirements in California now similar to GDPR | David Manek et al., Ankura law firm
• VENDOR VIEW: How To Best Prepare for CPRA Compliance | eDesign Interactive

STATEHOUSE BEAT 

• Ohio Lawmakers Consider Data Privacy, Cybersecurity Bills | Michael Pittman & Lynn Hulsey, GovTech.com | OHIO BILL TEXT | OHIO GOVERNOR’S STATEMENT
• Privacy bills pending in Massachusetts and New York | Meaghan Powell et al., Gilbert & Tobin law firm | TEXT: Massachusetts privacy bill | TEXT New York privacy bill 
• With Ohio, Colorado, state privacy bills growing widespread | Jean Dimeo, NextGov.com | COLORADO OFFICIAL BILL SUMMARY 

BIOMETRIC PRIVACY 

• New York City’s Biometric Privacy Law Takes Effect: What You Need To Know | Alan R. Friedman et al., Kramer Levin law firm
• NYC Dept of Consumer Affairs Publishes Sample Biometric Signage | Cynthia Larose, Mintz law firm
• Stores you probably shop at that use facial-recognition technology | Hannah Towey, BusinessInsider.com
• Illinois Biometric Act has been a class action nightmare, but things may get better | Laura Balston, Constangy, Brooks, Smith & Prophete, LLP law firm

PERSONAL PRIVACY

• Ex-investors sees growth-obsessed startups creating a “Minority Report” world | Denis Mars, TechCrunch.com/
• Problem for priest: Your location data is for sale, and it can be used against you | Sara Morrison, Recode/Vox.com
• The argument for new law guaranteeing personal data contracts | Steven Hessing, Medium.com
• WHITE PAPER: The consequences of paying with your data | Rob Sumroy et al., Slaughter & May law firm
• Restoring your privacy costs money, which makes it a marker of class | Mark Pesce, TheRegister.com

Facebook engineer proposes way for users to specific their advertising interests through the web browser 

A key Facebook engineer outlined this week an idea for “flipping digital advertising around,” giving consumers the ability to signal their advertising interests through web-browser software — rather than having interests inferred for targeting by opaque ad-tech networks. 

Benjamin Savage — Facebook’s regular representative to the World Wide Web Consortium’s (W3C) Privacy Community Group — has posted his idea — “Ad Topic Hints” — to a GitHub address. But he cautioned that he had already received so many constructive ideas and reactions that the description needs rewriting. “I’m not married to any particular algorithm,” Savage told some 50 people at an every-other-week virtual meeting of the privacy group. “It is just the concept.”  He said his key focus was to design a service that could no function as a “persistent identifier.” 

Key participants in the group reacted respectfully. Apple WebKit engineer John Wilander asked if Ad Topic Hints could be coded to not transmit health or other sensitive personal interests and attributes that would be consider sensitive. And he wondered if the interest hints could be shown only to specific entities with which the user has a “first-party” relationship. 

Brian May, from distillery, said he liked the idea of a user being able to signal interests, but he said his own research suggested that classifying which ad signals a particular interest is tricky and therefore is a “totally wrong vehicle” for helping with personalization. 

Michael Kleber, a Google engineer who works on the Chrome browser, said he was hesitant to embrace the Facebook engineer’s proposal. “There is something in this area that I would find very appealing,” he said. “But I think the user understandability story has to be different from what I see here.” 

Kristen Chapman, from Salesforce, said she generally liked the idea but that the grist given a consumer to use to indicate interests should come from more sources than just ad views. “Often segmentation and audience targeting is about an entire experience online,” she said. “It’s more layered and complicated than just advertising.”

AD TECH

• Targeted advertising is missing its target, Analytics research claims | Ryan Barwick, MarketingBrew.com | REPORT DETAILS
• Examining how OpenWeb does (or doesn’t?) make advertising brand safe | Shoshana Wodinsky, GizModo.com
• Coalition of Privacy-Focused Tech Companies Calls for Ban on Surveillance Advertising Technologies | Scott Ikeda, CPOMagazine.com | LETTER TEXT AND SIGNATORIES
• RESEARCH: Targeted ads isolate and divide us even when they’re not political | Silvia Milano et al., Oxford University via TheConversation.com
• Publishers’ ad marketplace urges “high road” in privacy  with cohort-only IDs | David Kohl, TrustX.org via dExchanger.com
• SURVEY: Two-thirds of publishers, advertisers optimistic about privacy changes | James Hercher, AdExchanger.com
• INTERVIEW: Q-and-A with New IAB Tech Lab CEO Tony Katsur |  James Hercher, AdExchanger.com | KATSUR’S LINKEDIN COMMENTS | See QUOTE OF WEEK
• “OpenWeb Looks A Lot Like An OpenScam” | Nandini Jammi and Claire Atkin , CheckMyAds.org
• AT&T scrambles to sell ad tech unit Xandr as losses mount | Sara Fischer Axios.com
• Google toughens its enforcement and suspension policy for ad violations | Laurie Sullivan, MediaPost.com
• GOOGLE STATEMENT: “Piloting a new ‘strikes’ system to address repeat ad policy violations” | Brett Kline, Google Product Manager
• Ad-tech exec thinks households will still be targeted if individuals are not | Joseph Zappa, StreetFightMag.com
• Incrementalism? How ad campaigns might be tracked in privacy-focused world | Huanlei Ni, StreetFightMag.com
• VENDOR VIEW: Thoughts about balancing privacy and personalization | Rafael Lourenco, ClearSale via StreetFightMag.com

EU PRIVACY 

• Austrian activist Schrems’ Facebook privacy complaint referred to EU court | Reuters PLC
• Will the Global Privacy Control browser opt-out work under GDPR? | Robin Berjon, Berjon.com
• EU-U.S. Data Privacy Talks Enter Second Year With No Timeline for Resolution | David Uberti, WSJ.com
• Assessing EU’s “Standard Contractual Clauses” update proposal | Oliver Bell & Christopher Archer, Morgan Lewis law firm