Ad-tech industry struggles to agree on privacy enforcement for email-based identifiers; plans a vote in new year

There’s a new report about the challenge of finding someone to play the “heavy” in governing identity and privacy on the web. The Internet Advertising Bureau Tech Lab (IAB Tech Lab) is said to be balking at the role of enforcing privacy rules in the operation of a nascent standard, Unified ID 2.0, which is based on encrypting and sharing email addresses among advertisers. IAB represents ad-tech companies of all sizes, including Google as well as some advertisers and publishers.

• Why The IAB Tech Lab Still Hasn’t Taken On The Administrator Role For Unified ID 2.0 | Allison Schiff, AdExchanger.com

AdExchanger reporter Allison Schiff wrote last week that during a Tech Lab board meeting the week before, “a vote on the matter was tabled for further discussion” because the lab is “still on the fence” about “serving as an administrator” for Unified ID.  The administrator of the encrypted-email sharing network would might distribute encryption keys to advertisers and ad-tech companies, decryption keys to “complaint members” and compliance auditing. “The administrator must also shut off bad actors that abuse the ID,” Schiff writes. 

The problem is liability, according to a knowledgeable source consulted by Privacy Beat. The assumption is that if a company deriving millions of dollars in revenues from ID-dependent advertising services is “shut off,” they might be inclined to litigate.  That would require the administrator of the system to have the financial and legal capacity to defend its decisions. IAB Tech Lab doesn’t want that liability, the source said, particularly where it might be required to discipline its own members.

“The IAB Tech Lab board appears willing to move forward as an admin as long as it’s not on the hook for shutting down the baddies,” Schiff writes at AdExchanger.  She wrote the TechLab plans a reconsideration and vote “sometime in the new year.” 

Without effective discipline, the source speculated, the system would not be trusted by the public or by regulators. A key policy analyst at the Brookings Institution, Cam Kerry, has argued for laws or regulation that grant “safe harbor” from enforcement to operators who prove compliance with transparent privacy frameworks. 

The Information Trust Exchange Governing Association (ITEGA.org), sponsor of this newsletter, issued a call in April for support of a ‘public option’ user privacy/identity ecosystem, led by a journalism-aiding nonprofit.   ITEGA’s board said in a report that meetings and webinars it organized “found consensus about the need for enforceable rules around digital identity management, industry-independent governance, and efforts to enact a U.S. federal privacy law.” The board  said “U.S. advertising-tech leadership has moved close to a partial solution, but has appeared unwilling to cede control of consumer identity authentication to a public-interest structure that could be global in impact and similar to the way internet domain names are governed.” 

AD TECH AND PRIVACY 

• Adtech vendors still tracking EU users who deny consent via IAB’s TCF, study suggests | Natasha Lomas, TechCrunch.com
• Axel Springer Partners With InfoSum To Evolve First-Party Data Strategy | Tony Silber, PublishingInsider/MediaPost.com
• VENDOR VIEW: How publishers can collect first-party data to engage | Andrew Sullivan, OpenWeb via DigiDay.com

PERSONAL PRIVACY 

• How to understand and use Apple’s new iOS App Privacy Report | Heather Kelly, WashingtonPost.com
• Apple iOS 15.2 seen as bad news for Facebook because of privacy monitoring | Jason Aten, Inc.com
• How to opt out of Verizon’s shady data tracking | By Sasha Lekach, Mashable.com
• Big data brokers know everything else but your name | Justin Sherman, Wired.com
• How to delete voice history from Amazon Alexa, Google Assistant, and Apple’s Siri | Sumukh Rao, XDA Developers
• How to use your phone’s new privacy-protection tools | J.D. Biersdorfer, NYTimes via SeattleTimes.com
• If you use Google, you’re likely being tracked. Change these settings to stop it | Kelsey Fogarty, CNet.com
• 10 Reasons to Hide Your IP Address | Ankush Das, MakeUseOf.com
• Amazon’s dystopian surveillance cameras can identify you by skin and scent | Hannah Bertolino, DazedDigital.com
• Mobile carriers sell your personal data – here’s how to stop them | Ben Lovejoy, 9to5Mac.com

Amid 884 pages, ad tech opens battle over California privacy rule making;
GPC is defended by originator

The U.S. advertising and ad-tech industries filed more comments than any other group amid 884 pages received by the California Privacy Protection Agency (CCPA) and made public last week, signaling the start of a long lobbying effort between advertising industry and privacy advocates over enforcing the California Privacy Rights Act (CPRA).

The new CPPA issued a call in September for public and industry comment on how it should interpret and enforce multiple aspects of the state’s landmark CPRA.  Due on Nov. 8, the comments were almost uniformly filed on that date, and are now public in four PDF files. LINKS:  (1, 2, 3 and 4).

No comments appear to have been filed by Microsoft, Amazon, Facebook nor any major advertising-technology companies or data brokers. Google’s relatively brief comments focused on seeking multi-state alignment, overall clarity, flexibility and well defined rules about audit processes and “automated decisionmaking.” 

Six advertising trade groups summarized their 50-page response in a 10-page letter which takes renewed aim at the Global Privacy Control (GPC), arguing that consumers should not be allowed to set an across-the-board “opt-out” of all data collection, as the GPC enables. The comments imply that if that were the case, advertisers would direct sites to instead force consumers to make a site-by-site decision, which the CPRA appears to allow. 

A comment filed by Wesleyan University Prof Sebastian Zimmick, who co-wrote and “open-sourced” the GPC browser plug in, urged the board to confirm that not only the GPC is covered by the law, but so would be signals sent in behalf of a consumer by a third party. Ad tech companies are freaked out about that possibility because it would increase opt-outs and compliance with data deletion requests. Litigation on this point is likely eventually.  

The advertising trade groups signing the letter and supporting exhibits. They said they represent $2.4 trillion in U.S. ad spend and 2,500 companies. Signatories were the Association of National Advertisers, the Network Advertising Initiative, the Digital Advertising Alliance, the American Association of Advertising Agencies, the American Advertising Federation and the Interactive Advertising Bureau. 

The advertising and ad-tech company groups’ letter also raised concerns about regulating “dark patterns” that privacy activists say are confusing. And they encourage California to try and “align” its rulemaking with new data-privacy laws in Virginia, Colorado and elsewhere, while the United States lacks any relevant federal privacy statute. The last two concerns were echoed by many of the other filed comments. 

Among comments were those from the U.S. Chamber of Commerce, Californians for Consumer Privacy, the News Media Alliance, Pinterest, the Surveillance Technology Oversight Project, the Electronic Frontier Foundation, the California ACLU, Princeton University professors, CafeMedia, Avast, Mozilla, the Media Alliance, Privacy Rights Clearing House, the Electronic Privacy Information Center, Consumer Action, Consumer Federation of America, New America’s Open Technology Institute, the Business Software Alliance (BSA), Digital Content Next, Entertainment Software Association, the Association of Magazine Media (MPA), the Internet Association, Stanford University professors, Common Sense Media, the California Retailers Association, the Insights Association, California Grocers Association TechNet, Consumer Reports and several law firms representing named or anonymous clients.

Among other issues or suggestions raised by commentators: 

• What constitutes “significant risk” to privacy as a threshold for regulation or enforcement
• How is anonymized information defined and when may such data be used or shared
• What constitutes a “sale” of information among parties? 
• Whether a data handler is obligated to delete on consumer request personal information it didn’t collect 
• How to align automated decisionmaking and other rules with the European Union
• Create a rule giving a company 45 days to fix a privacy problem before sanctions
• Make sure “sale and sharing” applies to advertising sold within social networks

STATEHOUSE BEAT 

• How CPRA Treats “Cross-Context Behavioral Advertising” – And The Implications For Ad Tech | Richard Eisert, Davis+Gilbert law firm
• AN ASSESSMENT: California’s consumer privacy act at the Two-Year Mark | Mary T. Costigan, JacksonLewis law firm
• CPRA Countdown: It’s time to brush up on California’s latest data privacy law | Brittney E. Justice et al., Bracewell LLP law firm
• New Mexico settles Google cases alleging collection of minors’ personal info | The State AG Report 
• In Connecticut, questions about vaccine passport policy | Christine Stuart, NBCConnecticut.com

ANTITRUST 

• VIDEO:  Capitol Hill hearing on digital competition, antitrust and consumer rights | U.S. Senate |  RELATED TWEET | TESTIMONY OF ROGER ALFORD (see QUOTE OF WEEK) 

WASHINGTON WATCH 

• Internet Association — Silicon Valley’s voice in Washington — dissolves (over antitrust?) | Emily Birnbaum, Politico.com
• Is Interactive Advertising Bureau stepping into lobbying void? | Emily Birnbaum, Politico via Benton Institute 
• 700-member IAB taps Amazon exec as its chief lobbyist | IAB Statement
• In U.S., only the Supreme Court guarantees “right to privacy” | William Falk, TheWeek.com
• Can we regulate social media without breaking the First Amendment? | Jameel Jaffer interviewed by Nilay Patel, TheVerge.com
• Ad exchange OpenX slapped with FTC fine for collecting location data on children | Carly Page, TechCrunch.com

FTC chair Lina Khan, above

In letter, Khan tells Blumenthal that FTC will seek Section 18 regulation of online privacy, choice and signals

The head of the U.S. Federal Trade Commission gave the clearest signal yet that she will seek to put in place new data-use regulations because, she argues, companies don’t realize how much consumers value their privacy and consumers don’t have enough choice to signal or exercise that value. 

“The commission is considering initiating a rule making under Section 18 of the FTC Act to address lax security practices, data privacy abuses, and algorithmic decision-making that may result in unlawful discrimination,” FTC Chair Lina M. Khan wrote in a letter (TEXT) to Sen. Richard Blumenthal, D-Conn.

RELATED LINKS:

• FTC will use ‘full suite of tools’ to tackle data privacy, discrimination, Khan says | Andrew Wyrich, DailyDot.com
• Khan has been setting up privacy move, but may need another Democrat to proceed | Ben Brody, Protocol.com | RELATED STORY
• FTC Moves Toward Section 18-based Privacy Regulations | Wendy Davis, DigitalNewsDaily/MediaPost.com
• Why Lina Khan put the fear of god into big tech this year | Andrew Wyrich, DailyDot.com
• Staff Report on ISP Privacy Practices Paves the Way for an FTC Privacy Rulemaking |     Qiusi Newcom & Laura Phillips, Faegre Drinker Biddle & Reath LLP law firm
• FTC says OpenX Will Pay $2 Million for Collecting Personal Information from Children | FTC Statement

EU & UK PRIVACY

• Facebook’s internal assessment of EU-US data transfers shows it has no legal leg to stand on, says noyb | Natasha Lomas, TechCrunch.com
• Despite EU court rulings, Facebook says US is safe to receive Europeans’ data | Vincent Manancourt, Politico.EU
• ANONYMOUS OPINION: Are ad tech vendors in Europe ignoring user consent signals? | Adalytics Research LLC
• How the U.S. is taking cues from Europe on tech policy | Ashley Gold, Axios.com
• Amazon fends off extra privacy fines after record EU penalty | Stephanie Bodoni, Bloomberg.com ($)
• Solving the Transatlantic Data Dilemma between US and EU | Thorsten Wetzling et al., Open Technology Institute/NewAmerica.org
• Norway Fines Grindr $7 Million Over Take-It-Or-Leave-It Privacy Approach | Wendy Davis, PolicyBlog/MediaPost.com

WORLD PRIVACY 

• The very bright future of Australia’s “consumer data right” law | Anthony Borgese et al., MinterEllison law firm
• Should Canadian police get private data from companies you patronize? | Jeremy Hainsworth, TimesColonist.com
• Phillipines’ Duterte appoints new chief of privacy watchdog | ABC-CBN News
• India’s data-privacy bill exempts government agencies | PTI/OutlookIndia.com | RELATED STORY
• Despite new laws, organizations in Uganda struggle with data protection and privacy compliance | Brian Oduti, GlobalVoices.org

PRIVACY BUSINESS 

• Competition & Privacy: It’s Both Or Nothing | Robin Berjon’s personal blog
• Qonsent and Optable join $3.5B-capitalized privacy startups | Allison Schiff, AdExchanger.com
• The Rise of Cookies Litigation (and How to Avoid It) | Eleanor Ludlam et al., DAC Beachcroft LLP law firm
• Assuage Customer Privacy Concerns With These 15 Business Strategies | Forbes.com Expert Panel

JOURNALISM

• Journalism is a public good. Let the public make it |. Darryl Holliday, Columbia Journalism Review

UPCOMING EVENTS

• CONFERENCE/VIRTUAL: Annual Leadership Meeting (ALM), Feb. 7-10, New York City, Interactive Advertising Bureau
• LIST: Omidyar Good ID project lists upcoming identity gathering