Ad-tech industry struggles to agree on privacy enforcement for email-based identifiers; leads debate over CPRA

Privacy Beat

Your weekly privacy news update.


Ad-tech industry struggles to agree on privacy enforcement for email-based identifiers; plans a vote in new year

There’s a new report about the challenge of finding someone to play the “heavy” in governing identity and privacy on the web. The Internet Advertising Bureau Tech Lab (IAB Tech Lab) is said to be balking at the role of enforcing privacy rules in the operation of a nascent standard, Unified ID 2.0, which is based on encrypting and sharing email addresses among advertisers. IAB represents ad-tech companies of all sizes, including Google as well as some advertisers and publishers.

AdExchanger reporter Allison Schiff wrote last week that during a Tech Lab board meeting the week before, “a vote on the matter was tabled for further discussion” because the lab is “still on the fence” about “serving as an administrator” for Unified ID.  The administrator of the encrypted-email sharing network would might distribute encryption keys to advertisers and ad-tech companies, decryption keys to “complaint members” and compliance auditing. “The administrator must also shut off bad actors that abuse the ID,” Schiff writes. 

The problem is liability, according to a knowledgeable source consulted by Privacy Beat. The assumption is that if a company deriving millions of dollars in revenues from ID-dependent advertising services is “shut off,” they might be inclined to litigate.  That would require the administrator of the system to have the financial and legal capacity to defend its decisions. IAB Tech Lab doesn’t want that liability, the source said, particularly where it might be required to discipline its own members.

“The IAB Tech Lab board appears willing to move forward as an admin as long as it’s not on the hook for shutting down the baddies,” Schiff writes at AdExchanger.  She wrote the TechLab plans a reconsideration and vote “sometime in the new year.” 

Without effective discipline, the source speculated, the system would not be trusted by the public or by regulators. A key policy analyst at the Brookings Institution, Cam Kerry, has argued for laws or regulation that grant “safe harbor” from enforcement to operators who prove compliance with transparent privacy frameworks. 

The Information Trust Exchange Governing Association (, sponsor of this newsletter, issued a call in April for support of a ‘public option’ user privacy/identity ecosystem, led by a journalism-aiding nonprofit.   ITEGA’s board said in a report that meetings and webinars it organized “found consensus about the need for enforceable rules around digital identity management, industry-independent governance, and efforts to enact a U.S. federal privacy law.” The board  said “U.S. advertising-tech leadership has moved close to a partial solution, but has appeared unwilling to cede control of consumer identity authentication to a public-interest structure that could be global in impact and similar to the way internet domain names are governed.” 



Does your organization need customized privacy compliance solutions? ITEGA  can help.

We bring together support you need to approach compliance with CCPA, GDPR if needed, and future privacy legislation as it emerges.

Learn More

Amid 884 pages, ad tech opens battle over California privacy rule making;
GPC is defended by originator

The U.S. advertising and ad-tech industries filed more comments than any other group amid 884 pages received by the California Privacy Protection Agency (CCPA) and made public last week, signaling the start of a long lobbying effort between advertising industry and privacy advocates over enforcing the California Privacy Rights Act (CPRA).

The new CPPA issued a call in September for public and industry comment on how it should interpret and enforce multiple aspects of the state’s landmark CPRA.  Due on Nov. 8, the comments were almost uniformly filed on that date, and are now public in four PDF files. LINKS:  (1, 2, 3 and 4).

No comments appear to have been filed by Microsoft, Amazon, Facebook nor any major advertising-technology companies or data brokers. Google’s relatively brief comments focused on seeking multi-state alignment, overall clarity, flexibility and well defined rules about audit processes and “automated decisionmaking.” 

Six advertising trade groups summarized their 50-page response in a 10-page letter which takes renewed aim at the Global Privacy Control (GPC), arguing that consumers should not be allowed to set an across-the-board “opt-out” of all data collection, as the GPC enables. The comments imply that if that were the case, advertisers would direct sites to instead force consumers to make a site-by-site decision, which the CPRA appears to allow. 

A comment filed by Wesleyan University Prof Sebastian Zimmick, who co-wrote and “open-sourced” the GPC browser plug in, urged the board to confirm that not only the GPC is covered by the law, but so would be signals sent in behalf of a consumer by a third party. Ad tech companies are freaked out about that possibility because it would increase opt-outs and compliance with data deletion requests. Litigation on this point is likely eventually.  

The advertising trade groups signing the letter and supporting exhibits. They said they represent $2.4 trillion in U.S. ad spend and 2,500 companies. Signatories were the Association of National Advertisers, the Network Advertising Initiative, the Digital Advertising Alliance, the American Association of Advertising Agencies, the American Advertising Federation and the Interactive Advertising Bureau. 

The advertising and ad-tech company groups’ letter also raised concerns about regulating “dark patterns” that privacy activists say are confusing. And they encourage California to try and “align” its rulemaking with new data-privacy laws in Virginia, Colorado and elsewhere, while the United States lacks any relevant federal privacy statute. The last two concerns were echoed by many of the other filed comments. 

Among comments were those from the U.S. Chamber of Commerce, Californians for Consumer Privacy, the News Media Alliance, Pinterest, the Surveillance Technology Oversight Project, the Electronic Frontier Foundation, the California ACLU, Princeton University professors, CafeMedia, Avast, Mozilla, the Media Alliance, Privacy Rights Clearing House, the Electronic Privacy Information Center, Consumer Action, Consumer Federation of America, New America’s Open Technology Institute, the Business Software Alliance (BSA), Digital Content Next, Entertainment Software Association, the Association of Magazine Media (MPA), the Internet Association, Stanford University professors, Common Sense Media, the California Retailers Association, the Insights Association, California Grocers Association TechNet, Consumer Reports and several law firms representing named or anonymous clients.

Among other issues or suggestions raised by commentators: 

  • What constitutes “significant risk” to privacy as a threshold for regulation or enforcement
  • How is anonymized information defined and when may such data be used or shared
  • What constitutes a “sale” of information among parties? 
  • Whether a data handler is obligated to delete on consumer request personal information it didn’t collect 
  • How to align automated decisionmaking and other rules with the European Union
  • Create a rule giving a company 45 days to fix a privacy problem before sanctions
  • Make sure “sale and sharing” applies to advertising sold within social networks




FTC chair Lina Khan, above

In letter, Khan tells Blumenthal that FTC will seek Section 18 regulation of online privacy, choice and signals

The head of the U.S. Federal Trade Commission gave the clearest signal yet that she will seek to put in place new data-use regulations because, she argues, companies don’t realize how much consumers value their privacy and consumers don’t have enough choice to signal or exercise that value. 

“The commission is considering initiating a rule making under Section 18 of the FTC Act to address lax security practices, data privacy abuses, and algorithmic decision-making that may result in unlawful discrimination,” FTC Chair Lina M. Khan wrote in a letter (TEXT) to Sen. Richard Blumenthal, D-Conn.







Like what you see? Then recommend to a friend.

Subscribe to Privacy Beat


Fees on $100,000 stock trade — a few bucks; Fees on $100,000 in Google-handle advertising — $20,000 | Why?

  • What follows is an excerpt from written testimony of Roger P. Alford, professor, Notre Dame Law School, and a former Justice Department lawyer, submitted to a Dec. 15, 2021 hearing of the Senate Judiciary Committee subcommittee on Competition Policy, Antitrust and Consumer Rights

“Big Tech frequently introduces “innovations” to degrade the quality of competing products and services. Let me offer a concrete example based on my work with the state of Texas. As alleged in the multi-state antitrust complaint against Google that Texas is leading.

“Google uses its power in the online digital advertising market to force publishers to use Google’s exchange, which charges extremely high transaction fees.

“A $100,000 stock trade will cost you a few dollars in exchange fees paid to the NYSE. But a $100,000 ad campaign will cost you $20,000 in fees paid to Google’s exchange. As a result of these kinds of fees, Google earned revenue of $65 billion last quarter—over $700 million per day—almost all of it from digital advertising.

“Obviously Google’s supra-competitive fees hurts publisher revenue, so they developed some code, called header bidding, to allow them to route their inventory to multiple exchanges that could do the trades for much less.  Google did not welcome this innovation, so they introduced their own technological changes to exclude competition.”

  • “Google changed the data fields so publishers could no longer determine if they performed better using one exchange or another. 

  • “They introduced Accelerated Mobile Pages, (or “AMP”) which is that carousel of news stories you see when you do a search in Chrome on your phone. Amazingly, AMP was designed without using JavaScript so that it would be incompatible with header bidding coding. 

  • “Google also throttled the load time of non-AMP ads with artificial one-second delays. Google’s own employees struggled with “how to [publicly] justify [Google] making something slower.”

  •  “And Google imposed artificial line item caps so that publishers could make fewer granular bids and win fewer auctions if they used another exchange, somewhat like the now illegal quoting convention in the stock market of avoiding odd-eighths in bid/ask quotes.

“In short, the complaint alleges that Google introduced numerous “innovations” for the express purpose and result of excluding competition and making it more difficult for its own consumers to increase their revenue using competing exchanges.”


Privacy Beat is a weekly email update from the Information Trust Exchange Governing Association in service to its mission. Links and brief reports are compiled, summarized or analyzed by Bill Densmore and Eva Tucker.  Submit links and ideas for coverage to

Share Share

Tweet Tweet

Share Share

Forward Forward




Copyright © 2021 Information Trust Exchange Governing Association, All rights reserved.

Want to change how you receive these emails?
You can update your preferences or unsubscribe from this list.

Email Marketing Powered by Mailchimp