Google’s Chrome to allow user to disable cross-site tracking; W3C group discusses role for “independent enforcement entity”

Google says its Chrome browser will allow consumers to turn off its cross-site tracking authorization system when it replaces third-party cookies, in a move which could disable those consumers’ ability to save certain logins.  The disclosure came in a regular meeting of a World Wide Web Consortium (W3C) group in which browser-maker engineers and others are debating the future of web identity and privacy services.

The ability of browsers to control cross-site tracking is a hot debate in W3C groups, but now there are proposals to include an independent third-party entity in the governance of tracking, referred to as an “Independent Enforcement Entity” (IEE).  In addition, users should also have the right to “toggle” such features on or off, a key technologist says.

“[Chrome] as a browser is also going to offer a toggle,” Kaustubha Govind, engineering manager for Google’s Chrome privacy initiatives, remarked during a Jan. 13 virtual meeting of the W3C Privacy Community Group involving more than 40 people online. “We do have privacy-conscious users that probably do really understand what domains are and do want to disable all cross-site features.”

Govind first broached the idea of an IEE in a slide deck she and a colleague prepared for an Aug. 12, 2021 meeting of the W3C Privacy Community Group. (Slide shown above, and an earlier story in Privacy Beat, Sept. 10, 2021.)

RELATED POSTS:

• NYT exec proposes fee-backed governance board running anonymizing ad servers | Robin Berjon, NYTimes via PrivacyBeat
• Brookings privacy expert sees “safe harbor” as part of bipartisan measure; says ITEGA might “fill the bill”| Cam Kerry via PrivacyBeat
• Veteran ad-tech leader calls for public-private intervention to head off disjointed web identity | Randall Rothenberg via PrivacyBeat
• ITEGA calls for support of ‘public option’ user privacy and identity ecosystem | ITEGA Directors via PrivacyBeat
• Legal think tank suggests third-party “accountability agent” could certify and jump start U.S. privacy rules | Markus Heyder, Sam Groga & Matthew Starr via PrivacyBeat

Since the 1990s, web sites have used “cookie” files to store in a user’s device  login status across different websites. Gradually, the advertising-technology industry exploited that feature as “third parties” to surreptitiously track user activity across multiple sites to compile dossiers for targeting advertising. As Apple, Mozilla and eventually Google code their browser software to block third-party cookies, engineers are now debating whether there is anything cookies should still be allowed to do — such as login or data-sharing among sites that are in some way related to each other.

Google’s First Party Sets (FPS) proposal, and others, would centralize decisions about cookie use in the browser technology. At Friday’s meeting however, a two-person team with backgrounds in journalism (Scott Yates)  and the cable-TV industry (Ralph Brown) proposed that an IEE — through JournalList.net — govern which sites should be considered editorially trustworthy and and thus entitled to share data across sites. The FPS proposal has focused more on business trustworthiness. The Jan. 14 session left unsettled whether the two concepts should be merged or separate. The debate continues on an email list. 

Meanwhile, the ad-tech industry continues to struggle with what should govern the use of hashed email identifiers in the Unified ID 2.0 service initiated by The Trade Desk, a major ad-tech operator. Trade Desk continues to haggle over terms under which it will turn over “key management” for UID2 to an independent third party.  So far, the IAB Tech Lab board has said it doesn’t want to control who gets booted from the UID2 system for data-privacy violations.

The Information Trust Exchange Governing Association, sponsor of this newsletter, is an independent 501(c)3 nonprofit organization chartered to help manage privacy and identity among participating web services.  It has been mentioned as a possible candidate to operate as an IEE in both the identity context as well as as a governor of when advertisers should be allowed to share user data.

There were these other developments in web identity and privacy:

• Consumer Reports’ Digital Lab and the MIT Media Lab are collaborating to release a standard protocol for how websites respond to consumer requests to stop sharing and provide copies of stored personal data. The “Data Rights Protocol” (DRP) is being championed in part by Wesleyan University computer scientist Sebastian Zimmeck, who also helped write code for the Global Privacy Control (GPC) browser application. California privacy regulators are seeking to require any website that receives a GPC “signal” to stop tracking them to comply; the idea would be to make that compliance consistent using a DRP.  Consumer Reports CEO Marta L. Tellado headlined a YouTube video in October in which technologies explained the ideas beind the Data Rights Protocol. CR has six million members. The video included Prof. Sandy Pentland’s summary of alternate forms of data ownership (slide above).
• Adding to at least two other existing “community groups” addressing similar subjects, a Mozilla Corp. engineer has spearheaded another effort to accelerate solutions for cross-site web identity sharing as the so-called third-party cookie is increasingly shunned as a privacy problem

AD TECH — EU and Google analytics

• Use of Google Analytics violates EU law, Austrian authority rules | Oliver Noyan, Euractiv.om
• Ruling: Google Analytics Violates EU Privacy Law | Pymts.com
• Schrems complaint action: Austrian website’s use of Google Analytics found to breach GDPR | Natasha Lomas, TechCrunch.com
• IAB Tech Lab – a reluctant peacekeeper in the privacy wars | Ronan Shields, DigiDay.com
• With Prebid at the helm of UID 2.0, indie ad tech marches to a unified beat but not all voices are in harmony | Ronan Shields, DigiDay.com
• Privacy, preference and personalization — it all depends on consent | Chitra Iyer, CMSWire.com
• VENDOR VIEW: Why prioritizing personalization can build trust between consumers and brands |Jurgen Galler, CEO, iPlusX via DigitalContentNext.org
• ANALYSIS: Why Apple’s Privacy Policies May Have Cost Social Media Companies Billions | Danny Maijorca, MakeUseOf.com
• VENDOR VIEW: Where will our data go when cookies disappear? | James Avery CEO, Kevel, via TechCrunch.com

PLATFORMS AND PRIVACY 

• RESEARCH: High frequency of third-party data sharing without consent | Niam Yaraghi & Samantha Lai, Brookings Institution | DOCUMENT LINK
• Mozilla, The Markup partner to explore Facebook’s data collection practices | Source: Mozilla Corp. blog
• T-Mobile begins blocking iPhone users from enabling iCloud Private Relay in the US | Chance Miller, 9to5Mac.com
• Federal appeals court agrees to let Google pay $13M to privacy groups over “Street View” | Blake Brittain, Reuters PLC

Image from a Politico/”Morning Consult” poll of U.S. voter privacy attitudes 

Business, advertisers vaguely pressure Congress for privacy law; new poll find general public — and bipartisan — support

As enforcement of California’s law begins and Florida lawmakers renew debate over a state privacy law, a powerful lobbying group lead by the U.S. Chamber of Commerce is trying to move Congress from talk to action on a U.S. Federal privacy law.

The coalition’s letter, including major advertising interests, seeks  “bipartisan and durable national data protection legislation” but includes no details, leaving it up to Congress to wrangle over key policy issues: (1) Should individual citizens have the right to sue over privacy violations and (2) Should tougher state laws such as California’s be permanently or temporarily pre-empted. Business interests answer “no” and “yes”, consumer advocates answer “yes” and “no.” So far, that’s equaled stalemate until middle ground is found.

• U.S. Chamber of Commerce, others urge Congress to pass privacy legislation | Diane Bartz, Reuters PLC | RELATED STORY
• Powerful business, ad groups open-letter urges privacy action by Congress | U.S. Chamber of Commerce | LETTER TEXT | CHAMBER’S STATE PRIVACY MAP

The Chamber-lead push was unveiled in the same week that Politico/“Morning Consult” released a 2,000-person poll showing that 56% of U.S.-registered voters — across the political spectrum — say they support federal privacy legislation.  Democratic votes are the must enthusiastic bloc, the poll found.

WASHINGTON WATCH

Mactaggart and Rep. DelBene debate features of potential federal privacy law | Gicel Tomimbang, Squire Patton Boggs (US) LLP

• New Bill Would Require Sites To Summarize Data Practices | Wendy Davis, DigitalNewsDaily/MediaPost.com
• EXPLAINER: DelBene’s Information Transparency and Personal Data Control Act (HR 1816) | Samual Garner, Bryan Cave law firm
• Lawmakers Introduce Terms-of-service Labeling, Design and Readability (TLDR) Act | Justin Hendrix, TechPolicy.Press
• Five key privacy issues to watch on Capitol Hill in 2022 | Kirk Nahra, WilmerHale law firm
• What is Eshoo/Lofgren proposed Online Privacy Act of 2021? | Odia Kagan, Fox Rothschild LLP law firm
• ROUNDUP: “Eye on Privacy Year in Review” | Sarah Aberg et al., Sheppard Mullen Richter & Hampton LLC

FTC PRIVACY ENFORCEMENT

• FTC 2022 Regulatory Priorities to Include Privacy and Security | Julia Kadish & Liisa Thomas, SheppardMullin law firm
• Facebook antitrust suit can move forward, a judge says, in a win for the F.T.C. | Cecilia Kang, NYTimes.com
• FTC Seeks to Move Beyond Notice and Consent to Restrict Data Collection and Use | Amy Gordon & Ryan P. Blaney, Proskauer law firm
• FTC orders SpyPhone to stop its stalkware business practices | FTC Announcement | ANALYSIS OF ORDER | FTC ORDER
• Ad Tech company OpenX To Pay $2 Million FTC Settlement | Shelby Dolen & Malia Rogers, Husch Blackwell law firm
• Lead generation company  ITMedia Solutions to pay $1.5M over sale, use of consumer data | source: U.S. Federal Trade Commission

PERSONAL PRIVACY 

• Listing the “apps” that collect the most personal data | Jason Cohen, PCWeek.com
• How To Opt Out of Verizon’s New Data Collection Policy | Craig Johnson, Clark.com
• How to stop your Roku, Apple TV or other streamer track you | Sarah Lord & Eli Blumenthal, CNet.com
• Surveillance will follow us into ‘the metaverse | Tatum Hunter, WashingtonPost.com
• Biometric Privacy in 2022: The Current Legal Landscape | David J. Oberly, BlankRome law firm/LegalTechNew
• How to Use Your Phone’s Privacy-Protection Tools | J.D. Biersdorfer, NYTimes.com
• Five  free privacy tools for protecting your personal data | Jared Newman, PCWorld.com
• Philadelphia stresses privacy and transparency in smart streetlight pilot | Sarah Wray, Cities-Today.com

The case for continued antitrust scrutiny of Google gains ground with unredacted Texas suit disclosures; news publishers press their claims

A spate of stories last week  — and on Jan. 17 — followed public release on Friday (Jan. 14) of blockbuster claims of collusion in a case brought by state attorneys general under federal antitrust law. The claims were made when the suit was filed by the Texas attorney general last week — but they were shielded from public view at the request of Google’s lawyers. AFter hearing, a judge ordered them “unredacted.”

• Behind a secret deal between Google and Facebook | Daisuke Wakabayashi & Tiffany Hsu, NYTimes.com
• Facebook, Google CEOs aware of formal advertising market deal — court filing | Diane Bartz et al., Reuters PLC
• Newly Unredacted Filings Allege Google Ran Manipulated Ad Auctions | Tony Silber, PublishersDaily/MediaPost.com
• Suit Alleges Google Misled About Ad Price Fixing, Auction Process For Years | Laurie Sullivan, MarketingDaily/MediaPost.com

At the same time, a separate set of antitrust actions filed by smaller U.S. newspaper publishers and a big British one are being consolidated into federal court in New York City. These cases, started by a West Virginia newspaper family, were covered in a video by Editor & Publisher magazine, which has started an updating standing page with information as the proceeds.

• Over 200 papers quietly sue Big Tech |  Sara Fischer, Axios.com
• West Virginia publisher launched suit in February 2021; others joined | Wall Street Journal
• VIDEO: Deep dive into class action antitrust suit against Facebook & Google | Mike Blinder, EditorAndPublisher.com | VIDEO LINK | E&P antitrust page
• LIST: Smaller U.S. newspaper publishing groups sueing Google/Facebook | Sara Fischer, Axios.com
• COURT DOCUMENT | Lawyers involved in newspapers’ suit
• Newspaper antitrust cases tackles problems copyright can’t fix | Cory Doctorow, Electronic Frontier Foundation
• Why US publishers aren’t signing up to Google News Showcase | William Turville PressGazette.co.uk

CALIFORNIA PRIVACY 

• Google, Pinterest lobbying actively to seek limits on California privacy laws | Trisha Ostwal, AdWeek.com
• Summarizing new data/privacy laws effective in California in 2022 | Jordan Jennings, Taft Stettinius & Hollister LLP law firm
• California’s attorney general summarizes details of privacy enforcement actions | Deborah George, Robinson+Cole law firm | CASE SUMMARIES
• General themes emerge in public comments on CPRA rule making | Christian Auth et al., Bryan Cave law firm
• Stakeholders sharply disagree on multiple aspects of CPRA | Shelly Kim et al., Akin, Gump, Strauss Hauer & Field LLP law firm
• SUMMARY: Key points of California privacy law reviewed by law firm | Brittney Justice et al., Bracewell LLP

FLORIDA PRIVACY BILLS

• Florida House Data Privacy Bill Released | Alfed Saikali, Shook, Hardy & Bacon LLP | HOUSE BILL TEXT | DETAILED BILL ANALYSIS
• Florida Senate bill introduction appears to set up battle over private suit right | Kelly Melciondo, Bilzin Sumberg law firm | SENATE BILL TEXT 

STATEHOUSE BEAT 

• Key points and comparisons of California, Virginia and Colorado privacy laws | Mary Hildebrand, Lowenstein Sandler LLP law firm
• Amendments Proposed to Virginia Consumer Data Protection Act | David Stauss, Husch Blackwell law firm
• ROUNDUP: 2022 – a busy year for privacy legislation has already started | Kate Lucente et al., DLA Piper law firm
• Consumer data privacy bills introduced in Washington state, Indiana, D.C., Florida | David Stauss, Husch Blackwell LLP
• Bills enacting the New York Privacy Act re-introduced | IAPP Daily Dashboard
• EFF appeals to NY Legislature on health, law-enforcement privacy bills | Hayley Tsukayama, Electronic Frontier Foundation
• Illinois enacts law limiting police access to home-device personal data | Amy Kabaria & John Seiver, Davis Wright Tremaine LLP law firm
• BOOKMARK: State privacy-law tracker | David Stauss, Husch Blackwell LLP law firm
• Illinois Appellate Court Specifies BIPA Accrual of Statute of Limitations | Gregory Abrams, Faegre Drinker Biddle & Reath LLP law firm
• ROUNDUP: Data Privacy And Security Class Actions Ripple Through U.S. Courts | King & Spalding law firm

Google said to step up lobbying as EU parliament debates self-preferencing curbs; ban on targeted advertising sought

Britain’s Financial Times daily published last week a remarkable account of what it called a “last-ditch effort” by Google to lobby European Parliament members against their likely passage this week of an EU Digital Makets Act (DMA) — on the grounds it will harm its advertising and self-preferencing search businesses.  The story implies that the IAB Tech Lab’s European arm was coordinating the lobbying effort.

• Google in last-ditch lobbying attempt to influence incoming EU tech rules | Financial Times
• Debate looms over EU corporate and advocacy effort to ban targeted advertising | Clothilde Goujard, Politico.eu | EU PARLIAMENT’S NEWS RELEASE
• Last-ditch effort by privacy advocates to ban targeted ads via Digital Services Act | Natasha Lomas, TechCrunch.com

A Dutch parliament member termed the effort a “marked escalation in lobbying” in recent weeks, The FT report said.  The DMA targets the perceived power of Big Tech platforms which Germany’s competition watchdog formally calls “gatekeepers.”  The EU’s transparency registered, reviewed by the FT reporter, shows Google invested about six million Euros in lobbying-related activities in 2020 and has roughly eight in-house lobbyists in Brussels, as well as external lawyers and consultants.  Google, in a statement quoted by the paper, said it has engaged “openly and constructively” with pollcymakers “to put across our point of view.”

EU AND UK PRIVACY

• Google offers not to put News Showcase into search results in Germany as antitrust probe rolls on | Natasha Lomas, TechCrunch.com
• European parliament found to have broken EU rules on data transfers and cookie consents
• Natasha Lomas, TechCrunch.com | RELATED ACCOUNT
• France fines Google $169M and Meta $67M for click opaqueness | Jenny Colgate, Rothwell, Figg, Ernst & Manbeck PC law firm | FRENCH DECISION ANALYZED
• European carriers seek to block one key iPhone privacy feature | Mariyan Slavov, PhoneArena.com
• After Brexit, the UK’s privacy regime remains similar to GDPR and such | Anne Bevit, et al., Cooley law firm
• New EDPB guidelines on what constitutes a third-country transfer | Karin Tukiainen et al., Lindahl law firm
• New possibilities for data: European Union legal developments | Gonzalo F. Gallego et al., HoganLovells law firm
• Analysis of EDPB consultations on international data transfers from EU | Gemma Nash, OsborneClarke law firm

GLOBAL PRIVACY 

• Shanghai Data Exchange Kicks Off Trading | Xia Jiang et al., Cooley LLP law firm
• Turkish DPA publishes draft guide on cookies | IAPP Daily Dashboard
• China’s New Privacy Law: The Impact On Canada and Beyond | Justin P’ng, Julie He & Summer Lewis, Fasken.com law firm
• India hits Google with antitrust investigation over alleged abuse in news aggregation | Manish Singh, TechCrunch.com

PRIVACY BUSINESS

Unsecured TransCredit database leaked over 800K records of US drivers | Jay Jay, Teiss.co.uk

• Data clean rooms could be the perfect technology for the privacy-first era | TechRadarPro, TechRadar.com
• BUSINESS: Time to get a grip on new data-privacy realities | Anton Laiskovskyi, Entrepreneur.com
• Will DuckDuckGo prove Internet users want an “easy button” for privacy? | Max Willets, DigiDay.com | EARLIER STORY
• OneTrust grows while the Internet fractures over privacy/identity | David McCabe, NYTimes.com

IDEAS, OWNERSHIP, COMMONS, BLOCKCHAINS

• Why people believe misinformation and resist correction | Jason Hendix, TechPolicy.Press
• Could a small online forum in Vermont show the way to fixing the Internet | Ethan Zuckerman, ProspectMagazine.co.uk
• RELATED: “Civilizing Social Media” | Ethan Zuckerman, UMass.edu
• What Co-Ops and Distributed Autonomous Organizations can learn from each other | Austin Robey, FWB.help
• BOOK: “The Commoner’s Catalog for Change” | David Bollier, CenterForNewEconomics.org
• VENDOR VIEW: When will newspapers automate the sale of local advertising to compete with platforms? | Luke Insoll, DanAds, via DigitalContentNext.org

UPCOMING EVENTS

• CONFERENCE/VIRTUAL: Annual Leadership Meeting (ALM), Feb. 7-10, New York City, Interactive Advertising Bureau
• IAPP Global Privacy Summit 2022 | April 12-13, Washington, D.C. | (discount offer)
• LIST: Omidyar Good ID project lists upcoming identity gathering