Google shifts “First Party Sets” venue after W3C privacy-group rejection; Rosewell implies CMA deal violation
A Google effort to seek agreement on one of its “Privacy Sandbox” replacements for third-party cookies might be foundering.
After a rejection by a privacy group led by employees of Mozilla, Microsoft and Apple, Google has decided to shift consideration of its “First Party Sets” (FPS) browser-cookie replacement to another venue. But debate within the Privacy Community Group of the World Wide Web Consortium (W3C) continues — with an unconfirmed assertion that FPS violates a binding agreement Google made months ago with British antitrust enforcers.
As well, a lead privacy engineer at Facebook, Ben Savage, Tweeted negatively about FPS, saying it “does not seem like it’s headed towards standardization.” Privacy Beat first reported on the evolving dispute last week.
The ongoing debate can be followed via the public listserv W3C maintains for the Privacy Community Group. On June 2, Apple’s Theresa “Tess” O’Connor reported she and the group’s other two co-chairs from Mozilla (Tanvi Vyas) and Microsoft (Erik Anderson) had decided to close discussion of “First Party Sets.” The next day, Google’s Kaustubha Govind responded saying Google would “continue to incubate” the FPS proposal within a different W3C standards committee.
Next, British ad-tech executive James Rosewell, a perennial critic of Google’s post-cookie initiatives, emailed a post asserting “FPS does not align” with European Union privacy regulations, “as required under Google’s commitments” in a written agreement with British antitrust regulators, the Competition and Markets Authority (CMA). Rosewell copied his post to Matthew Hancox and David Verroken, two executives at the Dutch ING Bank N.V., which agreed in February to monitor Google’s compliance with its CMA promises, reporting infractions immediately to the CMA. Rosewell asked for their opinion about FPS.
Then The Washington Post’s Aram Zucker-Scharff posted: “Since Matthew and David are on this email, presumably they could tell us if FPS is or is not against the agreements Google has made with the CMA? I think a definitive statement in this matter would presumably help lead participants towards a best next step.”
Next, W3C strategy lead and counsel Wendy Seltzer, administrative advisor to the group, rebuked Rosewell, telling him to keep “legal argumentation out of W3C’s technical groups.”
By end-of-day on Tuesday, New York Times data-governance VP Robin Berjon — a former W3C standards author — noted in a post the “already significant grumbling in the community that the [Web Infrastructure Community Group] is primarily a venue for the standards-washing of Google’s plans; it would be very unfortunate if the WICG found itself used as justification to ship FPS in a browser.”
At the May 26 privacy-group meeting, one participant — Aram Zucker-Scharff of The Washington Post — suggested carving out a portion of the FPS — an “independent enforcement entity” (IEE) — which would in some way govern privacy-protecting means of data transfer between sites. Another participant — Don Marti of ad-tech firm CafeMedia — said an IEE, if properly funded and governed, could play a role deciding which “first-party sets” are valid. (ITEGA, a 501(c)3 nonprofit organization that sponsors this newsletter, has expressed interest in taking such a role. See earlier story.)
Zucker-Scharff said it might make sense to break off the IEE proposal from FPS “into its own thing.” He added: “Where this is something that might be useful, some sort of governance entity for advertising technology and privacy.”
Govind first broached the idea of an IEE in a slide deck she and a colleague prepared for an Aug. 12, 2021 meeting of the W3C Privacy Community Group. (See an earlier story in Privacy Beat, Sept. 10, 2021.) Google is also advancing an idea for allowing login across multiple websites without third-party cookies, called the Federated Credential Management API.
PUBLISHERS, PLATFORMS, PRIVACY
- Google warns Canadian parliamentarians not to rush “deeply flawed” online pay-for-news bill | Marie Woolf, Canadian Press
- Facebook is developing a privacy-safe ad product as it tries to save its advertising business | Lindsay Rittenhouse & Lauren Johnson, BusinessInsider.com
- Would Apple Introduce A Privacy Search Engine To Compete With DuckDuckGo? | Laurie Sullivan, InsidePerformance/MediaPost.com
- Duck Duck Go escalates privacy battle with Google, blocking “Fledge” and “Topics” | Scott Ikeda, CPOMagazine.com | RELATED STORY
- Google Chrome’s Topics API test going public July 1 | Nicole Farley, SearchEngineLand.com
- Duck-Duck-Go facing the challenge of privacy as marketing | Jeremy Wegstaff, TheMarkup.org | DUCK-DUCK-GO RESPONSE
- Facebook’s new data-sharing plans raise old concerns | Mathew Ingram, Columbia Journalism Review
- Behind Meta/WhatsApp’s splashy privacy push | Daniel Barber, VentureBeat.com
- FTC proposes $150M fine for Twitter’s use of security data to target ads | FTC News Release
- Despite FTC proposed settlement, Twitter hit with private class-action lawsuit | Christina Tabbaco, LawStreetMedia.com
House sets June 14 hearing on privacy bill to neuter CCPA, outlawing most citizen lawsuits; U.S. Chamber opposes
A well-publicized “bipartisan” U.S. federal privacy bill, unveiled last week, is starting to take flak from multiple sides, with a public video hearing set for June 14 as the first policy showdown over how it handles conflicting state laws and the right of citizens to sue over privacy violations.
The “American Data Protection and Privacy Act” is in draft form, with an accompanying 10-page bill summary. Although it includes both Republican and Democrat supporters, it is not yet supported by Sen. Maria Cantwell, D-Wash., the chairman of the Senate Commerce Committee, which has jurisdiction. Even severely limiting the right of citizens to sue over privacy doesn’t satisfy a key business interest (link below).
The 64-page discussion draft “would allow consumers to opt out of ad targeting based on data about their activity over time and across sites . . . even if those consumers previously agreed to allow that information to be collected,” wrote Wendy Davis, of DigitalNewsDaily/MediaPost.com at “Lawmakers Float Opt-In Privacy Bill”. She said the draft bill, unveiled by Senator Roger Wicker (R-Mississippi), Representatives Frank Pallone, Jr. (D-New Jersey) and Cathy McMorris Rodgers (R-Washington), would impose numerous other prohibitions on companies’ ability to collect and harness consumer data.
The most knowledgeable, insightful and nonpartisan analysis so far of the bill and reaction to it comes from Muge Fazlioglu, a staff writer for the nonprofit International Association of Privacy Professionals. “Given what has happened and been said over the last 72 hours, and in anticipation of what is to come in the coming days, weeks, and months, hard work remains in translating the energy created by the ADPPA discussion draft into a meaningful legislative outcome,” she concludes. Substantively, she writes the bill proposal includes confusing language about whether tech companies would have an enforceable “duty of loyalty” to consumers for mis-use of personal data. She also writes: “In the other contentious issue alongside [state-law] preemption, the private right of action within ADPPA is complicated to unravel.”
Other key nonpartisan commentators:
Bill McGeveran, an associate dean of the University of Minnesota law school, Tweeted that the draft bill appears to pre-empt most of the California Consumer Privacy Act (CCPA) except a small section. That would appear to align against House Speaker Nancy Pelosi, who has said publicly she wouldn’t support a bill that overrules the CCPA. Without Cantwell’s support, he said in another Tweet, he’s “not holding my breath” for passage.
Another academic expert on privacy law, Blake Reid of the University of Colorado, Tweeted analyzing what he called the “pre-emption morass” of the Wicker-Pallone draft. (See QUOTE OF THE WEEK, below, for a compilation of Reid’s sequential Tweets.)
Ad-tech industry’s effort to standardize user-data exchange is unveiled; IAB Lab invites public comment until July 30
A trade group of the advertising-tech industry opened last week a 60-day public-comment period on its plan to standardize how websites exchange “signals” from the public about the use of personal data for commercial purposes. The IAB Tech Lab announced the proposed “Global Privacy Platform” (GPP) last week. Comments will be accepted until July 30. The 30-page draft specification is available for download.
“It is a single protocol designed to streamline transmitting privacy, consent and consumer choice signals from sites and apps to ad-tech providers and integrates with existing privacy signals,” the IAB Tech Lab statement said. It said the protocol will “integrate” with both the parent Interactive Advertising Bureau’s “transparency and consent framework” in Europe as well as the California Consumer Privacy Act.
IAB Tech Lab CEO Anthony Katsur, in a statement, said the GPP “ensures that consumer privacy remains at the core of everything we do through a single platform.” He said the draft iteration of GPP would continue to be developed and was a product of two years of legal and technical work so far. “One-off solutions and protocols cannot solve cross-jurisdictional consumer privacy and control challenges in the advertising ecosystem,” he added.
- Oberlin professor, with $240K NSF grant, to study privacy, algorithms and equity | Jason Hawk, Elyria Chronicle-Telegraph
- A tech columnist’s idea for a privacy “butler” to replace reading privacy policies: The InfoValet? | Geoffrey A. Fowler, WashingtonPost.com | WHAT’S INFOVALET?
- Newmark’s $5M gift allows Consumer Reports to offer new privacy/security tools | ConsumerReports.org
- German telecom Vodafone angers privacy advocates with persistent ID post-cookie plan | Mayank Sharma, LifeWire.com | RELATED STORY
- De-Anonymization Is the Biggest Privacy Threat No One Is Talking About | Sydney Butler, HowToGeek.com
- Many Tech Employees Say They’d Quit Rather Than Be Monitored During Work | Chris Teale, MorningConsult.com
- Critics fear health tech sector won’t protect online data privacy | Darius Tahir, Kaiser Health News via Tampa Times | RELATED: MOZILLA HEALTH-APP PRIVACY TRACKER
- The role of AI in data privacy | Joe Ayyoub, VentureBeat.com
California privacy board releases draft regulations prior to June 8 meeting; lawyers offer analysis
The California Privacy Protection Agency Board was holding a public meeting on Wednesday (June 8). Materials for the meeting, including a draft Initial Statement of Reasons, were made available pre-meeting, including an agenda and link to the 1 p.m. EDT meeting Zoom.
The Agency has also prepared some “Frequently Asked Questions” about the rulemaking process, which are available on the regulations page, under FAQ. Information on how to attend the meeting and the meeting agenda can be found on the California Privacy Protection Agency’s website.
PLATFORMS AND SPEECH
- WEBINAR: “The CPRA and Beyond: Compliance with Upcoming State Privacy Laws” | June 9, 1:00 p.m. EDT, IAPP Web Conference
- WEBINAR: “Analyzing the California Privacy Rights Act Draft Regulations,” June 9, at 1 p.m. EDT | Husch Blackwell law firm
- WEBINAR: “Strategies for Privacy Analyses of New Technologies,” June 9, 3 p.m. EDT, Prof. Daniel Solove
- WEBINAR: US State Privacy Laws: What You Need to Know | June 9, 10 a.m., International Association of Privacy Professionals
- IN-PERSON EVENT: “Transcend Summit,” June 9, New York, 8 a.m.-6 p.m., Sponsor: IAB Tech Lab
- HYBRID HEARING: “Protecting America’s Consumers: Bipartisan Legislation to Strengthen Data Privacy and Security” | June 14, 10:30 a.m. EDT, U.S. House Subcommittee on Consumer Protection and Commerce
- LIST: Omidyar Good ID project lists upcoming identity gathering
QUOTE OF THE WEEK
Colorado privacy-law academic expert Tweets analyzing “pre-emption morass” of Wicker-Pallone bipartisan draft
Below is a compilation of sequential “Tweets” posted on June 3 by Blake Reid, who teaches law and technology and is director of the Samuelson-Glushko Technology Law & Policy Clinic (TLPC) at the University of Colorado law school. Reid also directs the telecom and platforms initiative at the Silicon Flatirons Center. Earlier, he was an attorney and graduate fellow in First Amendment and media law at the Institute for Public Representation at Georgetown Law and a law clerk for Justice Nancy E. Rice on the Colorado Supreme Court.
“Some quick reactions to the preemption morass in the new federal privacy legislation draft. Quickly, the federal preservation section is confusing. The reference to the very specific breach provision in the CPNI rules stands in stark contrast to the broad savings clause for other federal laws. Are there other limiting authorizations? Will need to analyze carefully. (There’s also a specific, vaguely-worded FCC carveout that makes me very anxious.)
“There are also some exceptions where the law yields to some of the provisions of sector-specific laws like GLBA, HIPAA, FERPA, FCRA, etc. Will take deep dive by experts to understand those interactions.
“But onto the real action: the default presumption is preemption of state laws. That’s bad news; literally any state law that nominally strays into the extremely broad subject matter of this bill and implementing regs is by default subject to a federal preemption fight. Of course, there are an extremely broad set of exceptions. Overall, these introduce a ton of ambiguity to the statute. Most notably, preemption doesn’t apply to “civil rights laws,” with no further elaboration on what that means! What privacy law is not a civil rights law?
“There are 15 other exceptions ranging from the broad (consumer protection laws of general applicability and employment/education privacy laws, data breach notification requirements, contract/tort law, various criminal laws, public safety laws, public records laws, etc.) . . . to the extremely specific (Illinois BIPA, part of California’s data security law).
“As far as I can tell, the default-preemption structure coupled with broad/ambiguous exceptions (particularly the civil rights exception) will introduce a tremendous degree of uncertainty about what is actually preempted. I’m not a litigator, but it’s hard to see how this doesn’t throw complicated questions of federal preemption into a broad range of state-level litigation whose contours will take years or decades to settle on . . . and which may change over time, because preemption hinges not only on the scope of the (very broad) statute, but the FTC’s implementing regulations. See the CA net neutrality battle for an example of how federal-level policy changes can trickle down in preemption fights.
“My big worry about federal privacy legislation has long been how it would approach preemption. I worried that it would either be wildly over-inclusive and risk all kinds of unintended consequences for a range of state laws, or so under-inclusive that it wouldn’t pass. This bill’s approach somehow manages to leave *both* over- and under-inclusion as possibilities. It also introduces a whole new range of problems by tasking courts with drawing the boundaries not only of federal privacy law, but a wide range of bodies of state law, and not only in cases under federal privacy law, but a wide range of nominally unrelated state law cases.
“In theory, one approach would have been to vest the FTC with the authority to evaluate and issue guidance on the contours of preemption. But the bill seems to narrowly circumscribe the FTC’s rulemaking authority. (Am I missing something here? I hope so.) At the end of the day, I end up back where I started: state-level privacy preemption is a hard, maybe impossible conceptual challenge. And unfortunately, this bill doesn’t look, at least on first blush, like it rises to meet that challenge. This is not to say that the bill as a whole isn’t worth this tradeoff—I defer to actual privacy experts on the benefits question. But this preemption approach sure puts a *lot* of weight on the “cost” side of the scale.”
ABOUT PRIVACY BEAT
Privacy Beat is a weekly email update from the Information Trust Exchange Governing Association in service to its mission. Links and brief reports are compiled, summarized or analyzed by Bill Densmore and Eva Tucker. Submit links and ideas for coverage to firstname.lastname@example.org.