PRIVACY BEAT: W3C moves Google, Apple, Microsoft identity ideas to privacy group; meets privately with ad-tech dissidents

Privacy Beat

Your weekly privacy news update.

VIEW IN YOUR BROWSER

W3C moves Google, Apple, Microsoft identity ideas to privacy group; meets privately with ad-tech dissidents

Two developments involving the World Wide Web Consortium (W3C) seem to suggest the standards-development group is paying attention to broad stakeholders on a key challenge — how to manage cross-site identity and privacy absent the so-called “third-party cookie.”

First, the W3C’s Advisory Board, which includes key managers of the Cambridge, Mass.-based unincorporated collaborative, spent more than an hour in a virtual meeting last week with a group of mostly advertising-technology affiliated stakeholders responding to a letter challenging the openness of its processes to smaller companies other than large platforms.

(See: Ad Tech Petitions W3C Board For More Fairness In Cookie Debates | Allison Schiff, AdExchanger.com)

One of the participants, Joshua Koran of Zeta Innovation Labs, confirmed the scheduled call had taken place, but he said the W3C group required all participants to sign a non-disclosure agreement about what transpired. It is believed one item on the agenda addressed the heart of how proposals are considered by W3C working and interest groups. Typically a proposal is reviewed without a formal “impact assessment” of how it would affect multiple stakeholders. The discussion may have included ideas for changing that.

Second, it appears that the W3C’s Privacy Community Group is emerging as the focal point of the privacy and identity discussion. On Thursday (Aug. 13), formal work began on two important proposals, one initiated together by Apple and Microsoft and a second initiated by Google. Both would make changes in how web browsers store and handle data about users.

It’s not yet clear if they compete and whether all three major browser makers would ultimately embrace either or both. Also, the Privacy CG, as it is called, is focused primarily on browser behavior. One issue raised by ad-tech dissidents is whether browser software should be the last word on web privacy and identity standards.

The Google-proposed idea is called “First Party Sets.” It would add code to browser software that would declare a collection of domains related by corporate or other control collectively as “first parties” for the saving and sharing of data about a user, such as their interest or subscription attributes and whether they are “logged in.” Kaustubha Govind and David Benjamin of Google’s Chrome engineering group, discussed “First Party Sets during Thursday’s virtual meeting of the W3C privacy group.

The Apple-Microsoft idea is called “IsLoggedIn” and it would coded browser software so that when a user logs in at a website, the fact of their log in — or log out — (but no data sharing) could be known to other sites. In addition, the service would allow the end-user to specify how long particular bits of information about them can be retained by the service they’ve logged into. Melanie Richards of Apple discussed “IsLoggedIn” during Thursday’s virtual meeting.

Notes of the meeting may be found HERE.

ADVERTISING TECH

“Branded” newsletter alleges lack of transparency at Google over “dark pool” ads.txt | Claire Atkin and Nandini Jammi | Branded.Substack.com (EARLIER STORY)

Wired Magazine profiles Nandini Jammi’s new “Check My Ads” effort | Gilad Edelman, Wired.com

34,000 network requests and 24MB of data pulled in three hours via TP cookies on LA Times site? | Thomas Baekdahl via Twitter (graphic from Augustin Fou)
How about 412 third-party requests at Wall Street Journal? | Pat Walshe via Twitter
Firefox adds protections against redirect tracking | Catalin Cimpanu, ZDNet.com
‘Changing the pipes to run on a better currency’: Publishers’ first-party data strategies take shape | Lucinda Southern, DigiDay.com
Facebook’s argument for data use: “The value of personalized ads to a thriving app ecosystem | Facebook Developer Audience Network Team
Johnny Ryan about how personal data is breached by RTB | Johnny Ryan via Twitter
AUDIO: Google Ads GM Jerry Dischler On A Cookieless Future | Sarah Sluis, AdExchanger.com
Publishers advised by CafeMedia co-founder to “clean up your ads.txt file” | Paul Bannister via AdExchanger.com
LiveIntent and FullContact tout “omniID” as TP cookie tracking replacement | Ray Schultz, MediaPost.com
Neustar launching post-cookie measurement with Fabrick | Asif Khan, StreetFightMag.com

ANTITRUST

Apple to game maker: You can’t sell on Apple phones without paying us 30% | Lucas Matney, TechCrunch.com
Game player Epic’s antitrust challenge to 30% Apple fee joins key battle | David Pierce, Protocol-Sourcecode blog
Fortnite creator Epic sues Apple and Google after ban from app stores | Jack Nicas et al., NYTimes.com
In big antitrust shift, federal judge agrees to end 1948 “Paramount Decree” | Wayne Friedman, MediaPost.com

Why movie theaters are in trouble after DOJ nixes 70-year-old Paramount Decree | Kate Cox, Ars Technica

Does your organization need customized privacy compliance solutions? ITEGA can help.

We bring together support you need to approach compliance with CCPA, GDPR if needed, and future privacy legislation as it emerges.

Learn More

KPMG find 56% of North American consumers want companies to give them more control over their data; 9 of 10 want right to control and understand use of their data

A new survey of 1,000 North American consumers by the consulting firm KPMG finds a significant shift toward concern about corporate use of personal data, even as the public recognizes sharing data gives them access to valuable services. Nine out of ten (91%) respondents agree that the right to delete personal data and the right to know how their data is being used should be extended to all US citizens, ZDNet reported.

The survey and report, “The New Imperative for Corporate Data Responsibility” was conducted in the spring and released last week by the firm’s cyber-security practice and Orson Lucas, a principal in that practice. “Consumers believe data privacy is a human right. Corporations need to raise their game,” Lucas writes in the report.

A total of 56% of survey respondents say companies should prioritize giving consumers more control over their own data in 2020 and the majority of Americans (87%) characterized data privacy as a human right.

TechRepublic’s Marcy Bayern summarized the report: “Overall, consumers are increasingly suspicious of what companies are doing with their personal data. Consumers said they don’t trust companies to ethically sell personal data (68%), to use personal data in an ethical way (54%), to ethically collect personal data (53%), or to protect personal data (50%).”

“With consumers indicating that they see data privacy as a human right, and new legislation expected in the years ahead, it is critical that companies begin to mature privacy programs and policies. Consumer demands for the ethical use of data and increased control over their own data must be a core consideration in developing data privacy policies and practices,” Lucas says in the report.

KPMG, according to MobileIndustryEye’s account, found that:

Nine in 10 Americans insist companies (91%) and the government (90%) have a responsibility to protect consumer data
Almost all (91%) agree the following data privacy rights of the California Consumer Privacy Act should be extended to all US Citizens: the right to delete personal data, and the right to know how their data is being used
More than nine in 10 Americans say companies should put data privacy guidelines and policies in place, be held responsible for corporate data breaches, take corporate data responsibility seriously, and take the lead in establishing corporate data responsibility.

‘U.S. consumers are finally paying attention to how brands use their data and many distrust how it’s being used,” wrote MediaPost’s Laurie Sullivan in her analysis of the KPMG report. She added: “Some 83% say they are worried about data breaches and the potential theft of their social security number. About 54% do not trust companies to use their personal data in an ethical way. Half do not trust companies to protect personal data.”

PERSONAL PRIVACY

SURVEY: Americans overwhelmingly willing to choose companies that prioritize privacy best practices | Transcend.io corporate site
RESEARCH: Measuring the public’s privacy concern — an academic perspective | Eric Durnell, Aerendir Social Research
Google accidentally enables Home device to listen to ordinary sounds | Adam Smith, The Independent
TikTok Tracked User Data Using Tactic Banned by Google | Kevin Poulsen & Robert McMillan, WSJ.com
Las Vegas Cops Used ‘Unsuitable’ Facial Recognition Photos To Make Arrests? | Todd Feathers, MotherBoard.com
Lawsuit claims Google Home device starts recording without activation command | Wendy Davis, DigitalNewsDaily
Judge Sides With Facebook In Investor Lawsuit Over Privacy | Wendy Davis, DigitalNewsDaily.com
TikTok found to have tracked Android users’ MAC addresses until late last year | Natasha Lomas, TechCrunch.com
GAO outlines facial recognition’s privacy concerns | IAPP Daily Dashboard

COVID AND PRIVACY

COVID-19 contact tracing apps create privacy pitfalls around the world | Laura Hautala, CNet.com
Why you can trust the new coronavirus contact-tracing apps to safeguard your privacy | David Z. Morris, Fortune.com
DigiDay explains “redirect tracking” which browsers say they will block | Tim Peterson, DigiDay.com (Most consumers fear tracking — Pew research)
Private and NGO sectors agree to share user location data with NYC government in COVID effort | Ryan Johnston, StateScoop.com

PRIVACY BUSINESS

Mozilla is laying off 250 people and planning a ‘new focus’ on making money | Jacob Kastrenakes, The Verge.com
Firefox’s Future Depends On Its Biggest Rival: Google | Barry Collins, Forbes.com
Sources: Mozilla expected to extend its Google search deal | Catalin Cimpanu, ZDNet.com
STATEMENT: Changing World, Changing Mozilla | Mitchell Baker, Mozilla executive chairman (Her message to employees)
Inc. Magazine says privacy compliance fastest growing U.S. industry; cites OneTrust | Ryan Chiavetta, IAPP Privacy Tech blog
Five Steps to Ensure Your Business is Compliant with the Next Set of Data Privacy Laws | Caitlin Murphy and Andrew Shaxted, FTI Consulting via JDSupra
Adtech’s LiveRamp grows revenue despite COVID-19; reports profit too | Alison Wiessbrot, AdExchanger.com
Capital One fined $80 million for 2019 hack of 100 million credit card applications | Devlin Barrett, WashingtonPost.com

Who should be in charge of how sensitive user data is shared or stored? Ideas play out across Twitter-stream

A robust dialogue among a principal executive of the Interactive Advertising Bureau Lab (IAB Lab), the founder of a upstart browser software company, a publisher technologist and an ad-tech expert is playing out in a series of Twitter exchanges.

Some underlying subject matter: Who is to be in charge of how sensitive user data is shared or stored — publishers, advertisers, ad-tech companies, browser companies, or someone else?

“We believe in work towards #PredictablePrivacy for consumers, via open industry standards and frameworks for compliance/accountability,” Tweets Jordan Mitchell, the IAB Tech Lab VP of consumer privacy, tech and data who is managing its “Project Rearc” initiative to replace the use of third-party cookie tracking in programmatic advertising. “The alternative is proprietary and fragmented consumer privacy run by for-profit, shareholder-driven companies.”

“Don’t try open-washing me,” replies Brendan Eich, CEO-founder of Brave Software, which is trying to take control of user profiling within the browser. “I’ve been doing open standards work for 35 years (NFS, TCP/IP; Web for 24 years). “PredictablePrivacy could mean anything: users can predict they are being tracked across sites for anything, even malware distribution. No thanks.”

Chiming in is Robin Berjon, on the data-governance-and-privacy tech team at The New York Times who piles onto Mitchell: “What does “Predictable Privacy” even mean? Is that just a rebranding of the transparency & choice gimmicks? Do you mind explaining where this newfound passion for accountability comes from and why it’s been absent over the past two decades? What changed?” (Berjon’s additional Tweet).

Reponds Mitchell: Now is NOT the time for continued proprietary, fragmented approaches for tracking that circumvents consumer transparency and choice, entrenches our industry deeper into the “addressability arms race”, and puts app publishers in further violation of app store terms. Now is the time for our entire industry to insist on open standards that enable #PredictablePrivacy for consumers across devices, supported by trustworthy accountability mechanisms that move our industry forward.”

Adds Berjon in another Tweet: “…[S]ome of the adtech folks have what may seem like strange positions, for instance that browsers have a duty to share data with them despite user preference.” Said Berjon in a third Tweet: “When users have to opt out of something in order to get privacy, they are being forced.”

Jumps in Augustine Fou, an ad-tech analytics consultant: “don’t pretend the @IAB and any of your specs and policies actually help consumers. You’ve had more than a decade to show any such results. But alas, NONE, despite lots of busy-ness and committee meetings. I’D RATHER HAVE GOOGLE AND APPLE PROTECT MY PRIVACY than the @iab and [Jordan Mitchell].

The debate comes a few days before an Aug. 19 webinar organized by Mitchell in which experts will discuss now the end of cookie-based identifiers will affect advertising and funding of web services. The discussion will include Mitchell, executives of two major publishers (Meredith and News Corp.) and an ad-tech company (LiveIntent).

CALIFORNIA PROP 24

Consumer Watchdog Endorses Prop 24 For Consumer Privacy | PRNewswire
Vocal California Advocacy Group Backs New Privacy Proposal | Wendy Davis, MediaPost.com
Johnny Ryan says CPRA ballot initiative will benefit publishers over ad-tech | Allison Schiff, AdExchanger.com
UC-Berkeley law school bloggers explains how Prop. 24 can’t be weakened by Legislature | David A. Carillo & Steven M. Durvernay, SCOCABlog.com
Californians for Consumer Privacy highlight one-way ratchet of Proposition 24 | CCPA Website
The gathering storm: Proposition 24 and the future of US privacy | Lydia F. de la Torre, Santa Clara Law School via Medium
What is the California Privacy Rights Act (CPRA)? Sensitive personal data listed | Jodi Daniels, Idenhaus.com
California poised to raise privacy bar with ‘CCPA 2.0’ | Key aspects listed | David Oberly, Portswigger.net
Prop. 24 would require businesses to protect consumer information | Kelly Nguyen, The Daily Californian

CALIFORNIA PRIVACY

How Facebook is blocking partners’ use of Californian’s data under CCPA | Jane Bello Burke, Hodgson, Russ LLP
Multiple Retailers Sued Under CCPA for Sharing Data Used to Identify Fraudulent Returns | Hunton Andrews Kurth LLP via NatLawReview.com

Google Faces California Privacy Suit Over Android Phone Tracking | Andrea Vittorio, BloombergLaw.com
Lawyer says “private info” user CCPA does not include aggregate or de-identified information | Christian M. Auty, Bryan Cave Leighton Paisner law firm
CCPA exemptions for employment and B2B data could expire in 2021, 2022 or 2023 | Julia K. Kadish et al., National Law Review
RESEARCH: Assessing why entities are failing to declare their “role” under CCPA | CompliancePoint Inc. via JDSupra

Like what you see? Then recommend to a friend.

Subscribe to Privacy Beat

Verizon Media, owner of Yahoo, appears to make it tough to opt-out of tracking

If you use Yahoo Mail on your mobile device, good luck figuring out how to opt-out of tracking by Verizon Media.

First, you have to navigate through several screens. The first gives you two choices: “Agree” to tracking or “Learn More.” There is no “decline” or opt-out option given. Click “Learn More” and you come to a second screen, “How Verizon Media and its partners collect and use data.” Choices are “I agree” or “Manage partners.” Still no opt-out choice.

The third screen gives you two more “choices.” One is “I agree” to default tracking by Verizon and its partners. The other choice is to scroll through a list of a dozen or more Verizon partners and select privacy preference with each one individually. “All our foundational partners require you to manage your choices directly through their privacy policies,” the screen says, adding: “Click on each partner below to access their privacy policy.”

Might this experience may illustrate why privacy regulation based upon the “opt-out” concept is pretty much useless for all but the most patient or determined privacy-minded consumer? The CCPA requires the “Do Not Sell My Information” prominent link. And if you’re living in the European Union, you are “opted out” by default because of the General Data Protection Regulation (GDPR). So unless you’re in Europe or California, this is how Yahoo/Verizon treats your privacy. Any only when you agree does the sequence then link to you the Verizon privacy policy to read.

WASHINGTON BEAT

How Kamala Harris feels about Big Tech | David Pierce, Protocol/SourceCode
Is Kamala Harris a win for Silicon Valley? | Alexandra S. Levine, Politico.com
FTC Probe Of Mobile Ad Industry Puts Bidstream Data Under Microscope | Laurie Sullivan, MediaPost.com

In DC, advertisers still lobbying for “opt-out” national law — unlike GDPR | Andrew Blustein, AdWeek.com
Sens. Merkley, Sanders seek to ban collection of biometric data without informed consent about use | Michelle A. Reed, Atkin Gump law firm
Online platform immunity under Section 230 teed up for FCC | Dana Zelman , Peter Karanjia & Jim Halpert | DLA Piper law firm
Platform-funded CDT opposes Trump administration’s challenge of Section 230; Trump then objects | Nandita Bose, Reuters.com
New bill in Congress proposes more transparency in privacy policies | Brett Hebert, Taft Stettinius & Hollister LLP
FCC Commissioner Questions AT&T And Verizon About Location Data | Wendy Davis, MediaPost.com
Amazon Is a Private Government. Congress Needs to Step Up | Stacy Mitchell, Institute for Local Self Reliance via TheAtlantic.com

STATEHOUSE BEAT

Vermont Data Privacy and Customer Protection Overview and Breach Notification Requirements | Natasha G. Kohne, et. al, Atkin Gump law firm
Enforcement of Maine’s strict online privacy law begins without clear strategy | Reuben Schafir, Portland Press Herald
Lawmakers Ask California DMV How It Makes $50 Million a Year Selling Drivers’ Data | Joseph Cox, Motherboard/Vice.com

EU AND PRIVACY SHIELD

Will EU launch a market “trust” for personal data? Here’s what that would mean for privacy | Anna Artyushina, York University via MIT Technology Review (EU white paper)
Bottom-up data Trusts: disturbing the ‘one size fits all’ approach to data governance | Sylvie Delacroix, Neil D Lawrence, International Data Privacy Law
U.S. Regulators Continue to Administer and Enforce the Privacy Shield | Elizabeth Canter et al., Covington law firm
EU, US initiate talks on potential ‘Enhanced’ Privacy Shield | Jedidiah Bracy, IAPP Privacy Advisor (JOINT STATEMENT)
After Schrems II, Privacy Shield obligations are still binding | Adam Schlosser, IAPP Privacy Perspective
ANALYSIS: Privacy Shield seen as dead in practice; even though EU-US negotiating | Natasha Lomas, TechCrunch.com
So the Shield Is Gone? Lots of analysis to do before relying on SCCs | Jennifer Baker, CPO Magazine
What Privacy Shield organizations should do in the wake of ‘Schrems II’ | Brian Hengesbaugh, GlobalComplianceNews.com
How big data broker Acxiom is adapting to the invalidation of Privacy Shield | David Meyer, Fortune.com
Will Schrems II open a data war between US and EU, creating a European data silo? | Ted Claypoole, Womble Bond Dickinson law firm
What happens to data held in the United Kingdom after Schrems decision? | Vicki Bowles, Veale Wasbrough Vizards LLP
What happens now that the UK has a left the EU? | ICO website

GLOBAL PRIVACY

Police use of facial recognition violates human rights, UK court rules | Kate Cox, ArsTechnica.com
Two-thirds of Norwegian survey respondents uneasy about privacy protection | Dag Mostuen Grytli & Magnus Muhlbradt, Norwegian Data Protectorat
GDPR: Email marketing in the age of digital privacy | Adam Uzialko, Business.com
How China’s top-notch mass surveillance system threatens global freedoms | Hollie McKay, FoxNews.com
French privacy watchdog opens preliminary investigation into TikTok | Mathieu Rosemain, Reuters PLC

Philippine hospitals, virus patients’ cooperation sought as data privacy law hinders contact tracing | ABS-CBN News
How the shady world of the data industry strips away our freedoms | Uri Gal, University of Sidney via TheConversation.com
New Zealand Will Consider Schrems II Decision In Implementing Own Privacy Act | Odia Kagan, Fox Rothschild LLP
Sweden: Privacy Guidance For Video Surveillance On Public Transit | Odia Kagan, Fox Rothschild LLP

TRUST AND JOURNALISM

Apple’s move to steer more traffic directly to its News app surprises publishers | George P. Slefo, AdAge.com
“Shady move?” ‘Apple News+ Safari change automatically redirecting traffic to itself infuriates publishers | Max Willens & Lucinda Southern, DigiDay.com
Vendor analysis of options for publisher monetization after TP cookies | LiveRamp via DigiDay.com
Google advice to publishers — just use our server, tags and cookies | Laurie Sullivan, MediaPost.com
ROUNDUP: App data, privacy, and the Apple IDFA “Armageddon” | Brian Bowman, StreetFightMag.com
Tribune papers joining WashPost’s “Zeus” advertising framework | Sara Guaglione, PublishersDaily/MediaPost.com
WashPost’s Zeus Technology to license its performance adtech to Tribune Publishing | WashPostPR blog
Chatham Names ex-Tribune Co. exec Tony Hunter CEO Of McClatchy | Sara Guaglione, MediaPost.com

Publisher interest in subscription-driving bundles simmers | Max Willens, DigiDay.com
Craig’s List founder Craig Newmark on why he’s funding journalism | Pierre Biename, DigitDay.com

UPCOMING EVENTS

WEBINAR: Enforcement of CCPA and other state laws | Aug. 4, IAPP Web Conference
WEBINAR: How the Removal of Identifiers Impacts Publishers | Aug. 19 & 24, IAB Tech Lab’s Rearc Project
WEBCAST: Compliance vendor Exterro offers Privacy Shield advice | Aug. 19, Exterro Legal GRC Software
WEB CONFERENCE: “Reboot 2020” | Sept. 15-17, IAB Tech Lab
WEB CONFERENCE: “ONA20 Everywhere” | Oct. 1-16, Online News Association

QUOTE OF THE WEEK

RTB termed “outrageous privacy violation” by 10 U.S. Congress members seeking FTC probe of “bidstream” use

“According to major publishers, companies are participating in RTB auctions solely to siphon off bidstream data, without ever intending to win the auction and deliver an ad. In a June 16, 2020, open letter of concern to the digital advertising industry, a group of major publishers, whose websites and apps supply the bidstream data to the RTB industry, wrote that ‘the current system allows for a significant data breach by companies gaining access to the real-time bidding (RTB) infrastructure (i.e. the ‘bid stream’) for the sole purpose of harvesting both publisher-specific and audience-specific data.’

“Americans never agreed to be tracked and have their sensitive information sold to anyone with a checkbook. Furthermore, there is no effective way to control these tools absent intervention by regulators and Congress. Technological roadblocks, such as browser privacy settings and ad blockers, are routinely circumvented by advertising companies. This outrageous privacy violation must be stopped and the companies that are trafficking in Americans’ illicitly obtained private data should be shut down. Accordingly, we urge the FTC to use its authority to conduct broad industry probes under Section 6(b) of the FTC Act to determine whether adtech companies and their data broker partners have violated federal laws prohibiting unfair and deceptive business practices.”

Excerpt from July 31 letter to U.S. Federal Trade Commission Chairman Joseph J. Simons from U.S. Rep. Ron Wyden, D-Oregon, and nine other members of Congress. (See last week’s Privacy Beat for story).

ABOUT PRIVACY BEAT

Privacy Beat is a weekly email update from the Information Trust Exchange Governing Association in service to its mission. Links and brief reports are compiled, summarized or analyzed by Bill Densmore and Eva Tucker. Submit links and ideas for coverage to newsletter@itega.org.

Forward

Want to change how you receive these emails?
You can update your preferences or unsubscribe from this list.