Legality of RTB data “sharing” questioned  in U.S. federal court — and separately in legal threat from Ryan

A tech-savvy federal judge in California, in a preliminary ruling, is setting the stage for a monumental battle over the legality of “real-time bidding” (RTP) for companies that must comply with the California Privacy Rights Act (CPRA) beginning next year.  So is Johnny Ryan, the Irish privacy advocate.

U.S. District Judge Yvonne Gonzalez Rogers’ rejected a request by Google Inc. to dismiss a class-action lawsuit launched last year. Missouri resident Kimberley Woodruff and other users say the RTB system violates privacy by sharing personal information with third parties. Google’s main argument is that the information shared is not “personal,” consumers have no expectation of privacy, and the company’s privacy statements disclose its practices adequately.

• Google lawyers fail to derail class-action lawsuit in California federal court over ad bidding | Sara Merken, Reuters PLC
• JUDGE’S RULING TEXT | RELATED STORY | RELATED STORY | ORIGINAL LAWSUIT | EARLIER STORY

Rogers disagrees in her June 13 decision. “While plaintiffs might have been informed about Google’s use of information for its own internal purposes such as directing targeted advertising to plaintiffs, the referenced disclosures do not discuss the challenged conduct here — the sale and disclosure of plaintiffs’ personal information to third parties without plaintiffs’ consent or knowledge.”

The judge ruled the suit alleges enough facts to infer that personal information is shared by Google via the RTB process, and the case can therefore move forward. “Google argues that such information routinely shared and thus cannot support a reasonable expectation of privacy,” she ruled. “Not so,” she concludes.

Meanwhile, Irish Council for Civil Liberties privacy advocate Johnny Ryan says his organization is determined to challenge use in the European Union of a new initiative of the IAB Tech lab called “Global Privacy Platform (GPP).” (THIRD ITEM)  In a June 8 letter  to the IAB’s chief executive, Ryan says GPP relies upon a transparency-and-consent framework already found by EU regulators to violate the EU’s General Data Protection Regulation (GDPR).  “”Therefore, we will be obliged to take legal action if you persist,” Ryan wrote in the letter to the IAB’s Anthony Katsur.

RELATED LINKS 

• Ryan asserts in letter to IAB Tech Lab that Global Privacy Platform “will not fly”; threatens suit |  Johnny Ryan via Twitter | LETTER TEXT
• IAB Tech Lab invites 60-days of public comment on standard for “signaling” for consumer privacy preferences | IAPP Daily Dashboard
• IAB Tech Lab building framework for domestic and global privacy compliance |. Trishla Ostwal, AdWeek.com

IDENTITY AND PRIVACY 

• Ex-Canadian privacy czar: Risk of digital ID being “harmful to privacy” | TheParadise.ng
• Democrats critical of government identity contractor IDme | Caroline Haskins, BusinessInsider.com
• Privacy concerns motivate digital bank consumers to embrace new authentication technologies | Jenna McNamee, BusinessInsider.com

PERSONAL PRIVACY 

Facebook Sued For Allegedly Collecting Patient Data From Hospital Sites | Wendy Davis, DigitalNewsDaily/MediaPost.com

• Facebook is receiving sensitive medical information from hospital websites | Todd Feathers et al., TheMarkup/ArsTechnica.com
• Report says Facebook and anti-abortion clinics collect sensitive info on would-be patients  | Grace Oldham & Dhruv Mehrotra, RevealNews.org with TheMarkup.org
• How Surveillance Capitalism Is Spreading to Schools | Velislava Hillman & Molly Esquivel, Progressive.org
• Detroit  Airport’s Experimental Biometric Flight Info Display Will Recognize Passengers and Tailor Content for Them | FindBiometrics.com
• A New Tech Could Reduce Eavesdropping on Devices | Avery Hurt, Discover Magazine
• Technologies propose update to Domain Name Services that might help privacy | John Leyden, Portswigger.net
• Several Google Play Store apps steal user data – report finds | TEISS.co.uk
• Users beware: Apps are using a loophole in privacy law to track kids’ phones | Fresh Air/NPR.org

PLATFORMS AND PRIVACY 

• Facebook Agrees To Settle Battle Over Location Privacy | Wendy Davis, DigitalNewsDaily/MediaPost.com

• Firefox Turns On New Cookie-Blocking Feature :”Total Cookie Protection” | Wendy Davis, DigitalNewsDaily/MediaPost.com | RELATED STORY

• Brave roasts DuckDuckGo over Bing privacy exception | Thomas Claburn, TheRegister.com

• Apple’s iOS 16 spares ad tech further anguish (for now) but more privacy clampdowns expected | Ronan Shiels, DigiDay.com

AD TECH

• What Is the Competition and Transparency in Digital Advertising Act | Yakira Young, AdMonsters.com
• AUDIO: Johnny Ryan On How Ad Tech Can Change So Much – And Also Not At All | James Hercher, AdExchanger.com
• Five tech giants own over half the global ad market | Sara Fischer, Axios.com
• Exploding three myths that claim contextual advertising is ineffective | Joseph Zappa, StreetFightMag.com
• Publishers realize their user data is valuable to brands and agencies  | Susie Stulz, AdMonsters.com
• Apple’s ad business may reach $6 billion by 2025 | Nicole Farley, SearchEngineLand.com
• VENDOR VIEW: Future of ad-tech is about consent, not cookies | Joe Root, CEO, Permutive.com
• RESEARCH: $1B in streaming ads may be playing to powered-off devices | Shoshana Wodinsky, GizModo.com

CALIFORNIA PRIVACY 

As California develops CPRA enforcement rules for 2023, law firm details challenges with “sharing” of user data

As regulators works through the process of making rules for the Jan. 1, 2023 enforcement of the California Privacy Rights Act (CPRA), a law firm has provided a heads up on why the definition of “sharing” vs. “selling” will become a big deal at that time.

“The CPRA concept of ‘sharing’ . . . focuses on whether personal information is used by third parties for cross-context behavioral advertising, rather than on whether there is monetary or other valuable consideration for disclosure,” write W. James Denvil and Sophie Baum of the Hogan Lovells law firm in their blog/newsletter analysis entitled, “CPRA countdown: The new concept of ‘sharing.’ “   (See, QUOTE OF THE WEEK, below, for an excerpt)

RELATED LINKS 

• CPPA board moves CPRA rulemaking process forward | Jennifer Bryant, IAPP Staff | REGULATIONS FAQ | DRAFT REGS DOCUMENT (66 pages)
• Advertising trade group describes next steps for California privacy regs | Alison Pepper, AAAA.org
• California Privacy Protection Agency Votes To Initiate Formal Rulemaking Process | Libbie Canter & Lindsay Tonsager, Covington law firm
• California Privacy Protection Agency Posts Preliminary Proposed Regulations | Nancy Libin et al., Davis Wright Tremaine LLP law firm
• Utilizing the “right to cure” provision of California privacy law | Cassie Collignon, Colby Everett & Robyn Feldstein, BakerHostetler law firm

STATEHOUSE BEAT 

• New York lawmakers Amend privacy bill to require consumer “opt-in” | Tweet from Jessica B. Lee, Loeb & Loeb LLP law firm | BILL STATUS
• Maryland enacts Personal Information Protection Act |. IAPP Daily Briefing
• Connecticut”s governor signs transparency privacy law | Gov. Ned Lamont website

EUROPEAN PRIVACY 

• EU privacy chief rebukes Irish DPA over lack of GDPR enforcement against Big Tech | Vincent Manancourt, Politico.eu
• Regulator Calls for Big Tech Privacy Cases to Be Handled by EU Watchdog | Foo Yun Chee, Reuters PLC
• Analyzing European Commission’s Q&A On The New Standard Contractual Clauses | Mark Prinsley et al., Mayer Brown law firm
• French privacy regulator offers guidance on use of Google Analytics in cross-border transfers | Patrice Navarro & Julia Schwartz, Hogans Lovells law firm
• WhatsApp has until July to comply with EU consumer law, EU says | Fuu Yun Chee, Reuters PLC
• Apple Faces German Antitrust Probe Into App Tracking Transparency | Tim Hardwick, MacRumors.com | REGULATOR’S STATEMENT  | RELATED STORY
• REPORT: The challenge of filing data-protection complaint under the GDPR | AccessNow.com
• Belgian Supervisory Authority Sanctions News Media Company for Violating Cookie Rules | Wim Nauwelaerts, Alston & Bird law firm
• In France, Marseille battles against cameras and the surveillance state | Fleur Macdonald, MIT Technology Review

GLOBAL PRIVACY 

• Leaked audio revealed that TikTok data of US users was accessed repeatedly in China, report says | Travis Clark, BusinessInsider.com
• Canada’s Privacy bill sets out rules on use of personal data, artificial intelligence | Marie-Danielle Smith & Jim Bronskill, The Canadian Press | RELATED STORY
• Canadian IPC reiterates need for private sector privacy law for Ontario | IAPP News Blog
• China issues draft specification for certification of cross-border transfers of personal information | Mark Parsons, Sherry Gong & Tong Zhu, Hogans Lovells law firm | RELATED REPORT
• ‘A Mass Invasion of Privacy’ but No Penalties for Canadian restauranteur Tim Hortons | Ian Austen, NYTimes.com

PLATFORMS AND PUBLISHERS

• WSJ says Facebook may drop news deals costing big publishers millions | Alexandra Bruell & Keach Hagey, WSJ via FoxBusiness.com | PUBLISHER REACTION

PRIVACY BUSINESS

• Kaiser Permanente Exposes Nearly 70K Medical Records in Data Breach | Elizabeth Montalbano, ThreatPost.com
• REPORT: Outlining privacy considerations for video-based safety systems in trucks | Future of Privacy Forum | Future of Privacy Forum
• VENDOR NEWS: Sourcepoint and MediaMath partner in claim of “privacy-safe” data exchange | aithority.com

UPCOMING EVENTS 

• WEBINAR: “Managing Privacy Risk and Safeguarding Personal Information” | JUNE 21, IAPP
• WEBINAR: The Color of Surveillance: Policing Abortion and Reproduction | June 22, 1 p.m. EST, Georgetown Law Center on Privacy & Tech