The US Senate appears to be coalescing around KOSA, a kids online privacy law enjoying bipartisan support. While the chances of a now thoroughly, electorally distracted Congress passing the APRA appear closer to slim, divided by none, the more targeted KOSA may well cross the [now lame duck] finish line.
The bigger question here is, what else? The Supremes eroding the FTC’s and other agencies’ “Chevron defense” spells trouble for rulemaking under KOSA, APRA… let alone existing, aging federal laws.?
Moving on, in this issue:
- Much ado about cookies
- The FTC speaks truth on hashing
- The European Commission is on a warpath
From our bullpen to your screens,
Your comments and subscriptions are welcome!
An AdTech Watershed Cometh?
Recent headlines across the adtech press have been dominated by the industry’s dramatic reaction to Google's reversal on Chrome’s third-party cookie (de)depreciation.? But is Google’s decision on the cookie a bit of a ‘nothing burger’ compared to two other stories which could have much more significant long term ramifications for the adtech industry? Namely, the forthcoming US Antitrust lawsuit against Google and the shuttering of Oracle's advertising business.
What’s happening: Many industry commentators have hypothesized that Google’s 3PC decision might be directly connected to a forthcoming antitrust case against Big G.?
- The US Department of Justice (DOJ) antitrust lawsuit against Google goes to trial in September, focusing on its alleged monopolization of the digital advertising market.
- This is the second federal antitrust case against Google, with the first targeting its search business.
Why it matters: The current lawsuit zeroes in on Google's adtech business, accusing the company of illegally monopolizing key market segments like the publisher ad server, ad exchange, and ad network markets in the US.
- The DOJ claims that Google's actions have corrupted competition, using exclusionary and unlawful means to maintain dominance.
- The remedy? A divestiture of Google’s adtech business, including Google AdX and DoubleClick for Publishers (DFP).?
The dotted line: As we covered last week, Oracle has retreated from adtech for largely business reasons. Datalogix, BlueKai, Moat, and Grapeshot, will shut down by the end of September.
- The decision coincides with Oracle settling accusations it violated federal, California and Florida privacy laws.
- Oracle did not admit to any wrongdoing and it is not clear which specific statutes or regulations Big O violated.
All indicators point to Oracle washing their hands of it all, sacrificing $115M to refocus on their multibillion dollar cloud business.?
Zooming out: Last we checked the US does not have a general federal privacy law (yet/still), and still runs on a notice-and-opt-out model with limited exceptions. But the US does have an invigorated FTC and DOJ willing to press their case against Big [Ad] Tech monopolists.
If Oracle's retreat leaves a lucrative vacuum for competitors, a broken up Google will send a stern warning to monopoly hopefuls. The US’s market regulators will be watching for potential re-consolidation within the industry. The bigger picture is not about cookies.
De-Deprecated: Cookies Live to Crumble Another Way
This blog originally appeared in abridged form in the July 23 issue of Lucid Privacy Bulletin, here.
In their announcement, the Privacy Sandbox team has proposed an "updated approach" where the Sandbox's APIs will live alongside a new user choice "experience" for controlling 3PCs.
It's possible that Google will offer an option like Apple's App Tracking Transparency (ATT). But will the choice be global (i.e. at the browser level) or per each website visited? Opt-in or opt-out? And if opt-in, will the request be one-time or regularly refreshed? Specific to each purpose (e.g. measurement vs personalization)? With prominent Accept All/Reject All buttons as seen on nearly every European (and some US) sites?
True to Google fashion the details of what the experience will look like exactly and what it will do is left to everyone's imagination. But European regulators may well steer Google into a particular direction…
Reads and Listens
- The Supreme Court Ruling That Could Kill Net Neutrality. The Decoder’s Nilay Patel and the Verge’s Sarah Jeongdiscusses how the Supreme Court’s unwinding of the Chevron Defense doctrine (1) undermines the US administrative state, and (2) will make it more difficult for the FCC to claw back net neutrality. It’s a win for the Supremes and a loss for consumers, let alone consumer protection regulators.?
- ?IAPP AI Governance in Practice Report. Given the complexity and transformative nature of AI, significant work has been done by law and policymakers on what is now a vast and growing body of principles, laws, policies, frameworks, declarations, voluntary commitments, standards and emerging best practices that can be challenging to navigate. The recent report aims to disambiguate these concepts.
Other Happenings
- FTC Confirms Hashing = Pseudonymization. It comes as no surprise that the FTC, focusing on advertising data selling, confirms the nary-obvious: Hashing is not anonymization. Companies misrepresent hashed data as anonymous, but if the hash (e.g. email, phone) is used to identify a unique user, it is a pseudonymous ID like any other. The FTC has warned about this since 2012. Misleading privacy claims about hashed data are deceptive and enforceable. Recent cases against Nomi, BetterHelp, Premom, and InMarket show that the FTC is well past the traditional notion of ‘PII’ -- browsing data tied to device and user-identifiers is personal and potentially ‘sensitive’.
- EC Tells Meta to 'Fix' its CoP Biz Model ASAP. Following the European Commission's coordination of action by the Consumer Protection Cooperation (CPC) Network, Meta has until September to respond to the EDPB's ruling that their 'Consent or Pay' model breached EU law. It's unlikely that summer vacations have been canceled at Meta -- utilizing their typical timewasting tactics to draw out any regulatory action, the business is sticking to their guns. “Subscriptions as an alternative to advertising are a well-established business model across many industries. Subscription for no ads follows the direction of the highest court in Europe and we are confident it complies with European regulation.” It comes in the same week, as the IAB EU published their case that CoP is a legitimate business model for the publishing industry. We’ve said it before and will say it again: What’s not OK for Meta may be OK for publishers.
- EC Gets Tough with EU Members On DSA and DGA Enforcement. The European Commission has initiated infringement proceedings against seven member states for not complying with the Digital Services Act (DSA) and the Data Governance Act (DGA). Specifically, Belgium, Croatia, Luxembourg, the Netherlands, Spain, and Sweden have not appointed a competent authority to supervise online intermediaries under the DSA. The deadline for this appointment was 17 February 2024. Additionally, Ireland is being called out for failing to designate the necessary competent authorities to implement the DGA -- these authorities are crucial for enforcing the respective regulations and ensuring a unified approach across the EU.?
- Congress and California Press Pedal on Car Privacy. US Senators are probing how connected cars violate consumer privacy, revealing that major automakers sell drivers' data, including location, often obtained through deceptive practices. Hyundai sold data for 61 cents per car, while Honda earned 26 cents per car; This data, often shared with insurers, has prompted calls for FTC action. Concurrently, California's Privacy Protection Agency is reviewing connected vehicle privacy practices under the CCPA, underscoring the growing scrutiny of car data privacy. Remember: modern cars are effectively smartphones on wheels.
Lucid Resources
