Lucid Privacy Bulletin: Compliance rewind

SPOTLIGHT

Lucid Rewind: Google Analytics 4 and IP Address Privacy

Last year Google announced it will no longer log or store IP addresses in its Google Analytics platform (GA4).

This move was made as part of a wider effort to (1) sunset Google’s legacy (and GDPR-poor) Universal Analytics (UA) platform, and (2) move clients over to Google’s new (and GDPR-capable) GA4.

  • UA will sunset on July 1, 2023
  • GA4 has not been logging or storing IP addresses since March of 2022.

While this was good for consumer privacy, it disrupted campaign throttling, attribution and other standard activities leveraging IPs.

Spring forward to March 2023: Google announced it can no longer be an exempted CCPA “service provider” for several of its personalized ad services.

Google noted that it can still be one for its analytics solution, if customers (1) disable cross-Google data sharing, which (2) can only be done in (CCPA-capable) GA4.

Compliance-go-round: Whereas last year’s changes were to address GDPR (and Schrems II) enforcement, this year’s changes respond to looming CCPA enforcement, commencing… that’s right, on July 1, 2023.

Read our 2022 GA4 blog post here.


HEADLINES

NORTH AMERICA

Texas Passes Data Privacy and Security Act

Yeehaw! Texas is stirrin' up dust by passing the Data Privacy and Security Act (HB 4). The DPSA is modeled on Virginia, but offers a few unique twists of the spurs.

  1. Applicability: The law does not set revenue or volume thresholds. It also carves out small businesses unless the small business “sells” Texans’ sensitive personal data, in which case enhanced notice and consent are needed. Nonprofits are exempt too.
  2. Data “sales”: Like in California, Texas “sales” include data exchanged for “valuable consideration.” Like Virginia, the law requires enhanced disclosures in the event sensitive personal data is sold; like in Illinois, biometric data sales must be explicitly disclosed.
  3. Universal opt-outs: Texas joins California, Colorado, Connecticut, and Montana in mandating that user-initiated opt-out signals (i.e. GPC) be honored. Universal and ‘traditional’ opt-outs also apply to targeted ads and automated decisions with significant effect.
  4. Enforcement: The Attorney General is still Sheriff. The Act does not create a special agency or offer a private right of action. Violations have a 30 day cure period. Y'all better comply!
  5. Departures from CO, CT, and MT:

  • Sorry teens, the law does not go above COPPA, so your data can be sold and you can be ad-targeted without your prior consent.
  • Opt-out requests can be authenticated. It’s not clear what this would look like with a detected GPC signal, but it could mean a pop-up requesting a confirmatory action.
  • There’s no language allowing for consent to be revoked, but in practice there’s no consent without a concurrent opt-out, and this may be amended.
  • Nonprofits are exempt and the AG is not required to engage in rulemaking.

If signed into law, the DPSA will be effective July 1, 2024. That’s a quick draw. But despite a number of twists, Texas blazes now-familiar trails.


EUROPE

Now Anti-Fraud? CNIL Ups the Ante in War on Cookies

The French CNIL has long been one of the most assertive European watchdogs on the adtech beat and is the head of the EDPB’s inglourious Cookies Taskforce. Whether the cause is haphazard CMP implementation or wilful neglect, CNIL rains down pain.

Recap

  • Since 2020, the CNIL has been sweeping cookies and levying fines of nearly €500K.
  • Google, Amazon, Carrefour and Le Figaro made up a large share of the sanctions.
  • Ongoing enforcement fits into CNIL’s 2022-2024 strategic plan for protecting French consumers’ “daily digital life”.

To-date, CNIL has also published numerous recommendations covering valid consent, dark patterns, and even consent record retention. They have also endorsed local Google Analytics competitors.

Partisans: NOYB and other privacy advocacy groups have supported the CNIL’s increased focus on popular publishers, calling programmatic advertising in particular “the greatest data breach in history”.

Microsoft, Bing’d up: At the end of 2022, CNIL fined Microsoft Ireland €60M because Bing required two clicks to refuse all nonessential cookies but only one click to accept them.

  • CNIL also found that when users visited Bing, MS dropped a nonconsensual cookie that bundled several ad-related and analytics purposes.
  • One of those was to combat ad fraud, a use case industry views as ‘essential’ to enforce acceptable use terms and stop, well, $$ theft.

Last week, the CNIL closed the case and waived the fine, noting how MS fixed everything within the allotted cure period.

Fraud hunter: Yet, CNIL did not waive its view, maintaining the cookie also helped Bing deliver targeted ads. This does not appear to be a case of a ‘tremendously unfair world’, but of a legal interpretation clashing with technical implementation. Could the fraud burn have been avoided if MS set a distinct anti-fraud cookie? CNIL, please confirm.


WORLD

CAC Issues Updated C-SCC Filing Guidance

Clarity’s better late than never. China’s Measures for using China Standard Contracts (C-SCC) were scheduled to take effect on June 1st. Yet, instructions for how to file them, when and where, were left to collective imagination. Until now.

Enter CAC’s filing instructions and templates.

Highlights

  • Filing contents: Executed C-SCCs and a Personal Information Protection Impact Assessment Report.
  • Recipient: The applicable provincial CAC and not the federal HQ.
  • Decision: The provincial CAC will respond with a Pass or Fail and may request supplemental information in case of failure.
  • Appeals: There is no process to appeal an ultimate Rejection.

Timelines

  • Filing: Within 10 business days from the C-SCC’s effective date.
  • Decision: Within 15 business days from the filing or re-filing date. (But this process is new and this timeline may be revised pending officials’ ability to keep up.)
  • Supplemental info: Within 10 business days from a Fail notice if additional info is requested.
  • Re-filings: Organizations may need to situationally re-file executed C-SCCs and documents due to material changes in business practices or the recipient-country’s data protection laws.
  • PIPIAs: Privacy and transfer impact self-assessments must be completed within 3 months of filing or re-filing.
  • Grace period: Companies already transferring China PI abroad have 6 months (through Dec 1, 2023) to get their transfers in order.

Wait, what’s this “Report”?

The PIPIA Report compiles instructions, itemizes submission documents, and offers some templates. A final care package would include copies of the company’s business registration certificate (USCC) and the legal representative’s ID card, executed C-SCCs, and a completed PIPIA (see Annex 5 for CAC’s own template).

This is all v1 and may be updated over time. We’ll do the same with our version of the PIPIA.


See our earlier blog post on C-SCCs and the PIPIA assessment here.


PERSPECTIVE

TECH IN FOCUS

EU Ad Industry Should Embrace IAB’s Updated Compliance Efforts

On 16 May 2023, IAB Europe launched v2.2 of its Transparency and Consent Framework (TCF). Changes are in response to evolving industry and consumer needs, and importantly to fulfill commitments made to the Belgian Data Protection Authority (DPA) in the wake of its controversial ruling against the trade group.

Recap: The DPA found IAB Europe to be a Controller of the privacy signals that TCF users transmit. As a result:

  • The IAB had to change its own GDPR legal posture and take on additional accountability.
  • Additionally, the trade group had to refresh framework policies and tech specs to bolster compliance.

Looming deadline: All TCF participants, whether ad-supported publishers, adtech intermediaries, advertisers/agencies or consent management platforms (CMPs), have until September 30, 2023 to adopt TCF v2.2.

Highlights

  • Legitimate Interests: Consent is now the only legal basis for personalisation.
  • Friendlier language: Coded disclosures have been simplified. #nolegalese
  • Added Vendor details: Actual categories of PD collected, data retention practices, and where LI applies.
  • Number of Vendors: Total number of entities chirp-chirping behind the consent banner.
  • UX and dark patterns: Updated interface standards for publishers and commercial CMPs.

IAB EU has committed to taking measures to ensure compliance, and IAB Tech Lab’s Global Privacy Platform aims to support technical accountability.

Real talk: Show us 10 different sites and we’ll show you 10 different compliance experiences. The IAB’s evolving solutions present a real shot at a consistent, interoperable, and now cross-jurisdictional approach. With Google fully onboard and with GPP tackling US-specific needs, adoption is a virtuous spiral.


Migrating to TCF v2.2 includes reviewing updated Purpose classifications and allowable legal basis, and then making the necessary changes to respective implementations. Given the deadline, the Lucid team is available for consultation on the details and their practicalities.


ROUNDUP

  1. Amazon Nabbed by FTC For Ring Doorbell Privacy Infraction. Amazon's Ring unit settled with the FTC for $5.8M over privacy violations after a former employee spied on female customers with cameras placed in bedrooms and bathrooms. While this is meant to hold Amazon and others accountable for prioritizing profits over privacy, the dollar amount is a mere drop in the profits bucket.
  2. US Senators Question Twitter's Privacy Compliance Under Musk. Four US senators are investigating Twitter's privacy practices and potential violations. Following layoffs, resignations, and the hasty launch of new products, lawmakers emphasized how neither Musk nor Twitter are exempt from legal obligations. With the FTC conducting its own investigation, some lawmakers dismissed both probes as harassment.
  3. Microsoft Anticipates $425M GDPR Fine Over LinkedIn Ads. Microsoft plans to “defend itself vigorously” against a pending fine from the Irish DPC. The alert came by way of an investor disclosure. The “non-public” draft decision by the DPC against LinkedIn follows alleged 2018 GDPR violations, which at the size of the pending penalty involve fundamental issues ranging from transparency to necessity to genuine user choice.
  4. Dutch Groups Call On Consumers For Google Class Action. Two Dutch consumers’ associations are preparing a mass claim against Google, complaining that Big G collects data in a way where real consent from users is impossible and then transfers the data overseas where it is liable for foreign government surveillance. They demand that the tech giant immediately stop tracking, collecting, and selling consumer data without their consent and pay compensation to all Dutch users of Google.


READINESS TOOLS

  • Pan-US Readiness Record (US)
  • Utah Readiness Record (UCPA)
  • California Readiness Record (CCPA/CPRA)
  • Virginia Readiness Record (VCDPA)
  • Colorado Readiness Record (CPA)
  • Connecticut Readiness Record (CTDPA)
  • Transfer Impact Assessment Template (TIA)
  • China Transfer Impact Assessment Template (PIPIA)
