?? Privacy round twos

Lucid folks,

2024 could be the year of watershed second rounds in years-long standoffs between privacy advocates on the one side and organizations forming the infrastructure of the ad-supported open web. While Generative AI continues to garner popular attention, progenitor questions surrounding Big Data -- on privacy and competition grounds -- may be reaching a boiling point.

At the end of the day, whether it is to train and make nimble a chatbot copilot or target auction-based ads, it’s still about the… well, you know what.

In this issue:

• New resource -- Pan-US DPIA!
• On the CA Delete Act's?'inadvertent' data brokers
• LiveRamp may have some ‘splainin to do.
• Part 6 of our dive into the CMA’s latest Privacy Sandbox report.
• Are auction-based ads a massive GDPR breach? TBD. No, really.?
• POTUS and Agencies are zeroing in on sensitive data abuses.

…and more.

From our bullpen to your screens,

Colin O'Malley & Lucid Privacy Group Team

?? If this is the first time seeing our Privacy Bulletin in your feed, give it a read and let us know what you think. For more unvarnished insights, visit our Blog. Your comments and subscriptions are welcome!

CA ‘Delete Act’ and Inadvertent Brokers: 5 Key Takeaways

On February 9, 2024 Lucid Principal Ben Isaacson participated in a panel at the California Lawyers Association?(CLA) Privacy Summit with Delete Act Author Tom Kemp and Lothar Determan from Baker McKenzie to discuss CA SB 362, aka the ‘Delete Act’. The discussion ranged across multiple topics important to companies directly regulated by the law, but also those who may be inadvertently pulled into its gravitational pull.

As he covered in his earlier blog, the law as written suffers from a number of loopholes? that undermine its meaningful application.?

“In discussing these issues with my co-panelists it is increasingly clear to me that a rulemaking process, if not legislative amendments, are needed to to make compliance feasible – in particular for the inadvertent, digital-only ‘data brokers’ the law's broad definition creates.”?

Continue reading.

Introducing Lucid Privacy's Pan-US Data Protection Impact Assessment

The Lucid Privacy Group is pleased to offer a new public resource.

The Lucid Privacy Pan-US Data Protection Impact Assessment (US DPIA) is a holistic, unified worksheet for companies assessing privacy risks in-line with comprehensive US state privacy laws.

As of the date above, there are eight (8) US state privacy laws in effect or coming into effect in 2024-5 that obligate certain Controllers (Businesses under CCPA) to complete a DPIA (by any name). Each state offers slightly varying triggers and substantive requirements for a DPIA but otherwise overlap and generally align with GDPR DPIAs.

Editor's note:?this Pan-US DPIA only covers finalized text and rulemaking as of the date above. For the sake of clarity, this document anticipates but does not explicitly include finalized requirements concerning CCPA Privacy Risk Assessments.?We will continue to update this document as policy making continues and additional states come on board.

Download it here.

Advocates Face Off Against Global Identity Graph Provider

The original cookie onboarding and offline-to-online identity linkage provider, LiveRamp, is facing intense scrutiny in the UK and France.

Filings with the UK ICO and CNIL France are led by the Open Rights Group (ORB) who, together with CrackedLabs, conducted a comprehensive study into the workings of the ad/id tech company’s ubiquitous ‘RampID’.?

• Complaints allege that LiveRamp’s new Authenticated Traffic Solution (ATS) violates the GDPR at a scale so massive?that it is too complex for the ORB to litigate. Hence their (2nd) request for ICO and CNIL to intercede.

• Like the original 2018 complaints. ORB calls into question LiveRamp’s core business model of continuously tracking and (re)profiling “about 700 million people globally, 45 million people in the UK and 25 million people in France…”
• ORB’s conclusions underscore how LiveRamp’s Data Clean Rooms and other PETs-driven solutions are besides the point. The root issue remains the manner in which the data is collected and its purposes are socialized to average consumers.

Zooming out: ORB’s report is a case of Privazilla Minus One. Regulatory actions could affect all EEA-facing businesses?leveraging and?contributing data to?LiveRamp’s identity databases. For broader context, LiveRamp has a vested interest in letting Google deprecate third-party cookies in Chrome. ATS should be viewed as part of LiveRamp’s business strategy that takes full advantage of its new data collaboration and cookie-alternative identity capabilities.

CMA x Google Privacy Sandbox Part 5: Covert Tracking Prevention

Google's planned deprecation of third-party cookies in Chrome in favor of the Privacy Sandbox (GPS) is slated for H2 2024 and testing is well under way. The UK’s Competition and Markets Authority, and market participants of all persuasions, are closely monitoring how Google is fulfilling its February 2022 fair play Commitments.??

In our Part 1 we zoomed in on the CMA’s views around Content & Ad Relevancy, and in Part 2 on the regulator’s views regarding Ad Measurement. In Part 3 we dove into the Cross-Site Boundaries and in Part 4 we touched on tension points around ad verification practices.?

For our 5th and final installment below we summarize the issues surrounding Google’s Covert Tracking Prevention proposals.

Google’s Bounce Tracking Mitigations (BTM), User-Agent Client Hints (UA-CH) and IP Protection proposals are intended to reduce nonconsensual cross-site tracking?which can undermine Chrome’s new privacy model.?

What critics are saying: Stakeholders raise valid concerns that here too Google can benefit from its own user and traffic data,?all the while restricting and otherwise drip-dropping limited data to its adtech competitors.?

Why it matters: Over the past few years Google has been looking to compete with Apple on privacy branding while positioning itself as a [compliant] pro-advertiser platform. Both tech giants have made significant privacy changes that, in the end, use analogous anti-tracking & anti-fingerprinting Privacy Enhancing Technologies (PETs).?

Privacy counterpoint: Firefox, Brave, DuckDuckGo and Edge offer a range of similar anti-tracking and anti-fingerprinting features. And, users continue to install increasingly sophisticated ad and tracking blockers. Covert (and overt) tracking protections are status quo, and this issue really is about competitive (dis)advantage.

What the CMA is saying: The CMA agrees there are some valid concerns about self-preferencing that Google must ensure they address before proceeding with their proposals. As before, the CMA continues to engage with Google on its anti-tracking proposals.?

Zooming out: Across all the concerns the CMA has surveyed, to proceed with 3rd party cookie deprecation Google must continue to work towards “policy or technical safeguards… and governance mechanism[s]” that ensure the Privacy Sandbox remains suitably neutral and trustworthy… and reasonably utile within its privacy model.?

Read the UK CMA’s full Q4 2023 Report here.

ICCL Fails GDPR Challenge of Auction-Based Ads

Crusaders in the fight against Real-Time Bidding, meaning auction-based ads, the Irish Council for Civil Liberties & Johnny Ryan have seemingly had a bit of a slap down from the Hamburg Regional Court this week.

The background: The ICCL has long badged the RTB system as the “biggest data breach in history”. However, it seems that The Hamburg Regional Court has entirely dismissed a lawsuit filed by the ICCL against RTB.

Why it matters: Although the court has not issued an official report yet the IAB Tech Lab wasted no time in getting the message out that the court (i) “entirely dismissed the case”, and (ii) “rejected the ICCL’s meritless claims as lacking in specificity & riddles with legal infirmities under GDPR”.

Or did it? Competing announcements from ICCL stress that the court did not, in fact, decide the matter on its merits. Rather, it dismissed the ICCL’s case (iii) without prejudice to (iv) a subsequent filing of an appeal. In other words, the ICCL did not plead their case in a way that met the court’s plausibility bar (i.e. standing) but that the civil rights group can retool and try again.

No love lost: A healthy dialogue over the historically opaque data practices across the programmatic ad ecosystem is critical to the future of the ad industry. But to the casual, if interested, observer the discourse is not helped by the absolutist positions held by both sides on the Lawful or Awful aisle. Embellishment and exaggeration does not really advance the possibility of compromise and finding a solution acceptable to the vast majority.?

Bigger picture: It is true that the ICCL’s case failed. So did the FTC’s first shot at mobile data broker Kochava. But it is also true that they can appeal and continue their fight. The point here is that the fight -- and the discourse around it -- will continue.

Who’s right? Who’s next? Wherever this issue lands, hopefully on its merits, there is content aplenty for the good artists at Epic Rap Battles of History.

Other Happenings

1. Biden Issues Order to Protect Americans’ SPI from Foreign Adversaries. The EO focuses on the most sensitive of Americans' data: genomic, biometric, health, and financial data. The administration's goal is to prevent large-scale data transfers and curb adversarial surveillance as well as scams?and privacy intrusions. The DOJ has been tasked?to develop implementing regulations and collaborating with with other agencies on higher security and other necessary standards. POTUS' move should be seen as a not-so-subtle?nudge?at?Congress over missing federal legislation.
2. FTC's Warning: Full Stop on Selling or Disclosing SPI for Advertising. Avast, X-Mode, InMarket actions alleged violations from selling browsing info and unauthorized location tracking. Despite lacking traditional identifiers, such data reveals intimate details, from health conditions to religious affiliations. Brace yourself, as opt-in consent could soon be your new reality if the FTC's intentions materialize into enforceable regulations.
3. UK ICO Broadcasts Their 2024 Enforcement Priorities. The year will be a busy one. Information Commish John Edwards has his eyes set on Generative AI, childrens’ privacy and adtech. He is in steady company across the Channel and over the Pond. ICO staff have begun work on AI and age assurance guidance, and plan to continue their cookie enforcement sweeps. On the latter; to date 38 of the 53 publishers warned last year have ‘fixed’ their issues and 4 have committed to doing soe over the next month. (Editor’s note: Details are scant and we still see plenty of cringe out in the wild. We expect multiple waves and at least one publisher in the public stockades.)
4. Cynical Resignation in Action? Following our last week’s look at ‘Privacy Cynicism’ we may very well have a real life example on our hands. The Open Rights Group has lodged complaints with the ICO and the CNIL about Liveramp's long-standing identity graphing systems. Yes, long-standing. LiveRamp was one of the first pioneers of offline-to-online data ‘onboarding’. With the looming loss of cookie identities in Chrome, data hungry businesses are looking to Liveramp’s global identity databases for solace. Are these practices lawful under the GDPR? Déjà vu.

Lucid Resources

• Pan-US Data Protection Impact Assessment (US DPIA)
• Pan-US Readiness Record (US)
• China PIPL Readiness Record?
• EU-US DPF Readiness Record
• Transfer Impact Assessment Template
• California Readiness Record (CCPA/CPRA)
• Virginia Readiness Record (VCDPA)
• Colorado Readiness Record (CPA)
• Connecticut Readiness Record (CTDPA)
• Utah Readiness Record (UCPA)
• Pan-US Readiness Record (US)
• China Personal Information Processing Impact Assessment Template (PIPIA)