?? Privacy round twos
Lucid Privacy Group
Trusted Global Privacy Specialists for Data-Driven Companies
Lucid folks,
2024 could be the year of watershed second rounds in years-long standoffs between privacy advocates on the one side and organizations forming the infrastructure of the ad-supported open web. While Generative AI continues to garner popular attention, progenitor questions surrounding Big Data -- on privacy and competition grounds -- may be reaching a boiling point.
At the end of the day, whether it is to train and make nimble a chatbot copilot or target auction-based ads, it’s still about the… well, you know what.
In this issue:
…and more.
From our bullpen to your screens,
?? If this is the first time seeing our Privacy Bulletin in your feed, give it a read and let us know what you think. For more unvarnished insights, visit our Blog. Your comments and subscriptions are welcome!
CA ‘Delete Act’ and Inadvertent Brokers: 5 Key Takeaways
On February 9, 2024 Lucid Principal Ben Isaacson participated in a panel at the California Lawyers Association?(CLA) Privacy Summit with Delete Act Author Tom Kemp and Lothar Determan from Baker McKenzie to discuss CA SB 362, aka the ‘Delete Act’. The discussion ranged across multiple topics important to companies directly regulated by the law, but also those who may be inadvertently pulled into its gravitational pull.
As he covered in his earlier blog, the law as written suffers from a number of loopholes? that undermine its meaningful application.?
“In discussing these issues with my co-panelists it is increasingly clear to me that a rulemaking process, if not legislative amendments, are needed to to make compliance feasible – in particular for the inadvertent, digital-only ‘data brokers’ the law's broad definition creates.”?
Introducing Lucid Privacy's Pan-US Data Protection Impact Assessment
The Lucid Privacy Group is pleased to offer a new public resource.
The Lucid Privacy Pan-US Data Protection Impact Assessment (US DPIA) is a holistic, unified worksheet for companies assessing privacy risks in-line with comprehensive US state privacy laws.
As of the date above, there are eight (8) US state privacy laws in effect or coming into effect in 2024-5 that obligate certain Controllers (Businesses under CCPA) to complete a DPIA (by any name). Each state offers slightly varying triggers and substantive requirements for a DPIA but otherwise overlap and generally align with GDPR DPIAs.
Editor's note:?this Pan-US DPIA only covers finalized text and rulemaking as of the date above. For the sake of clarity, this document anticipates but does not explicitly include finalized requirements concerning CCPA Privacy Risk Assessments.?We will continue to update this document as policy making continues and additional states come on board.
Advocates Face Off Against Global Identity Graph Provider
The original cookie onboarding and offline-to-online identity linkage provider, LiveRamp, is facing intense scrutiny in the UK and France.
Filings with the UK ICO and CNIL France are led by the Open Rights Group (ORB) who, together with CrackedLabs, conducted a comprehensive study into the workings of the ad/id tech company’s ubiquitous ‘RampID’.?
Zooming out: ORB’s report is a case of Privazilla Minus One. Regulatory actions could affect all EEA-facing businesses?leveraging and?contributing data to?LiveRamp’s identity databases. For broader context, LiveRamp has a vested interest in letting Google deprecate third-party cookies in Chrome. ATS should be viewed as part of LiveRamp’s business strategy that takes full advantage of its new data collaboration and cookie-alternative identity capabilities.
领英推荐
CMA x Google Privacy Sandbox Part 5: Covert Tracking Prevention
Google's planned deprecation of third-party cookies in Chrome in favor of the Privacy Sandbox (GPS) is slated for H2 2024 and testing is well under way. The UK’s Competition and Markets Authority, and market participants of all persuasions, are closely monitoring how Google is fulfilling its February 2022 fair play Commitments.??
In our Part 1 we zoomed in on the CMA’s views around Content & Ad Relevancy, and in Part 2 on the regulator’s views regarding Ad Measurement. In Part 3 we dove into the Cross-Site Boundaries and in Part 4 we touched on tension points around ad verification practices.?
For our 5th and final installment below we summarize the issues surrounding Google’s Covert Tracking Prevention proposals.
Google’s Bounce Tracking Mitigations (BTM), User-Agent Client Hints (UA-CH) and IP Protection proposals are intended to reduce nonconsensual cross-site tracking?which can undermine Chrome’s new privacy model.?
What critics are saying: Stakeholders raise valid concerns that here too Google can benefit from its own user and traffic data,?all the while restricting and otherwise drip-dropping limited data to its adtech competitors.?
Why it matters: Over the past few years Google has been looking to compete with Apple on privacy branding while positioning itself as a [compliant] pro-advertiser platform. Both tech giants have made significant privacy changes that, in the end, use analogous anti-tracking & anti-fingerprinting Privacy Enhancing Technologies (PETs).?
Privacy counterpoint: Firefox, Brave, DuckDuckGo and Edge offer a range of similar anti-tracking and anti-fingerprinting features. And, users continue to install increasingly sophisticated ad and tracking blockers. Covert (and overt) tracking protections are status quo, and this issue really is about competitive (dis)advantage.
What the CMA is saying: The CMA agrees there are some valid concerns about self-preferencing that Google must ensure they address before proceeding with their proposals. As before, the CMA continues to engage with Google on its anti-tracking proposals.?
Zooming out: Across all the concerns the CMA has surveyed, to proceed with 3rd party cookie deprecation Google must continue to work towards “policy or technical safeguards… and governance mechanism[s]” that ensure the Privacy Sandbox remains suitably neutral and trustworthy… and reasonably utile within its privacy model.?
Read the UK CMA’s full Q4 2023 Report here.
ICCL Fails GDPR Challenge of Auction-Based Ads
Crusaders in the fight against Real-Time Bidding, meaning auction-based ads, the Irish Council for Civil Liberties & Johnny Ryan have seemingly had a bit of a slap down from the Hamburg Regional Court this week.
The background: The ICCL has long badged the RTB system as the “biggest data breach in history”. However, it seems that The Hamburg Regional Court has entirely dismissed a lawsuit filed by the ICCL against RTB.
Why it matters: Although the court has not issued an official report yet the IAB Tech Lab wasted no time in getting the message out that the court (i) “entirely dismissed the case”, and (ii) “rejected the ICCL’s meritless claims as lacking in specificity & riddles with legal infirmities under GDPR”.
Or did it? Competing announcements from ICCL stress that the court did not, in fact, decide the matter on its merits. Rather, it dismissed the ICCL’s case (iii) without prejudice to (iv) a subsequent filing of an appeal. In other words, the ICCL did not plead their case in a way that met the court’s plausibility bar (i.e. standing) but that the civil rights group can retool and try again.
No love lost: A healthy dialogue over the historically opaque data practices across the programmatic ad ecosystem is critical to the future of the ad industry. But to the casual, if interested, observer the discourse is not helped by the absolutist positions held by both sides on the Lawful or Awful aisle. Embellishment and exaggeration does not really advance the possibility of compromise and finding a solution acceptable to the vast majority.?
Bigger picture: It is true that the ICCL’s case failed. So did the FTC’s first shot at mobile data broker Kochava. But it is also true that they can appeal and continue their fight. The point here is that the fight -- and the discourse around it -- will continue.
Who’s right? Who’s next? Wherever this issue lands, hopefully on its merits, there is content aplenty for the good artists at Epic Rap Battles of History.
Other Happenings
Lucid Resources