?? Into the Sandboxverse

Lucid folks,

2024 is off to a rapid start.?

New Jersey passed a comprehensive privacy law punctuated by an opt-in to process?sensitive data, an opt-in to sell/monetize the data of teens 13 - 17 y.o., and the recognition of universal opt-out mechanisms.?The bill also comes?with a healthy?mandate for the NJ AG to engage in rulemaking, likely around required DPIAs and other now-familiar operational requirements. Meanwhile, in an ironic twist on the “bridge and tunnel crowd” moniker, NY’s Privacy Act remains stalled in committee.?

In other patchy developments,?2024 spells one thing -- the beginning of the actual end of the third-party cookie.?Challenges ranging from technical implementations to brand safety, professional anxiety even, remain top of mind for digital marketers.

In this issue:

• The cookies are falling
• ICO tackles algorithmic fairness
• 23andMe’s brand-breaking faux pas

From our bullpen to your screens,

Colin O'Malley & Lucid Privacy Group Team

?? If this is the first time seeing our Privacy Bulletin in your feed, give it a read and let us know what you think. For more unvarnished insights, visit our Blog. Your comments and subscriptions are welcome!

1% Into the Sandboxverse

~30M Chrome users around the world are now experiencing the Internet, from news and gaming sites to e-shops and subscription services, without third-party cookies.?

Back to the feature: Intelligent tracking protection (ITP) by whatever name, which blocks third-party (really, cross-domain) cookies and various fingerprinting workarounds without (hopefully) disrupting anodyne web services, has been a selling point for Chrome’s bitter browser rivals since late 2017.?

• Apple Safari, since September of 2017
• Mozilla Firefox, since September of 2018
• Microsoft (Chromium) Edge, since January of 2020

Google’s vision of a viable future is one where their business model is not rewritten by Apple and regulators -- the Biffs in Google’s narrative. But this notion is challenged by the reality that Big G is no Marty either.

Teamsbusters: In a portent of bugs and ghoulies to come, Microsoft 365 users on Chrome have been reporting cross-service issues in SharePoint, OneDrive and Teams. In response, MS has advised subscribers to pretty please switch to Edge.?

• This raises an opportunity for introspection -- why are Apple and Microsoft users still in Chrome??
• Answer: The perfect browser doesn’t exist, and all of us(ers) are creatures of habit. A Sandboxed browsing experience would need to be noticeably bad for users to jump ship… and lose their favorite QoL features like Chrome’s tab grouping in the process.?

All that aside, how many trial users will enjoy ITP while also opting out of Topics API? Google and everyone else want to know. Low-to-tolerable opt-out rates are a win.?

Sandrunner, scorch trials: Readiness of the ad industry varies, with the Internet Advertising Bureau indicating that brands and agencies feel only ~70% prepared for the incoming deprecation.

• Industry voices believe that the full Sandbox launch will be pushed back (again) as Google’s plans still “face stiff opposition from various industry stakeholders”.
• There’s also concern that many stakeholders will simply not be able to keep up with Google’s implementation and testing timelines, potentially leading to another delay.
• Technical mazes aside, critics assert Privacy Sandbox will make it “harder to earn revenue as an open internet publisher”.

What is clear is an urgent need for collaboration among ad buyers, sellers and tech providers to test and test again.

PS: TTD’s critical op-ed is gated behind OpenPass, an SSO identification alternative to cookies.

Fall of the house of tracker: Advertisers, publishers, and brands have had ample time to prepare for Sandbox and the demise of third-party cookies. But this is easier said than done, and in the end publishers are seen as having to fill the third-party data gap.?

• Advertisers remain wary of losing targeting accuracy and performance transparency in a post-Sandbox, post-SKAdNetwork, and those with sufficient data stores are testing PET-powered data collaboration environments (i.e. DCRs).
• Those with subscribers are testing tokenized emails and SSO, supplementing non-authenticated ‘signals’ with probabilistic device identification techniques. That said, probabilistic solutions may increasingly run afoul of Apple’s fortified anti-fingerprinting policies.?
• First-party data is still king, and web and app publishers are catalyzed to grow their own “content fortresses”.?
• Those tired of the microtargeting horror-drama entirely are hopeful that AI will revolutionize contextual targeting, making this path more attractive to higher-paying advertisers.

Leveraging a mix of solutions to compensate for profiling 'signal' loss is par for the long-chartered course. But a?post-cookielyptic open web that leans into PETs -- within and independent of the Sandbox -- is a silver lining.

Zooming out: By phasing out third-party cookies for good later this year, Google is propelling forward with its sandy plan to (1) stay on par with Apple in “improving user privacy”, while (2) differentiating away from Apply by preserving “the critical needs of the [ad-funded] digital ecosystem.” Will this plot resolve to a happily ever after for most? Or will the CMA be the deux ex machina that halts the falling cookieroid? Time will tell.?

The GAMpire Strikes Back

Whether you are pro, con or too far far away to give a Jar Jar, rest assured Chrome users are still monetizable, most notably by Big G. The question is, to which John Williams tune -- A, B or C?

PS: You’ll find Simon Harris’s original post here.

Other Happenings

1. UK ICO Proposes Rules for on Algorithmic Decisions in Employment. “Computer says No”. The ICO has emphasized that data protection laws impose restrictions on the use of solely automated decision-making and profiling in recruitment (i.e. no human interaction). The risks associated with automated decision-making and profiling, include the potential for unfair discrimination, invisible profiling, lack of candidate expectation, and the presence of biases or inaccuracies.?
2. Vermont Lawmakers Copy/Paste Wash MHMD. Vermont's new Bill S.173 is the twin of Washington's MHMD, tackling the consumer health web and app scene HIPAA doesn’t. Like WA’s law, VT’s bill covers small and large businesses, spills the tea on the collection of an expansive set of “consumer health data”, gives Vermoneters the power to delete their info… and to self-enforce violations through the courts (PRA). VT's echoing Washington's privacy mission and also putting its foot down on location-based data games - like a superhero duo for your data!
3. CJEU Clarifies Controller Liability. This ruling really emphasizes the importance of clear instructions & oversight that Controllers must exercise when engaging processors. Controllers must issue clear instructions and maintain ongoing oversight of the processor actions.? Lack of clarity in arrangements will limit the controller's ability, in the event of an incident, to demonstrate that the processor went rogue.
4. 23andMe Blames You for Their Data Breach. Like the bearded "Who's on First" comedy routine, 23andMe's fingerpointing at their customers for (1) recycling passwords, and (2) failing to use optional Multi-Factor Authentication (MFA) is an absurdist runaround. But beneath the tactlessness of blaming breach victims lies a valid Xunzi-ish debate: are users fundamentally 'bad' at cyber self-defense? And if so, is it on businesses to maximally protect users from themselves? A?jury trial is likely to find the company at some fault for not being paternalistic enough.

Lucid Resources

• China PIPL Readiness Record?
• EU-US DPF Readiness Record
• Transfer Impact Assessment Template
• California Readiness Record (CCPA/CPRA)
• Virginia Readiness Record (VCDPA)
• Colorado Readiness Record (CPA)
• Connecticut Readiness Record (CTDPA)
• Utah Readiness Record (UCPA)
• Pan-US Readiness Record (US)
• China Personal Information Processing Impact Assessment Template (PIPIA)