We live in truly interesting times. Elon Musk has sued the Global Alliance for Responsible Media (GARM) into the ground. Meanwhile, privacy advocates and the Irish DPC are pressing their case against X’s AI training excesses.
Moving on, in this thready issue:
- New public resource!
- On publishers and cookie-alternative IDs
- ‘Significant’ privacy changes may be in the eye of the beholder
From our bullpen to your screens,
Your comments and subscriptions are welcome!
Introducing Lucid Privacy’s TTPIA Template
We are pleased to offer a new templated resource.
Standard privacy impact assessment templates may fall short of assessing context-specific risks arising from the use of cookies, pixel tags and similar tracking technologies.
Irrespective of jurisdiction, an assessment of such technologies should consider:
- The digital marketing goals and expectations of the organization.
- The specific services and technologies being used or planned for use.
- The privacy-protective outcomes the organization wishes to achieve.
- The user and device-level data being collected through these technologies.
- The tools and setups in place to manage these technologies.
- The legal and regulatory risks these technologies present within the context of their specific use.
- The technical and organizational measures to be taken to achieve the desired privacy-protective outcomes.
- The required consents and/or notice language that the organization is prepared to present on the website to ensure compliant use of technology services.
The Lucid Tracking Technology Privacy Impact Assessment (TTPIA) offers a comprehensive worksheet for privacy analysts and engineers to identify and address risks associated with their organization’s use of various tracking technologies, wherever they operate.
We will continue to update this document over time. If you have questions or comments, email us at [email protected].
Privacy in the Age of New ID Solutions
Despite Google’s recent delay in phasing out Third-Party Cookies (3PC), the writing is on the wall: online publishers must explore new identity (ID) and first-party data solutions to maintain their targeted advertising capabilities.
Universal or alternative IDs, which leverage persistent identifiers like email addresses, phone numbers, or device IDs, have emerged as potential solutions to provide a consistent user experience across platforms. However, these cookie-alternative solutions come with significant privacy-perception challenges that publishers must navigate with care. Unlike 3PCs, which were often invisible to users but readily controlled by the informed, these new IDs are more opaque, raising the stakes for obtaining genuinely informed consent at scale.
One silver lining from Google’s turbulent Privacy Sandbox initiative is that a pro-privacy shift in ad targeting is possible, if painful in the short term….
Reads and Listens
Another week, another pick from our personal queues:
- Grumpy GDPR: Does Switching from an EU to US ESP Require Recipient Notification? The ‘significance’ of a change in processing is in the eyes of the beholder. Or is it? Rie and Milo debate whether Rie changing her EU-based Email Service Provider (ESP) to a US one requires a timely notification to newsletter subscribers. Milo thought this was a minor change in the general scheme of things, given the US’s adequacy status (via DPF), but was later persuaded that informing subscribers of the change is a best practice. It’s hard to disagree. A tasteful email does not need to hinge on privacy alone -- it’s also a way to (1) alert recipients of possible delays or inbox filtering kinks that may need to be worked out, and (2) remind them they can, as always, opt out at any time.
- FPF: Op-Ed on the FEC Allowing AI for Political Campaign Ads. If you are feeling besieged by never-ending Trump vs Biden Harris ads, posts, emails and, yes, text messages, you are not alone. Nor are you alone in questioning the veracity of content created using AI. The prospect of scaled, pervasive BS-as-a-Service (née misinformation, coined here) has the good folks at the Future of Privacy Forum (FPF) worried. When the think tank submitted their public concerns to the Federal Election Commission (FEC) in 2023, there was some hope to move the needle beyond self-restraint. Alas, not so. As Google and other platforms move to require disclosure of AI-generated content, the question remains if and when the US will get more durable guardrails in place. Read the FPF’s full op-ed here.
Other Happenings
- India Uses DPDP to Tackle AI Likeness Theft and Dark Patterns. Shivangi Nadkarni reports on the world's biggest democracy's attitude to the risks posed by AI. Those risks, such as privacy violations, algorithmic bias, and the potential for misuse in areas like dark patterns, are as rife in India as anywhere else. India is starting to take these issues seriously, as evidenced by the Digital Personal Data Protection Act and court cases addressing AI misuse. But is it enough?
- Canadian Lawmakers Drag Feet on PIPEDA Reforms as Actors Press for Gen AI Protections. Screen and video game actors are raising their… actual… voices in protest over studios cozying up to AI developers. As performers look to strike over potential job losses, the homeplace of comedy film greats is dragging its Cannuckles on Bill C-27, which aims to modernize Canada’s aging PIPEDA for the digital economy. The included Artificial Intelligence and Data Act proposal largely tracks the EU AI Act conceptually and would tackle high-risk systems and data misappropriation among other concerns, but committee members are months behind on making headway.
- Freemium Smart TVs: When 'The Truman Show' Watches Back. Smart TVs pose a visceral privacy risk due to their ability to track viewing habits through technologies like Automatic Content Recognition (ACR) and Advertisement Identification (AdID). These tools monitor everything you watch, collecting and sharing data with third parties often without clear consent. While some data collection can be minimized by adjusting settings, it’s difficult to stop entirely, leaving users vulnerable to privacy breaches and unwanted surveillance by manufacturers and advertisers.
- Argentina Beefs Up 'Do Not Call' Registry Requirements. Argentinians -- individuals and businesses -- wishing to opt out of unsolicited telemarketing will rest easier knowing that the popular Do Not Call Registry Act has been strengthened with a central DNC management system, clearer distinctions for minor violations, and procedures for individuals to lodge their complaints. The FTC and CPPA are waving hello to the Agency for Access to Public Information.
Lucid Resources
The Data Diva | Data Privacy & Emerging Technologies Advisor | Technologist | Keynote Speaker | Helping Companies Make Data Privacy and Business Advantage | Advisor | Futurist | #1 Data Privacy Podcast Host | Polymath
6 months ago
Lucid Privacy Group, thank you for producing a quality newsletter with great finds and resources.