?? Themes of symmetry

Lucid folks,

If you happen to operate a “trifecta of monopolies” where you are accused of perpetrating “a campaign to condition, control, and tax digital advertising transactions over 15 years”, your company just might be broken up.?

Google is back in federal court, this time defending its ad business practices. As with the search case, which ended in an unflattering ruling. Google is posed to argue. As AdExchanger’s Allison Schiff points out, Google’s defense is symmetrical (really, identical) to past defenses, that it is being punished for offering tools and services that are better than its competitors’ and cost less too. Both trials, from the DOJ’s masterfully written complaints to the expert witness testimony (Day 1) offer an unprecedented look at the inner workings of programmatic advertising.

Moving on, in this issue:

• The symmetry of DSR response timetables
• What we’re reading and listening to (besides the G trials and POTUS debate)
• Paris shows how AI can be used to great benefit

…and more.

From our bullpen to your screens,

Colin O'Malley & Lucid Privacy Group Team

?? If this is the first time seeing our Privacy Bulletin in your feed, give it a read and let us know what you think. For more unvarnished insights, visit our Blog.

Your comments and subscriptions are welcome!

US: Privacy Request Response Times State-by-State

More State privacy laws in effect today and coming online next year means more operational throughput for privacy and compliance teams.?

As the IAPP’s Cobun Zweifel-Keegan eloquently puts it in his latest DC digest, privacy pros are helped by pervasive “themes of symmetry”. “Whatever the underlying reason, humans have a universal aesthetic preference for symmetry” that extends to law and rulemaking.?

Call it legal mirror neurons firing or cookie cutters flashing if you will, but when you get down to operational brass tacks the US privacy landscape is less divergent than we may believe. One such area of helpful symmetry covers (1) what privacy rights can be exercised, and (2) within what timeframes.?

Well said, Cobun, “embracing symmetry may be one way of prioritizing true user autonomy” and compliance-operational efficiency. Do mind the third-party requests, though.

-AK, MT

Read and Listens

Another week, another set of picks from our personal queues:

• CCPA Issues New Advisory Covering Dark Patterns. While there is nothing new or novel in the enforcement division’s new bulletin, there are subtle digs at European cookie consent practices. In short, the CPPA is calling attention to how asymmetric button placements and styling, as well as ‘creative’ verbiage can undermine consumers’ ability to (1) clearly and easily opt-out of “selling” and “sharing”/targeted ads, or (2) grant their free and informed consent to permit such uses. Can you spot what’s off (or not) with the UX examples provided? ?
• Why Are Businesses Getting CIPA Threats About Pixels? Some legal-privacy situations do feel straight out of Better Call Saul, or as Ben Isaacson laments, a midnight infomercial. To-date, businesses have been receiving thousands of warnings and demands that they are violating the California Invasion of Privacy Act (CIPA). “While CIPA pre-dates the use of website pixel tags, the language and scope of the law is so broad that it could possibly cover any such technologies regardless of whether they are ubiquitous across the Internet.” Hence, a cyclical tide in the volume and creativity of claims, and why automatic dismissal is not guaranteed. ?
• Luiza and Schrems Dig into AI. Love him or hate him, there is no avoiding the fact that Max Schrems is a pioneer in privacy advocacy whose work has reshaped data protection.? Max joined Luiza Jarovsky (another trailblazer) to discuss some of the pressing issues around AI at the moment. Notably, recent enforcement actions against X and Meta, areas where AI development is falling short, and… Max’s frustration with the procedural aspects of GDPR enforcement he feels need reform. The European Commision seems to agree some things need fixing. See below. ?
• FPF Analyzes the European Commission's 2nd GDPR Report. Five years hence, is the GDPR effective? Should it be amended? Per Andreea ?erban’s analysis, an overhaul is not in the cards. But the EC recognizes that national and regulatory disagreements -- including over fundamental issues such as the legitimacy of the legitimate interests legal basis -- are undermining the GDPR’s second co-equal goal. That is, to ensure the free flow of personal data within the EU/EEA. On a positive note, the report acknowledges that the GDPR has had a net-positive impact in protecting Europeans at home and setting global standards for the protection of their data abroad.

-RW, AK

Other Happenings

1. Paris, the First AI-ified Olympics. The 2024 Olympics in Paris were the first to use AI-powered systems at scale. Some gave divers 3D dashboards to monitor their time and speed. Others powered chatbots and content moderation to curb abusive comments on social media. Still others helped officials forecast power needs and identify accessibility issues at event venues using “digital twin” models. Given this extensive use of AI, the IOC published an Olympic AI Agenda, a strategic roadmap for deploying the tech and doing so in a safe and responsible way. Give it a read, particularly pages 14-15.?
2. X Agrees to Not Train Grok AI on EU User Data. Elon Musk has apparently succumbed to pressure from advocates and regulators, halting plans to train its AI system on EU users’ tweets. The self-correction is the latest in a series of pivots by Big AI Tech firms who face mounting scrutiny (and lawsuits) over their rampant data harvesting practices. X’s agreement with the Irish DPC is only the beginning -- the data protection authority has asked the European Data Protection Board (EDPB) to opine on platforms using user data to train their models.
3. Future of Ads or Privacy Nightmare? Ford Seeks to Patent New Eavesdropping Tech. Ford may be following GM off the proverbial privacy cliff. The manufacturer aims to revolutionize in-car advertising by using conversation analysis, vehicle data, and location information to deliver tailored ads. The system would listen to occupants' discussions, track driving conditions, and predict destinations to fuel personalization. The application is sure to face significant scrutiny, as the patent offers nothing about Ford’s data protection plans. And while a patent is unlikely to be the place to iron such things out, it’s telling that the application does not even pay lip service to fair information privacy principles. Will the FTC look in? They may. Without robust safeguards, this innovation could lead to serious invasions of personal privacy, including when passengers visit or discuss sensitive locations.
4. IAB Tech Lab Releases New Privacy Taxonomy. The IAB Tech Lab is seeking public comments on its new classification framework, developed in partnership with Ethyca. If the name sounds familiar, it should. Ethyca is the pioneer behind a developer-friendly (and open-source!) system for describing personal data types and uses called FidesLang. The Tech Lab’s new Taxonomy adopts FidesLang to the adtech industry with the goal of further standardizing privacy and compliance practices across a diverse ad ecosystem. The public comment period will close on October 5, 2024.

-RGE, RW

Lucid Resources

• Tracking Technology Privacy Impact Assessment (TTPIA)
• Vendor Security & Privacy Impact Assessment (VSPA)
• Pan-US Data Protection Impact Assessment (US DPIA)
• Pan-US Readiness Record (US RR)
• China PIPL Readiness Record (CHN RR)?
• EU-US DPF Readiness Record (DPF RR)
• Transfer Impact Assessment (TIA)
• California Readiness Record (CCPA)
• Virginia Readiness Record (VCDPA)
• Colorado Readiness Record (CPA)
• Connecticut Readiness Record (CTDPA)
• Utah Readiness Record (UCPA)
• China Personal Information Processing Impact Assessment Template (PIPIA)