We built this ad city on...

Lucid folks,

This week we bring you a lightning round of topics with gravitational implications for privacy compliance, tech policy and digital media.

The lineup:

  • CJEU x IAB Europe
  • UK ICO x Anti-Fraud
  • FTC x Browsing Data
  • PETs x Public Perception
  • Tech Giants x DMA

From our bullpen to your screens,

Colin O'Malley & Lucid Privacy Group Team


If this is the first time seeing our Privacy Bulletin in your feed, give it a read and let us know what you think. For more unvarnished insights, visit our Blog. Your comments and subscriptions are welcome!


CJEU x IAB EU TCF: Decisions and Middle Roads

On March 7, 2024 the European Court of Justice made a long-awaited decision clarifying (i) the nature of IAB Europe’s Transparency and Consent (TC) String (choice signal), and (ii) the trade group’s legal role in the signal’s creation and use by the ad tech ecosystem.

What they said: The EUCJ confirmed that, contrary to IAB Europe’s position, the TC String is indeed personal data with all its applicable GDPR obligations (legal basis, transparency, etc.).

  • Linkage = potential re/identifiability. When a Consent Management Platform (CMP) associates an IP address or another UID with a user’s preferences, the TC String becomes a personal characteristic.
  • Standards-setting + guidance = influence. The IAB’s direct hand in the development of TCF likely makes it a co-controller of the TC String, but not for what happens after.

Source: EUCJ press release

Why it matters: Privacy activists have long criticized the IAB for privacy-washing ad tech business models. By going after the industry’s consent infrastructure, activists hope to erode vendors’ ability to establish any legal basis at scale.

  • A (co)controller mishandling personal data can be fined up to 2-4% of global revenues, a fatal amount for a standards body.
  • With Google supporting TCF v2.x, TC Strings are a compliance currency, without which publishers and advertisers can be pushed towards contextual ads.

Between the lines: In 2021 European lawmakers could have banned targeted ads entirely, but didn’t. Instead, they banned the targeting of children and added rules regarding advertising transparency and consent.

  • Similarly, TCF and consent banners were not created in a vacuum. European data protection authorities have influenced, and continue to influence, their development.
  • Case in point, last year the Belgian DPA approved IAB Europe’s remediation plan, which included TCF v2.2. The updated spec gave publishers more control, removed Legitimate Interests for ad and content personalization, and provided for additional disclosures at the DPA’s request.

Zooming out: The EUCJ did not invalidate TCF or consign IAB Europe to a Sisyphean purgatory. Rather, the high court validated the Belgian DPA’s enforcement approach, opening the door to a TCF v3.0 and durable ad industry reform… should all sides want it.

Vendor details presented in TCF v2.20-compliant consent interface

UK ICO x Anti-Fraud: Questions and Implications

The UK ICO has sent another shot across the bow of news publishers, reinforcing the view that advertising fraud prevention and brand safety trackers are not exempt from CMP gatekeeping.

What they said: "Our guidance states that 'online advertising cookies are not exempt from PECR's consent requirements and never have been… This includes all third-party cookies used in online advertising, including for purposes such as frequency capping, ad affiliation, click fraud detection, market research, product improvement, debugging and any other purpose'".

Why it matters: Advertisers don't traditionally like their ads nudging up against ‘bad’ news, and will actively blacklist their ads appearing against ‘unsuitable’ coverage such as ‘Gaza’ or ‘Ukraine.’ Nor do they appreciate paying for ‘invalid’ eyeballs (e.g. bots).

  • It’s about ‘gaining access’ to a browser/device irrespective of whether what’s accessed is personal data.
  • The ICO is not the EDPB, but the latter’s view of technical ‘access’ is expansive and influential, and even brings into scope tracking based on a user’s (but not a router’s) IP address.
  • So what if the IP represents a bot? Could ICO take a nuanced position? Maybe, but…

No truce, yet: The ICO has intimated their hands are tied. The law is the law, and this won’t change without the help of the UK’s GDPR reform bill (DPDI).

  • The bill is in Parliament and a final cut may put ad trust and safety on the same exempt level as site/app trust and safety. It’s an election year and we are unlikely to see dust settle until 2025.
  • Meanwhile, the ICO will continue their vigilance of cookie banners and consent practices, and have warned industry that the next top 100 websites will be hearing door knocks.

Zooming out: Not everyone is a BBC. For ad-supported news publishers in particular there is an existential concern. Unless society is fine with ‘Photoshopped Royal Family Photograph’ being the epitome of investigative journalism, Europe may need to allow ‘Pay or OK’, which has its own share of hurdles. Revenue alternatives and political dispensations aside, another option could be to ensure publishers get more of a shrinking pie.


FTC x Browsing Data: Sensitive or 'Sensitive'

In February 2024, the FTC released another proposed consent decree with yet another ‘mass data collector’. The company faces a $16.5 million penalty and a prohibition on selling or licensing any web browsing data for advertising.

Who did what: Avast is a blast from the 2000s antivirus past. It still offers itself as a privacy and security product protecting consumers from online tracking and security threats, offering software and a browser extension.

  • Consumers were told Avast would “block annoying tracking cookies that collect data on your browsing activities” and promised that its desktop software would “shield your privacy.”
  • When Avast acquired Jumpshot in 2014, Jumpshot was given access to Avast users’ browsing histories… which Jumpshot sold to >100 companies.

Why it matters: At its core the case is about blindsiding and lying to consumers. Avast users were not provided notice that their browsing data was sold; in fact, they were told the opposite.

  • Where Avast did state that data could be disclosed to third parties, Avast assured consumers data would be anonymous and aggregated.
  • The FTC alleged that this was untrue, and that contracts specifically permitted re-association “for the purposes of targeting and tracking.”

Interesting detail: While the FTC is putting Avast in the same box as X-Mode and InMarket, Avast didn’t collect precise geolocation data like the others. They did sell imprecise geolocation, which is not ‘sensitive’ under the CCPA or other US state or federal laws.

A new doctrine? The FTC has outright stated, now multiple times, that “a consumer’s browsing information is highly sensitive” and “browsing and location data are sensitive. Full stop.”

  • It's a strange assertion where, this year alone, the FTC signed multiple consent decrees over precise geolocation.
  • Stranger still is the discord with the DOJ, who stated that web browsing data is NOT sensitive.

Zooming out: It may be that the FTC came down hard on Avast for its blatantly broken promises. And we know that this is an active FTC, pushing the boundaries of established law in the name of privacy protection (and in light of an inert Congress). We should expect more cases trying this theory… and more aggressive pushback from businesses.

PETs x Public: Practices and Perceptions

What’s what: This study presented at the FTC’s Privacy Con aimed to understand how consumers perceive privacy violations in online advertising.

  • Conducted jointly by Columbia University and HEC Paris, this study of ~1700 US consumers focused on the effectiveness of Privacy Enhancing Technologies (PETs) in improving consumer privacy perceptions.
  • Using a dual privacy framework, it examined both intrinsic (consumer desire to control personal information) and instrumental (economic consequences of sharing data) components.

Why it matters: While PETs like the Google Privacy Sandbox offer technical improvements, they do not necessarily enhance consumer perceptions of privacy.

  • The study underscores the need for a consumer-centric approach to online privacy. Rather than solely focusing on technical solutions, addressing consumer perceptions and concerns should be a priority for the ad tech industry.
  • Behavioral targeting, the industry standard, was found to significantly violate consumers' intrinsic privacy preferences, while contextual targeting showed lower perceived privacy violations. Interestingly, consumers appeared indifferent to seeing ads if they were untargeted and not based on tracking data, emphasizing the importance of addressing tracking and targeting practices in online advertising.

Between the lines: Despite efforts to enhance privacy through PETs, such as the Google Privacy Sandbox, consumer perceptions of privacy violations remain largely unchanged.

  • While keeping data on the consumer's device improves perceptions, the method of targeting, whether at the individual or group level, does not significantly impact perceived privacy violations.
  • Contextual targeting, which limits tracking across websites, emerged as a promising approach to reducing perceived privacy violations.

Zooming out: Educating consumers about online advertising practices and the benefits of PETs is crucial. Ultimately, the goal should be to align technical privacy improvements with consumer perceptions, ensuring a holistic approach to online privacy protection. It's essential to prioritize the perception of consumers over the interests of big tech, steering away from broken ad tech models towards more transparent and privacy-conscious practices.

Source: SSRN / Jerath, Kinshuk and Miller, Klaus

Tech Giants x DMA: Letter or Spirit

The Digital Markets Act (“DMA”) came into force March 7, 2024, requiring the 6 designated ‘gatekeepers’ (Alphabet, Amazon, Apple, ByteDance, Meta, and Microsoft) to comply with the landmark law.

Why it matters: The First Six are giant walled ad networks, and the DMA is a competition law. Under the DMA, [Ad] Gatekeepers must:

  • Allow their business users to access the data that they generate in their use of the gatekeeper’s platform (think ad attribution/post backs).
  • Provide advertisers with the tools and information necessary for them to carry out independent verification of their advertisements hosted by the gatekeeper.
  • Allow their business users to promote their offer and conclude contracts with their customers outside the gatekeeper’s platform.
  • Allow third parties to inter-operate with the gatekeeper’s own services in certain specific situations.

What they're saying: Responses by Google and Apple were quickly panned by critics as meeting the letter but not the spirit of the DMA, overshadowing the Act’s first year with inevitable lawsuits.

  • Google released a blog that promised “detailed information about how their websites, apps, videos and ads are performing” but in Googlian fashion hasn’t released any details on how they will do so. Big questions remain as to what degree this will help in a cookieless, Sandboxed Chrome.
  • Apple has been digging itself out of an EPIC mess. Even though it released a blog detailing how it is complying with the DMA (i.e. permitting alternative app stores and payment processing), ad industry veterans have flagged this as a devil’s bargain.
  • ByteDance aims to provide even more detailed information… while facing a very real sell-off threat in the U.S.
  • Meta now allows the unlinking of its and greater interoperability… while waiting for the other shoe to drop on its ‘Pay or Ok’ consent model.
  • Amazon is working to modify Amazon Ads to granularly report pricing in real-time… including for junk ad inventory.
  • Microsoft has kept its head down and out of the spotlight.

Zooming out: In its own way the DMA is a shine-the-light law. By increasing transparency for business users and holding Tech Giants’ feet to the fire with penalties of 10 - 20% of global revenues, the idea is to make it easier for regulators to stop anticompetitive shenanigans. It will take time and lawsuits to see how serious the European Commission is about enforcing the spirit of the law.


Lucid Resources

