?? Wheel of dharma

Lucid folks,

Data sovereignty is back on the menu at chez European Commission. The issue is as much about growing Europe’s own AI-grade compute infrastructure as securing edges and meeting the needs of regional businesses. The idea here is that a harmonization of the EU Data Act, Digital Markets Act and GDPR will unlock competitive opportunities while giving organizations more options about keeping their data (and AI models) closer to home. And while the EU government is not aiming for hard localization, what goes around comes around. A successful Schrems III on privacy grounds would be a win for? protectionists and a loss for EUNEEDSAI. (See our Roundup section below.)

Moving on, in this issue:

• Google’s cookie (un)deprecation is back in the spotlight
• On retail media and first-party data
• The FTC issues a troubling report on social media

…and more.

From our bullpen to your screens,

Colin O'Malley & Lucid Privacy Group Team

?? If this is the first time seeing our Privacy Bulletin in your feed, give it a read and let us know what you think. For more unvarnished insights, visit our Blog.

Your comments and subscriptions are welcome!

Google’s Not Out of its Cookie Quagmire Yet

The dharmic wheel of Google’s regulatory trials (and revelatory quotables) continues to turn. Google’s gambit to re-crumble cookies by the hands of its users faces a new (but expected) challenge.?

What happened: In its latest report, the UK’s Competition and Markets Authority (CMA) agrees with industry skeptics that Google’s idea of a “new [informed consent] experience in Chrome” would trigger a range of privacy and fair play concerns.

What’s next: When Google does unveil this consent prompt, the CMA will ensure market participants can provide due feedback.

Why this matters: This vector of tut-tut is about the user’s (compliant) privacy experience. From the report, we know that the CMA and ICO have issues with Google’s Topics and Interest Group consent interfaces.?

• The current UX “may not clearly disclose who is processing the user data and the purpose for which it is used, including obtaining valid consent from visitors. Moreover, we believe that the current UX does not adequately inform users that a range of parties beyond the first party site may be processing their data, potentially in combination with third-party data collected outside the site they are currently visiting.”?

Zooming out: Many questions remain. Will Google’s proposed UX will depart from the all too familiar cookie banners and spare Chrome users yet another droll litany of purposes and parties to Groan at? If so, it will be one more missed opportunity to free users from the exhausting niyama of ePrivacy Directive. We lay this karma at the feet of European legislators incapable of overhauling the outdated ePD.

-AK

Is Retail Media the Future of Advertising?

Although the majority of the headlines have been promoting a plethora of Alternative ID solutions as the successors for the crumbling third party cookie, maybe there is a stronger case for Retail Media Advertising models.

What it is: Retail Media Advertising refers to the practice where retailers offer advertising opportunities on their own digital properties, such as their websites, mobile apps, and in-store platforms.

• The Retail Model leverages the retailer’s first-party data, which includes information collected directly from their customers, such as purchase histories and browsing behaviors.
• Retail Media also provides retailers with a welcome new revenue stream by monetizing their first party data on third party websites, as well as their own digital and physical spaces.

Privacy promises: In addition to addressing the very real threat of AI search decimating website traffic, Retail Media offers a promising alternative to third-party cookies, primarily due the fact that the first party data is gathered with explicit consent.?

• This offers advertisers a way to continue personalized marketing while adhering to evolving privacy regulations.

No panacea: Before every retailer rushes to become a media owner/data broker, the transition to retail media is not without challenges.?

• European Data Protection Authorities (DPAs) have begun addressing retail media, although opinions are evolving. For example, the CNIL in France has acknowledged retail media as a promising alternative to third-party cookies but raised concerns about transparency and fairness.???
• In the étude économique sur les modèles publicitaires alternatifs, the CNIL expresses reservations in the increased use of proprietary purchase data, in particular customer loyalty data for advertising purposes, which raises issues of consent and the potential for data misuse.???

Zooming out: It seems that retailers with a little internal innovation could be sitting on an exciting new revenue stream, but they need to ensure that they are closely monitoring how their first party data is actually used… and that consent meets Europe’s high bar. Remember, ‘zero-party data’ is an industry invention and is not the blank cheque some marketers think it is.

-RW

FTC to Social Media: You’re Busted for ‘Mass Surveillance’ and Lax Teen Privacy

FTC just published its latest report “A Look Behind the Screens - Examining the Data Practices of Social Media and Video Streaming Services”.?

As Lucid’s Raashee Gupta-Erry covers in her insider breakdown, the new staff report exposes alarming issues in social media that, at their core, are driven by business models that incentivize privacy-negative data practices.?

1. The report covers 9 companies whose practices FTC staff have analyzed since 2020, describing extensive data collection practices, including the use of sensitive health inferences, that most users are not aware of.?
2. Importantly, the report’s authors conclude that industry’s self-regulatory efforts have fallen short?in the face of profit, and once again call on preoccupied Congress to pass a darn privacy law.
3. Perhaps more damning are the staff’s observations that the children are not OK, and that this area in particular requires actual regulatory oversight.

You can spar over how the FTC wields charged terms like “mass surveillance” to refer to targeted ads writ large while highlight truly awful conduct involving sensitive health and location data. But in the void of a comprehensive federal privacy law and with an antagonistic SCOTUS, the FTC is entitled to hyperbole to draw attention to these important issues. We’re not talking about cats and dogs (or geese) here.

Check out Raashee’s summary and the FTC’s eye-opening report.

-AK

Other Happenings

1. Instagram’s “Big” Teen Protection Update: Too Little, Too Late? Instagram is rolling out new features for teens, but let’s be honest—this feels more like Meta covering its own back than protecting teens. Meta will finally make teen accounts private by default, will cease notifications between certain hours, and give parents enhanced control over these defaults. The social giant promises to monitor for suspicious signups and activity, and to guard against clever workarounds like one ‘parent’ unlocking multiple teens’ accounts. While these measures will significantly deter predatory interactions and should be applauded, Meta’s motives are not exactly altruistic. The social giant faces lawsuits and looming regulation. If not a stratic dodge, this is a case of Meta giving itself a defensive leg up in the event of competitive and regulatory cross-fire.
2. Montana Joins the Privacy Patchwork: Another Law Drops Next Week. Heads up, Montana's privacy law kicks in on October 1st, adding to the growing list of states trying to keep our data safe—or at least regulated. It’s the fourth one this year after Texas, Oregon, and Florida. Montana breaks no new ground, keeping to the middle of the road with mandated disclosures, focusing on data monetization, restricting authorized agents (opt-outs only!), providing now-standard privacy rights with no private right of action, and recognizing opt-out preference signals like GPC. Nearly identical laws are coming in 2025 out of Delaware, New Hampshire, New Jersey, although Maryland gets a gold star for banning sales of SPI.
3. Tech Leaders Urge EU to Harmonize AI Regulations for Global Competitiveness. Meta and other companies have voiced concerns about the quagmire of data protection rules in the EU which is negatively affecting local AI development. EUNEEDSAI argues that without clear guidelines, no one can effectively train AI models on European data, which hampers their ability to grasp local cultural nuances. Even Max Schrems, a privacy activist and nemesis of Meta, agrees that Data Protection Authorities (DPAs) are unhelpful offering conflicting views on AI. While Meta feels unfairly targeted, other companies like Ericsson emphasize the broader issue: Europe risks falling behind the U.S., China, and India unless regulatory hurdles are addressed.
4. UK ICO Presses Publishers’ Buttons on Consent Functions. The UK ICO is not letting up on ensuring that media owners are monitoring and controlling their consent mechanisms. This time they have issued a reprimand to Bonne Terre Limited (Sky Betting) for deploying third-party tracking technologies before obtaining user consent, leading to unauthorized data processing for marketing uses. Although the issue was fixed within a day,? the ICO highlighted potential harms like loss of autonomy and unwanted targeted ads. The ICO is continuing to investigate other websites for similar issues and warns of further action for future breaches. You have been warned!

-RGE, RW

Lucid Resources

• Tracking Technology Privacy Impact Assessment (TTPIA)
• Vendor Security & Privacy Impact Assessment (VSPA)
• Pan-US Data Protection Impact Assessment (US DPIA)
• Pan-US Readiness Record (US RR)
• China PIPL Readiness Record (CHN RR)?
• EU-US DPF Readiness Record (DPF RR)
• Transfer Impact Assessment (TIA)
• California Readiness Record (CCPA)
• Virginia Readiness Record (VCDPA)
• Colorado Readiness Record (CPA)
• Connecticut Readiness Record (CTDPA)
• Utah Readiness Record (UCPA)
• China Personal Information Processing Impact Assessment Template (PIPIA)