ePrivacy, MarTech, Zero-Party Data, and the future of media

Please find below our quarterly update on five specific topics: 

• ePrivacy and regulatory framework
• MarTech and AdTech in a Privacy-First world
• Competition and digital markets
• Zero-Party Data and Customer Centricity
• The future of media

(also available in audio format – on Masters of Privacy)

ePrivacy and regulatory framework

EU-US data transfers: A new beginning 

The European Union and the United States announced a Trans-Atlantic Data Privacy Framework aiming to replace the now dead Privacy Shield, which used to provide legal cover for personal data transfers to the United States before Max Schrems (an Austrian citizen) used a lawsuit against Facebook to question his rights with regards to surveillance carried out by National Security officials in the US (under the cover of Section 702 FISA – Foreign Intelligence Surveillance Act). 

The latest episode in this legal battle, which we simply call Schrems II (a July 16th 2020 judgment of the Court of Justice of the EU) had also resulted in requiring additional safeguards before using the Privacy Shield’s primary alternative, Standard Contract Clauses (Schrems I, a prior ruling by the same court -with the same plaintiff-, had already ruined a previous framework called Safe Harbor).

It does seem like the newly agreed framework will grant EU citizens sufficient safeguards with regards to electronic surveillance in the US, but all details are still being ironed out and the EDPB (European Data Protection Board) was quick to point out that the Schrems II judgment still applies. In essence, this means that using Mailchimp, Google Analytics, Airtable, Salesforce Marketing Cloud (the last time I checked) and many other Software as a Service tools which store and process data on US soil is still extremely risky and hard to bring into compliance. 

I won’t get into the added complexity of the more recent US Cloud Act, which obliges any US company to share data with US authorities, even when such data is being stored and processed in the EU (as is the case with Microsoft cloud services, Amazon AWS, SendGrid, and many others). 

Open season for consumer protection associations

We cannot leave Luxembourg just yet, as the CJEU found that consumer protection associations don’t need to specifically identify one of their members as the subject of a GDPR violation in order to bring legal action. In fact, they don’t even need to demonstrate a specific infringement. It will suffice with the fact that such harm could happen in light of a particular company’s non conformance to the GDPR’s rules.

The EU reaches an agreement on the Digital Services Act

Most importantly, as it affects the topics covered here, the DSA will ban ads that target children or individuals based on their religion, sexual orientation, ethnicity or political affiliation. Also, social media platforms will have to be transparent about the systems they use to recommend certain contents to their users, offering alternative feeds which are not based on profiling. 

The FTC’s internal struggles with AdTech

FTC Commissioner and Chair Lina Khan warned about the dangers of “surveillance advertising” during her keynote speech at the IAPP (International Association of Privacy Professionals)’s Global Privacy Summit. Luckily, her colleague at the FTC Noah Phillips was there to provide a more nuanced analysis, explaining that “bad actors are not just big guys” and that smaller companies tend to do the most harm in the Ad Tech ecosystem. He also made the point that using the pejorative term “surveillance” to cover all digital advertising was doing a disservice to plenty of practices which are not harmful. 

Martech and AdTech

Reject All is the new black

Google started to deploy a “Reject All” cookie consent button across Europe, following the fine received from the French Supervisory Authority, CNIL (150 million euros) for making it harder to reject cookies than accepting them (requiring a larger number of clicks). Although running counter to EDPB guidelines, as well as those of many supervisory authorities, this is pretty commonplace in Spain, for instance, but CNIL made it clear that this asymmetry was unlawful. 

There is a general consensus out there that large publishers and brands will now follow suit bringing the “Reject All” option forward to their CMP (Consent Management Platform)’s first layer, surely suffering dearly as a result in terms of sample sizes. 

The police with no Karma

As Eric Seufert has commented on his blog, Apple is expected to start policing ATT rules with regards to fingerprinting (and not just IDFA, which it can easily enforce), as plenty of companies are still relying on probabilistic attribution to measure conversions or deduplicate audiences. 

We have recently noted that Android has taken a smarter approach to the issue by announcing a stand-alone SDK Runtime as part of its own Privacy Sandbox. This separate Runtime would allow the Google Play Store to approve an App while separately having a chance to audit the manner in which trackers contained in the isolated SDK could affect user privacy. 

On its part, Google has also chosen to wear their own police hat by threatening to close advertiser accounts that do not conform to its new consent guidelines. This means that some key Google Ads features like remarketing or conversion tracking will require valid consent in the EU.

Google’s new big brother role (surely for fear of bigger fines, which most EU Supervisory Authorities would love to hit them with) has also expanded into Google Analytics. Customers of the most widely used web analytics platform will now be able to leverage the company’s Consent Mode toolkit to disable Google Signals, a key feature of GA4 without which things like cross-platform reporting, remarketing lists based on analytics data, demographics reports, or interests reports will simply not be available.

Shopify Audiences

The ecommerce platform for retailers of all sizes has announced a new program that will allow merchants to contribute their customer data towards a common pool that they can then leverage on the Facebook/Instagram platform to target with their own campaigns. 

A merchant will not be able to access the customers of others, but Shopify is treating the combined personal data as its own first-party data, and this should allow it to avoid restrictions on third-party data imposed by Apple, should they come into play. 

One last round

Brands are demanding basic performance metrics from TikTok, which has grown so fast it is finding it hard to cope. The best thing they could come up with as a result is a proven technology for the measurement of external conversions: third-party cookies!

Competition and digital markets

Apple CEO Tim Cook has used a speech at the IAPP’s Global Privacy Summit (mentioned earlier) to denounce calls for an intervention of competition authorities on the App Store, allowing customers to use a method called “sideloading” to avoid its fees and arbitrary approval system altogether. Apple’s App Store has become one of the worst dictatorships in the world economy, but the company has so far managed to shield itself from scrutiny on the basis of iOS’s lower market penetration with regards to Android. Tim Cook explained that sideloading would represent a major threat to the privacy and security of its customers.

Zero-Party Data and Customer Centricity

Your friendly neighbor, Google

Google is launching a new preference center so that people can more easily manage their privacy settings, opt out of personalized advertising and specify whether they want to see fewer ads on a given topic. I believe they can even discriminate against certain brands.

Open banking meets personal agency

Stripe has introduced Financial Connections to allow individuals to retrieve transactional information from their own bank accounts in order to better inform their relationships with Stripe customers (merchants and providers) and possibly obtain better conditions.

The future of media and independent creators

The creator economy keeps marching forward with two major decisions taking place in the last few days: Meta will pay creators for their original content on Reels (Facebook’s answer to TikTok). On their part, TikTok has introduced Pulse, a new contextual advertising product which shares 50% of its revenues with creators. 

Have a great week.

(Photo by Miguel Saenz de Santa María on Unsplash)