(Updated on November 7th 2022 to include the latest update on the Digital Services Act)
[An audio version of this update (covering a limited selection of topics) is available on the Masters of Privacy podcast]
Our recommended reading today is a piece of academic research titled “On dark patterns and manipulation of website publishers by CMPs”. It is authored by Michael Toth, Nataliia Bielova and Vincent Roca. The analysis concludes that Consent Management Platforms should probably be considered Data Controllers, as they regularly guide publishers through their deployment, even providing diagnostic tools that determine a need for one. An essential conflict arises in their business model: respecting EDPB guidelines results in too low a consent rate to justify their deployment (and the annoyance that comes with it).
With this we can move on to the usual five sections:
Starting with Europe, the most discussed recent case, and perhaps the most complex, is Ireland’s 405m EUR fine to Meta for the manner in which it exposed contact details for 13-17 year olds on Instagram business accounts. At its core: the European Data Protection Board (EDPB)’s intervention to find a compromise between the Data Protection Commissioner (leading supervisory authority for most US tech giants) and other Data Protection Agencies accusing it of resting on its laurels. We have covered it in a recent Masters of Privacy episode with Tara Taubman-Bassirian, a French Privacy lawyer.
Perhaps even more relevant to the interplay that we mostly care about (MarTech/AdTech + Privacy) was the French DPA’s announcement of a potential 60m EUR fine for Criteo. All hints point to a lack of proper oversight in the obtention of valid consent through publishers and advertisers. The role of these two was instrumental in building what the company had once claimed were “IDs and interests for 72% of all internet users”, so this case could bring us full circle into the Consent Management Platforms debate and whether they can be relied upon. All in all, it is no wonder that Criteo has moved firmly into first-party data territory, now calling itself a Commerce Media platform. We took a deep dive into this particular dilemma in our recent interview with Peter Hense, a German AdTech & Privacy lawyer.
It is also worth noting that we are likely to see more of these data brokerage cases, as the original Criteo complaint was filed by Privacy International (an NGO) against a whole bunch of similar players (Acxiom, Oracle, Experian, Quantcast, Tapad).
The Digital Analytics space got its own share of excitement too. Denmark became (after Austria, France, and Italy) the fourth country to make it clear that Google Analytics breaches the GDPR unless additional measures are taken. As explained in detail by France’s CNIL, the only way to avoid scrutiny was using a reverse proxy (a company’s own EU-based server, filtering out important pieces of information prior to forwarding calls to Google’s servers). We touched on these requirements in yet another Masters of Privacy interview with analytics and privacy engineering expert Cory Underwood. As many will remember, this was only the tip of the iceberg of the 101 complaints filed by noyb against companies using either Google Analytics or the Facebook pixel.
Next in line was TikTok, quickly catching up with Meta/Facebook and Google in terms of privacy violations, penalties, privacy lawsuits and privacy-related scandals. Its latest trophies: the UK DPA (ICO)’s proposed 27m GBP fine for its mishandling of children’s data (they were allowed to sign up without parental consent, the information provided was insufficient, and special categories of data were being processed), a 92 million settlement in Illinois (under the biometric data privacy law on which every major social media platform has stumbled before) and recent coverage of the manner in which its tracking pixels follow everyone around the web.
Moving further west, California’s Attorney General imposed a symbolic but game-changing fine on Sephora after it failed to respect Global Privacy Control settings on the browser (we also covered this in our interview with Cory Underwood – bottom line, analytics and targeting pixels on a page were considered a personal data sale). Hopeful as it may sound for privacy advocates, an article by Don Marti shows that it may prove much harder for consumers to catch other companies selling their data after receiving an opt-out signal from the GPC extension.
Also in California, a class action has been filed against Oracle for its data brokerage practices, involving profiles about billions of people. Privacy warrior Johnny Ryan is acting as a leading representative (“of the entire internet population”). It remains to be seen whether they are able to show actual harm, as similar lawsuits have failed before when run by NGOs as indirect representatives of unspecified individuals.
It may not be a new law or court case, but Joe Biden’s Executive Order to make room for the EU-US Data Privacy Framework (Privacy Shield 2.0) is the biggest piece of news on this front. All going well in Brussels, it could put an end to the nightmare currently faced by the millions of customers of US-based SaaS MarTech and AdTech solutions that happen to process data on US soil, including Google Analytics, Mailchimp, HubSpot, or Salesforce Marketing Cloud. However, it being a complex issue, we have put together a separate piece (as well as a yet-to-be-published interview) hoping to bring some clarity to the whole drama.
The Digital Services Act has been published in the EU Official Journal, and its effects are expected to be fully felt after January 2024. Insofar as it affects Digital Marketing, targeted advertising and profiling are forbidden when involving children or special categories of data. It also imposes controversial content moderation rules on very large platforms and forbids the use of “dark patterns” when it comes to such platforms pushing their own ancillary services. We are discussing its sister law, the Digital Markets Act, within the Competition and Digital Markets section.
For its part, the UK wants out of the GDPR, and this could actually result in a more dynamic environment (it relied on Oxford University research that claimed that the GDPR is costing UK businesses 8% of their profits). For one thing, they are proposing to let small businesses get on with their lives – it remains to be seen, in the meantime, whether the current Prime Minister will keep her job for more than two weeks, and how her departure would affect this initiative.
Upcoming EU rules on collective redress will significantly alter the landscape in digital advertising and data protection enforcement in general (privacy infringements are now open to class actions), possibly importing some of the worst traits of the trigger-happy litigation culture that the US legal system is known for. A recent lawsuit in Holland (one of the first countries to transpose the Directive into national law) against TikTok could provide some clues.
Lastly, crossing the pond again, Colorado enacted its own Privacy law, requiring consent for targeted advertising and imposing clear conditions on the obtention of such consent (hint: dark patterns will not be allowed). It will be interesting to see if some of its advances permeate into other state laws or even future drafts of the proposed American Data Privacy and Protection Law. For its part, California could not control itself and came up with a pretty confusing piece of legislation (Age-Appropriate Design Code Act) aiming to protect children but possibly breaking the internet and doing away with people’s patience.
Google announced support for external Data Clean Room providers with its PAIR initiative. This is an interesting move from a legal standpoint. Whereas walled garden-run Data Clean Rooms (such as Google’s Ads Data Hub) can easily lead to a joint controllership scenario requiring an ad hoc contract for each specific advertiser, neutral clean rooms have a shot at becoming mere data processors. It definitely calls for an ad-hoc episode – and we shall have it!
We have long known that the best possible prices for consumers came at a dear cost to small businesses and merchants, who have been bullied around for far too long. California’s Attorney General is now building a case on top of the contracts SMEs were forced to sign, which include penalties if they dare list their items at lower prices in other websites. The Attorney General is even arguing that consumers are actually suffering higher prices as a result of the bottleneck created by the Seattle giant.
The EU Digital Markets Act has seen the light, and many have predicted a gigantic backfire. The law, which happens to discriminate against large US-based companies (due to the set threshold for so-called “gatekeepers”), may in fact act as a deterrent for potential EU-based challengers (and the funding or growth strategy they may require), eventually providing yet another regulatory moat for the entrenchment of the former.
Apple keeps expanding its ad network, making apps even harder to find, happily collecting customer data in the name of their privileged relationship (aka app store dictatorship) and asking their customers to identify themselves (and their credit cards) ad nauseam – all of it while hampering the effectiveness of any meaningful competitor by educating their customers into “asking apps not to track them”.
Lastly, we need to mention TikTok in this chapter as well. The US may end up forcing ByteDance to sell it to a local player, after identifying important gaps in its data transfer policies (with China-based employees being able to access personal data about US citizens) and raising concerns over the app’s potential as an instrument of mass manipulation (after all, the content individually presented to each user is not determined by her social graph, but rather by an algorithm).
There’s been plenty of news about individual empowerment in the face of ad targeting and personal data processing. Consent-O-Matic, a consent pop-up blocker backed by Aarhus University (Denmark), has denounced the efforts made by OneTrust, a Consent Management Platform (CMP), to circumvent its tool, including the filing of a patent application to this end. Brave has also joined this particular game with a feature that will simply remove all consent pop-ups (as PrivacyCloud’s Consent Manager add-on did back in 2018). Our interview with Peter Hense also covered this particular issue.
Google released its new hardware and announced that Pixel 7 phones would beat Apple at its own game by providing a VPN by default (Android VPN, a part of the new Google One offering), thus hiding all IP addresses from ISPs and phone networks. This does go further than Apple’s Private Relay, which requires a paid iCloud account and will only mask traffic going through the Safari browser, contributing to a growing view that, in Apple’s world, privacy is for those who can afford it.
Yet another initiative we had started as a side project a few months ago has found a twin sister, and surely an improved version of itself, in DuckDuckGo’s new email protection service. As we once intended with NODO Mail, the Duck.com service allows individuals to create aliases and then forward messages to their primary inbox. This will help end users get rid of trackers such as the pixels used to verify whether an email has been opened. Apple is already offering a similar service (Hide My Email).
There is also news that there is less interest in Social Media (21% of internet users expect to use less social media in the coming six months, according to an Outbrain-sponsored report), and that advertisers are once again looking for quality media.
Netflix has unveiled its ad-supported tier, $3 cheaper than its cheapest no-ads subscription. A contradiction familiar to quality publishers is however at play: users willing to pay to remove ads happen to be the most valuable anyone can target (less price-sensitive).
Elon Musk completed his acquisition of Twitter, announcing monthly charges to its heaviest users – starting with those displaying a “verified” blue icon, who happen to be the ones caring the most about the status their identity or following confers to them. This was criticized as a “misinformation nightmare”, in very timely Halloween fashion.
Retail media keeps marching along at great speed (by the looks of some growth numbers in the UK, a market that tends to be ahead of the US in terms of digital advertising). Retailers are both selling their own inventory and monetizing their first-party customer data through ID-matching and different types of data clean rooms. We will cover this in greater detail, as it is not free of legal challenges, given that retailers and brands entering into a data sharing agreement could easily face a joint controllership scenario. Furthermore, consent may be the only valid legal basis for the processing, taking us back to square one.