Spring Newsroom 2023

Readings

“How Website Tracking Technologies Are Transforming Risk Analysis Across Industries” by Lauren Winchester (Info Security Magazine). Here’s a different perspective of the challenge posed by certain “tracking” pixels in healthcare or highly-regulated industries. Whereas #GDPR-related cases have grabbed the headlines (latest: Austrian DPA vs. Meta pixel following NOYB’s 101 complaints on EU-US transfers), class actions and FTC fines are piling up in the United States (GoodRx, Betterhelp, Edmodo, Premom). Highlight: “As a first step, security leaders should review all company websites to determine what tracking technologies are currently in use.”

Now, for the meat.

ePrivacy

Enforcement actions, lawsuits, open complaints

GDPR fines reached a new record when the Irish DPA, following considerable pressure from the EDPB, issued a 1.2bn EUR fine to Meta for its inability to comply with the Schrems II CJEU doctrine. The company behind Facebook, Instagram, and WhatsApp was also asked to cease all data transfers to the US. It was made clear that there is no possible way to either rely on SCCs (already updated to their latest post-Schrems II version, and already complemented with additional safeguards that only stopped short of end-to-end encryption) or any of the available derogations. This leaves the upcoming EU-US Data Privacy Framework as the only way out of the current deadlock, which affects a vast majority of businesses operating in the European Union.  

LinkedIn is expecting its own GDPR fine in Ireland. Microsoft has set aside $425m for the expected DPC blow, as the supervisor completes an investigation initiated in 2018.

The Austrian supervisor sided with NOYB/Max Schrems and considered that a website had breached the GDPR through the inclusion of a Meta/Facebook pixel and Single Sign-On widget (resulting in a personal data transfer to the United States). It appears from the decision that isolating any of these two features would not have made a difference, and, as well explained by Jorge García Herrero (ES), this misses a few key technical details: Whereas the SSO will only result in a transfer of limited information from Meta to the website (ie. In the opposite direction), the Facebook pixel collects entirely new hits or “events” for existing users of the platform. Also, Meta was here considered a mere data processor despite the fact that the company seems to be in full control of the purposes and means of the processing (note: the EDPB Guidelines on targeting social media users make Meta a joint controller in the use of Facebook pixels for paid advertising scenarios).

TikTok suffered additional blows on the basis of both the privacy risks entailed in the Chinese Government accessing personal information about US or EU citizens, and the ability of its secret algorithm to curate the specific content made available to said individuals, thus exerting an undesirable level of influence. While its US CEO, Shou Zi Chew, testified before Congress, The US Federal Government, as well as many others throughout Europe, forbid their own personnel the use of the app on their official devices. Montana announced fines for the Google Play and Apple iOS stores if the app was not hidden for Montana-based individuals by January 1st 2024.

The EU Commission announced that it would stress-test Twitter’s ability to respond to disinformation in line with the upcoming Digital Services Act to ascertain whether it will already be at risk of breaching the new legal framework before it enters into force on August 25th. The company had announced its withdrawal from a voluntary code of conduct.

Filtering out the robots on a given website (through the typical prompt that only a human should be able to respond to successfully) has just become more expensive. France’s CNIL issued an #ePrivacy fine to scooter company Citiscoot for its retrieval of device information in the use of Google reCAPTCHA (it was accompanied by a separate breach of the GDPR due to its excessive collection of geo-location data). For its part, the Finnish DPO ordered (FI) the Finnish Meteorological Institute to disable the same tool (Google reCAPTCHA) on the basis of the resulting EU-US data transfers in the current post-SchremsII scenario – in this case Google Analytics was also involved in this decision for the same reasons, and the Institute ending up removing both tools from its website as well as being asked to delete all of the historical data available. 

CNIL issued a 380k EUR fine to pan-European medical advice service Doctissimo for various GDPR infringements as well as a breach of the ePrivacy Directive (responsible for 100k of the total amount) consisting in serving two advertising cookies after users have selected the Reject All option in the website’s consent banner. 

All against ChatGPT:

• Italy’s Garante forced the company to block Italian IP addresses until OpenAI released a number of privacy safeguards: age verification (and parental consent), a prominent Privacy Policy, an opt-out of personal data used for training purposes -which makes it clear that they rely on Legitimate Interest), and the initial steps for individuals to request the erasure of their personal data.
• The European Parliament introduced amendments to the upcoming AI Act concerning foundational models to reflect social concerns about generative AI. This has resulted in new obligations for so-called “foundation models” (requiring companies such as OpenAI to demonstrate the identification and mitigation of foreseeable risks to key social assets and fundamental rights). 
• Various companies forbid their employees the use of the tool, fully aware that it could ingest sensitive information, eventually making it available to present and future competitors. These included: Apple, Samsung, Verizon, JP Morgan, Bank of America, Goldman Sachs and Citibank.
• The Center for AI and Digital Policy filed a complaint against OpenAI before the FTC, asking it to halt the release of AI models more powerful than GPT-4 until government safety protocols and regulations are in place.
• There were questions about both copyright and data protection, as derivative works or fair use (fair dealing in the UK) entered a new dimension. Japan tackled the issue quickly from both angles, on one hand making it clear that it could not appreciate major risks to data protection (albeit demanding basic safeguards), and on the other making it clear that training such systems would not violate the Japan Copyright Law (2020 – probably the first in the world to open an exception for text and data mining – resulting in the permissibility to copy any copyright-protected work for the purpose of machine learning without authorization of copyright holders). 
• Spain’s AEPD published guidelines on the accuracy principle as it applies to AI. 

The FTC has embarked on a series of enforcement actions against what it considers excessive data collection or data processing activities by advertisers in the context of their digital marketing endeavors. This has included:  

• Accusing Ed Tech provider Edmodo of unlawfully using children’s data for advertising purposes while unlawfully delegating compliance on school districts. This runs counter to COPPA provisions, which require parental consent.
• Announcing an enforcement action against the Premom ovulation tracking app (Easy Healthcare Corp.) for sharing patient information with third parties for advertising purposes, including AppsFlyer and Google. The app did all of the above without user consent and in contravention of its own stated principles.
• This follows a $7,8m fine for Betterhelp as well as a $1,5m fine for GoodRx a few months ago.

In a separate COPPA-based action, Microsoft will have to pay $20m to the FTC after it was found to be illegally collecting children data through their use of the Xbox gaming platform. 

Google reached a $39,9m settlement with Washington state Attorney General after it accused it of “misleading location tracking” practices. These included: “Collecting location data even when consumers disabled “Location History;” Misleading descriptions of location settings; Tracking Android devices, even with location access turned off; Repeatedly nudging users to consent to location tracking; Wrongly claiming certain products would not function unless location was enabled; and Incomplete disclosures of Google’s location data collection.”

Legal updates and guidelines

Three important CJEU decisions have landed in the past weeks:

• On Compensation: Mere infringement of the GDPR does not give rise to a right to compensation: Infringement of the GDPR does not necessarily result in damage, and there must be a causal link between the infringement in question and the damage suffered in order to establish a right to compensation.
• On Data Subject Access Requests, th GDPR: the right to obtain a ‘copy’ of personal data means that the data subject must be given a faithful and intelligible reproduction of all those data That right entails the right to obtain copies of extracts from documents or even entire documents or extracts from databases which contain those data, if that is essential in order to enable the data subject to exercise effectively the rights conferred on him or her by the GDPR
• On Anonymization: EU General Court Clarifies When Pseudonymized Data is Considered Personal Data, extending a literal interpretation of the Breyer case. In the Banco Popular case (where the Single Resolution Board shared anonymized data with Deloitte and was found in breach by the EDPS) The Court held that pseudonymized data transmitted to a data recipient will not be considered personal data if the data recipient does not have the means to re-identify the data subjects.

The CNIL published the results of its own research on the use of cookies (assisted by CookieViz, an auditing tool developed internally, now open sourced) and the evolution of acceptance rates and third party cookie numbers over time. Other than a reminder of the 421m EUR piling up in cookie-related fines since 2020, the report contains interesting conclusions:

• 68% of French internet users consider that the information provided by the advertising ecosystem is insufficient or non-existent
• 39% are now rejecting all cookies, with 49% actively managing their consent preferences (analytics-related cookies are normally favored).
• The share of sites serving more than 6 third-party cookies dropped to 12% from 24%,  with 29% of all websites not serving any third-party cookies at all (vs. 20%)

While the CNIL considers the latter an natural outcome of its own enforcement/awareness initiatives, we would rather point at the concentration of advertising budgets around the larger platforms (walled gardens). In other words, we have a safer, less competitive digital advertising market. Key #AdTech industry insights shared at the latest LUMA Partners conference do seem to confirm this.

Australia’s Privacy Act is making progress. It includes a private right of action in case of a data breach, as well as a hard opt-out of targeted content and ads. Publishers have demanded to be excluded from the former (at the risk of curtailing freedom of speech and undermining news reporting) and online platforms have warned that the opt-out (applying to both targeted ads and personalized content) would do away with the free nature of their services, forcing the platforms to implement a subscription-based model in the country (rather than offering Instagram, Facebook or WhatsApp free of charge).

A string of new state-level privacy laws saw the light since our last report: Indiana, Iowa, Tennessee, and Montana joined Utah, Virginia, Colorado, and California. Texas has just passed its own, which should be signed into law shortly (see the IAPP Map for further details, updated at the end of May).

Spain’s AEPD published a guide for cryptographic systems as a data protection security measure in partnership with the Spanish Association for the Promotion of Information Security and Spanish Professional Association for Privacy. 

Private initiatives

As Cory Underwood reported on his blog: Android introduced an obligation for app developers to allow users to delete their data directly from the web (as well as from within their app). 

Google also announced that it will delete health facilities from a user’s location history even when she has chosen not to turn off said feature. Although this is connected to the recent Roe v. Wade overturn in the US (resulting in the potential prosecution of abortion-related activities), it is consistent with the higher level of risk associated with this special category of personal data. 

Apple released its Privacy Manifests feature to completely get rid of fingerprinting techniques in iOS apps. The App Store is now separating SDK permissions from general app permissions. This will make Privacy Nutrition Labels more accurate as they will automatically combine the privacy manifests of all embedded SDKs. Also, if an app makes calls to an external API, it will be asked to explain the reasons for such calls. Apple will both provide a list of privacy-impacting SDKs and a list of required reasons for API calls to be allowed. This is very similar to the SDK Runtime announced by Android a few months ago (in the context of the Android Privacy Sandbox), separating SDK permissions from host app permissions. 

The iPhone maker also released its long expected AR/VR headset, accompanying the largest amount of cameras and sensors ever seen on a human being’s face with various privacy safeguards such as keeping so-called VisionOS OpticID credentials on the device or preventing eye input from being tracked by third-party apps, websites, or Apple itself. 

MarTech and AdTech

The IAB released TCF 2.2 on May 16th, finally removing the extremely confusing legitimate interest selectors for advertising and content personalization, replacing purposes and feature descriptions with a more user-friendly language, standardizing information about vendors, and providing a path for end users to withdraw their consent. CMPs are due to implement these changes by September 30th 2023. 

Following the TCF 2.2 announcement, Google has started reviewing and certifying Consent Management Platforms introducing new requirements under its Additional Consent Mode specification (important to remember that Consent Mode’s Ghost call is still considered in breach of ePrivacy unless consent is specifically requested)

Separately, Google has been testing the performance of privacy-preserving signals against third-party cookies within both Google Ads and DV360. The fact that these signals have gone beyond the Topics API (to include contextual information and publisher-provider IDs), coupled with the fact that the Privacy Sandbox’s most promising initiative has faced a possibly insurmountable amount of internal criticism, could be a sign that Chrome’s future will not hinge on finding common agreement in the highly participatory Privacy Sandbox working groups. Said criticism did not stop Google from announcing a publicly available Privacy Sandbox API, as well as the gradual disappearance of third-party cookies starting in January 2024. 

Data Clean Rooms kept making serious inroads as the most promising piece of technology in the new competitive digital advertising space space that LUMA Partners have described as “Hedged Gardens” (as opposed to both the open web and walled gardens):

• The IAB Tech Lab released a first draft of its Guidance and Recommended Practices for Data Clean Rooms, covering their three main use cases (planning, activation, measurement) and the manner in which they leverage Privacy Enhancing Technologies (PETs). 
• We have run two separate interviews on the matter, including one with InfoSum and another one with Legal Army.

Oracle is killing AddThis. The once highly-popular social share aggregator  (which it acquired for $200m in 2016) could keep track of individual users across multiple websites, along with the content they shared – all of it without consent. While Oracle’s partners suggested a possible reliance on legitimate interest the company decided such an argument (legal basis) would not fly. 

Competition and digital markets

Following the above mentioned series of measures across the EU (as a reaction to the rapid growth of ChatGPT), the primary leaders in the space took serious note: 

• OpenAI made it clear that it would avoid Europe if the new legal framework went too far (subsequently giving some assurances to complaining EU officials). 
• Google Bard expanded to over 180 countries and territories, avoiding the EU in view of the regulatory risk involved

A leaked Google memo became the most popular read in Silicon Valley circles. It made clear that neither OpenAI nor Google had a moat when it came to Large Language Models (LLM) that power ChatGPT or Bard, and hinted at the future explosion of open sourced models, which was further assisted by Meta’s public release of its own model (LLaMA).

The UK Competition and Markets Authority is closely following developments in the Chrome Privacy Sandbox and the deprecation of third party cookies. It will eventually be down to it and its data protection counterpart (ICO) to decide on an acceptable balance between privacy (by finally deprecating said cookies) and competition (by not ruining the media monetization prospects of smaller publishers in the process). The former’s report on the progress of Google’s promised endeavors was published in April. 

Zero-Party Data and Customer Centricity

Neeva (a search engine that neither collected user data nor served ads) closes down for business. It joins an already pretty crowded cemetery of MyData-related projects.

Future of media

The Canadian government demanded that Facebook/Google compensate the biggest publishers for the links that people share on their platforms, to which Meta responded with an initiative to block links to such publishers. The story repeats itself, and now it could go the Australian (forced compensation) or Spanish way (Google News leaving the country until publishers begged it to return). 

The business model of once impressive digitally-native outlets was questioned even further after Buzzfeed closed its popular website and Vice Media went out of business. 

We have interviewed both Licorice and Anonymised on Masters of Privacy, alternative solutions that do not rely on the individual’s email address or phone number as an alternative to third party cookies in the open advertising ecosystem. It is every day more clear to many that UID and other identity solutions won’t survive regulatory or technical scrutiny.

That’s it for now! More ideas, suggestions, or podcast interview proposals around any of these topics are more than welcome.

Have a great summer.