Weekly Roundup: FTC’s New Action Plan, Mozilla’s Analysis on Google’s Privacy Budget Proposal, And More

Summary

• The office of the California Attorney General recently released a set of examples when it sent notices to businesses for CCPA violations. It’s an attempt to provide more clarity around the law.
• Mozilla has highlighted the issues with Google’s Privacy Budget Proposal. There are many loopholes in the idea that can lead to device fingerprinting.
• Mozilla’s analysis also says that the exhaustion of the privacy budget can crash websites.
• Recent past incidents suggest that the FTC will soon move forward in the process of creating new privacy rules. Apart from data collection practices, FTC can also focus heavily on the privacy of children.
• If the FTC decides to make new privacy rules, the implementation can take years due to a time-consuming process.
• IAB Europe is writing letters to publishers and consent management providers to fix their GDPR violations. Many consent management providers are not following its Transparency and Consent Framework. It is suspending such companies until the issues aren’t fixed.

The California AG Releases Example To Bring More Clarity In CCPA

The Office of the Attorney General recently released a set of examples when it sent notices to businesses for CCPA violations. It’s an attempt to provide more clarity around the law. Here are some takeaways for you:

• You should be aware of the service providers who are using the data from your properties. They should be contractually obliged to use the data only for the purposes permitted by the law. Not only ad tech providers but treat all third parties in the same way.
• It may not be enough to refer your visitors to third-party trade association opt-out tools like ones from Network Advertising Initiative and the Digital Advertising Alliance. Enable your visitors to opt-out right from your site.
• It’s important to have a complaint management program that is efficient at handling your consumer’s issues.
• The AG has already clarified earlier that you need to respect Global Privacy Control signals. Examples include an instance where not doing so resulted in a CCPA violation notice.
• It’s your responsibility to stay aware of any changes in the policy and make changes in your business process accordingly.

You can read the document for more details.

Understanding FTC’s New Action Plan And Its Impact On Privacy Laws

Last week, we saw how the FTC is gearing up to work on new privacy rules. This week, The Wall Street Journal dives into how the initiative can take shape in the coming years. It says that the implementation of any new rule would take years to complete. The FTC can also declare some practices (such as some data collection methods) unfair and use its power to police the businesses. Children’s online privacy can also be another main objective of the agency, and it can make new rules related to data collection from minors.

Recent past incidents suggest that the FTC will soon move forward in the process of creating new rules. Ms. Lina Khan, chair of the FTC, has already expanded her control over the rule-writing process. President Biden has also ordered the FTC to work towards writing competition rules to prevent unfair data-collection practices. The agency has already started receiving petitions against targeted ads.

The process of making the new rules will be time-consuming. First, the FTC would have to publish a draft and seek public comments. In special circumstances, the agency might need public comments even before starting the first draft. Later, the review and approval process will follow. Once the FTC comes up with its new rules, the ad tech industry has to abide by them. 

Mozilla Highlights Issues With Google’s Privacy Budget Proposal

The objective of Google’s Privacy Budget proposal is to prevent device fingerprinting. But, Mozilla doesn’t think that the idea is good enough. In its recent analysis, Mozilla has highlighted the major issues with this Privacy Sandbox proposal. Here’s what it says:

• A single piece of information can help in fingerprinting if it is uncommon. For example, learning if someone uses a Chrome browser is not very identifying; by contrast, learning that someone uses Firefox Nightly is quite identifying because there are just a few users who have Firefox Nightly on their devices. In such cases, trackers can zero down on users, despite having a small privacy budget.
• Multiple reads of the same surface can lead to budget exhaustion. But, some surface reads are necessary; for example, reading the screen size is always required for a site to stay responsive. Also, some values are always static, and knowing them isn’t worth spending the budget. For example, Apple phones always use iOS, there’s no need for an additional query to find it. So, we need an efficient process for budget calculation.
• Sites will frequently crash if they can’t make API calls due to the lack of budget. A predetermined order to spend the budget can help, but some users will still face issues.
• Attackers can also fingerprint devices using the budget mechanism itself. They can exhaust the budget with a particular pattern of queries, and then test which queries still work (because they already succeeded).

Takeaway

None of the proposals are supposed to be perfect from inception. Public comments and opinions will highlight the issues so that they can be fixed. It’s a part of the process where criticism leads to a better product.

IAB Europe Pushes CMPs For Privacy Compliance

The data protection authorities in the EU are actively working to improve the online privacy protection of their citizens. In September, the G7 countries also discussed the issues with collecting consent for targeted ads. The leaders think that publishers and ad tech companies do not acquire consent honestly. “Meaningful consent is frequently not obtained”, says the G7 roundtable statement. Cookie walls, dark patterns, consent fatigue, are all under the scrutiny of authorities.

The interference of the authorities has kicked off IAB Europe in action. It is writing letters to publishers and consent management providers to fix their GDPR violating implementations. IAB has designed the Transparency and Consent Framework to help the industry comply with GDPR. The framework sets the standards for data collection and management by the companies. But some CMPs aren’t following it. So, IAB has started suspending such CMP from the list of its approved companies. The suspension will continue until the issues aren’t fixed.

Check your implementation if you are also one of the TCF users.

Moments That Matter

Google has a cunning plan to break your ad blocker – TechRadar

ACCC finds Google’s dominance in adtech supply chain harms businesses and consumers – AdNews

CPRA Update: California Privacy Rulemaking Process Begins – Ad Law Access

Meredith and Dotdash merger would form lifestyle juggernaut – Axios

Google updates Privacy Sandbox timeline for September 2021 with extension for FLoC discussions – XDA Developers