By McKenzie Thomsen
It’s been a while since our last adtech update, and the industry is still uncertain (and CPRA hasn’t even come into effect yet!). So let’s dive into the big privacy adtech news, starting with the most recent news.
Google Postponed Third-Party Cookie Deprecation… Again
Google has announced it has postponed its deprecation of cookies… again. Initially, Google developed the Privacy Sandbox initiative as an alternative to third party cookies, aimed at preserving privacy. Currently, the Privacy Sandbox APIs are available to select developers in Chrome. But Google states that after receiving developer feedback and after the UK’s Competition and Markets Authority expressed concern that the deprecation of third party cookies and their replacement with the Privacy Sandbox might be anticompetitive (or at least have anti-competitive results), Google has slowed their deprecation and rollout.
Now, Google has announced that they want the Privacy Sandbox API trial period to be extended thus pushing back the deprecation of cookies for the second time (Google originally announced the deprecation by 2022). The APIs will be launched and generally available in Q3 of 2023 and will begin the phase out of cookies in the second half of 2024.
IAB holds that ad measurement is a “sale” under CCPA, but not a “share”
In a recent presentation to the California Lawyers Association’s Privacy Law Section last month, the Interactive Advertising Bureau (“IAB”) stated that it is their belief that most advertising services, including measurement and attribution, constitute a sale under the California Consumer Privacy Act (“CCPA”). However, the IAB does not believe that measurement/attribution are a share under the law. Because measurement/attribution “often occurs after ‘targeting’ and, provided that the measurement/attribution data is not used to further optimize targeting of identifiable consumers, the IAB claims that it] does not constitute [cross-context behavioral advertising] or ‘sharing.’”
The IAB went into further detail about what adtech practices fall under California law and when (detailed below).
Legal & Compliance Challenges: Ad Targeting
- Consumers have the right to opt out of ad targeting based on:
- Third-party data/ audience segments. This is likely “cross-context behavioral advertising” and a “sale”.
- Advertiser audience segments, such as a retargeting audience or a custom audience list. This is likely “cross-context behavioral advertising” and a “sale”.
- Publisher audience segments that are sold programmatically, such as a seller-defined audiences, because the ad delivery process requires at a minimum making the consumer’s IP address available to the winning bidder. This is likely a “sale”.
- Contextual targeting on inventory that is sold programmatically, because the ad delivery process requires at a minimum making the consumer’s IP address available to the winner bidder. This is likely a “sale”.
Legal & Compliance Challenges: Ad Delivery & Reporting
- Consumers have the right to opt out of certain ad delivery and reporting activities:
- Frequency capping is likely a “sale”, because a unique user ID must be passed to count impressions against
- Measurement is likely a “sale”, because unique user IDs are often passed to count the number of people reached by an ad, where, and how often it was shown
- Conversion tracking is likely a “sale”, because advertisers often pass unique user IDs to match against impressions
- Optimization is likely a “sale” and “targeted advertising”, because optimization models often rely on “combing” user information across advertiser campaigns
- Any other “combination” of consumer personal data collected from different sources for any ad-related activity.
Real-Time Bidding is a Data Breach
This news came out in May, but for those who don’t know, it’s important. The Irish Council for Civil Liberties (“ICCL”) released a report that held that the adtech industry’s real-time bidding mechanism (RTB) is the “biggest data breach ever.”
RTB is a kind of programmatic media buying that facilitates the buying and selling of ads in real time at an instant, online auction. In layman’s terms, when a user visits a website, this triggers a bid request that can include various pieces of personal information about the website visitor (e.g., demographic data, browsing history, location, the page being loaded, etc.). The bid request goes from the publisher to an ad exchange/Supply Side Platform, which in turn submits the bid request and the accompanying data to a multitude of advertisers who automatically submit bids in real time to place their ads.
However, the Irish DPA hasn’t enforced the GDPR against the industry for RTB and the cherry on top is that the ICCL sued the Irish DPA to compel them to enforce against RTB.
TikTok thinks Legitimate Interest Is a Valid Legal Basis for Targeted Advertising in the EU
It’s not. We’ve learned multiple times that it’s not, the first time being when the Belgian DPA found the Interactive Advertising Bureau’s (“IAB”) Transparency and Consent Framework (“TCF”) used during RTB violates GDPR because the TCF consent string bypasses user consent by claiming legitimate interest as a legal basis to track and profile web users for advertising. It’s important to note that we are still waiting to see if the IAB will revise the TCF to be in compliance. Since the Belgian ruling, the Dutch DPA also found that commercial purposes (e.g., maximization of profits) are not considered a “legitimate interest” (read: legitimate interest is not a legal basis for targeted advertising). Moreover, the Dutch DPA has indicated that websites and other actors in the Netherlands should cease using RTB to profile users. The Court of Justice of the European Union (“CJEU”) however, has expressed concern over the Dutch ruling.