The Privacy Pulse–July

👋 Hey, I'm Jared Moscow–the Director of Product, Privacy at the IAB Tech Lab. This is the July issue of The Privacy Pulse, a monthly newsletter. I’ll share privacy-world happenings that I am seeing in the form of news stories, tweets, and more. It’s a new space for me and it is rapidly evolving. Thanks for reading!

📰 What’s new this month?

🔟 Each month I’ll highlight 10 stories. This won’t be an exhaustive list! However, these links are worthy of a quick glance to a full read. 

⚖️ US Privacy Legislation

On July 18th, the Governor of Oregon signed the Oregon Consumer Privacy Act (OCPA) into law. Oregon becomes the twelfth US state with a privacy law and the sixth US state to pass a privacy law in 2023. The requirements of the OCPA are similar to other US state privacy laws–though there is an interesting expansion to consumer rights. Oregon will be the first state to provide consumers with the right to request specific third parties a data controller has disclosed personal data with. No other state requires this level of specificity when it comes to identifying third parties. The OCPA goes into effect July 1, 2024–the same day as the Texas Data Privacy and Security Act.

1. Oregon Consumer Data Privacy Law Adds to Bipartisan State Surge

🇪🇺🇺🇸 EU-U.S. Data Privacy Framework

It was near impossible to miss the headlines announcing the finalization of the EU-U.S. Data Privacy Framework. As this story dominated privacy news for the first two weeks of July, I found myself wondering ... What the heck is an adequacy decision? Maybe you already knew the answer to this. But if you're also not a lawyer, fear not, the good folks at the European Commission put together a handy FAQ on the EU-U.S. Data Privacy Framework:

2. Questions & Answers: EU-US Data Privacy Framework

Caitlin Fennessy –VP & Chief Knowledge Officer at IAPP–did a fantastic job summarizing the top 3 takeaways from the decision:

1. The framework's national security/government access protections apply regardless of transfer mechanism. This means that companies using standard contractual clauses or other mechanisms to move personal data from the EU to the U.S. can now mark their transfer impact assessments for government access complete. What better assurance than the European Commission's sign off.
2. For those that remained certified to the Privacy Shield, expect a transition period to update data privacy policies with references to the new framework and complete the certification process.
3. For those looking to certify to the new framework, whether you participated in the Privacy Shield or not, stay tuned for near-term guidance from the Department of Commerce's International Trade Administration.

There are two questions that I’m left asking. First, what does this mean for the current $1.3B fine Meta is facing? Second, when does Max Schrems get involved? More from AdExchanger on the second tidbit:

3. If There’s Anything Certain In Life, It’s That Schrems III Is Coming

👩 ⚖️ CJEU Decision

Keeping our focus on the EU, let’s chat about Meta & the Court of Justice of the European Union (CJEU). The CJEU decision is notable because it opens the door for competition authorities to determine data protection issues–a responsibility previously held solely by EU Data Protection Authorities. Zooming out from Meta, this is noteworthy for Adtech as implications ripple into running behavioral and personalized advertising under GDPR.

4. CJEU ruling on Meta referral could close the chapter on surveillance capitalism

If you are reading this and you work in Advertising, I highly recommend both analysis posts from Mikołaj Barczentewicz :

5a. The CJEU’s Decision in Meta’s Competition Case: Consequences for Personalized Advertising Under the GDPR (Part 1)

5b. The CJEU’s Decision in Meta’s Competition Case Part 2: Sensitive Data and Privacy Enforcement by Competition Authorities

⏳ Sandbox Gradual Availability

Our summer of Sandbox marches on. The delivery of Chrome 115 ushered in the start of general availability for a set of Privacy Sandbox web-platform APIs focused relevance and measurement. By the August edition of the Privacy Pulse, 99% of Chrome browsers will have access to the available sandbox APIs. There are a lot of caveats around throttling up general availability in the dev blog. The key concern? Stability.

6. Shipping the Privacy Sandbox relevance and measurement APIs

6a. With the release of Chrome 115, Google readies to enable Privacy Sandbox’s APIs

In addition to the shipment news, Google shared a detailed technical overview of how Google Ads products have started to leverage sandbox APIs for measurement.

7. Combining the Event and Aggregate Summary Reports from the Privacy Sandbox Attribution Reporting API

While it’s exciting to see these APIs available, I’m more interested to see how much the APIs are actually used. Here’s to hoping we see usage metrics from third parties in Q3 and Q4.

🤫 Sensitive data

Sensitive data is, by nature, sensitive! Some companies can’t seem to use it correctly, legally, or just keep their hands off of it entirely. Two stories from July on such use:

8. Tax prep companies shared private taxpayer data with Google and Meta for years, congressional probe finds: Yikes! Meta using questionable data to target ads and train AI models. I’ve seen this movie before. What makes this version so spicy is the inappropriate use of taxpayer data. Meta & Google had tracking pixels on TaxAct, TaxSlayer, and H&R Block websites. So every taxpayer using one of these sites has had their sensitive data leverage to enhance behavioral targeting practices? If you used TurboTax, are you in the clear? It’s hard to see an upside here for consumers.

8a. Attacks on Tax Privacy: How the Tax Prep Industry Enabled Meta to Harvest Millions of Taxpayers' Sensitive Data: Full report from Senator Warren’s office.

9. FTC Gives Final Approval to Order Banning BetterHelp from Sharing Sensitive Health Data for Advertising, Requiring It to Pay $7.8 Million: From the Federal Trade Commission release:

In an action first announced in March, the FTC charged that BetterHelp used and disclosed consumers’ email addresses, IP addresses, and health questionnaire information to Facebook, Snapchat, Criteo, and Pinterest for advertising purposes despite promising consumers that it would only use or disclose personal health data for limited purposes.

Sure, the fine might be relatively small, but people are watching what you do!

🧵Threads

Transparently, even though the launch hype was through the roof, I have not tried Threads. Maybe I’ve outgrown my ‘early-adopter’ phase? Rest assured, if Meta rolls out a product with ambitious user growth numbers north of 100M, the privacy hawks will be waiting. This story from Forbes is a super interesting comparison of privacy on Threads vs. Instagram vs. Twitter. Did you know you can’t delete your Threads profile without deleting your Instagram account? That should play nicely with GDPR deletion requirements.

10. Threads—Exactly How Private Is Meta’s New Twitter Challenger?

10a. Instagram's Twitter Alternative 'Threads' Launch Halted in Europe Over Privacy Concerns

🪣 Bonus Bucket

July was overflowing with privacy news on the big tech front. Let’s discuss a few stories:

🍎 Privacy Changes

Can we make adtech more complex? How about simultaneous releases from Apple and Google that further challenge marketers' capabilities. That’s exactly the storm July has delivered with the rollout of iOS 17 and Chrome 115. WWDC gave marketers' their first real warning signs for the coming changes across the Apple product suite. While marketers' have had a much longer time–years–to prepare for the rollout of Privacy Sandbox APIs in Chrome.

The privacy changes as part of Apple iOS 17 and Google’s Chrome could mean a messy month for marketing

🏛️ Adtech & DC

I’m a big fan of the IAPP - International Association of Privacy Professionals , their events, and the content they produce. This article from Cobun Zweifel-Keegan, J.D., CIPP/US, CIPM helps capture the privacy problem areas we’re thinking about in adtech. It’s a refresher on the challenges ahead and what the advertising industry is doing to work together on solutions.

A view from DC: Adtech is built on a privacy fault line

🆕 What's new in Privacy at Tech Lab?

Updates on the Privacy Working Groups for July

Global Privacy Working Group

• GPP API v1.1 is ready for implementation: https://iabtechlab.com/blog/global-privacy-platform-api-v1-1-is-ready-for-implementation/
• Data Deletion Request Handling in GPP work stream has kicked off. The working group has been reviewing the proposal on support of data deletion request handling in GPP.

Accountability Working Group

• Development of proposal comparison document for work on the Accountability Platform: Bloom Filter Approach & Federated Querying Approach

PIAT

• The Privacy Implementation & Accountability Taskforce has identified the first two projects under review will be the Diligence Project and the Privacy Taxonomy Project.

🐦 Around the Horn

Tweets & Threads from June that touch on privacy, advertising, and related Tech Lab items:

European Parliament Audit Lara O'Reilly

Privacy Resources for Sensitive Data Amy Olivero

Thread on CJEU judgement Eric Seufert

Frameworks Joe Duball

iOS Fingerprinting Tommy Mysk

🗓️ July Shouts:

• Bills: With state legislative sessions complete for 2023 this will be quiet until 2024
• Data Clean Rooms: Tech Lab launched it’s first guidance on Data Clean Rooms with the release of the Open Private Join and Activation (OPJA) spec! IAB Tech Lab Blesses Its First Set Of Data Clean Room Specs

👋 That’s a wrap for July! See you in August.