Blog

US states sue Google over dark patterns and German ad industry criticizes third-party cookie deprecation

Julie Rubash, Chief Privacy Counsel
January 31, 2022

Want to receive these weekly privacy recaps in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.

USA

State ATTORNEYS GENERAL Sue Google re Dark Patterns

The Attorneys General in D.C.IndianaTexas and Washington state filed complaints against Google in a coordinated effort alleging violations of state consumer protection laws based on misrepresentations, omissions and unfair trade practices regarding Google’s collection and use of location data.

Specifically, the complaints allege that Google misrepresented that consumers could prevent Google from retaining and using their location information or using it to target advertisements through their location history, account, device and Google Ad Personalization settings, and that Google unnecessarily conditioned use of Google’s products and services on consent to collection and use of location data. They also allege that Google employed user interfaces that made it difficult to deny use of location data.

OUR TAKE

These are not the first actions against Google regarding its privacy controls.

The Arizona AG filed a complaint against Google in May 2020 making similar accusations regarding location controls, which lawsuit has been permitted to proceed to trial.

Earlier this month, the France data protection authority (CNIL) issued sanctions of up to 150 million euros for requiring users of youtube.com to follow a multi-click process to refuse cookies while allowing users to accept cookies with just one click.

A California class action lawsuit based on Google’s privacy controls was recently dismissed, however. The plaintiffs alleged that Google’s continued collection of data despite the plaintiffs turning off their “Web & App Activity” buttons constituted a breach of contract, but the judge dismissed the claim, holding that the plaintiffs’ expectations from turning off the WAA button didn’t give rise to a contract.  

ANA urges FTC to Reject Surveillance Ad Ban

The Association of National Advertisers (ANA) submitted comments to the FTC urging the FTC to deny a recent petition submitted by Accountable Tech to ban “surveillance advertising”. The comments were submitted by ANA in response to a request for public comment on the petition. In its comments, the ANA stressed that advertising, including interest-based-advertising, yields significant value to society and the economy, that the FTC does not have authority to issue a rule banning surveillance advertising, and that Accountable Tech failed to disclose its interests behind the petition sufficient to enable the FTC to rule out a motivation to advance anticompetitive business interests.

WHY IT MATTERS

Advocates and lawmakers are pursuing a ban on “surveillance advertising” at both the legislative and the regulatory levels, both of which have received opposition from the advertising industry. The Banning Surveillance Advertising Act was introduced earlier this month banning or placing restrictions on certain types of targeted advertising.

The Interactive Advertising Bureau (IAB) came out in opposition to the bill, stating that the bill would “disenfranchise businesses that advertise on the Internet, and hundreds of millions of Americans who use it every day to find exactly what they need, quickly”.

Consumer Reports and the Electronic Privacy Information Center (EPIC) recently issued a whitepaper suggesting that the FTC should either ban all secondary uses of data (including the transfer or use of data for advertising), ban most secondary uses, allowing for some exceptions such as security, analytics, product improvement and first-party marketing, prohibit specific secondary uses such as cross-context targeted advertising (the targeting of ads based on consumer activity across different websites, apps and physical locations), or mandate compliance with opt-outs (including universal opt-out settings and databases).

The FTC last month announced in a public filing that the commission is considering initiating a rulemaking regarding commercial surveillance, privacy abuses and algorithmic decision-making, but the specific contents of such rulemaking have not yet been revealed.   

Indiana Privacy Bill Advances to Senate Floor

After a 10-0 committee vote, Indiana Senate Bill 358, which closely resembles Virginia’s Consumer Data Protection Act, will proceed to a Senate floor vote. The bill in its current form would take effect January 1, 2024 if passed.

WHY IT MATTERS

The Indiana bill is the first comprehensive state privacy law to advance past committee so far in 2022. Several other states are making progress though. New legislation was introduced over the past week in Georgia, Hawaii, Oklahoma and Virginia, bringing the number of states with active comprehensive privacy legislation to 22. Committee hearings were held in the past week for privacy legislation in Alaska, Maryland, Virginia and Washington. 

EUROPE

German Ad Industry Criticizes Deprecation of Third-Party Cookies

A coalition of media, internet and advertising associations contacted the European Commission in Brussels, claiming Google’s plans to block third-party cookies in its Chrome browser violates European competition law by excluding competitors and their marketing partners from the processing of commercially relevant data, without affecting Google’s ability to collect significant amounts of user data. 

WHY IT MATTERS

The statement was submitted before Google released its news regarding the replacement of FLoC with Topics (see Industry section below), so it is unclear whether and how the news would affect the coalition’s position. Google has been under investigation by the UK’s Competition and Markets Authority (CMA) relating to Google’s proposals to remove third party cookies, as a result of which Google has submitted multiple rounds of commitments to, in the words of Google, “ensure that the changes we make in Chrome will apply in the same way to Google’s ad tech products as to any third party.” 

EDPB Issues Guidance re the Right of Access

The European Data Protection Board published Guidelines on data subject rights, specifically addressing the right of access. The guidance details appropriate measures, timing, limits and restrictions for providing access in response to a data subject request under GDPR, including several examples demonstrating how controllers should respond in specific scenarios. The EDPB is inviting comments on the guidelines, which can be submitted through March 11.

WHY IT MATTERS

Of particular note to the digital advertising industry, the guidance includes a section addressing “issues with establishing the identity of the person making the request” and includes a specific example of a controller that processes cookies and associated pseudonymous random identifiers for behavioral advertising.

The guidance says that, in this scenario, if the data subject exercises his right of access via the controller’s website, the controller should be able to precisely identify the data subject to show the data subject’s behavioral advertising data, by linking the terminal equipment of of the data subject to its advertising profile with the cookies dropped in the terminal, and subsequently grant access to the personal data, since a link between the data processed and the data subject can be found.

Alternatively, if the data subject makes a request via email, the controller will have no other choice but to ask the data subject to provide additional information (the cookie identifier stored in the terminal equipment of the data subject) to be able to identify the advertising profile associated with the data subject. 

iNDUSTRY

Google replaces FLOC with Topics

Google announced on its blog a new Privacy Sandbox interest-based-advertising proposal, Topics, to replace its earlier FLoC proposal. As explained by Google, Topics, powered by the browser, will share three non-sensitive topics with each site a user visits and the site’s advertising partners, based on the user’s browsing history over each of the previous three weeks. Topics will be stored entirely on the user’s device (not on external servers) and deleted after three weeks. Chrome will build user controls to let users see or remove topics or disable the feature. 

WHY IT MATTERS

Google had pushed back the testing phase of FLoC to Q1 2022 in its Privacy Sandbox timeline following a blog entry from Criteo identifying certain flaws with FLoC. The timeline is still showing a Q1 2022 testing phase for its “show relevant content and ads” proposals, which includes both Topics and Fledge, its remarketing and custom audience proposal. Google also announced in its blog post that it would soon launch a developer trial of Topics in Chrome for website developers and the ads industry to try it out, so the change does not appear to have altered Google’s timeline. The timeline for deprecation of third-party cookies remains set to begin transitioning in Q4 2022.

Want more of the privacy highlights that matter to adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.

Latest Blog Posts

HHS clarifies application of HIPAA to online tracking technologies

March 26, 2024

New guidance from HHS suggests that under some conditions, using...

Sourcepoint Partners with Freestar to Provide Access to Portfolio of Leading Privacy Solutions

March 25, 2024

Sourcepoint partners with Freestar to offer top privacy solutions,...

[WEBINAR] The Evolution of “Consent or Pay”: Legal Insights and Best Practices

March 14, 2024

Explore the intricate landscape of Consent or Pay models...

Latest White Papers

Benchmark Report: US Privacy Compliance

August 19, 2022

The current state of publisher compliance with CCPA, and...

Ebook: A Publisher’s Guide to Vendor List Curation

December 16, 2021

How to review your vendor list to mitigate compliance...

Keep in touch

Sign up for our newsletter to keep up with privacy news for adtech and martech,
plus occasional company news.

Let's explore what we can do together.

We'll be in touch within 48 hours

[contact-form-7 id="593" title="Schedule a Demo"]