A Little Privacy: week of August 2

–

Want to receive these weekly privacy recaps in your inbox? Sign up for our privacy newsletter, A Little Privacy.

USA

Facebook disables accounts of university researchers

In response to a report that Facebook disabled the personal accounts of New York University researchers who were collecting data on the targeting of political ads on Facebook, Sen. Mark Warner (D-VA) released a statement calling Facebook’s decision “deeply concerning” and stating that “it’s time for Congress to act to bring greater transparency to the shadowy world of online advertising, which continues to be a major vector for fraud and misconduct.” 

OUR TAKE

Although Sen. Warner is just one senator, we have seen a rapidly increased emphasis in the United States on addressing privacy, antitrust, fraud and misconduct in the advertising industry, in particular surrounding the collection and use of data for ad targeting. This is just another signal that we’re likely to see an increase in legislation, regulation and enforcement in these areas.

Europe

Amazon threatened with unprecedented GDPR fine

According to new information released this week, Amazon has 6 months to establish a proper legal basis for its ad targeting practices to avoid receiving a 746 million euro fine per day of delay after the 6-month period. The decision was issued by the Luxembourg data protection authority and agreed to by other European states. 

Amazon had previously relied on its contract terms of service as a means of obtaining consent to ad targeting, which the Luxembourg DPA held to be insufficient. 

Some context: Amazon is not the first company to try to rely on its Terms of Service as a legal basis to process data for ad targeting, either leaning on it as a form of consent under Article 6.1(a) or claiming that ad targeting is “necessary for the performance of a contract” under Article 6.1(b)  Article 6.1(b) only applies if processing is necessary for the performance of a contract, and, despite arguments from Facebook and Amazon, the courts don’t appear to consider targeted advertising to be “necessary” to the services they provide consumers. 

OUR TAKE

Identity solutions that rely on first-party data may tempt data controllers to combine consent with other contract terms (e.g., agreeing to the terms of service). These cases are good reminders to always ensure consent is distinguishable, clear, and freely given. 

IAB provides contextual advertising guidance

IAB Europe released a Guide to Contextual Advertising, noting that $412B is projected to be spent on contextual advertising by 2025. The guide provides best practices, including using providers who have access to opt-in panels and checking up on the transparency of providers through A/B testing on the accuracy and precision of their classification. The guide also discusses the integration of first-party data with contextual advertising, offering that “incorporating real-time insight into a contextual campaign ensures the perfect blend between audience and context is achieved.” 

OUR TAKE

Shifts to contextual targeting may present new challenges for publishers and advertisers to ensure the providers and methods selected are transparent, effective and responsible. Additionally, an emphasis on opt-in panels and first-party data to supplement contextual advertising will depend on consent solutions that are tailored to the needs of the evolving digital advertising industry.   

GLOBaL

Brazil’s LGPD goes into effect

The final portion of the LGPD went into effect on August 1, authorizing administrative sanctions for noncompliance. The Brazil data protection authority, however, pledged to take a responsive approach to organizations failing to comply, as reported by ZDNet. 

OUR TAKE

Now that sanctions are a possibility, we may start to see companies taking LGPD more seriously, although the “responsive approach” promised by the DPA may calm anxieties. 

Israel DPIAs

The Israel Authority for Conducting an Impact on Privacy Survey released a new guide to help companies identify and reduce risks from collection of personal data. The public comment period is now open to receive feedback on the guidelines.

OUR TAKE

Although Israel law doesn’t currently require data protection impact assessments, this is another example of the growing emphasis from countries across the globe either mandating or encouraging companies to incorporate such assessments into projects involving personal data.   

Pseudonymous data use in South Korea

South Korea’s Personal Information Protection Commission issued proposed amendments to the Notice on the Combination and Export of Pseudonymous Information, providing clarity on the pseudonymization, export and combination of data, in order to promote the safe and convenient dissemination of pseudonymous information. The Commission opened a 20-day public comment period to provide feedback. 

OUR TAKE

Due to the pseudonymous nature of most advertising data (i.e., not directly identifying an individual without combining with other data), changes to requirements and guidelines regarding the handling of pseudonymous information are likely to impact the advertising industry, but we will know more from analysts in the coming weeks.

Want more of the privacy highlights that matter to adtech and martech? Sign up for our privacy newsletter, A Little Privacy.