Want to receive these weekly privacy recaps in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.
The Attorneys General in D.C., Indiana, Texas and Washington state filed complaints against Google in a coordinated effort alleging violations of state consumer protection laws based on misrepresentations, omissions and unfair trade practices regarding Google’s collection and use of location data.
Specifically, the complaints allege that Google misrepresented that consumers could prevent Google from retaining and using their location information or using it to target advertisements through their location history, account, device and Google Ad Personalization settings, and that Google unnecessarily conditioned use of Google’s products and services on consent to collection and use of location data. They also allege that Google employed user interfaces that made it difficult to deny use of location data.
These are not the first actions against Google regarding its privacy controls.
The Arizona AG filed a complaint against Google in May 2020 making similar accusations regarding location controls, which lawsuit has been permitted to proceed to trial.
A California class action lawsuit based on Google’s privacy controls was recently dismissed, however. The plaintiffs alleged that Google’s continued collection of data despite the plaintiffs turning off their “Web & App Activity” buttons constituted a breach of contract, but the judge dismissed the claim, holding that the plaintiffs’ expectations from turning off the WAA button didn’t give rise to a contract.
The Association of National Advertisers (ANA) submitted comments to the FTC urging the FTC to deny a recent petition submitted by Accountable Tech to ban “surveillance advertising”. The comments were submitted by ANA in response to a request for public comment on the petition. In its comments, the ANA stressed that advertising, including interest-based-advertising, yields significant value to society and the economy, that the FTC does not have authority to issue a rule banning surveillance advertising, and that Accountable Tech failed to disclose its interests behind the petition sufficient to enable the FTC to rule out a motivation to advance anticompetitive business interests.
WHY IT MATTERS
Advocates and lawmakers are pursuing a ban on “surveillance advertising” at both the legislative and the regulatory levels, both of which have received opposition from the advertising industry. The Banning Surveillance Advertising Act was introduced earlier this month banning or placing restrictions on certain types of targeted advertising.
The Interactive Advertising Bureau (IAB) came out in opposition to the bill, stating that the bill would “disenfranchise businesses that advertise on the Internet, and hundreds of millions of Americans who use it every day to find exactly what they need, quickly”.
Consumer Reports and the Electronic Privacy Information Center (EPIC) recently issued a whitepaper suggesting that the FTC should either ban all secondary uses of data (including the transfer or use of data for advertising), ban most secondary uses, allowing for some exceptions such as security, analytics, product improvement and first-party marketing, prohibit specific secondary uses such as cross-context targeted advertising (the targeting of ads based on consumer activity across different websites, apps and physical locations), or mandate compliance with opt-outs (including universal opt-out settings and databases).
The FTC last month announced in a public filing that the commission is considering initiating a rulemaking regarding commercial surveillance, privacy abuses and algorithmic decision-making, but the specific contents of such rulemaking have not yet been revealed.
After a 10-0 committee vote, Indiana Senate Bill 358, which closely resembles Virginia’s Consumer Data Protection Act, will proceed to a Senate floor vote. The bill in its current form would take effect January 1, 2024 if passed.
WHY IT MATTERS
The Indiana bill is the first comprehensive state privacy law to advance past committee so far in 2022. Several other states are making progress though. New legislation was introduced over the past week in Georgia, Hawaii, Oklahoma and Virginia, bringing the number of states with active comprehensive privacy legislation to 22. Committee hearings were held in the past week for privacy legislation in Alaska, Maryland, Virginia and Washington.
A coalition of media, internet and advertising associations contacted the European Commission in Brussels, claiming Google’s plans to block third-party cookies in its Chrome browser violates European competition law by excluding competitors and their marketing partners from the processing of commercially relevant data, without affecting Google’s ability to collect significant amounts of user data.
WHY IT MATTERS
The statement was submitted before Google released its news regarding the replacement of FLoC with Topics (see Industry section below), so it is unclear whether and how the news would affect the coalition’s position. Google has been under investigation by the UK’s Competition and Markets Authority (CMA) relating to Google’s proposals to remove third party cookies, as a result of which Google has submitted multiple rounds of commitments to, in the words of Google, “ensure that the changes we make in Chrome will apply in the same way to Google’s ad tech products as to any third party.”
The European Data Protection Board published Guidelines on data subject rights, specifically addressing the right of access. The guidance details appropriate measures, timing, limits and restrictions for providing access in response to a data subject request under GDPR, including several examples demonstrating how controllers should respond in specific scenarios. The EDPB is inviting comments on the guidelines, which can be submitted through March 11.
WHY IT MATTERS
Of particular note to the digital advertising industry, the guidance includes a section addressing “issues with establishing the identity of the person making the request” and includes a specific example of a controller that processes cookies and associated pseudonymous random identifiers for behavioral advertising.
The guidance says that, in this scenario, if the data subject exercises his right of access via the controller’s website, the controller should be able to precisely identify the data subject to show the data subject’s behavioral advertising data, by linking the terminal equipment of of the data subject to its advertising profile with the cookies dropped in the terminal, and subsequently grant access to the personal data, since a link between the data processed and the data subject can be found.
Alternatively, if the data subject makes a request via email, the controller will have no other choice but to ask the data subject to provide additional information (the cookie identifier stored in the terminal equipment of the data subject) to be able to identify the advertising profile associated with the data subject.
Google announced on its blog a new Privacy Sandbox interest-based-advertising proposal, Topics, to replace its earlier FLoC proposal. As explained by Google, Topics, powered by the browser, will share three non-sensitive topics with each site a user visits and the site’s advertising partners, based on the user’s browsing history over each of the previous three weeks. Topics will be stored entirely on the user’s device (not on external servers) and deleted after three weeks. Chrome will build user controls to let users see or remove topics or disable the feature.
WHY IT MATTERS
Google had pushed back the testing phase of FLoC to Q1 2022 in its Privacy Sandbox timeline following a blog entry from Criteo identifying certain flaws with FLoC. The timeline is still showing a Q1 2022 testing phase for its “show relevant content and ads” proposals, which includes both Topics and Fledge, its remarketing and custom audience proposal. Google also announced in its blog post that it would soon launch a developer trial of Topics in Chrome for website developers and the ads industry to try it out, so the change does not appear to have altered Google’s timeline. The timeline for deprecation of third-party cookies remains set to begin transitioning in Q4 2022.
Want more of the privacy highlights that matter to adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.
A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.
Keep in touch
Sign up for our newsletter to keep up with privacy news for adtech and martech,
plus occasional company news.