A Little Privacy: week of August 2
August 9, 2021
Want to receive these weekly privacy recaps in your inbox? Sign up for our privacy newsletter, A Little Privacy.
In response to a report that Facebook disabled the personal accounts of New York University researchers who were collecting data on the targeting of political ads on Facebook, Sen. Mark Warner (D-VA) released a statement calling Facebook’s decision “deeply concerning” and stating that “it’s time for Congress to act to bring greater transparency to the shadowy world of online advertising, which continues to be a major vector for fraud and misconduct.”
Although Sen. Warner is just one senator, we have seen a rapidly increased emphasis in the United States on addressing privacy, antitrust, fraud and misconduct in the advertising industry, in particular surrounding the collection and use of data for ad targeting. This is just another signal that we’re likely to see an increase in legislation, regulation and enforcement in these areas.
According to new information released this week, Amazon has 6 months to establish a proper legal basis for its ad targeting practices to avoid receiving a 746 million euro fine per day of delay after the 6-month period. The decision was issued by the Luxembourg data protection authority and agreed to by other European states.
Amazon had previously relied on its contract terms of service as a means of obtaining consent to ad targeting, which the Luxembourg DPA held to be insufficient.
Some context: Amazon is not the first company to try to rely on its Terms of Service as a legal basis to process data for ad targeting, either leaning on it as a form of consent under Article 6.1(a) or claiming that ad targeting is “necessary for the performance of a contract” under Article 6.1(b) Article 6.1(b) only applies if processing is necessary for the performance of a contract, and, despite arguments from Facebook and Amazon, the courts don’t appear to consider targeted advertising to be “necessary” to the services they provide consumers.
Identity solutions that rely on first-party data may tempt data controllers to combine consent with other contract terms (e.g., agreeing to the terms of service). These cases are good reminders to always ensure consent is distinguishable, clear, and freely given.
IAB Europe released a Guide to Contextual Advertising, noting that $412B is projected to be spent on contextual advertising by 2025. The guide provides best practices, including using providers who have access to opt-in panels and checking up on the transparency of providers through A/B testing on the accuracy and precision of their classification. The guide also discusses the integration of first-party data with contextual advertising, offering that “incorporating real-time insight into a contextual campaign ensures the perfect blend between audience and context is achieved.”
Shifts to contextual targeting may present new challenges for publishers and advertisers to ensure the providers and methods selected are transparent, effective and responsible. Additionally, an emphasis on opt-in panels and first-party data to supplement contextual advertising will depend on consent solutions that are tailored to the needs of the evolving digital advertising industry.
The final portion of the LGPD went into effect on August 1, authorizing administrative sanctions for noncompliance. The Brazil data protection authority, however, pledged to take a responsive approach to organizations failing to comply, as reported by ZDNet.
Now that sanctions are a possibility, we may start to see companies taking LGPD more seriously, although the “responsive approach” promised by the DPA may calm anxieties.
The Israel Authority for Conducting an Impact on Privacy Survey released a new guide to help companies identify and reduce risks from collection of personal data. The public comment period is now open to receive feedback on the guidelines.
Although Israel law doesn’t currently require data protection impact assessments, this is another example of the growing emphasis from countries across the globe either mandating or encouraging companies to incorporate such assessments into projects involving personal data.
South Korea’s Personal Information Protection Commission issued proposed amendments to the Notice on the Combination and Export of Pseudonymous Information, providing clarity on the pseudonymization, export and combination of data, in order to promote the safe and convenient dissemination of pseudonymous information. The Commission opened a 20-day public comment period to provide feedback.
Due to the pseudonymous nature of most advertising data (i.e., not directly identifying an individual without combining with other data), changes to requirements and guidelines regarding the handling of pseudonymous information are likely to impact the advertising industry, but we will know more from analysts in the coming weeks.
Want more of the privacy highlights that matter to adtech and martech? Sign up for our privacy newsletter, A Little Privacy.
Latest Blog Posts
Bedoya testifies in FTC nomination hearing, plus federal online...
UK denies privacy class action against Google. European commission...
The IAB Europe’s Transparency & Consent framework is the...
Latest White Papers
How to review your vendor list to mitigate compliance...
Keep in touch
Sign up for our newsletter to keep up with the latest privacy and media news.