Media Review #6

UK CMA and ICO Reports, UID 2.0 GDPR Issues and More

In this part of the “Media Review” series, we take a deeper look at five stories – including an analysis of the most influential stakeholders in the cookieless environment, UID 2.0 GDPR issues, and Google’s presentation of a new concept aimed at providing a privacy-preserving federated identity before third-party cookies are phased-out.

Last Updated:
Published:

CMA secures improved commitments on Google’s Privacy Sandbox – Competition and Markets Authority (CMA)

United Kingdom’s Competition and Markets Authority has been investigating emerging Google proposals for almost a year now. In May, it published the initial commitments that the company promised to follow in the further development of the Privacy Sandbox.

After the publication, there was a month-long consultation period, during which the interested parties could submit their comments and concerns. CMA heard from over 40 parties, demanding the commitments to be strengthened in selected areas.

Google has proposed a set of modified commitments in which the company promises to:

  • ensure that the CMA’s role and the ongoing CMA process are mentioned in Google’s key public announcements;

  • instruct its staff not to make claims to customers which contradict the commitments;

  • report regularly to the CMA on how Google has taken third party views into account;

  • address concerns about Google removing functionality or information before the full Privacy Sandbox changes, including delaying the enforcement of its Privacy Budget proposal, and offering commitments around the introduction of measures to reduce access to IP addresses (Gnatcatcher);

  • clarify the internal limits on the data that Google can use;

  • provide greater certainty to third parties developing alternative technologies;

  • improve the provisions on reporting and compliance, including appointing a CMA-approved monitoring trustee;

  • provide for a longer duration of 6 years from the date of any decision to accept Google’s modified commitments.

These commitments are available in full in the report. The consultation period is planned to end on December 17th. Acceptance of these commitments will result in closure of the investigation and proceed to the oversight period.

ICO calls on Google and other companies to eliminate existing privacy risks posed by adtech industry – Information Commissioner’s Office (ICO)

One day before the CMA’s report, the UK’s Information Commissioner published an Opinion as a warning to companies designing new methods of online advertising to comply with data protection laws.

While the CMA report focused solely on the Privacy Sandbox developed by Google, this opinion is much broader and touches all third-party cookies alternatives.

The ICO wants to influence the emerging proposals while they are still at the early stages of development to avoid “window dressing” and actually give people control over their personal data.

The commissioner clearly emphasized the will to improve the current state and not accept the alternatives maintaining the status quo. 

At the conclusion of the opinion, the commissioner proposed a list of recommendations for the industry:

  • Demonstrate and explain the design choices;

  • Be fair and transparent about the benefits;

  • Minimize data collection and further processing;

  • Protect users and give them meaningful control;

  • Necessity and proportionality – the benefits are not disproportionate to be a risk to privacy rights;

  • Lawfulness, risk assessments and information rights – the solution meets the requirements of appropriate lawful basis;

  • Special category data – the solution addresses the potential of processing special category data.

Federated Credential Management a k a WebID – BlinkOn

During the BlinkOn 15 conference, Dan Sinclair from Google presented the FedCM concept, which aims to provide a privacy-preserving federated identity, before third-party cookies are phased-out.

The main issue with today’s federated identity is that it frequently uses third-party cookies for the login purpose, which can be used for cross-site tracking.

Out of all the models analyzed by Google, the company decided to follow the mediation model, in which the browser mediates the communication between the Identity Provider, the user, and the websites. There is no direct communication between the Relying Parties and IDPs.

The company aims to publish the specification and continue discussions within the FedID community group at the W3C.

One of the drawbacks of the selected model is that it returns data about the user (e.g. an email address) to the Relying Parties, which could be used for tracking if the Relying Parties colluded with each other.

Unified ID 2.0 Faces Roadblocks In Europe As A Result Of GDPR – AdExchanger

Allison Schiff from AdExchanger claims that there may be problems appointing an independent administrator to govern and police the use of UID 2.0 in countries where GDPR is applicable.

UID 2.0 is an initiative started by TheTradeDesk to introduce the universal, email-based identifiers as a replacement to third-party cookies. It has recently contributed source code to the Technical Working Group of the Partnership for Responsible Addressable Media (PRAM) run by IAB Tech Lab to make it open source.

The main issue comes from the fact that GDPR requires the appointment of a so-called “data controller” for UID 2.0, which would be liable for challenges related to processing activities that infringe GDPR.

The UID 2.0 design defines three supporting functions: an operator, an auditor, and an administrator, which will serve as a centralized database managing access to the UID 2.0 ecosystem of partners. While Prebid.org volunteered to be an operator, there is no entity that wants to become an administrator and thus bear most of the risk.

Digital Privacy Is Now An Unstoppable “Three Body Problem” – Mobile Dev Memo

Myles Younger from Media.Monks published an article where he analyzes the groups of stakeholders most influential on the new “cookieless” environment

The author brings up physics’ “Three Body Problem” as a metaphor for the digital environment, in which the three bodies are:

  • Tech competitors, including Walled Gardens, hardware and software makers, adtech platforms and telcos;

  • Government regulators trying to define the role of digital technology in the societies of tomorrow;

  • Public opinion more sensitive to intrusive tracking after a series of data privacy scandals.

Myles also emphasizes that there will be no longer be an “easy button” and marketers will have to use multiple tools to succeed. He also sees the increase in importance of server-side technology.

Regardless of the above, the author is confident that the sunset of cookies doesn’t mean the death of digital advertising.

If you have any questions, comments or issues, or you’re interested in meeting with us, please get in touch.