On February 25, 2022, the Utah Senate unanimously (28-0) passed Senate Bill 227, also known as the Utah Consumer Privacy Act (Privacy Act). The 2022 session adjourned on March 4, and Utah Governor Spencer Cox has 20 days from that date to either sign (or not sign) the bill, after which it becomes law, or veto the bill, in which case it does not become a law unless the legislature overrides the governor’s veto. The Privacy Act would become the fourth comprehensive state consumer privacy law in the United States.
For the second year in a row, amidst a wave of biometric lawsuits in other states, Maryland legislators have introduced a new biometric privacy law mimicking the Illinois Biometric Information Privacy Act (BIPA). In 2021, a similar proposed law (HB 0218) failed to make it past committee hearings and was withdrawn by its sole sponsor, Maryland House Delegate Sara Love.
On Friday, January 28, the world celebrated its 16th Data Protection/Privacy Day. As the privacy community capped off a week of programming and gazed into the future of potential data privacy enforcement, the celebrations were quickly overshadowed by California Attorney General Rob Bonta, who announced that his office was targeting businesses operating loyalty programs for potential enforcement actions. According to Bonta, his office issued “notices to business[es] that operate loyalty programs and use personal information in violation of California’s data privacy law.” Accordingly, it is expected that a plethora of businesses may soon receive notices of noncompliance. Once a business receives a notice of noncompliance, that business will have 30 days to cure or fix the alleged violation before an enforcement action is initiated. Enforcement actions may result in penalties of up to $7,500 per violation, which can quickly accrue to significant amounts.
As the use of facial recognition and other biometric technology expands, so too has litigation under the Illinois Biometric Information Privacy Act (BIPA). Nearly 2,000 cases have been filed, the vast majority of them in Illinois. Late last year, the Illinois First District Appellate Court issued two key decisions.
As the world turns anew in 2022, a seismic shift is underway in the AdTech industry as detailed in the first part of this Requiem for a Cookie series: online tracking technology as we know it is likely undergoing a permanent change. More specifically, the third-party cookie, which has been the dominant method for tracking online user behavior, is quickly being phased out—and in many instances pushed out by regulators. Out of the ashes of soon-to-be outdated tracking techniques, however, arise multiple privacy-forward alternatives. Which technique or techniques will ultimately replace third-party cookies, however, is unclear, and 2022 is expected to bring clarity to the plethora of alternative options currently vying for dominance.
Pushing for third-party cookie eradication and leading the charge into new alternatives, Europe is a key incubator for new development in the space. Most notably, the Belgian Data Protection Authority (BE DPA) is spearheading a reanalysis of the Transparency and Consent Framework (TCF) implemented by the Interactive Advertising Bureau (IAB). Broadly adopted within the AdTech industry, the TCF stands today as the dominant consent solution utilized to satisfy EU members’ affirmative consent requirements. But the days of TCF’s prevalence appear to be waning as the BE DPA is expected to imminently release a decision confirming alleged infringements by the IAB arising from use of the TCF—specifically violations of the General Data Protection Regulation (GDPR) consent and transparency principles. As of the date of this article, the BE DPA is awaiting potential feedback from other European data protection authorities on its draft decision regarding GDPR infringements, and it is expected that this will be one of the first major privacy developments in the AdTech space of 2022.
Given the uncertainties around TCF, many AdTech players have been implementing new techniques that are expected to eventually replace third-party tracking cookies. The French data protection authority Commission Nationale de l’Informatique et des Libertés (CNIL) already released a statement warning individual consumers and data subjects that “the end of the use of third-party cookies does not mean the end of tracking Internet users online.”  To make sense of the array of alternatives that are in development, the CNIL categorized prominent alternative technologies into four categories, as described below:
- First-party cookies and fingerprinting. While the eventual deprecation of third-party cookies is anticipated, the vitality of first-party cookies appears strong. Often necessary for certain operations and for website functionality, first-party cookies are only created and stored on the website a user directly visits. The CNIL cautions, however, that first-party cookies can still be exploited by third parties, as they can be configured to “return data via URL calls on the advertiser’s domain.”  A similar tool is known as “fingerprinting” and is another tracking technique whereby the information provided by a user’s browser regarding the technical specifications of a user’s hardware (e.g., the operating system or screen size) is collected and used to build a user profile. This information, when sufficiently specific, can be used to track users in a manner similar to cookies.
- Single Sign-On (SSO). Primarily used to facilitate a user’s online connection, SSO allows the user’s account to follow the user while browsing other related websites to which the user’s credentials apply. The account can then be used as a tracker across those websites.
- Unique Identifiers. By tracking users via hashed data relating to a unique identifier (for example, Apple’s Identifier for Advertisers or IDFA), third parties can use the login information and email addresses to link usage of various services.
- Cohort-based Advertising Targeting. Primarily pioneered by Google’s Federated Learning of Cohorts (FLoC), cohort-based targeting avoids targeting individuals by instead clustering a large group of people with similar interests and assigning the group a unique identifier. This enables individuals to effectively “hide in the crowd” while allowing advertisers to reach appropriate audiences.
In addition to the above methods identified by the CNIL, several other creative tracking solutions are gaining traction within the AdTech industry and are expected to make gains in 2022. First, on one end of the cohort-based spectrum is micro-grouping, where small groups of users (between three and five users) are tracked as a single entity in real time. Zero-party data, where users intentionally elect to share their preferences and intentions (e.g., a user answering a survey administered by the website host), is data that comes straight from the source, and is regaining popularity in marketing. Conversion measurement is getting an overall facelift, but perhaps most specifically through Google’s Privacy Sandbox, where notably, Google announced that it is seeking to use “privacy-preserving techniques like aggregating information, adding noise, and limiting the amount of data that gets sent from the device.”  Hearkening back to more traditional techniques used for generations within the print advertising industry, contextual targeting relies on the content of the website a user is visiting instead of user data gleaned from third-party cookies; for example, a website concerning parks and recreation may feature advertising for hiking gear or outdoor clothing to all website visitors, not specific, targeted individuals. The above methods appear to be gaining traction in the AdTech industry, and 2022 is expected to not only bring further developments in these techniques, but also to spotlight clear “winners” in the bake-off to replace third-party cookies.
Regardless of which technique or techniques the AdTech industry eventually chooses as the replacement for third-party cookies, it will be imperative that these techniques are designed and implemented with privacy compliance in mind. Along these lines, the CNIL propagated a firm reminder that under existing European privacy laws, any action that creates an individual or group profile and involves targeted advertising will require prior consent of the user–even if no personal data is processed.  Users must be able to “choose freely and in an informed manner” to refuse such tracking, and indeed, public demand for user choice is expected to continue, as recent years have indicated user focus on privacy transparency and choice. Ultimately, 2022 could prove to be a watershed year in the AdTech industry and may signify the final crumble of third-party cookies.
 Alternatives to third-party cookies: what consequences regarding consent? (Nov. 23, 2021), https://www.cnil.fr/en/alternatives-third-party-cookies-what-consequences-regarding-consent.
 Building a privacy-first future for web advertising (Jan. 25, 2021), https://blog.google/products/ads-commerce/2021-01-privacy-sandbox/.
 See Alternatives to third-party cookies, supra at  (citing the ePrivacy Directive and Art. 82 of the French Act on Information Technology, Data Files and Civil Liberties).
Last week while Americans were preoccupied with carving turkey and baking pies, the privacy world was aflutter with a string of developments in Europe that may drastically affect the future of worldwide website usage and global advertising technology as we currently know it. In short, due to some of the recent positions taken by regulators, “tracking” techniques and cookies as we know them may quickly be saddled with extra compliance requirements.
This past summer, we reported on the July 2021 vote by the Uniform Law Commission (ULC) to approve the Uniform Personal Data Protection Act (UPDPA), a model data privacy bill designed to be promulgated in state legislatures across the United States. Now the District of Columbia becomes the first jurisdiction to have the bill introduced for consideration.
On October 21, 2021, the FTC released a report making it quite clear: internet service providers (ISPs) are next in line for heightened FTC scrutiny. After analyzing the data collection, sharing, and usage practices of the six largest ISPs and three of their affiliated advertising entities, the FTC concluded that the ISPs “amass large pools of sensitive data, and that their uses of such data could lead to significant harms.” 
This report traces its lineage back to August 2019, when the FTC used its powers under Section 6(b) of the FTC Act to issue Orders to File Special Reports to the six largest ISPs that comprised approximately 98.8% of the mobile internet market.
California’s proliferation of new privacy laws shows no sign of slowing. In September and October, California’s Governor Gavin Newsom signed multiple privacy bills into law, covering genetics, abortion rights, and updates to the California Privacy Rights Act (CPRA) in Assembly Bill 694 (AB 694), which among other things clarifies the timing of the California Privacy Protection Agency’s (CPPA) rulemaking responsibilities.
A forthcoming Harvard Law Review article reviewed 857 cases that cited Carpenter v. United States, the landmark Supreme Court Fourth Amendment case, from its publication in June 2018 to March 2021. The purpose of this study was to evaluate the landscape of post-Carpenter Fourth Amendment law.
The full text of the article can be found here.