Category Archives: Behavioral Advertising

Google adds warnings on data privacy exposures

In its Annual Report filed on February 5, 2019, Google’s parent, Alphabet, Inc., emphasized in a more pronounced way the privacy regulatory and business headwinds it now faces. Specifically, on pages 9 and 10 of the report, Alphabet writes “as the focus on data privacy and security increases globally, we are and will continue to be subject to various and evolving laws. The costs of compliance with these laws and regulations are high and are likely to increase in the future.” It goes without saying, proper compliance will never be optional for the company given that Google’s surveillance advertising accounted for over 85% of its total revenues in 2018.

According to its 10-K, those laws and regulations that may subject Alphabet “to significant liabilities and other penalties” include:

The California Consumer Privacy Act of 2018 that comes into effect in January of 2020, and gives new data privacy rights to California residents and regulates the security of data in connection with internet connected devices.

Privacy laws, which could be interpreted broadly thereby limiting product offerings and/or increasing costs.

Given the recent package of bills introduced in California to bolster CCPA and other privacy-related laws, Alphabet is certainly wise to include CCPA and unnamed “privacy laws” on its 10-K’s list of risk factors.

Alphabet also warns: “Changes to our data privacy practices, as well as changes to third-party advertising policies or practices may affect the type of ads and/or manner of advertising that we are able to provide which could have an adverse effect on our business.” As pointed out by Bloomberg, this wording is not merely reused boilerplate but represents new language.

Even though the duopoly of Google and Facebook are not going away anytime soon, Alphabet’s latest filing is an acknowledgement that upcoming regulatory and market changes may limit how these companies do business. In other words, the free reign they have had for so many years may finally be coming to an end.

Data Privacy Day 2019

January 28, 2019 will mark the tenth anniversary of Data Privacy Day.  Even though the sponsors, messaging and website may have changed from 20102011 and 2012, the overall idea that personal privacy rights should be specifically called out for celebration remains a powerful statement.  In 2014, Congress jumped on board by issuing a Resolution designating January 28th as ‘‘National Data Privacy Day’’.  Two years later, the 2016 celebration of Data Privacy Day crystalized why privacy stakeholders were starting to sound the alarm.  And, by 2019 it has gotten to the point where even large technology companies are calling for regulatory action.

In the coming months, a divided Congress will likely begin a bipartisan effort to address one of the few bipartisan topics out there – data privacy rights.  This effort may succeed if for no other reason next year launches California’s new data privacy regime and companies are feverishly lobbying behind the scenes to preempt this Consent Armageddon from materializing.    In other words, there may soon be a “Data Property Day” coming into focus – the date when privacy rights that were born out of early constitutional and statutory underpinnings first became a basic property right. 

Apple pushes new data regime

In a Time Magazine op-ed piece that is a likely preview of his talk at the “Globalization 4.0” World Economic Forum meeting next week in Davos, Apple’s Tim Cook proposes more government intervention in the digital ad marketplace.   Cook previously railed against the “data industrial complex” at an October EU privacy event.   Apple also recently poked Google in the eye with its massive CES billboard in Las Vegas that reads: “What happens on your iPhone, stays on your iPhone.”  

In his January 16, 2019 Time editorial, Cook suggests that consumers should no longer tolerate “companies irresponsibly amassing huge user profiles.”  He obviously is smart enough to recognize the existing digital ad ecosystem needs to stay firmly in place for his company to thrive – 25% of all persons now check their phones within one minute of waking up largely due to the existing social media landscape he now criticizes.  Rather, he proposes federal omnibus privacy legislation that would ostensibly place more control with consumers who will be allowed for the first time the chance to say, as he put it: “Wait a minute. That’s my information that you’re selling, and I didn’t consent.”

Cook “kicks off” his debate with the following salvo:

That’s why we believe the Federal Trade Commission should establish a data-broker clearinghouse, requiring all data brokers to register, enabling consumers to track the transactions that have bundled and sold their data from place to place, and giving users the power to delete their data on demand, freely, easily and online, once and for all.

Similar to what is now being enforced in Vermont, Apple apparently advocates for the registration of data brokers but adds the new regulatory requirement of tracking transactions as well as codifying the right of erasure enshrined in GDPR and purportedly also acceptable to Facebook.  Backing up “some” of its rhetoric with action, Apple has recently allowed even users outside GDPR’s purview the ability to learn what data is held by it and to correct any inaccuracies – it still, however, does not allow users to learn how their data is used by other companies:

It is not difficult to cynically consider Apple’s new lobbying campaign simply an attempt at undercutting Samsung and Google – especially given Apple itself will always remain a very integral part of the digital ad ecosystem.  In the near term, Apple faces little economic risk with its privacy-friendly posturing – only a potential increasing of its already lofty brand equity. Given that Apple is not technically a “data broker” the significant added costs to data brokers created by its advocacy will certainly not be absorbed by Apple. 

No matter what its motivation, Apple’s new perspective may one day give consumers a bird’s eye view of exactly how valuable their personal data is to companies lacking any direct relationship with them.  And, after that recognition, it may finally be time for consumers to get paid for their valuable data.

UPDATE: January 18, 2019  
Notwithstanding Mr. Cook’s public stance regarding Apple’s GDPR compliance, Apple Music was hit on January 18, 2019 with a complaint alleging a potential maximum penalty of € 8.02 Billion for various GDPR violations.

Vermont Steps in Front of California with New Privacy Law Aimed at Brokers


Earlier this year, Vermont became the first state to enact a privacy law specifically targeting data brokers. This law, which will become fully effective on January 1, 2019, requires state registration of any business “that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship”.

According to Guidance provided earlier this month by the Attorney General’s Office, the type of consumer information subject to this new law includes: “People with incomes over $100,000,” “People who like to play billiards,” or “People preparing for a wedding.” 

Data broker registrations must include information regarding how consumers can opt out of data collection and sales as well as disclosure regarding the number of “data broker security breaches” sustained in the prior year.   This beach notification requirement exists in addition to the one created by Vermont’s data breach law.

In addition to an annual registration, data brokers must also maintain certain protective measures involving those administrative, technical and physical safeguards appropriate for the scope and size of the business or face a potential unfair or deceptive practice claim under the state’s consumer protection law.   

The statutory civil penalties of this new law are actually quite limited given that a data broker required to register who fails to do so will be subject to a penalty of $50 for each day it fails to register, beginning February 1, 2019, up to a maximum of $10,000 per year.  The real bite is found in the potential civil action that may be brought under Vermont’s Consumer Protection Law, namely potential treble damages and reasonable attorneys’ fees. By linking privacy violations with an established consumer protection law, the Vermont statute nicely meshes existing law – and related interpretative rulings, into an effective privacy battle axe.   

While Vermont may never become a real challenger to California when it comes to privacy laws or regulations, this new law could have a ripple effect with other states eventually providing similar protections.  And, given the call for a federal privacy law to harmonize patchwork state laws, the statute can also very easily be a model for certain provisions in a new federal omnibus privacy law.  Combined with other laws that will be vigorously enforced regarding consumer consent, the coming year is shaping up as a strong one for consumer privacy rights.

Facebook and Google data slurping will likely continue in 2019

In a December 18, 2018 bombshell expose, the New York Times admits it as well as more than 150 companies — “most of them tech businesses, including online retailers and entertainment sites, but also automakers and media organizations”, received special access to Facebook user and friend information.  For example, Microsoft was granted access to user names, Yahoo was able to view posts, Amazon could obtain contact information, and Netflix could even read, write and delete Facebook private messages as well as see all users on a particular thread. Today, these companies either deny the claims outright, claim they were not kept in the loop as to their access capabilities, or simply suggest that such practices terminated.

Facebook today posted a blog post to “clear up” what is set forth in the article.  According to Facebook, most of the features that gave rise to such usage “are now gone”:

We shut down instant personalization, which powered Bing’s features, in 2014 and we wound down our partnerships with device and platform companies months ago, following an announcement in April. Still, we recognize that we’ve needed tighter management over how partners and developers can access information using our APIs. We’re already in the process of reviewing all our APIs and the partners who can access them.

Netflix told the Times it was “unaware of the broad powers Facebook had granted.”  It further said:  “At no time did we access people’s private messages on Facebook, or ask for the ability to do so.”  A Microsoft spokesperson told CNBC in a statement:  “Throughout our engagement with Facebook, we respected all user preferences.”  In another statement to CNBC, Amazon said: “We only use information in accordance with our privacy policy.”  Indeed, in the New York Times article, there is this self-reference: “The Times — one of nine media companies named in the documents — had access to users’ friend lists for an article-sharing application it also had discontinued in 2011.  A spokeswoman for the news organization said it was not obtaining any data.”

Pushing aside the pristine parsing of words now being used, the fact remains Facebook users were never explicitly made aware of this massive exchange of consumer data between Facebook and its partners.

Not far different from this latest Facebook entangle, Vanderbilt University computer science professor Douglas C. Schmidt, in a study released in August 2018, found that:  “A major part of Google’s data collection occurs while a user is not directly engaged with any of its products. And while such information is typically collected without identifying a unique user, Google distinctively possesses the ability to utilize data collected from other sources to de-anonymize such a collection.” Indeed, Android mobile devices send 10 times more data to Google than iPhones.

On August 13, 2018, the AP Newswire released an expose on Google’s geo-data collection practices – but only after retaining Princeton researchers to confirm exactly how Google was able to gather this data.   Stemming from this usage of consumer information, there is a newly consolidated Google class action suit.  Not surprisingly, Google is defending by claiming its data collection could be stopped by changing certain settings – users would simply need to turn off “web and app activity” settings that would, in effect, disrupt full usage of many of their apps.

Once upon a time, Google’s Code of Conduct was built on the motto “Don’t be evil”.  It’s parent company – Alphabet, however, chose not to even use the motto in its own Code after forming in 2015.  And, Google earlier this year explicitly removed the “Don’t be evil” motto from its Code of Conduct.  Instead, Google’s current Code of Conduct reads:  “And remember… don’t be evil, and if you see something that you think isn’t right – speak up!”  The fact those who do actually speak up are being fired or resign – such as one whistleblower on the company’s lack of gender diversity or another who left based on Google’s plans for Chinese censorship, this glib new wording should not instill much confidence going forward.

Given Google’s masterful ability to silence class action lawyers with buckets of cash and consumer cy pres funds, it is not expected the pending consolidation will effectuate any real change.  Moreover, despite Facebook’s numerous congressional representations regarding how it complies with GDPR on a global level, if not for the likes of EPIC and Max Schrems there would be no real pressure on either Facebook or Google to change any of their practices.

With 2019 coming closer into view, it becomes clear that many companies using and maintaining consumer data will likely continue into the New Year with their existing practices given they do not really care about compliance risk – nor do users apparently really care about privacy risk.  Until such time as the compliance and privacy risks are superseded by even greater risks – or overtaken by demonstrated economic benefits to both users and owners of data, it seems likely this status quo will remain intact in the coming year.

The first new business that can address this current apathy by creating tangible and easily understood economic benefits for all participants might very well succeed in modifying an entire ecosystem.  The motivation for launching such an enterprise is readily apparent. As recognized in the Times article:  “Personal data is the oil of the 21st century, a resource worth billions to those who can most effectively extract and refine it.”

Consent Armageddon is coming

On November 19, 2018, the UK’s Register reported how even though the Washington Post was in technical violation of the GDPR, the UK’s privacy enforcement arm, the Information Commissioner’s Office, admitted in private emails that it was not likely going to seek extra-jurisdictionally any potential penalties.

According to the Register, the Washington Post’s online subscription options offers readers a free option (for a limited number of articles); a $6 a month option (for unlimited articles); and a $9 a month option that allows users to switch off tracking and cookies.  With the free and $6 a month options, readers, however, must consent to the use of cookies, tracking and ads.

Acting on a complaint apparently ginned up by the Register, a Case Manager from the UK ICO reviewed these policies and purportedly decided they were in violation of applicable privacy law.  (“I am of the view that the Washington Post has not complied with their Data Protection obligations.   This is because they have not given users a genuine choice and control over how their data is used.”).

Pushing aside the fact the pricing model set forth in the article may be stale – the current pricing is apparently set at a higher rate, and the fact EU residents can apparently opt out of the WaPo’s terms that may be in violation of GDPR, the article still brings home a very important point, namely that consent cannot truly be “freely given” when it is given only in response to a threatened change in pricing.

By way of background, Article 7 (4) of the EU’s GDPR states: “When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.”  By charging a different price for the same services based solely on whether consent is given, there is certainly technical violation of GDPR.

Moreover, under the recently enacted Section 1798.103 (“Right to Equal Service and Price”) of the California Consumer Privacy Act, this alleged violation is made even more stark:  “A business shall be prohibited from discriminating against a consumer because the consumer requested information pursuant to sections 1798.100 or 1798.101, or because the consumer directed the business not to sell the consumer’s personal information pursuant to section 1798.102, or because the consumer exercised the consumer’s rights to enforce this Act, including but not limited to, by: (a) denying goods or services to the consumer; (b) charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties. . . .”

Whether by way of GDPR or CCPA – or other laws still not enacted, companies will eventually be tested on the adequacy of “freely given” consents.  And, the extra-jurisdictional limitations of GDPR will certainly not curtail US enforcement under an even more direct CCPA.  In other words, despite what others may suggest, marketers and others embedded in the digital ad ecosystem should likely get their consent proofs in order – especially as “big brands continue to redirect their ad spend and adapt their advertising practices to the GDPR.”

Between the recent 60 Minutes GDPR feature with Max Schrems – an educational piece that can only further draw consumer ire, or the actual four Complaints filed by Schrems that will likely resolve these issues, a Consent Armageddon is headed our way beginning in 2020 – the year CCPA also comes online and GDPR enforcement efforts will be more fully staffed.    More importantly, with the proper mechanisms in place, sometime after 2020, data subjects will finally have the power to fully exert ownership and controlled use of their own data – a property class that should be treated no differently than gold or silver.

Apple’s CEO rails against the “data industrial complex”

Tim Cook was on fire in Brussels giving his October 24, 2018 keynote speech at the 40th International Conference of Data Protection and Privacy Commissioners (ICDPPC).  As reported by TechCrunch, Mr. Cook targeted Google and Facebook when he said: “Our own information — from the everyday to the deeply personal — is being weaponized against us with military efficiency. . . These scraps of data, each one harmless enough on its own, are carefully assembled, synthesized, traded and sold.”

He played to his appreciative EU audience when he said:  “We should celebrate the transformative work of the European institutions tasked with the successful implementation of the GDPR. . . . It is time for the rest of the world, including my home country, to follow your lead. . . . [Apple] is in full support of a comprehensive, federal privacy law in the United States”.

Cook argued for a federal US privacy law that would prioritize four things:

  1. Data minimization — “the right to have personal data minimized” or not collect it in the first place;
  2. Transparency — “the right to know what data is being collected and what it is being collected for” to “empower users to decide what collection is legitimate and what isn’t”;
  3. The right to access — given “data belongs to users” it should be made easy for users to get a copy of, correct and delete their personal data; and
  4. The right to security — given “security is foundational to trust and all other privacy rights”

According to Cook, the creation of extensive digital profiles “is surveillance.  And these stockpiles of personal data serve only to enrich the companies that collect them. This should make us uncomfortable.”

After he dropped his mic, Cook quickly went on Twitter to double down on his speech:

It is not clear how his obviously well-thought out position will ultimately impact Apple’s bottom line.  As previously observed, Apple has a natural symbiotic relationship with the social media platforms given “the smartphones that are the backbone of Apple’s success thrive in a social media environment where Facebook does exactly what it wants, namely provide “free” services that are habitually accessed throughout the day.”

Whether Cook is ultimately bluffing for PR points or believes his company’s lobbying can ultimately finesse any future legislative effort is beside the point.    The most powerful tech company in the world has just thrown down the gauntlet for a unified US privacy regime.  No different from the recently-enacted bipartisan anti-opioid abuse law, consumer privacy is a bipartisan issue so it is likely Congress will eventually come together to pick up Mr. Cook’s heavy glove.  And, for that Mr. Cook deserves another loud round of applause.

Gilder’s Life after Google

Even though one online reviewer called it “[a] random walk through Silicon Valley without any goal, valuable information, conclusions or anything other than what would fit a gossip magazine”, Gilder’s book provides a grand thesis with very deliberate underpinnings.  There are certainly many other books and articles out there that better inform regarding blockchain.  Nevertheless, Gilder explains exactly why blockchain will in the distant future help cause Google to lose its digital stranglehold.  For that, his book largely stands alone.

Gilder has had close access to the elite tech digerati for decades. There is no denying he knows what and who he is talking about. The writing style, however, will not be everyone’s cup of tea.  For example, applying a straw man style, he often builds up only to take down later in the book. This can easily be frustrating.  Also, an imagined meeting with Satoshi Nakamoto – the pseudonymous founder of Bitcoin, can either be considered a highlight of the book or downright hokey based on one’s literary taste.

To Gilder, Google’s downfall largely rests on its giving away free products without fully understanding how this zero-sum system neglects the value and impact of consumer time on Google’s $30 billion dollar Siren Servers – a Jaron Lanier term used to convey the eventual death spiral of a company blinded by its 75,000 server farm.  Gilder reminds:  “Without prices, all that is left to confine consumption is the scarcity of time”.

Interestingly, Jaron Lanier as well as Peter Thiel feature predominately in this book as the existential fodder for much of Gilder’s musings. The true sparkle, however, remains pure Gilder – including his view that Google’s fall is precipitated on the behemoth’s not fully understanding true wealth can only be a product of knowledge and memories.  As Gilder suggests, “wealth is not a thing or a random sequence. It is inextricably rooted in hard won knowledge over extended time.” How he eventually connects the many dots found in the book is worth the read despite the haphazard approach.  And, despite valid style criticisms, given so few are walking down this exact path, Gilder’s trailblazing can only be lauded.

Using pokes and outright direct digs on failed exercises of socialism and a “World Saving” Artificial Intelligence fealty pursued by Elon Musk, Gilder’s libertarian bent expresses a slightly brighter vision where creativity and humanity win out.  He is on to something – just ask Tim Berners-Lee about his startup, Inrupt to get additional perspective on Google.  And, the decentralized web ecosystems exemplified by Blockstack and Hashgraph are certainly aimed at tearing down the current global ecosystems founded by the Tech Lords of Stanford. Ultimately, in futurist Gilder’s vision, individuals win when they can more easily trust and be secure in their interactions.

Those seeking an actual name for the specific Google killer app will be disappointed. Gilder does not reveal which business vision will launch the “killer app” required to actually break the status quo.  Readers are provided with an abstract roadmap lacking in specific directions because no specific killer app has been publicly announced yet and will likely not be released for several years.

EU-US Privacy Shield may soon be suspended


The EU-US Privacy Shield may finally be in actual jeopardy.  It was previously thought that given the high stakes, this data transfer accommodation implemented as a replacement for the judicially invalidated Safe Harbor program was too important an agreement to be withdrawn and that only another judicial ruling could render its death knell.  That is no longer the case.   A vote today by the European Parliament made sure of that.

As reported by the IAPP,  on July 5, 2018 the European Parliament passed a non-binding resolution by a vote of 303 to 223 votes and 29 abstentions to have the European Commission suspend the EU-US Privacy Shield “unless the U.S. is fully compliant” by September 1, 2018.    This is the second September review of the EU-US Privacy Shield.

Between the GDPR requirements left out of the EU-US Privacy Shield, the Cambridge Analytica fiasco that still dogs Facebook, the US’s adoption of the Clarifying Lawful Overseas Use of Data Act (CLOUD Act) – a statute that expressly allows access to trans-border personal data, the US’s pulling out of the Iran deal despite strong pressure from the EU, and the current tariff barbs being sent across the Atlantic, the long-term health of EU-US Privacy Shield can no longer be considered a given.   Companies who have been reliant on this data transfer accommodation should certainly consider alternatives as soon as possible.

UPDATE:  October 23, 2019

As reported in TechCrunch, the EU-US Privacy Shield has withstood its last review given the appointment of an ombudsperson role but there still remains pending litigation targeting it.

UPDATE:  July 16, 2020

On July 16, 2020, the EU Court of Justice decided “Schrems II” and invalidated the EU Commission’s Decision 2016/1250 regarding the adequacy of the EU-U.S. Privacy Shield (‘the Privacy Shield Decision’).  As described in the Press Release:

[T]he limitations on the protection of personal data arising from the domestic law of the United States on the access and use by US public authorities of such data transferred from the European Union to that third country, which the Commission assessed in Decision 2016/1250, are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law, by the principle of proportionality, in so far as the surveillance programmes based on those provisions are not limited to what is strictly necessary.

In rejecting the use of a Privacy Shield Ombudsperson who was independent from the Intelligence Community – the agreed-upon safeguard found in the Privacy Shield Decision, the Court of Justice ruled that such a mechanism “does not provide data subjects with any cause of action before a body which offers guarantees substantially equivalent to those required by EU law, such as to ensure both the independence of the Ombudsperson provided for by that mechanism and the existence of rules empowering the Ombudsperson to adopt decisions that are binding on the US intelligence services.” 

New California law provides statutory damages for data incidents

With the June 28, 2018 signing of The California Consumer Privacy Act of 2018, data breach class counsel are rejoicing that they finally have a private right of action backed with statutory damages.  Even though there were previous statutory remedies for privacy violations, the recent California law has gone where no other law has gone before by expressly providing a private right of action for a data breach that also allows for a minimum statutory amount.  Not surprisingly given it was the first state to pass a breach notification law, the California legislature again led the way.

After certain data incidents involving the loss of consumer data, California consumers will have beginning on January 1, 2020 a private right of action that can also be brought on a class-wide basis.   Specifically, any consumer whose unencrypted or nonredacted personal information “is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action . . . to recover damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident or actual damages.”   Section 1798.150(a)(1).

Despite being groundbreaking, there are still numerous hurdles class counsel must surmount before a class can be certified.  For example, the private right of action may not be allowed unless the compromised information is subject to unauthorized use.  Section 1798.150(a)(1).   Accordingly, those incidents where unauthorized use is not in issue are not subject to the statute.

Moreover, the law can only be used against a business with “gross revenues in excess of twenty-five million dollars ($25,000,000)” or one that purchases personal data on “50,000 or more consumers, households, or devices” or one that “derives 50 percent or more of its annual revenues from selling consumers’ personal information.” Section 1798.140(c).

Curiously, the law allows a business to “cure” its security violation; and thereby avoid suit, but leaves to the imagination exactly how that curing process would play out.   Section 1798.150(b)(1).

And finally, this private right of action can be withdrawn if the California Attorney General files its own suit after being provided notice of a consumer’s lawsuit.  Section 1798.150(b)(3).   The AG’s office has 30 days to decide whether or not to file suit after being provided with the consumer’s lawsuit notice.

Notwithstanding the last-minute changes made to this last-minute statute, it still provides California consumers with the country’s most expansive statutory privacy rights– rights that will be immediately deployed by class counsel after 2020.   Most analysis on this new law, however, has focused on comparing it to the EU’s GDPR privacy regime – a recently implemented privacy regime that impacts many  US-based companies.    In addition to the privacy requirements, companies processing significant amounts of consumer personal data should also take the class action risk very seriously and if they do not already purchase insurance for that risk, they should at least evaluate transferring some of this liability risk by way of the privacy and data security insurance long been available to most any company.

UPDATE:  September 28, 2018

SB211 was signed into law largely to “technically correct” errors in the law but nevertheless made two significant changes to Section 1798.150 when it removed the prior requirement that consumers notify the Attorney General prior to bringing any action for a data breach and removed the prior requirement that the Attorney General could bar consumer plaintiffs from bringing suit.  These two significant changes will certainly make for a very interesting class action year in 2020.

UPDATE:  February 26, 2019

On February 22, 2019, a proposed amendment to the law was proposed that would do away with a cure provision, expand the statutory damages provision to any violation of the law, and limit the role of the Attorney General in policing violations.  If passed, these changes will significantly alter the reach of the law by making the plaintiff’s bar’s arsenal even wider and the law’s penalties that much stronger.