Privacy Insider: September 28, 2021

Cookies. They're the lifeblood of many businesses. And they're undergoing a massive shift.

Well, that's at least true for the third-party kind. The kind that comes from an advertiser with a relationship to the site a user's visiting, deployed to track that user around the web for insights on their behaviors. 

Thanks partly to the Cambridge Analytica scandal, users and regulators have become increasingly concerned about the data such cookies were collecting. How did Facebook know which users were most likely to own guns or how they voted in the most recent election? These kinds of revelations put a new spotlight on tracking cookies.

It's a hugely important topic. There are entire economies built on ad tracking and a lot of profit at stake. 

What's not clear is what we should do about it. Because online content has billed itself as "free," it feels uncomfortable to start talking about paying every time I want to Google something, you know? But if third-party cookies disappear, who picks up the tab?

See, the content was never actually "free." It's just that platforms have used ad-sales profits to fuel their engines. The content all of us as consumers can access for "free,"  written by journalists, lawyers, artists and academics, is paid (mainly) via the money sites make from displaying content users want to see, yes. Meaning: The money they make from advertisers desperate to get on the same page as that excellent content because they've indicated an interest in that topic. And that happens via tracking.

If advertisers walk because cookies disappear, who then pays for us to obsessively absorb information? If ad sales don't pay for the work we all ingest, where does that money come from?  

There are a few ideas at play. 

There's the Brave model. If you haven't heard of it, Brave is a browser that sells itself on user privacy. It doesn't support targeted ads on its platform. Instead, it scrubs websites' ads and then fills the space with ads it sells in-house. Instead of users seeing personalized ads, the entire user base sees ads based on an "anonymous aggregate of the browser's user base," as Computerworld reports. 

Facebook's recent experiment is similar to Brave's model. It's looking at ways to target users with ads without using personal data. Instead, users with common interests would be lumped together as a "group" of potential buyers who might be interested in a product, as The New York Times reports. 

Last year, Apple deployed a pop-up window to allow users to opt out of being tracked by third parties for advertising purposes. More than 80% used it, and that had an impact on small businesses, especially. I chuckle as I write this, but even Facebook stated that it was "Speaking up for small businesses" in full-page ads in The New York Times, The Washington Post and The Wall Street Journal. "Our studies show, without personalized ads powered by their own data, small businesses could see a cut of over 60% of website sales from ads," Facebook said. 

In an article for WIRED called, "Nice Try, Facebook. iOS Changes Aren't Bad for Small Businesses," Dipayan Ghosh said Apple's changes "hurt Facebook and its affiliated data brokers and ad networks — not the main-street small businesses evoked by Facebook's newspaper ads." 

Some say it doesn't matter if Big Tech can't make advertising dollars off third-party cookies because companies like Google, Apple and Facebook own most user data already. They could run on those insights alone. And that's where some of the antitrust complaints lodged against the companies come in. To oversimplify a complicated topic. 

Absent a browser-based solution, there could be ramifications to users and consumers other than less-relevant ads popping up on their iPhones or Androids. Some businesses may have to raise prices to make up for ad revenue loss. Or, websites could turn to a subscription-only model. 

Though some of the products and services claim their way is the best path forward for protecting consumer privacy, we've yet to agree on how to do that without devastating advertisers. 

That's what Google's Privacy Sandbox ostensibly will do. But things are moving slowly. Google had initially sought to phase out third-party cookies by the end of 2022 but has since delayed to 2023. It told advertisers it would come up with an alternative plan before it ditched third-party cookies altogether, and so far, no one's come up with it. 

"While there's considerable progress with this initiative, it's become clear that more time is needed across the ecosystem to get this right," Google said in its June update. 

For now, we'll have to let companies fumble with some experiments. But businesses have reason to be concerned about how much that'll cost them until an anxious industry finds its way before regulators find it for them. 

Hey, if you missed our web conference last week on U.S. state privacy laws, it was a good one! See the link above for access. 

Enjoy reading, and I'll see you next week!

If cookies go away, who pays for the internet? 

The New York Times reports on the future of the internet now that the $350 billion digital ad industry is being dismantled. "Driven by online privacy fears, Apple and Google have started revamping the rules around online data collection. Apple, citing the mantra of privacy, has rolled out tools that block marketers from tracking people. Google, which depends on digital ads, is trying to have it both ways by reinventing the system so it can continue aiming ads at people without exploiting access to their personal data," the report states. But if Tech Giants and mom-and-pop shops alike can't do cookie-based marketing for data, what takes its place as the internet's currency? 
Read Story

EU authorities form cookie task force to handle influx in complaints 

The European Data Protection Board, the group comprising EU data protection authorities from the 27 member states, has announced it will form a cookie banner task force. The task force will respond to an influx of complaints with several data protection authorities over cookie banners. NYOB, the advocacy group led by Max Schrems, filed 422 complaints in August against websites it claims are using misleading cookie banners, a violation of the EU General Data Protection Regulation. 
Read Story 

At hearing this week, Senators to debate potential US privacy law

The lawmakers with jurisdiction over consumer privacy have finally set a date for this legislative session's first hearing, Politico reports. At the Senate Committee on Commerce, Science and Transportation hearing, slated for Wednesday, Sept. 29, senators will discuss the need for a comprehensive federal privacy law and examine how to protect consumer privacy rights adequately. It's been nine months since the committee last met on privacy. 
Read Story

UK marketers file complaint with European Commission over Google's Privacy Sandbox

A coalition of digital marketing firms and others has filed a formal complaint with the European Commission against Google's Privacy Sandbox. The Sandbox, orchestrated by the World Wide Web Consortium, aims to create web standards for sites to deploy online advertising without the use of third-party cookies, which Google is phasing out. In June, EU regulators said they were investigating Google's adtech practices, including the Privacy Sandbox proposal. TechCrunch reports that the Movement for an Open Web alliance says Google's technology changes impact user choice on privacy and hampers competition.
Read Story

South Korea one step closer to 'adequacy' agreement with the EU 

On Sept. 27, a group of EU data protection authorities (DPAs) said South Korea's privacy law aligns closely enough with the EU's to allow data transfers safely, EURACTIV reports. The opinion is "non-binding" and aims to advise the European Commission in its decision over whether to grant South Korea so-called "adequacy," as required for non-EU countries to transfer data across EU borders. However, the DPAs noted reservations about South Korean law enforcement's access to personal data under its law. Next, EU member states must weigh in before the Commission can finalize the deal. 
Read Story