The Interactive Advertising Bureau’s IAB Tech Lab has unveiled the Global Privacy Platform (GPP) to standardize U.S. and global privacy preferences for digital ads and wants input on the plan.

Getting the privacy part of targeted advertising right could be crucial to the continued health of what has been a booming online ad market. Statista.com predicted that digital ad spending in the U.S. alone will top $200 billion by 2025.

The fruits of Protect Rearc and two years in the making, the GPP is a single protocol for transmitting privacy, consent and consumer-choice preferences from websites and apps to advertising tech providers. The idea is to mitigate privacy risks and square those protections with Europe’s Transparency and Consent regime and the California Privacy Rights Act (CPRA) — the U.S. has no national privacy framework, but one of the reasons for coming up with GPP is the threat of a balkanized system of differing state (and international) approaches.

“Regulations are hitting the books faster than we can build individual solutions for,” said Andrea Giannangelo, CEO of Iubenda, which provides privacy compliance services.

“Privacy regulations such as the GDPR, CCPA, CPRA, PIPEDA and numerous new local privacy laws, create immense complexity and fragmentation in the market," IAB Tech Lab senior director Jason Raqueno said. "The GPP is intended to enable participants across the advertising supply chain to navigate the complexity of numerous overlapping global privacy laws through a single platform and consent signaling protocol."

Rearc was launched in 2020 in response to the limitations of third-party cookies and other targeted ad identifiers.

Also: IAB Says National Privacy Regime Is Job One

According to IAB Tech Lab, which is the digital ad industry’s standard-setting body, the GPP “enables advertisers, publishers, and technology vendors in the digital advertising industry to adapt to regulatory demands across markets," cuts the cost of managing privacy compliance, and helps reduce risk by "a single framework to encode and transmit consumer privacy preferences, which they can leverage globally and across all platforms and channels.”

IAB Tech Lab CEO Anthony Katsur said the GPP is ready for global adoption, but IAB is first seeking comment (it will give interested parties 60 days). IAB is looking for input from “publishers, brands, media companies and legislative officials.” ■

Concluding that it does not sufficiently protect data transferred from the EU to the U.S., the EU's Court of Justice has invalidated the "privacy shield." 

Related: FTC Cracks Down on Alleged Privacy Shield Pretenders 

The decision, which affects some 5,00 companies, will likely ramp up calls for Congress to pass the data privacy protection legislation both sides have said they support but have failed to agree on. 

The privacy shield replaced the safe harbor agreement that a European Union court invalidated in October 2015 over concerns about the U.S. being able to hold up its end of the agreement given the government surveillance revealed by the Edward Snowden leaks. The voluntary framework requires companies to provide notice of what personal information is being collected and stored, the purposes it is used for, and an "opt out" mechanism.

The shield was a way for those U.S. companies to be considered in compliance with the EU's General Data Protection Regulation simply by signing on to the shield's data protection guarantees rather than having to come up with individual policies and agreements to comply with the GDPR protections of cross-border data flows. 

But the court concluded the U.S. was not able to hold up its end of the agreement about protecting that data. 

The Department of Commerce said Thursday (July 16) that it is reviewing the decision but that, in the meantime, it will continue to administer the Privacy Shield program, including processing submissions for self-certification and re-certification. "Today’s decision does not relieve participating organizations of their Privacy Shield obligations," it said.

The FCC under former chairman Tom Wheeler approved privacy rules, but they were invalidated by the Congress despite pushback by privacy groups and Democrats who called for a privacy "bill of rights." 

Related: FCC, FTC Chairs Defend Privacy Rules Rollback

"In the view of the Court, the limitations on the protection of personal data arising from the domestic law of the United States on the access and use by US public authorities of such data transferred from the European Union to that third country, which the Commission assessed in Decision 2016/1250, are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law," the decision held. 

The European Union gave a thumbs up to the EU-U.S. Privacy Shield in its first annual review back in 2017, though the annual report said it could still use some work.

“While the Department of Commerce is deeply disappointed that the court appears to have invalidated the European Commission’s adequacy decision underlying the EU-U.S. Privacy Shield, we are still studying the decision to fully understand its practical impacts,” said Secretary Wilbur Ross in a statement. “We have been and will remain in close contact with the European Commission and European Data Protection Board on this matter and hope to be able to limit the negative consequences to the $7.1 trillion transatlantic economic relationship that is so vital to our respective citizens, companies, and governments. Data flows are essential not just to tech companies—but to businesses of all sizes in every sector. As our economies continue their post-COVID-19 recovery, it is critical that companies—including the 5,300+ current Privacy Shield participants—be able to transfer data without interruption, consistent with the strong protections offered by Privacy Shield.” 

“The interruption of transatlantic data flows resulting from this decision is a significant setback for all businesses and industries in the U.S. and EU who relied on Privacy Shield and hampers their ability to conduct day-to-day operations—everything from accessing the cloud to managing human resources and running payroll," said ITI president Jason Oxman. "The Court’s decision negatively affects the two economies’ shared efforts to facilitate trade while providing necessary privacy protections for EU citizens." 

Related: EU Says Privacy Shield is Working

“This decision creates legal uncertainty for the thousands of large and small companies on both sides of the Atlantic that rely on Privacy Shield for their daily commercial data transfers," said Computer and Communications Industry Association public policy senior manager Alexandre Roure. "We trust that EU and U.S. decision-makers will swiftly develop a sustainable solution, in line with EU law, to ensure the continuation of data flows which underpins the transatlantic economy. We hope enforcement authorities will grant Privacy Shield signatories time to migrate to alternative legal mechanisms.” 

"In spite of growing bipartisan momentum in Washington and among technology companies about the need to act, the absence of a single federal privacy policy has encouraged states and international governing bodies to fill the vacuum and effectively dictate how Americans operate online." -Jonathan Spalter, USTelecom

Whether or not Congress flips blue or remains red after the election, there is a purple issue the next Congress must immediately tackle. It is bipartisan, affects America’s global leadership, and is a priority for every consumer who uses the internet: digital privacy.

In our hyper-connected digital lives, consumers across the political spectrum expect and demand strong internet privacy protections. Internet users should be certain that sharing images, exchanging messages, visiting websites, engaging in commerce and sending sensitive data are the types of acts the entire internet ecosystem is obligated to respect and protect.

We agree.

America’s innovative broadband providers are united by the principle that digital privacy is sacred and government has a role in ensuring that consumers can both confidently use the internet and maintain their privacy to the degree that they are comfortable.

In spite of growing bipartisan momentum in Washington and among technology companies about the need to act, the absence of a single federal privacy policy has encouraged states and international governing bodies to fill the vacuum and effectively dictate how Americans operate online.

Unless Congress steps up on privacy, others are going to keep stepping in with well-meaning but counterproductive privacy plans.

The new California Consumer Privacy Act (CCPA), for example, gives consumers the right to prevent their personal information from being sold to third parties. This seemingly innocuous provision does not distinguish between sensitive and non-sensitive information and could impact how consumers receive online advertising or valuable discounts associated with store rewards programs.

The European Union’s General Data Protection Regulation (GDPR) includes a similarly expansive definition of personal information and makes consent to use or share information more difficult to obtain.

These first-mover laws have made constructive contributions to the privacy conversation and deserve credit for responding to mounting consumer concerns. But at the end of the day these patchwork approaches risk creating consumer “confusion” in the name of consumer “protection” and turns the EU, or a single state, into the de facto regulator of digital privacy in the United States.

Instead, all players in our internet economy should be working together to avoid further policy fragmentation and build on the strengths of existing approaches to develop our own comprehensive, unified privacy blueprint that puts consumers first, builds digital trust and applies to all companies interacting with individuals on the internet.

Congress should lead that effort by developing a framework with privacy principles that include: effective security, ample consumer choice and flexibility, and reliable notifications when breaches occur – also applied uniformly to all companies operating on the internet. This framework should have mechanisms that are interoperable with existing multinational privacy regimes.

We know the ones and zeroes of our digital infrastructure are neither red nor blue. From our largest global enterprises to our smallest digital entities, millions of consumers are counting on Congress – regardless of who wins the midterms – to come together to develop a pro-investment and pro-innovation privacy plan that delivers peace of mind to consumers.

Our companies are committed to doing our part to shore up digital trust and give Americans the confidence that no matter what platform, device or network they choose, guardrails will be in place to protect their digital privacy and support our growing and interdependent internet ecosystem.

Jonathan Spalter is the president and CEO of USTelecom, a telecommunications industry trade association representing broadband service providers, manufacturers and suppliers in the world of internet-based communications and entertainment.

The deadline to achieve compliance with the European Union’s General Data Protection Regulation (GDPR) has passed, and the global sense of panic that so many organizations felt as they rushed to meet that deadline has died down. But GDPR’s broad definition of what constitutes a consumer’s personal data, and its strict requirements governing how companies process and use that data, remain pervasive topics of an on-going global discourse around privacy regulation. Like any other internet consumer service, OTT video providers with subscribers in the EU must comply with GDPR because they typically handle data that fall under its purview. One example that OTT providers need to pay close attention to is device IDs.

Smart TVs and streaming digital media players such as Roku and Chromecast have their own unique device IDs that fulfill several functions for OTT services in addition to identifying a specific device. They can also be used to tie licenses for consuming content to a device or user, track user behavior to create personalized content recommendations, perform audience measurement and target interest-based advertising.

Collecting and using this information incurs several obligations on the part of OTT providers, ideally beginning with conducting a “data protection by design” review of their applications and services. This is a systematic technology and process review to ensure good privacy protections are built in, identify and mitigate potential privacy risks and document all the steps in accordance with the GDPR’s accountability requirement.  

Users should be informed about the collection of identifiers and the purposes they are used for prior to collection. Automated collection in the background without the user’s knowledge is problematic.

An OTT provider needs to decide on a legal basis for processing device IDs, which would typically be "consent" or "legitimate interest" of the provider. Where "consent" is the legal basis it should be "unbundled" to give users meaningful choices - and not simply a take-it-or-leave-it menu. For example, device identification may be strictly necessary for service delivery, and the utilization of identifiers for DRM purposes is arguably in the legitimate interest of the provider. However, the use for recommendation services or targeted advertising may require independent consent. 

If device identifiers are shared with third parties, put proper contractual safeguards in place. This includes provisions of how the identifiers can be used by any third party. Also, decide on data retention policies for identifiers and the usage data associated with them. 

 With regard to privacy by design and default, OTT service providers should apply good privacy engineering principles to the generation, collection and processing of device IDs. “Data minimization” is one such principle. Collecting only what’s needed will make it much easier to manage and secure personal data responsibly. 

 Another privacy engineering principle to embrace focuses on giving users more control over their data. For example, a user should be able to reset device IDs, where doing so is reasonably possible. If a class of device IDs is not resettable for justifiable reasons, then consider generating multiple device IDs for additional purposes. 

Even OTT video providers that do not need to comply with GDPR should conduct thorough audits of their policies and practices for managing personal data. GDPR and the scandal created by Cambridge Analytica’s misuse of Facebook data are just two events driving rising consumer demand for more control over the privacy of one’s data. In the U.S. that’s causing a ripple effect across state legislatures and in several departments and offices throughout the federal government. 

 Consider that California and Vermont this year passed legislation, which aggressively addresses data privacy that, like GDPR, has broad-reaching ramifications around how companies collect and use personal data. At the federal level, the Trump administration is reportedly crafting a set of data privacy protections to guide state and federal lawmakers as they consider similar legislation. 

 There is still some uncertainty about when it’s OK to use "legitimate interest" rather than opt-in consent as the legitimate basis for processing: it seems prudent to wait to see how these discussions shape up before making drastic decisions that could dramatically impact a product. What degree of unbundling of consents is expected will also become clearer as lawmakers are deciding complaints against big tech companies such as Google and Facebook on similar issues.In closing, it’s imperative that OTT video service providers strive to ensure compliance with all applicable laws and regulations that are “on the books” today and may be signed into law tomorrow. 

This can start with a straightforward two-step process: 

1. Conduct a detailed "data protection by design" review of OTT applications and services; 
2. Develop and implement a mitigation plan for any privacy risks and shortcomings. 

Dr. Tomas Sander is the data protection officer (DPO) and a senior research scientist at Intertrust Technologies. Tomas leads Intertrust’s Privacy and Data Protection program. He also conducts research on privacy enhancing technologies and their use in practice. Prior to joining Intertrust, Tomas worked for 14 years at Hewlett Packard Labs in Princeton, New Jersey where he was a member of the Security and Manageability Lab, which conducts research in security, privacy and cloud technologies.

"Laws and regulations intended to promote privacy may build protective moats around large companies ... making it more difficult for smaller companies to grow, for new companies to enter the market, and for innovation to occur," Federal Trade Commissioner Noah Phillips told the Internet Governance Forum USA conference in Washington on July 27. 

Phillips indicated that communications and technology companies, "some of which already possess significant amounts of data about people," will be of special interest when the FTC begins its extensive probe into privacy and other digital business practices starting in September.

"Competition must be part of ... our conversation about privacy," said the new commissioner in one of his first the public presentations since taking a Republican seat at the FTC in May. Echoing the words of FTC chair Joseph Simons, who also was sworn in two months ago, Phillips warned that, “If you do privacy in the wrong way ... you might end up reducing competition. You might create a situation in which you entrench the large tech platforms [and] make it very difficult for ... new entrants and smaller firms to get the attention of the consumers that they’re trying to reach.”

Related: Trump Taps Simons for FTC Chair

Phillips's prepared remarks were laden with objectives from both sides of the regulatory spectrum, ranging from pro-business protections to concerns that lobbying by incumbent technology providers could shut out innovative upstarts. Citing arguments about the risks inherent in “leveling the playing field” among firms doing different things with different kinds of data makes sense, Phillips insisted.

"We do not want the regulatory burden to be so onerous that it excludes potential market entrants or inhibits innovation," he said.

But Phillips also emphasized the "brand effect" advantage that big companies have in the marketplace, because consumers "are likely to trust the companies they know." That leads to "another, more insidious, effect that any regulatory regime can have: Large companies can manipulate legal requirements to their own benefit more easily than smaller competitors or new entrants."

"The benefit to incumbents is not just lobbying for laws that favor them; it is also implementing seemingly neutral laws or regulations in ways that benefit them at the expense of their would-be competitors," Phillips added.

Phillips' focus on privacy reinforced the opening keynote that morning by David Redl, assistant Secretary of Commerce for Communications and Information, and head of the National Telecommunications and Information Administration.

"We will be looking to strike a balance between prosperity and privacy that is in line with American values – and we’re listening to a broad cross-section of stakeholders to find that balance," Redl said. 

Redl cited NTIA's plan to publish the high-level principles along with a Request for Comment in order to "begin engagement on how to move forward to reach the goals set out in the document." He did not specify a timetable for this process.

Redl also summarized NTIA's cybersecurity and ongoing Intellectual Property projects, including its triennial review process under the Digital Millennium Copyright Act.

Learning from Europe's GDPR

Acknowledging the kerfuffle about Europe's recently imposed General Data Protection Regulation (GDPR), Phillips contended that for Europeans, it represents an expression in law of their view that the protection of personal data is a fundamental right.

"For the U.S., it may provide a test case for how a different privacy regime than our own might work," the FTC commissioner continued. "My concern is that early signs point to precisely the effects on competition that I fear." 

Phillips said that as U.S. regulators consider the potential benefits of new privacy protection, "We must consider the costs, too, on competition and innovation."

"GDPR provides us with a great opportunity to see how a large-scale privacy regime works in practice, and for us in the United States to learn from Europe’s experience."

Related: Sen. Blumenthal Preps U.S. Version of EU Privacy Framework

Phillips also used the IGF-USA platform to plug the FTC's multi-day, multi-part hearings that will explore privacy and other "broad-based changes" in the economy. The FTC expects its hearings, announced last month, to consist of up to 20 sessions from September through January 2019. Topics will include evolving business practices, new technologies and international developments that "might require adjustments to competition and consumer protection enforcement law, enforcement priorities, and policy."

In announcing the comprehensive investigation, the FTC said it seeks initial input by Aug. 20 on factors such as the competitive effects of corporate acquisitions and mergers and analyses of monopsony power. It also invited comments about the role of intellectual property and competition policy in promoting innovation and implications about the use of big data, artificial intelligence and predictive analytics.

Twitter took, naturally, to Twitter to announce that it will shut down its TV apps for three platforms – Roku, Android TV and Xbox – on May 24.

Related: Disney to Develop Shows for Twitter

Twitter didn’t elaborate on the reason in a tweet announcing the decision, but reports are that it’s shutting them down as it works on tweaks to ensure they are compliant with the European Union’s General Data Protection Regulation (GDPR), when it takes effect May 25. For now, Twitter’s apps for Apple TV and Amazon Fire TV will continue.

[embed]https://twitter.com/TwitterSupport/status/998956840674193409[/embed]

TechCrunch said other factors contributed to the decision, including a lack support a “standard regular supported video player” on Roku and Xbox and that Twitter’s been trying to move more of its base to first-party mobile apps and its desktop website.

Still, the decision to cut back support for a set of TV-connected platforms so it can focus on compliance with the new data privacy law in Europe also arrives as social networking giant continues to carve out content deals with dozens of content programmers, including NBCU, ESPN, Viacom and Hearst.