In this Media Review, we bring together 4 stories, including the positive reception for FLEDGE, the French privacy regulator fining a game developer for leveraging IDFV (Identifier For Vendors), and the European Center for Digital Rights unifying the “dark patterns” interpretation in terms of cookie consent pop-up windows.
Table of Contents:
- As Cookies Wane, Retargeting Protocol Fledge Emerges as Privacy Sandbox Favorite – AdWeek
- DOJ sues Google over its dominance in online advertising market – CNN
- Report of the work undertaken by the Cookie Banner Taskforce – European Data Protection Board
- French privacy watchdog to Voodoo Games: use of the IDFV requires consent – Mobile Dev Memo
= The article points out that FLEDGE, an essential part of the Privacy Sandbox, is considered a “more viable” 3rd-party cookie replacement in the industry. There are many reasons for that: FLEDGE satisfies many digital advertising use cases and makes the audience 100% addressable while getting rid of any identifier associating internet users with their browsing history.
= It is also mentioned that an early tester of FLEDGE, RTB House, reported 9 new entities started testing FLEDGE since late Q3 2022, while Google claims FLEDGE’s live auction testing has more than tripled in the same time.
= At the same time, it is emphasized that while FLEDGE is increasing its adoption momentum, another (and simpler) solution under the Privacy Sandbox umbrella, Topics API, seems to be held back by a negative reception in the industry. The rejection of this concept by W3C’s TAG Working Group is due to its supposed lack of privacy enhancement as compared to 3rd-party cookies. This, however, was challenged by Google, which intends to keep working on Topics API and believes in its future adoption.
= It is reported that the DOJ filed a suit in Virginia’s Eastern District federal court against Google for allegedly “corrupting legitimate competition in the ad tech industry”. The article mentions that the DOJ demands that Google at least sells its online advertising exchange and its ad server for publishers.
= At the same time, Google commented in a blog post that competition in the digital advertising space has increased and lists the major competitors, which, according to Google, are thriving in that field. Moreover, it is underlined that the DOJ and other regulators had given a green light for the same acquisitions (of Doubleclick 15 years ago and AdMeld 12 years ago), which the DOJ is currently attempting to unwind.
Report of the work undertaken by the Cookie Banner Taskforce – European Data Protection Board
= It is reported that, as a result of the complaints filed by NOYB (non-profit European Center for Digital Rights organization), a special task force has been created, which unified the “dark patterns” interpretation in terms of cookie consent pop-up windows. A majority of its members have reached a common ground that the following behaviors presented by the website owners are going to be deemed incompliant in light of the ePrivacy directive:
- No “reject all” button on the first layer – in many cases, there is no option, which would constitute a 1-1 equivalent to the “Accept All” button on the first layer of the pop-up window.
- Pre-ticked consent boxes in the second layer of the pop-up. One has to untick them one by one in order to not give consent.
- Applying a link, rather than a button, to click in order to either reject or move to the second layer of the pop-up, which is often hidden (not-highlighted) in the paragraph of text or even somewhere outside of the pop-up, where “allow” is located.
- Attempting to make it seem that there is an “allow” option to move forward by obscuring the rejecting options.
- Unjustified usage of GDPR’s “legitimate interest” clause.
- Inaccurate “essential” cookies classification.
- No apparent way to withdraw once granting consent.
= It is reported that Voodoo, a games developer, has been fined by CNIL (French privacy regulator) with €3M for leveraging IDFV (Identifier For Vendors) on iOS to track user behavior for the purpose of advertising. This happened even though the very same users have opted out from tracking, in accordance to ATT (Apple’s App Tracking Transparency Policy).
= The article stated the difference between IDFA (Identifier For Advertisers) and IDFV. In the case of the former identifier, it is assigned to a single device and remains the same across all the apps within, while the latter can be treated as a 1st-party identifier as it only ties user behavior across the same developer’s properties. Although ATT only applies to IDFA, the regulator determined that using IDFV for advertising also requires explicit consent from the user, which wasn’t the case.
= Similar conclusions were derived from the judgment of the European Data Protection Board (resulting in a €390M fine for Meta). It ruled, based on GDPR, that Facebook and Whatsapp were unlawfully forcing users to give consent for personalized advertising by marking it as a “contractual necessity” in their Terms & Conditions. In that way, if users wanted to take advantage of their services, they had to agree to have their personal data harvested for advertising purposes. On top of the fine, Meta will have to apply amendments to its data processing operations.
= Last but not least in terms of applying 1st-party data processing, AdExchanger reports CNIL also identified that Apple had been tracking users within its own apps without asking for consent in older versions of iOS (14.6 and older). It had also been deemed a breach of GDPR. The proactive consent collection was applied only in iOS 15 onwards.
If you have any questions, comments or issues, or you’re interested in meeting with us, please get in touch.