We are back with a whole collection of important news at the intersection of marketing, data, privacy, and technology.

ePrivacy and regulatory updates

Spotify received a 5m EUR fine for an insufficient Privacy Notice (which is directly connected with the GDPR’s transparency principle). According to the Swedish DPA, Spotify’s Privacy Policy “does not inform clearly enough about how this data is used by the company.” The IMY added that Spotify should be more transparent “about how and for what purposes individuals’ personal data is handled.” This enforcement originated in NOYB’s complaint concerning Spotify’s failure to respect access rights (i.e., to respond properly to data subject access requests), but the agency disagreed with the complaint on this particular issue.

Also in Sweden, Tele2 and others were pretty unlucky in terms of timing. The telco operator was fined 1m EUR, along with a few smaller companies, on July 3rd for using Google Analytics (i.e., sending data to the United States without enough additional safeguards to complement the Standard Contractual Clauses that the platform relied on after the Privacy Shield program was invalidated by Schrems II – a long debated impossible mission). The EU Commission found adequacy for such transfers under the new EU-US Data Privacy Framework seven days later.

Meta and Criteo got a taste of the headaches to come across multiple jurisdictions concerning their behavioral targeting practices. On July 4th, Norway asked the Facebook owner to stop processing personal data in the country while relying on contractual necessity or legitimate interest for ad targeting, while the CNIL imposed a 40m EUR fine on the latter for: a) Failing to verify that valid consent had been obtained from the estimated 370m EU-based individuals whose data it had been processing; b) Using an incomplete privacy policy in which certain processing purposes were missing and others were “expressed in vaguely and broad terms”; c) Failing to add key provisions concerning the exercise of user rights in its joint controllership agreements with partners; d) Failing to respect the individual rights of access, erasure, and consent withdrawal (identifiers remained in place even after blocking personalized ads on demand). 

In parallel, Meta made a few important decisions in connection with the enforcement actions that have kept us entertained for many months now: on July 17th WhatsApp adopted legitimate interest as a legal basis (for its processing of personal data), while Facebook and Instagram will revert to consent (from the contractual necessity basis they adopted in the months that preceded the arrival of the GDPR). Aside from this, Meta chose not to make Threads, its X/Twitter rival, available in the EU, dodging what some called a privacy nightmare.

Legal updates and guidelines

In case GDPR-related enforcement actions were not enough, additional headwinds are expected across the entire Real-Time Bidding / programmatic advertising ecosystem worldwide in the face of: a) a string of State-specific privacy laws in the United States; b) the FTC’s specific agenda on this particular front; c) the EU Digital Services Act; d) the EU Digital Markets Act.

In particular:

  • Applicable privacy laws in Colorado, Connecticut, Utah, and Virginia require an opt-out from targeted advertising, which can be complied with by following a process similar to California’s “Do Not Sell or Share My Personal Information” choice. This includes the compulsory processing of Global Privacy Control signals from browsers that support it. The threshold for most companies (those that do not make a living out of “selling” personal data) is 100,000 unique visitors (or “processing data about 100,000 individuals in each state”) – a metric that few will be able to obtain in the absence of cookies and IP-based geolocation.
  • The FTC is closely scrutinizing the use of sensitive categories of data in cross-site tracking and social media advertising (see our Spring Newsroom update).
  • The EU Digital Services Act (in force since August 25th) has introduced a ban on targeted advertising aimed at children or based on special categories of personal data. It also imposes increased levels of transparency regarding the parameters that determine the relevance of a particular ad, and it obliges “very large online platforms” and “very large search engines” to allow consumers to opt out of personalized ads and recommendations.
  • The EU Digital Markets Act (with real teeth after March 2024) requires consent from “gatekeepers” that wish to use personal data for targeted advertising. An initial list of companies qualifying as such was released last week (no surprises: Alphabet, Amazon, Apple, ByteDance, Meta and Microsoft).

The EU Commission gave the green light (i.e., found “adequacy”) on the EU-US Data Privacy Framework (“DPF”) on July 10th. As was clarified shortly afterwards, this will not do away with the need for a Transfer Impact Assessment for Standard Contractual Clauses and Binding Corporate Rules (which can however benefit from the new safeguards provided by the US Government), but temporary peace of mind is assured for EU businesses dealing with US providers which have registered under the DPF (it is mostly speculated that a new sequel of the Schrems saga will take some two years to spoil the party, but a French activist is already trying to beat the Austrian at his own game).

The Council and EU Parliament reached an agreement on the new Data Act, which will enhance the free flow of data generated by IoT devices and other digital products, effectively expanding portability rights beyond the two legal bases required by the GDPR for such a right to be triggered when personal data is involved (contractual necessity and consent). 

A new CJEU ruling confirmed that the right of access could in certain cases include the need to know the identity of specific employees of the data controller, as well as the time and instances in which such employees had been accessing a data subject’s individual records.

Spain’s DPA (AEPD) updated its cookie consent guidelines, at long last aligning them with the EDPB’s published criteria. A “Reject All” button should now be offered on the first layer (rather than hidden under “Configuration”), although the door is now open to “cookie walls” akin to those used by publishers in France or Germany (consent or pay). Companies have a January 2024 deadline to adapt. 

Cybersecurity-related laws keep piling up. As per new SEC rules, material cybersecurity incidents will have to be disclosed by public companies within four business days of a material determination. Also, an extended deadline expired at the end of June for financial services companies to comply with the FTC’s Safeguards Rule when it comes to holding customer records. For their part, EU-based financial institutions have until January 2025 to comply with DORA (importing the NIST Risk Management Framework for the detection, prevention, response to, and recovery from cybersecurity incidents).

Martech & AdTech

  • On September 7th the Privacy Sandbox reached general availability, after slowly finding its way into most instances of the Chrome browser. This was preceded by various updates on the manner in which the cookieless solution beats hashed email addresses or third-party cookies in terms of performance.

AI, Competition and Digital Markets

  • In early July the CJEU agreed with Germany’s Bundeskartellamt (Federal Court for matters of Unfair Competition) that privacy issues can be part of competition-related rulings. Specifically, the Bundeskartellamt had prohibited Meta from combining user data from several sources without specific consent from said users. 
  • At the end of the same month, France’s competition regulator filed an action against Apple for applying different tracking standards to its own services after the App Tracking Transparency (“ATT”) policy change made it harder for third parties to rely on unique device identifiers (IDFA). 
  • The aforementioned EU Digital Markets Act reached the “gatekeeper” designation date on September 6th. Amongst other things, Meta, Apple, Google, TikTok, Microsoft, and Amazon will have to introduce certain levels of interoperability (as well as share data with businesses operating on their platforms) by March 2024.
  • The hangover from OpenAI’s grand entrance in the public discourse continued to rip through existing regulatory initiatives: the last-minute addition of article 28b to the EU AI Act (through the EU Parliament’s amendment) introduced a long list of obligations for foundation models, pitting open source Generative AI frameworks (Hugging Face, EleutherAI, etc.) against the commercial giants (Google’s Bard, OpenAI, Anthropic) and showed important cracks in the proposal. A Stanford University team attempted to expose the manner in which tools on both sides of the aisle would perform across various types of requirements.
  • An avalanche of AI Governance and Responsible AI frameworks is making it harder to pick the most appropriate one for a company’s intended use of foundation models. Two Georgetown University researchers released a matrix to help with the selection.
  • Copyright took center stage in the same Generative AI debate. While many in the industry consider data scraping of public content a “fair use” (or “fair dealing”) exception to copyright protection under existing legal frameworks, with Google and others introducing changes to their Terms of Service to make it clear that they would rely on publicly available data for AI training purposes, Adobe made it clear that its Firefly image generator was only trained on stock images it owned, and a bunch of authors sued OpenAI for the use of their work in order to train ChatGPT. The company has since helped website owners to opt out of future training data sets (by listing GPTBot in the good old “robots.txt” file), but the trend is most likely to entrench those who have already done the deed. Microsoft, for its part, offered legal protection to customers of its Office 365 or GitHub Copilot products who choose to create content or code with its own OpenAI-powered tools.
  • Beyond copyrighted works, the very real possibility of dragging publicly-available personal information, often in the context of semi-public social media, into training data sets provoked a joint statement by multiple data protection agencies demanding compliance with the data protection frameworks already in place.
  • An even more concerning possibility of employing non-public personal data for said training purposes resulted in a separate public outcry. Zoom became an initial target after introducing this possibility in its updated Terms of Service – before it reverted to requiring prior user consent. 
  • The biggest antitrust case in some twenty years will kick off this week, when the US Department of Justice faces Google. A summary judgment ruling was made available a few weeks ago, narrowing the scope of the battle that follows. 

PETs and Zero-Party Data

  • The UK’s ICO issued new guidelines encouraging businesses to embrace Privacy Enhancing Technologies. The use of PETs is something that the US government has also been pushing for since at least 2021, and in fact both countries have joined forces to award specific prizes to companies innovating in the space.
  • Google and Meta released separate AI assistants (Duet and AI Personas respectively), while LinkedIn founder Reid Hoffman helped launch Inflection AI’s Pi, a new AI-powered personal assistant. Whether any of them can fulfill the promise of real individual agency or Zero-Party Data remains to be seen.

Future of Media

Have a great rest of September 🙂