Media Review #23

Earlier Third-Party Cookie Deprecation, Record-Breaking GDPR Fine For Meta, Apple Blocks More Trackers

In this Media Review you can read about Google’s Privacy Sandbox advancements, Meta’s unprecedented GDPR fine, and Apple’s new preventive measures to third-party tracking.

Last Updated:
Published:

The next stages of Privacy Sandbox: General availability and supporting scaled testing – The Privacy Sandbox

Google officially confirms entering the General Availability stage of the Privacy Sandbox tests in July 2023 (along with Chrome’s M115 milestone), which is aligned with the roll-out timeline provided by Chrome in August last year. As a reminder, the General Availability stage depends on gradually rolling out from the current 5% of the Privacy Sandbox-enabled traffic up to 100% and then staying at that level to allow large-scale tests.

Moreover, as a result of the feedback from the industry (RTB House was very vocal about this), Chrome declared that there would be an earlier third-party cookies deprecation for a portion of the traffic. Firstly, starting in Q4 2023,  it plans to enable developers to simulate third-party cookie deprecation for a configurable percentage (up to 10%) of their users in Q4 of 2023. Aside from that so-called “opt-in testing”, third-party cookies will be deprecated for 1% of Chrome’s traffic in Q1 2024. The wider cookieless expansion is still supposed to start in Q3 2024, but its starting point will be 1% of users rather than the previously planned 0%. [Note: In April 2024, it was further postponed until early 2025].

The two announcements mentioned above were followed by an explainer about the bounce tracking mitigations test published on the Developer Chrome website. Firstly, it explains that there is an existing workaround used by bad actors (called “bounce tracking”) where users can be tracked by a third-party site even when their third-party cookies are blocked. Secondly,  Google Chrome’s article clarifies that its bounce tracking mitigation will fix the issue by occasionally erasing the state of these tracking sites, which allows for the exploit, and describes how one can join the tests of this new solution.

Last but not least, Google drafted a tentative timeline for deploying Protected Audience API (formerly known as FLEDGE API) for Android. It starts with the event-level reporting available in Q3 2023 and ends with the aggregate reporting integration a year after.

Meta ordered to suspend Facebook EU data flows as it’s hit with record €1.2BN privacy fine under GDPR – TechCrunch

The European Data Protection Board (EDPB) orders Meta to suspend Facebook’s EU data flows until October 2023, to bring its data processing and storage to compliance by November 2023, and impose the all-time highest fine under the GDPR – €1.2 B. The reason behind that was Meta’s breaching European regulation conditions regarding transferring personal data to countries outside the EU (in that instance – the US) without ensuring adequate protections. Meta responded that it would appeal the decision.

Another bit of news with roots in Europe comes from Wolfie Christl’s Twitter. The author of the post noticed that TrustPID (a digital ad platform joint venture set up by Deutsche Telekom, Orange, Telefonica, and Vodafone, which received European antitrust regulators’ clearance in February this year) had rebranded into Utiq. On top of that, Christl observed that Utiq would start offering its services in Spain, Germany, and Italy in June 2023 and later expand to the rest of Europe.

Apple WWDC 2023: Low-Key Privacy News And A Mixed Reality Headset Debut – AdExchanger

Apple introduced more preventive measures to third-party tracking during its WWDC23 event. As AdExchanger reported, those measures would depend on the total blocking of known trackers from loading on websites and removing URL tracking when internet users are in the “private browsing” mode.

The article also reported on the announcement of the so-called “privacy manifests” – a new method of allowing iOS app developers to provide information about their data practices. It is emphasized, though, that this self-reporting approach is a weaker attempt to fight fingerprinting than the one enforced in Android Privacy Sandbox – SDK Runtime API.

Although, as AdExchanger put it, Apple tries to “position itself as the main protector of consumer privacy”, some regulators might perceive it as anti-competitive behavior. For example, TechCrunch wrote about Apple’s ATT facing a competition probe in Italy for allegedly providing an unfair advantage for its own personalized ads which, contrary to the ones provided by third parties, are not subject to ATT. Regulators observed that Apple Ads Attribution, which Apple adopts for itself, is much more effective than SkAdNetwork – the solution proposed for third parties.

If you have any questions, comments or issues, or you’re interested in meeting with us, please get in touch.