You know that feeling when you try to develop a post-cookie, privacy-focused advertising identifier but you end up getting sued for allegedly “secretly harvesting and monetizing directly identifiable user data from millions of US residents without their knowledge”?
In late March, The Trade Desk was hit with a pair of class-action lawsuits in California, which have since been consolidated into one, arguing that Unified ID 2.0, designed as a privacy-conscious alternative to cookies, is really just a rebranding of old-school profiling, just with stronger math and weaker disclosures.
UID 2.0 uses hashed and encrypted emails or phone numbers to create pseudonymous identifiers that advertisers can use to recognize and target people across devices and platforms without, ostensibly, exposing personal information and (also ostensibly) only with a user’s explicit consent.
The question of consent, or the lack thereof, is at the heart of these suits and others like them.
Old laws, new claims
Around three years ago, plaintiffs’ attorneys started glomming onto older privacy laws – particularly the Video Privacy Protection Act (VPPA) and the California Invasion of Privacy Act (CIPA) – as the basis for a wave of class-action lawsuits against digital platforms and publishers.
The trend gave rise to so-called “pixel suits” claiming that companies like Meta and Google illegally tracked sensitive user data through website pixels without consent, especially on health care and financial sites.
Some of these suits were tossed out as overreaching uses of laws that were written for another era. The VPPA was passed in 1988 to stop the disclosure of video rental records, and CIPA was passed in 1967 to prohibit wiretapping and the unauthorized recording of conversations.
But some were allowed to move forward, creating a confusing patchwork of precedents and costly settlements.
“Even though these laws were originally designed for telephone wiretapping and electronic communications, they’re now being interpreted by plaintiffs to address online tracking technologies like real-time bidding, cross-device tracking and data collection,” said Kyle Kessler, a partner at Womble Bond Dickinson.
“These UID2 lawsuits against The Trade Desk are just another example of plaintiffs getting creative,” she added.
Identity crisis
As of late September, the consolidated case against TTD is still active, although there is a motion to dismiss pending with a hearing set for December 5.
But say there is a trial. Do the plaintiffs have a viable legal argument?
“I think applying laws that were developed in the 1960s to internet technology is ridiculous; that’s just my personal opinion,” said David Wheeler, a partner at Neal, Gerber & Eisenberg. “We’ve already seen certain judges determine that this technology is not necessarily what the statutes were intended to protect against.”
Still, for the sake of argument, you could maintain, as the plaintiffs do, that UID2s remain identifiable because they map directly back to underlying personal information. Although UIDs are encrypted and don’t contain an actual email or phone number, they function as an equivalent, since the same UID2 is generated every time someone enters the same email or number on another website or platform.
This consistency arguably allows a UID2 to effectively serve as a persistent identifier linked to personal information.
“The theory is that even if it’s salted or hashed, it still represents an individual regardless of whether or not it’s readable without a key,” Wheeler said, playing the devil’s advocate. “Also, with AI getting increasingly precise – capable of looking at hundreds of data elements at once – we’re probably beyond the phase where hashing even matters.”
‘No good deed goes unpunished’
The question now is whether a judge lets the case proceed and, if so, whether a jury sides with the plaintiffs – which could be very disruptive not just for TTD but for the whole ad tech ecosystem, according to Kessler.
The court is being asked to decide on fundamental issues, such as whether pseudonymization constitutes personal information. There’s already some precedent for that, although nothing legally binding.
The Federal Trade Commission published a blog post last year warning that hashing doesn’t make data anonymous, because even though it obfuscates the original information, the hash creates a unique ID that can still be used to track and identify people.
“The opacity of an identifier cannot be an excuse for improper use or disclosure.” (The text is in bold here because it was also bolded for emphasis in the FTC’s blog post.)
If a court eventually rules in favor of the plaintiffs in the TTD case, it would set a rather awkward legal precedent by recognizing that practices like UID2 violate CIPA, which could potentially push the industry toward mandatory opt-in consent, Kessler said – something the current legal framework in the US doesn’t require for most types of personal data.
Meanwhile, a recent effort to try and rein in CIPA as a creative tool for privacy lawsuits just fell flat. A bill introduced in the California legislature earlier this year (Senate Bill 690, if you’re curious) aimed to exempt routine online tracking from CIPA. It unanimously passed the Senate in June, but stalled shortly after in the Assembly where it remains with no clear path to becoming law.
That legislative stalemate underscores the ongoing tension between efforts to clean up tracking and the lawyers who are lining up to call foul.
“The intent here was to develop a consumer-friendly tool that takes privacy into consideration, but the plaintiffs’ bar is always looking for ways to make these things seem nefarious,” Wheeler said. “It’s almost as if no good deed goes unpunished.”
🙏 Thanks for reading! This cat is unrelated to the theme of this newsletter, but I’m sharing it because I can relate (deeply). As always, feel free to drop me a line at allison@adexchanger.com with any comments or feedback.
