Home Data Privacy Roundup Putting UID2 Under the Legal Microscope

Putting UID2 Under the Legal Microscope

SHARE:
Creative template collage of furious man headless with tangled tape record suffer psychological problem stress solving difficulty

You know that feeling when you try to develop a post-cookie, privacy-focused advertising identifier but you end up getting sued for allegedly “secretly harvesting and monetizing directly identifiable user data from millions of US residents without their knowledge”?

In late March, The Trade Desk was hit with a pair of class-action lawsuits in California, which have since been consolidated into one, arguing that Unified ID 2.0, designed as a privacy-conscious alternative to cookies, is really just a rebranding of old-school profiling, just with stronger math and weaker disclosures.

UID 2.0 uses hashed and encrypted emails or phone numbers to create pseudonymous identifiers that advertisers can use to recognize and target people across devices and platforms without, ostensibly, exposing personal information and (also ostensibly) only with a user’s explicit consent.

The question of consent, or the lack thereof, is at the heart of these suits and others like them.

Old laws, new claims

Around three years ago, plaintiffs’ attorneys started glomming onto older privacy laws – particularly the Video Privacy Protection Act (VPPA) and the California Invasion of Privacy Act (CIPA) – as the basis for a wave of class-action lawsuits against digital platforms and publishers.

The trend gave rise to so-called “pixel suits” claiming that companies like Meta and Google illegally tracked sensitive user data through website pixels without consent, especially on health care and financial sites.

Some of these suits were tossed out as overreaching uses of laws that were written for another era. The VPPA was passed in 1988 to stop the disclosure of video rental records, and CIPA was passed in 1967 to prohibit wiretapping and the unauthorized recording of conversations.

But some were allowed to move forward, creating a confusing patchwork of precedents and costly settlements.

“Even though these laws were originally designed for telephone wiretapping and electronic communications, they’re now being interpreted by plaintiffs to address online tracking technologies like real-time bidding, cross-device tracking and data collection,” said Kyle Kessler, a partner at Womble Bond Dickinson.

“These UID2 lawsuits against The Trade Desk are just another example of plaintiffs getting creative,” she added.

Identity crisis

As of late September, the consolidated case against TTD is still active, although there is a motion to dismiss pending with a hearing set for December 5.

But say there is a trial. Do the plaintiffs have a viable legal argument?

“I think applying laws that were developed in the 1960s to internet technology is ridiculous; that’s just my personal opinion,” said David Wheeler, a partner at Neal, Gerber & Eisenberg. “We’ve already seen certain judges determine that this technology is not necessarily what the statutes were intended to protect against.”

Still, for the sake of argument, you could maintain, as the plaintiffs do, that UID2s remain identifiable because they map directly back to underlying personal information. Although UIDs are encrypted and don’t contain an actual email or phone number, they function as an equivalent, since the same UID2 is generated every time someone enters the same email or number on another website or platform.

This consistency arguably allows a UID2 to effectively serve as a persistent identifier linked to personal information.

“The theory is that even if it’s salted or hashed, it still represents an individual regardless of whether or not it’s readable without a key,” Wheeler said, playing the devil’s advocate. “Also, with AI getting increasingly precise – capable of looking at hundreds of data elements at once – we’re probably beyond the phase where hashing even matters.”

‘No good deed goes unpunished’

The question now is whether a judge lets the case proceed and, if so, whether a jury sides with the plaintiffs – which could be very disruptive not just for TTD but for the whole ad tech ecosystem, according to Kessler.

The court is being asked to decide on fundamental issues, such as whether pseudonymization constitutes personal information. There’s already some precedent for that, although nothing legally binding.

The Federal Trade Commission published a blog post last year warning that hashing doesn’t make data anonymous, because even though it obfuscates the original information, the hash creates a unique ID that can still be used to track and identify people.

The opacity of an identifier cannot be an excuse for improper use or disclosure.” (The text is in bold here because it was also bolded for emphasis in the FTC’s blog post.)

If a court eventually rules in favor of the plaintiffs in the TTD case, it would set a rather awkward legal precedent by recognizing that practices like UID2 violate CIPA, which could potentially push the industry toward mandatory opt-in consent, Kessler said – something the current legal framework in the US doesn’t require for most types of personal data.

Meanwhile, a recent effort to try and rein in CIPA as a creative tool for privacy lawsuits just fell flat. A bill introduced in the California legislature earlier this year (Senate Bill 690, if you’re curious) aimed to exempt routine online tracking from CIPA. It unanimously passed the Senate in June, but stalled shortly after in the Assembly where it remains with no clear path to becoming law.

That legislative stalemate underscores the ongoing tension between efforts to clean up tracking and the lawyers who are lining up to call foul.

“The intent here was to develop a consumer-friendly tool that takes privacy into consideration, but the plaintiffs’ bar is always looking for ways to make these things seem nefarious,” Wheeler said. “It’s almost as if no good deed goes unpunished.”

🙏 Thanks for reading! This cat is unrelated to the theme of this newsletter, but I’m sharing it because I can relate (deeply). As always, feel free to drop me a line at allison@adexchanger.com with any comments or feedback.

Must Read

Google’s Meridian And Meta’s Robyn: A Gift To Measurement Or Trojan Horses?

Google and Meta are quietly rewriting the rules of ad measurement, and they’re doing it with open-source marketing mix modeling tools that many marketers don’t even realize they’re using.

This New Training Framework Gives Publishers A Say In How AI Uses Their Work

A new initiative called SAIL compensates publishers when AI scrapes their content and guarantees the outputs adhere to the same cultural standards they apply to their own coverage.

AI Is Spreading Inaccurate Information About Brands. This Tool Can Help Fix That

Brands can’t just focus on how often they show up in AI search. They also need to pay attention to accuracy – and know what to do when AI gets it wrong.

Privacy! Commerce! Connected TV! Read all about it. Subscribe to AdExchanger Newsletters

This K-Beauty Brand Is Collapsing The Marketing Funnel To Grow Its US Customer Base

The “K” in “K-beauty” stands for “Korean.” But it should also stand for “kaboom” because Korean beauty product sales are exploding internationally, especially in the US market.

LinkNYC Kiosks Have Started Airing World Cup Games – TV Ads And All

The cinematic trope of people stopping to watch the news on a storefront TV display feels pretty out of date today. But sometimes, life can still imitate art.

How TIME’s CMS Transition Laid The Foundation For Its AI-Driven Content Overhaul

The CMS migration helped unify TIME’s fragmented content data after years of platform transitions under multiple owners. This enabled TIME to launch its own AI search product and convert archival content into AI-friendly “markdown” pages.