Privacy and Compliance Reader

Blog Posts & Video

This is a small sample of relevant blog posts.

This document provides some background on the threats to users' privacy that JavaScript APIs help create on the Web, and provides some patterns to mitigate such threats at the API design level. Its primary audience is therefore people involved in the definition and implementation inside user agents of such APIs.

A presentation on our responsibility as technologists to change the world which is well worth watching.

There has been ample debate in some tech circles as to just how much of a privacy war is really being waged. My personal sense is that it's not so much of a war as it is a reality check. It has become very painfully obvious that the same old simple solutions don't work — and some people are up in arms that reality is being inconvenient to them.

If you've spent any amount of time discussing reforms to improve privacy online, you've likely encountered the Big Knob Theory. Like Covid it comes in variants, but its core tenet can be summarised thus: there exists (metaphorically) a Big Knob that can either be turned towards "privacy" or towards "competition" — but it's very much a zero-sum game and you can't have both. It's a popular position; but is it true?

The New York Times has made substantial changes to how we handle reader data, with an eye towards increased reader privacy. This includes better privacy practices around marketing, advertising and a more readable privacy policy.

Should we maintain pervasive data collection on the web under the guise of preserving competition? 

Programmatic technology continues to be used by parties on both sides of the Russia/Ukraine conflict as a platform to conduct psychological warfare.

In this digital hellscape of ours, what is it that we talk about when we talk about privacy? We talk about power. Concentrations of data are concentrations of power, or, as the freshly-minted first public draft of the W3C’s Privacy Principles states, “asymmetries of information and of automation create commanding asymmetries of power.” That’s the problem to which privacy is the solution.

Compliance APIs

APIs Privacy Engineers will have to deal with regularly.

IAB Europe, in partnership with IAB Tech Lab, announced on 21 August 2019 the launch of the second iteration of Transparency and Consent Framework (TCF) v2.0.

Technical specifications to support US Privacy initiatives, starting with CCPA (California Consumer Privacy Act) - USPrivacy/USP API.md at master · InteractiveAdvertisingBureau/USPrivacy

Exercise your privacy rights in one step via the “Global Privacy Control” (GPC) signal, a proposed specification backed by over a dozen organizations.

The Site Engagement Service provides information about how engaged a user is with a site. The primary signal is the amount of active time the user spends on the site but various other signals may be incorporated (e.g. whether a site is added to the homescreen).

This article covered feature detection in a reasonable amount of detail, going through the main concepts and showing you how to both implement your own feature detection tests and use the Modernizr library to implement tests more easily.

The Global Privacy Control is making steady progress towards adoption. As a global signal supported by browsers, it's a natural question to ask what it means under regimes such as the GDPR. Here's my personal take.

Helping publishers comply with U.S. privacy laws through a standardized framework. Developed by the IAB’s Tech Lab, the Global Privacy Platform (GPP) is a standardized framework for storing and passing

The Berlin Regional Court found LinkedIn's ignoring of "Do Not Track" signals and publishing of profiles without permission to be illegal. The ruling supported consumer control over personal data.

Understanding Third Party Cookies

Learn about how cookies work and what are first-party and third-party cookies.

Learn how to mark your cookies for first-party and third-party usage with the SameSite attribute. You can enhance your site's security by using SameSite's Lax and Strict values to improve protection against CSRF attacks. Specifying the new None attribute allows you to explicitly mark your cookies for cross-site usage.

The technology that shaped digital advertising and media is going away. What will replace it?

But he's also not convinced that any of the alternatives will be much better.

Quartz

To replace the cookie in Chrome and Android, Google has an offering for the world called “Privacy Sandbox." Here's an exclusive peek into how it will work.

Gizmodo

▶️ Listen now on Apple, Spotify, and YouTube. Big Martech is back with Season 2! We are doing things a bit differently this time around. Instead of doing a single topic per show, we’re doing deeper dives into the most pressing themes of Martech with three episodes at a time. Our first theme is about how our shift away from third party cookies is changing the Martech landscape. This week we’ll look at the history of the cookie, next week will be about how marketers are responding, and the third l

We asked the engineer who invented cookies what they mean and how to handle them.

For the last decade, marketers have been sold the idea that microtargeting would help them improve digital marketing. I realize that it will be hard for you to accept that it didn't work -- at.

I can make an HTML page with image tags that point at other people’s images: a page of Rembrandts from different art museums. If those images are open then it doesn’t matter whether my browser sends…

Browsers ending 3p

Learn how to audit your code to look for third-party cookies and what action you can take to ensure you're all set for the end of third-party cookies.

Take back your privacy. Firefox is rolling out Total Cookie Protection by default to more Firefox users worldwide, making Firefox the most private and secur

Apple has an update out for Safari’s Intelligent Tracking Prevention tool set that makes its web browser even more secure. Now, Safari blocks all third-party cookies by default, with no exceptions, thanks to fundamental changes to the way traffic is handled.

While we are all getting ‘ready’ for a cookieless future, there are two major considerations that just aren’t being discussed enough.

In-Progress Standards

Privacy relevant standards.

Our latest news, updates, and stories about Privacy.

Our latest news, updates, and stories about Security.

Client Hints

Wouldn't it be nice if `User-Agent` was a (set of) client hints? - GitHub - WICG/ua-client-hints: Wouldn't it be nice if `User-Agent` was a (set of) client hints?

Client Hints is a collection of HTTP and user-agent features that enables privacy-preserving, proactive content negotiation with an explicit third-party delegation mechanism:

(slides)

Client Hint Reliability (Internet-Draft, 2020)

Request for Mozilla Position on an Emerging Web Specification Specification Title: User Agent Client Hints Specification or proposal URL: https://tools.ietf.org/html/draft-west-ua-client-hints-00 M...

IP Blindness

Contribute to bslassey/ip-blindness development by creating an account on GitHub.

This research presents VPN⁰, the first distributed virtual private network offering a privacy preserving traffic authorization and validation mechanism.

A technical explanation of how Analytics anonymizes IP addresses. At a glance: When a customer of Analytics requests IP address anonymization, Analytics anonymizes the address as soon as technically fea

IsLoggedIn

Explainers from WebKit contributors. Contribute to WebKit/explainers development by creating an account on GitHub.

Privacy Budget

Contribute to bslassey/privacy-budget development by creating an account on GitHub.

Privacy Sandbox

A collection of proposed standards by Google intended to move the web away from third party cookies.

Privacy Sandbox is developing privacy-preserving technologies to protect your online privacy so you can browse the web without invasive tracking.

2023 will be a critical year to prepare for a world without third-party cookies. Let’s take a closer look at how the advertising ecosystem might think about ad relevance in a cookieless future.

Today on The Keyword, we outlined our vision for an initiative aimed at evolving the web with architecture that advances privacy, while co...

A year ago we announced our intention to phase out third-party cookies and replace them with new browser features that are fundamentally mo...

For its Chrome browser, Google wants to replace cookies with APIs developed according to its Privacy Sandbox. Here's a primer explaining what's entailed and at stake for the long term.

What lessons can be learned after FLoC had its wings clipped?

Private Attribution

Safari proposal

A typical website is made of numerous components coming from a wide variety of sources.

When it comes to ad tracking in Safari, Apple usually taketh away. But sometimes Apple giveth advertisers a little something. Meet privacy-preserving ad click attribution for the web. Think of it as Apple throwing a bone to advertisers who need a way to measure the effectiveness of their ads in Safari, which is where tracking... Continue reading »

This section is non-normative.

Chrome proposal

Build the next generation of web experiences.

Conversion Measurement API. Contribute to WICG/conversion-measurement-api development by creating an account on GitHub.

Build the next generation of web experiences.

[public] Experiment with Attribution Reporting: Handbook Published on March 31st, 2022 This document is part of a collection of developer guides to experiment with the Attribution Reporting API. See all resources in this collection. Any questions? Please ask. We strongly recommend you...

Mozilla / Facebook proposal

Interoperable Private Attribution (IPA) Date Published: Jan 5th, 2022 Authors: Erik Taubeneck (Meta), Ben Savage (Meta), Martin Thomson (Mozilla) Purpose of this document: 1. Introduction 1.1 Major design choices 1.2 Acknowledgements 2. Components of the IPA proposal 2.1 Setting Match Keys 2.2 ...

Android Proposal

Provide feedback

Storage Partitioning

Client-Side Storage Partitioning. Contribute to privacycg/storage-partitioning development by creating an account on GitHub.

Trust Tokens

Potential alternative for anti-fraud/reCaptcha issues

Trust Tokens is a new API to enable a website to convey a limited amount of information from one browsing context to another (for example, across sites) to help combat fraud, without passive tracking.

Public chromium.org document // davidvc@chromium.org, July 2021 What’s TrustTokenV3? “TrustTokenV3” is a collection of backwards-incompatible changes to Chromium’s Trust Tokens implementation arriving starting in Chrome 92, which will reach Beta (small number of users) in early June and Stable t...

Chrome origin trials allow developers to safely experiment with web platform features

This document describes a mechanism which allows HTTP servers to maintain stateful sessions with HTTP user agents. It aims to address some of the security and privacy considerations which have been identified in existing state management mechanisms, providing developers with a well-lit path towards our current understanding of best practice.

IDs

The ad tech hordes are again congregating with the IAB Tech Lab's Annual Leadership Meeting taking place in New York City this week.

WebID / FedID

A privacy preserving federated identity Web API. Contribute to fedidcg/FedCM development by creating an account on GitHub.

WebID TPAC 2020 Ken Buchanan (kenrb@google.com) Majid Valipour (majidvp@google.com) Sam Goto (goto@google.com)

DID

Decentralized identifiers (DIDs) are a new type of identifier that enables verifiable, decentralized digital identity. A DID refers to any subject (e.g., a person, organization, thing, data model, abstract entity, etc.) as determined by the controller of the DID. In contrast to typical, federated identifiers, DIDs have been designed so that they may be decoupled from centralized registries, identity providers, and certificate authorities. Specifically, while other parties might be used to help enable the discovery of information related to a DID, the design enables the controller of a DID to prove control over it without requiring permission from any other party. DIDs are URIs that associate a DID subject with a DID document allowing trustable interactions associated with that subject.

KILT DID Driver for the Universal Resolver. Contribute to KILTprotocol/kilt-did-driver development by creating an account on GitHub.

Engineering-relevant laws

After the California Consumer Privacy Act passed in 2018, multiple states proposed similar legislation to protect consumers in their states. The IAPP Westin Research Center tracks proposed comprehensive state privacy bills from across the country to aid our members' efforts to stay abreast of the...

GDPR

What is the GDPR? Europe’s new data privacy and security law includes hundreds of pages’ worth of new requirements for organizations around the world. This GDPR overview will help...

General Data Protection Regulation, or GDPR, became law in May 2018. Our need-to-know GDPR summary explains what the changes mean for you

How to conduct a Data Protection Impact Assessment (template included) A Data Protection Impact Assessment (DPIA) is required under the GDPR any time you begin a new project that...

The ruling will require companies to protect data that indirectly relates to sensitive information such as health or sexual orientation.

CCPA

The California Consumer Privacy Act of 2018 (CCPA) gives consumers more control over the personal information that businesses collect about them and the CCPA regulations provide guidance on how to implement the law.

Colorado

IAPP Westin Research Fellow Sarah Rippy breaks down the newly passed Colorado Privacy Act.

Virginia's CDPA

Introduced by: David W. Marsden

What Is the Virginia Consumer Data Protection Act (VCDPA)? Learn about the key components of the state’s new comprehensive data privacy law.

Learn about the major provisions of the Virginia Consumer Data Protection Act (VCDPA) to prepare for compliance by the January 1, 2023 effective date.

March 2021 1. Governing Texts On 2 March 2021, the Virginia State Governor signed into law the Consumer Data Protection Act ('CDPA'), which is due to enter into effect on 1 January 2023. In addition to this, Virginia regulates privacy and data protection matters through the Personal Information Privacy Act, which restricts the sale of personal information of customers by merchants as well as the use of social security numbers.

Maryland

Synopsis

Synopsis

ADPPA

People are justifiably excited about the American Data Privacy and Protection Act.

Japan

Understand how data breaches led to Japan’s Act on the Protection of Personal Information (APPI), and how businesses must adapt to comply...

White Papers and Non-technical Standards

This includes conversations about the mechanism and philosophy around privacy as well as useful documents–including privacy models–used by standard setting orgs as part of their process.

Models and Definitions of Privacy

A Potential Privacy Model for the Web: Sharding Web Identity - GitHub - michaelkleber/privacy-model: A Potential Privacy Model for the Web: Sharding Web Identity

This document is at a very early stage. Many things in it are wrong and/or incomplete. Please take it as a rough shape for how we might document the target threat model, rather than as definite statements about what should be in the target threat model.

Privacy is an essential part of the Web ([ETHICAL-WEB]). This document provides definitions for privacy and related concepts that are applicable worldwide. It also provides a set of privacy principles that should guide the development of the Web as a trustworthy platform. People using the Web would benefit from a stronger relationship between technology and policy, and this document is written to work with both.

This document describes the web tracking practices that WebKit believes, as a matter of policy, should be prevented by default by web browsers.

This document describes the online tracking practices that Mozilla believes, as a matter of policy, should be blocked by default by web browsers. These practices are potentially harmful to users and cannot be meaningfully understood or controlled by users.

Setting the standard for a robust, policy-ready understanding of privacy.

A tool to help organizations improve individuals’ privacy through enterprise risk management

Privacy by design is an approach to systems engineering initially developed by Ann Cavoukian and formalized in a joint report on privacy-enhancing technologies by a joint team of the Information and Privacy Commissioner of Ontario (Canada), the Dutch Data Protection Authority, and the Netherlands Organisation for Applied Scientific Research in 1995.[1][2] The privacy by design framework was published in 2009[3] and adopted by the International Assembly of Privacy Commissioners and Data Protection Authorities in 2010.[4] Privacy by design calls for privacy to be taken into account throughout the whole engineering process. The concept is an example of value sensitive design, i.e., taking human values into account in a well-defined manner throughout the process.[5][6]

Privacy chapter of the 2022 Web Almanac covers the adoption and impact of online tracking, privacy preference signals, and browser initiatives for a privacy-friendlier web.

Contents

Principles and Documents

The Design Principles are directly informed by the ethical framework set out in the Ethical Web Principles [ETHICAL-WEB]. These principles provide concrete practical advice in response to the higher level ethical responsibilities that come with developing the web platform.

When designing new features for the Web platform, we must always consider the security and privacy implications of our work. New Web features should always maintain or enhance the overall security and privacy of the Web.

This section describes the status of this document at the time of its publication. Other documents may supersede this document. A list of current W3C publications and the latest revision of this technical report can be found in the W3C technical reports index at https://www.w3.org/TR/.

The Web suffers from large scale, frequent, and often invisible privacy violations. These pervasive privacy problems threaten the Web’s ability to serve as a preeminent application platform and information distribution system.

When we are adding new web technologies and platforms, we will build them to cross regional and national boundaries. People in one location should be able to view web pages from anywhere that is connected to the web.

7 Foundational Principles

This document explains why the IAB believes that, when there is a conflict between the interests of end users of the Internet and other parties, IETF decisions should favor end users. It also explores how the IETF can more effectively achieve this.

Pervasive Monitoring Is an Attack (RFC )

Tracking user activity on the Web using methods other than those defined for the purpose by the Web platform (“unsanctioned tracking”) is harmful to the Web, for a variety of reasons. This Finding details the TAG's stance on different forms of tracking, and how they should be addressed.

Web Advertising BG - https://www.w3.org/community/web-adv/ - web-advertising/support_for_advertising_use_cases.md at main · w3c/web-advertising

AI & Advertising, a consumer perspective

Weaponizing the Digital Influence Machine: The Political Perils of Online Ad Tech identifies the technologies, conditions, and tactics that enable today’s digital advertising infrastructure to be weaponized by political and anti-democratic actors.

In scope, ambition, and animating philosophy, American privacy law and Europe’s General Data Protection Regulation are almost diametric opposites. The GDPR’s am

SSRN, Confiding in Con Men: U.S. Privacy Law, the GDPR, and Information Fiduciaries, Lindsey Barrett

User agents are pieces of software that represent the user, a natural person, in their digital interactions. Examples include Web browsers, operating systems, s

SSRN, The Fiduciary Duties of User Agents, Robin Berjon

Trust is beautiful. The willingness to accept vulnerability to the actions of others is the essential ingredient for friendship, commerce, transportation, and v

SSRN, Taking Trust Seriously in Privacy Law, Neil M. Richards, Woodrow Hartzog

This topic page contains a curation of the IAPP's coverage, analysis and relevant resources covering De-identification.

This post first summarizes what browser fingerprinting is, and common defenses. Second, the post presents problems with “dynamic privacy approaches”, and why Brave is skeptical they are effective for protecting against fingerprinting. Third, the post presents Brave’s fingerprinting protections, current, upcoming and longer-term.

F. Wang, R. Ko, and J. Mickens, “Riverbed: Enforcing User-defined Privacy Constraints in Distributed Web Services,” in NSDI, Boston, MA, 2019.

From Wikipedia, the free encyclopedia

Amplification by Shuffling: From Local to Central Differential Privacy via Anonymity

Context-Aware Local Differential Privacy

At The Times, we aim to create the best possible reader experience across every medium. This involves knowing certain things about our readership. For example, knowing which articles you read helps us understand your interests. That information lets us select the types of articles we show you in certain parts of the app or site. (This article selection process is still guided by our journalistic judgment, and doesn’t impact large portions of the app or site.)

Merkle used Amazon Redshift and other AWS services to build a solution that enables companies to create targeted marketing campaigns while maintaining compliance with data privacy regulations.

Since the COVID-19 pandemic we’ve seen a seismic shift around the world to online shopping and direct-to-consumer sales. Arguably, the consumer packaged goods (CPG) industry felt this shift more than any other industry. According to Statista, “Retail websites generated almost 22 billion visits in June 2020, up from 16.07 billion global visits in January 2020.” […]

"same-site" and "same-origin" are frequently cited but often misunderstood terms. This article helps you understand what they are and how they are different.
