Disclaimer: I work at Google and did some GDPR verification on some products, but I’m not a lawyer and will try to avoid legal speculation. I worked with the advertising team but not on it; my impression of those folks is that they took legal responsibilities _very_ seriously. We even had to make new controls in Firebase for you to enable sharing your Firebase analytics data with your Firebase Functions.
I’m curious which kind of party Brave is accusing Google of being (Controller or Processor). I’m also curious what kind of “leak” Brave is accusing Google of making.
The advertiser could certainly filter for some specific terms, but not PII. If you get a large group, differential privacy et. al. should protect the individual and protect a leak.
There’s some interesting theoretical attacks in the threads but they involved a host site asking for the PII after the ad campaign.
Do any attorneys want to comment who the Controller and Processor would be in this situation?
Do any multi-site owners want to comment on whether any advertising UserIDs are even shared across sites, or are they salted per recipient?
From what I can tell it looks like advertisers who already have user IDs can use this in their ad campaign but all google_ fields are stripped from ad redirects.
I’m curious which kind of party Brave is accusing Google of being (Controller or Processor). I’m also curious what kind of “leak” Brave is accusing Google of making.
The advertiser could certainly filter for some specific terms, but not PII. If you get a large group, differential privacy et. al. should protect the individual and protect a leak.
There’s some interesting theoretical attacks in the threads but they involved a host site asking for the PII after the ad campaign.
Do any attorneys want to comment who the Controller and Processor would be in this situation?
Do any multi-site owners want to comment on whether any advertising UserIDs are even shared across sites, or are they salted per recipient?