It’s been awhile, and some things have been happening I feel it’s good to be aware of. Some of these may eventually turn into posts of their own, should they actually happen.
Is the Death of CNAME Cookies still happening?
Note: This references the change referred to in this post.
Short answer: I think so.
Longer Answer: The Stepember and October Apple events have come and gone, and still no word from Apple on this change, but things are afoot none-the-less.
On October 8th we saw the release of Safari Technology Preview 114. While the change wasn’t specifically announced in that notice, we did see that on the in development version of Big Sur that the CNAME cloaking mitigation was enabled on that platform. The Safari build referenced was 14.1. However, that same build for Mac OS Catalina did not contain the change. As such, it’s not clear if it will be back-ported to Catalina, or will only be on Big Sur forward.
What is clear however, is the feature was no longer behind a feature flag and was enabled by default. Also of note, that this pull request in the Webkit repo has added a debugging string to the MacOS console which you can enable to determine what is being impacted by the feature.
As far as iOS – the change hasn’t been referenced at all, but seems to be present on the iOS 14.2 beta builds as enabled. There is no current deployment date expected for this update as iOS is still only on 14.0.
What is also not clear is even if both operating systems update – will the Safari build containing these changes launch at the same time, or later? This is still unknown, but all in all is still believed to be rapidly approaching.
What about the AppStore Changes?
Note: This references the change referred to in this post.
Apple released a statement delaying the enforcement of the permission prompts till early in 2021. While at the same time updating their user privacy page with some handy Frequently Asked Questions.
Additionally, on October 8th Apple extended the deadline for the phasing out of UIWebView, the legacy browser controller for iOS. There is no new timeline confirmed but this means that apps which have not updated their web view controller to WKWebView will not have the default Intelligent Tracking Prevention enabled by default as apps which have updated have. As a result, there will be a segment of the Apps on the AppStore which may still be collecting data where otherwise they would be restricted from doing so for a longer period of time than previously expected.
TCF 2.0, the IAB Europe and Failing the GDPR Standard
On October 16th Techcrunch reported that the Interactive Advertising Bureau’s Transparency and Consent Framework 2.0, and it’s use of Real Time Bidding (RTB) was found in violation of the General Data Protection Regulation by the Belgian data protection authority.
The investigation findings have been transferred to the Litigation Chamber, which could decide to bring charges against IAB Europe, and should that happen, any verdict against would also likely determine that programmatic advertising in the EU is illegal under GDPR.
Even if they choose not to take IAB Europe to court a number of other existing complaints exist about RTB and GDPR. In September Dr. Johnny Ryan submitted a lengthy document to the Irish Data Protection Commission about the state of the industry some 2 years on from his original complaint (which is still pending), and should any of those existing complaints be ruled on – we could end up in the same place.
While RTB is questionably legal (for now) in the EU, it remains to be seen how much longer it will remain so given the outcome of the Belgian investigation.