Tips to Reduce Risk of Exposure to UID2 Class Actions

Businesses need to remain vigilant regarding recent developments in consumer-based data privacy class actions. In recent weeks, the plaintiff class action bar has filed several lawsuits against The Trade Desk Inc. related to its role in the deployment of Unified ID 2 (UID2). At least three of these lawsuits​ claim The Trade Desk is illegally tracking millions of consumers through its advertising platform, which uses UID2 technology to collect personally identifiable information, including email addresses and phone numbers, without proper consent. The lawsuits also allege that The Trade Desk’s advertising technology uses pixels that operate like virtual data brokers, permit tracking individuals across websites and devices, and de-anonymizing their online activity without consent. 

UID2 is an open-source identity framework designed to replace third-party cookies for digital advertising and engage consumers in a more privacy-conscious way. UID2 works by generating hashed or encrypted identifiers based on a user’s email address or phone number. Consumers voluntarily provide their email address and phone number when they sign-up or login to services that use UID2. The new hashed or encrypted identifiers are periodically salted, making them secure and difficult to reverse-engineer. The intent of UID2 is to consensually enable advertisers and publishers to recognize users across the Internet in a more privacy-preserving way. Unlike cookies, UID2 is user-centric and offers users transparency, control, and opt-out options. UID2 is managed by independent governance entities, not a single company, and is meant to ensure broader accountability. Its goal is to support targeted advertising while respecting consumer privacy and regulatory standards like GDPR and CCPA.

UID2 operates in a way fundamentally different from third-party cookies. In short, cookies passively track you across sites; UID2 seeks permission and gives consumers control. Third-party Cookies track users as they move between websites by storing small text files in the user’s browser. These files enable behavioral profiling and ad targeting, but have come under fire for privacy concerns, lack of transparency, and user tracking without clear consent. Third-party cookies are being phased-out by browsers like Chrome and Safari due to these issues. UID2, by contrast, is a privacy-forward alternative. The technology allows for consistent user identity across platforms while offering user consent and opt-out options via the Transparency and Control Portal. Unlike cookies, UID2 is not browser-based and is designed to comply with modern privacy regulations like GDPR and CCPA.

The lawsuits are in their early stages, and no court has yet ruled on the legality of UID2. These cases highlight growing concerns over digital tracking practices and the importance of transparency and user consent in data collection. Like recent pixel tracking litigation, elements of the UID2 lawsuits are based on the California Invasion of Privacy Act (CIPA), codified in California Penal Code §§ 630–638. CIPA broadly prohibits unauthorized eavesdropping, recording, and interception of communications. Allegations of violation of CIPA typically include unlawfully: (1) recording or eavesdropping on a confidential communication (such as a phone call or in-person conversation) without the consent of all parties involved; (2) tapping into or intercepting a communication transmitted over wire or electronic means without consent; (3) recording communications involving cellular or cordless phones without the consent of all parties, even if the conversation is not confidential; and (4) disclosing, sharing or using information obtained through allegedly illegal recording or eavesdropping.

To help reduce the risk of being the target of these lawsuits, businesses should consider these UID2 disclosure tips:

For Privacy Policies:

1. Be Clear and Accessible
   • Clearly state that your website or app uses Unified ID 2.0 (UID2) to help deliver relevant advertising and improve user experience.
   • Avoid jargon. Say what UID2 is in plain terms, e.g., a privacy-focused tool that uses encrypted email addresses (with user consent) for advertising.
2. Explain How UID2 Works
   • Describe that UID2 generates an anonymized identifier from a user’s email or phone number, which is used for advertising but not shared in a personally identifiable way.
   • Note that UID2 does not rely on third-party cookies and is designed to be more privacy-compliant.
3. Include a Consent Statement
   • Make it clear that UID2 is used only when users provide their information and consent (e.g., during registration or login).
   • Provide a way for users to opt out, either directly or by linking to an industry-standard opt-out mechanism (e.g., TrustArc, NAI).
4. List Data Partners and Purposes
   • Disclose any third parties or advertising partners with whom you share UID2 identifiers, and for what purposes (e.g., targeting, analytics, measurement).

For Website Terms of Use:

1. Acknowledge Technology Use
   • Include a general clause stating that your service may use third-party identity and advertising technologies like UID2 to personalize content and ads.
2. Refer to Privacy Policy
   • Your Terms of Use should defer detailed explanations to the Privacy Policy, with a strong link: “For more information on how we use data and your rights, please see our Privacy Policy.”
3. Disclaim Liability/Changes
   • Let users know that technologies and practices may evolve and that continued use of the site constitutes agreement to any updates (as long as users are notified appropriately).