The passed in June 2018, includes various consumer rights and business obligations regarding consumer personal information. One of the most significant rights contained in the CCPA is the may have profound implications for the online advertising industry. This provision has revealed the divide between privacy advocates and industry groups, perhaps more than any other issue, in the ongoing effort to finalize the CCPA prior to its Jan. 1, 2020, operational date.
Recently, privacy advocates scored a victory in their effort to defeat a bill that would have removed at least a portion of online advertising activities from the act’s definition of “sale,” but other industry-backed amendments also moved forward.
The competing goals of the proposed amendments highlight the competing goals of industry groups and advocacy organizations that will continue to jockey for influence as the California Legislature debates amendments to the CCPA.
On Feb. 22, Senate Bill 753 was introduced by California State Sen. Henry Stern. The bill was scheduled for a hearing in front of the Senate Standing Committee on Judiciary April 23 but was pulled from consideration before it came up on the agenda. It would have added a provision to California Civil Code § 1798.140(t)(2) that removed the sharing and disclosure of unique identifiers to “another business or third party ... to the extent necessary to deliver, show, measure, or otherwise serve or audit a specific advertisement to the consumer” from the definition of sale, provided the transfer was governed by a contract that prohibited the business or third party from communicating it to additional parties, except as necessary.
The amendment faced criticism from privacy-focused organizations.
Johnny Ryan, chief policy and industry relations officer for Brave, a privacy-focused internet browser, sent a letter to Stern and the Judiciary Committee opposing the proposed carve-out language. He argued the proposed amendment would undermine the purpose of the CCPA, provide inadequate safeguards, and stifle innovation.
The amendment would “seriously undermine the [CCPA]” because it will exempt the type of information exchanged in a bid request during real-time-bidding advertising auctions, Ryan argues. He offered a list of the types of information that may accompany a bid request to illustrate the potentially privacy-invasive information exchanged: the URL of the content a person is consuming, the person’s age, IP address, and category codes corresponding to the content a person is loading (for example, Google uses codes to signify eating disorders, political affiliation, impotence, AIDS/HIV status), among others.
His organization also viewed as inadequate the requirement that transfers operate under the control of a contract, because “contractual provisions [would] be impossible to investigate and enforce” after the information has already been shared. And, carving out permission for online advertising to continue as normal suppresses privacy-focused innovation (like that of his own company).
In a further comment for The Privacy Advisor, Ryan said, "Online advertising auctions cause the most massive leakage of intimate personal information ever recorded, which the proposed advertising exception would [have] permit[ted]. As an industry participant, we know that leaking personal information is not required to serve and audit advertising. It is time for the industry to innovate, and for good law to put an end to bad practice."
The wholesale exclusion of online advertising activities from the CCPA was not certain, however.
The bill removed “an online identifier, an internet protocol address, a cookie identifier, a device identifier, or any unique identifier [which is defined in the CCPA]” from the definition of sale, but as Ryan emphasized, some of the potentially privacy-invasive information exchanged in a real-time-bidding auction goes beyond this list of identifiers. For example, the category codes used by Google or other customer-categorization information may not have been excluded from the definition of sale and therefore would still have been subject to a consumer’s opt-out request.
Simply put: The proposed carve-out may not have removed all pieces of information involved in online advertising from the definition of sale.
SB 753 also narrowed the carve-out because it stated that objects in the aforementioned list are removed from the definition of sale when they are shared “only to the extent necessary to deliver, show, measure, or otherwise serve or audit a specific advertisement to the consumer.” As with many provisions in the CCPA, the full effect of a clause would only be revealed after the definition of key terms. Here, necessary was not defined. Did the amendment require the sharing be necessary for the contract? Did it require the sharing fulfill a CCPA-specific interpretation of necessary? Or, did the amendment rely on a definition of necessary from another title of the California Civil Code?
"My stock reaction is that where one comes down on SB 753 depends on whether you think the privacy problems in ad tech are at the core of what the CCPA is intended to solve," Center for Democracy & Technology Privacy Counsel Joe Jerome, CIPP/US, said. "Considering some of the law's backers ... have increasingly suggested that the law is intended to be a shot in the arm to do not track, I'd say that's the case and that the bill will face stiff opposition."
Jerome’s instincts proved correct.
Further, said Jerome, the proposal "beg[ed] the honest question of whether the goal should be to exempt ad tech or to try to make the industry more responsible. Sen. Stern has argued that this contractual requirement would be a big improvement, but anyone involved in the buying and selling of ads already is bound to any number of contractual requirements, including limitations on use, prohibitions of certain ad types, and like a promise to not re-identify information. So how's that work? If the thinking is really that targeted advertising doesn't pose a privacy problem, let's just call a spade a spade here."
While SB 753 failed to advance out of the Judiciary Committee, it was not the only bill where industry and privacy advocates disagreed.
At the same time SB 753 was working its way through the California Legislature, State Assembly Member Buffy Wicks introduced Assembly Bill 1760, and State Sen. Hannah-Beth Jackson, D-Calif., introduced SB 561. Wicks’ bill went the way of SB 753 and was pulled from consideration before it looked likely to fail in front of the Assembly’s Committee on Privacy and Consumer Protection. It would have changed the CCPA’s right to opt out of the sale of information to an obligation for a business to receive opt-in consent from a consumer before sharing information in any manner, including a sale. Jackson’s bill, however, was approved by the Senate Judiciary Committee. It expands the CCPA's private right of action to include violations of the statute's privacy provisions — incorporating a change originally introduced in, and subsequently removed from, Wicks' bill — and removes a business's 30-day right to cure. The Electronic Frontier Foundation, Brave, DuckDuckGo, and ProtonMail are a few of the more than 30 organizations that indicated support for AB 1760 and may advocate for enhancing SB 561’s consumer protections after AB 1760’s downfall.
Jim Halpert, co-chair of DLA Piper’s Global Data Protection, Privacy and Security Practice, limited exemption for employees from the definition of consumer, a bill that narrows the scope of personal information and clarifies the definition of deidentification, and a bill that creates a public-record exemption for the definition of personal information, among others. Halpert also conjectured that Jackson, who chairs the Senate Judiciary Committee, may try to stop some of these bills or inject elements of SB 561 into them before they pass her committee.
Photo by Jordi Vich Navarro on Unsplash