Editor's note: This story has been amended to reflect the more recent vote in the California legislature, updating the April 23 version.
The California Consumer Privacy Act, passed in June 2018, includes various consumer rights and business obligations regarding consumer personal information. One of the most significant rights contained in the CCPA is the right for a consumer to opt out of the sale of their personal information to third parties — a provision that may have profound implications for the online advertising industry. Currently, however, the California legislature is debating an amendment to the CCPA that will remove at least a portion of online advertising activities from the Act’s definition of “sale.”
Feb. 22, Senate Bill 753 was introduced by California State Senator Henry Stern. The bill is currently in front of the Senate Standing Committee on Judiciary and is scheduled for hearing on April 23. It adds a provision to California Civil Code § 1798.140(t)(2) that removes the sharing and disclosure of unique identifiers to “another business or third party ... to the extent necessary to deliver, show, measure, or otherwise serve or audit a specific advertisement to the consumer” from the definition of sale, provided the transfer is governed by a contract that prohibits the business or third party from communicating it to additional parties, except as necessary.
The amendment faces criticism from privacy-focused organizations.
Johnny Ryan, chief policy and industry relations officer for Brave, a privacy-focused internet browser, sent a letter to Sen. Stern and the Judiciary Committee opposing the proposed carve-out language. He argues the proposed amendment would undermine the purpose of the CCPA, provide inadequate safeguards, and stifle innovation.
The amendment will “seriously undermine the [CCPA]” because it will exempt the type of information exchanged in a bid request during real-time-bidding advertising auctions, argues Ryan. He offers a list of the types of information that may accompany a bid request to illustrate the potentially privacy-invasive information exchanged: the URL of the content a person is consuming, the person’s age, IP address, and category codes corresponding to the content a person is loading (for example, Google uses codes to signify eating disorders, political affiliation, impotence, AIDS/HIV status), among others.
His organization also views as inadequate the requirement that transfers operate under the control of a contract, because “contractual provisions will be impossible to investigate and enforce” after information has already been shared. And, carving out permission for online advertising to continue as normal suppresses privacy-focused innovation (like that of his own company).
In a further comment for The Privacy Advisor, Ryan said, "Online advertising auctions cause the most massive leakage of intimate personal information ever recorded, which the proposed advertising exception would permit. As an industry participant, we know that leaking personal information is not required to serve and audit advertising. It is time for the industry to innovate, and for good law to put an end to bad practice."
The wholesale exclusion of online advertising activities from the CCPA is not certain, however.
The bill removes “an online identifier, an Internet Protocol address, a cookie identifier, a device identifier, or any unique identifier [which is defined in the CCPA]” from the definition of sale, but as Ryan emphasized, some of the potentially privacy-invasive information exchanged in a real-time-bidding auction goes beyond this list of identifiers. For example, the category codes used by Google, or other customer-categorization information, may not be excluded from the definition of sale, and therefore would still be subject to a consumer’s opt-out request. Simply put: the proposed carve-out may not remove all pieces of information involved in online advertising from the definition of sale.
Senate Bill 753 also narrows the carve-out when it states that objects in the aforementioned list are removed from the definition of sale when they are shared “only to the extent necessary to deliver, show, measure, or otherwise serve or audit a specific advertisement to the consumer” (emphasis added). As with many provisions in the CCPA, the full effect of a clause is only revealed after definition of key terms. Here, necessary is not defined. Does the amendment require the sharing be necessary for the contract? Does it require the sharing fulfill a CCPA-specific interpretation of necessary? Or, does the amendment rely on a definition of necessary from another title of the California Civil Code?
"My stock reaction is that where one comes down on SB 753 depends on whether you think the privacy problems in ad tech are at the core of what the CCPA is intended to solve," said the Center for Democracy and Technology Privacy Counsel Joe Jerome. "Considering some of the law's backers ... have increasingly suggested that the law is intended to be a shot in the arm to do not track, I'd say that's the case and that the bill will face stiff opposition."
Further, said Jerome, the proposal "begs the honest question of whether the goal should be to exempt ad tech or to try to make the industry more responsible. Sen. Stern has argued that this contractual requirement would be a big improvement, but anyone involved in the buying and selling of ads already is bound to any number of contractual requirements, including limitations on use, prohibitions of certain ad types, and like a promise to not re-identify information. So how's that work? If the thinking is really that targeted advertising doesn't pose a privacy problem, let's just call a spade a spade here."
At the same time SB 753 is working its way through the California Legislature, State Assembly Member Buffy Wicks introduced AB 1760 and State Senator Hannah-Beth Jackson introduced SB 561. The bills would expand a consumer’s right to opt out of the sale of information to an obligation for a business to receive opt-in consent from a consumer to share information in any manner, including a sale, remove a business's 30-day right to cure, and provide a consumer private right of action for violation of any provision of the CCPA, not merely for security violations as is currently the case. The Electronic Frontier Foundation, Brave, DuckDuckGo, and ProtonMail are a few of the more than 30 organizations that indicated support for the bill. The competing goals of SB 753 and AB 1760 highlight the competing goals of industry groups and advocacy organizations as the California Legislature debates amendments to the CCPA ahead of its operational date on January 1, 2020.
The implications of SB 753 are not entirely clear. It may provide a significant carve-out for the online advertising industry or it may only remove a portion of the data sharing that comprises the industry from the scope of the CCPA. Industry groups and advocacy organizations are sure to continue to express their opinions on the bill in the coming weeks.