Why California’s new consumer privacy law won’t be GDPR 2.0
The consumer privacy law that California’s governor signed into law on June 28 is considered the strongest, most aggressive privacy protection measure in the U.S., according to legal experts.
The new California law, which takes effect on Jan. 1, 2020, will require that companies tell state residents what information the company is collecting and how it’s used. It also gives people options to ask the company to delete or stop selling that information. The law does not prevent companies from collecting people’s information or give people an option to ask a company to stop collecting their information, differentiating it from GDPR.
“The sweeping nature of this bill is really unprecedented in the privacy area, and its impacts are still far from known,” said Dan Jaffe, group evp for government relations at the Association of National Advertisers.
The law contains “broad sweeping definitions of personal information,” said Ron Camhi, managing partner at law firm Michelman & Robinson’s Los Angeles office and chair of its advertising and digital media industry group. That personal information includes standard categories like people’s names, email addresses and Social Security numbers. But it also covers unique personal identifiers: IP addresses; geolocation data; shopping, browsing and search histories; and consumer profiles that are based on inferences from personal information.
The inclusion of unique identifiers — which ad tech firms use to anonymously track people around the web — means that any ad tech firm storing tracking cookies on people’s devices will need to give people an option to ask the company to delete the information collected through those cookies and will also need to ensure that those cookies and any corresponding information aren’t exposed in a data breach, which would make the company subject to a class-action lawsuit.
On the other hand, the law includes a loophole for any personal information that is “de-identified or in the aggregate consumer information,” according to the law. If the personal information can’t be associated with a particular consumer, then it would be de-identified, said Camhi. But it’s not clear whether the types of identifiers that run the online advertising ecosystem are or are not subject to the law, said Mayer.
The law suggests that online tracking cookies and mobile advertising IDs, which are used to collect information about individual devices, may fall under its jurisdiction. However, digital advertising companies may argue that they meet the law’s exemption standard because they aggregate those identifiers into larger, anonymized audience pools.
“All of this is still in flux. But arguably, anonymized information doesn’t allow you to create that [consumer] profile, so that you can’t draw it to [an individual person]. With a cookie situation that’s tied to a device that’s tied to a person, that may not necessarily be the case,” said Donna Wilson, managing partner-elect at Manatt, Phelps & Phillips and chair of the law and consulting firm’s privacy and data security practice.
What’s more clear is that digital advertising companies shouldn’t take comfort that their practices would be exempt from the law. Even if a company claims that it has disassociated the information with an individual person, it will need to ensure that the disassociation cannot be undone and that the data is reconnected to the individual, said Camhi and Wilson.
A week after California’s governor signed the bill into law, many in the advertising industry are still scratching their heads over the possible loophole and defaulting to assuming that there is no loophole because “almost any kind of data connected to some other data is capable of being associated with somebody,” said Jaffe.
Ad tech firm Exponential Interactive buys data from third-party companies to use for ad targeting purposes. “But when we buy it, it is totally aggregated,” said Tim Sleath, the company’s vp of product management and data protection officer. However Exponential Interactive uses cookie IDs to be able to match the aggregated third-party data to its own audience pools in order to target people with ads without accessing the underlying data, such as people’s names or email addresses. That cookie-based matching process likely subjects the ad tech firm to needing to comply with the law, even if it were to somehow remove the cookie-based identifiers from the process.
“If you have a behavioral profile for someone, even if you strip the IP address and cookie ID, that behavioral profile, which I would classify as deidentified, remains personal information under this [law],” said Sleath.
Facebook and Google have already rolled out features required by the law, such privacy settings that categorize the information that the companies collect from people and tools for people to request that information be deleted. The companies claim that they don’t sell people’s information so they don’t need to give people a way to request that the companies stop selling their data. That would help to explain why Facebook COO Sheryl Sandberg said the company supports the California privacy law that has been passed, though the company donated money to the organization opposing a similar ballot initiative.
“For the major online platforms, I think this law will have very little impact,” said Jonathan Mayer, assistant professor of computer science and public affairs at Princeton University and former chief technologist of the Federal Communications Commission.
There remains roughly 18 months until the law takes effect, and since the law was passed by the state legislature instead of by California voters, the details of the law can change before it is enacted. But before the industry can try to get California lawmakers to clarify, if not change, the specifics of the law, it will need to assess the impact of this initial version and identify what changes to request.
“The ANA has more than 2,000 members. We’ve gone out to our members asking how this will impact them. Clearly, we’ve not had time to get that input yet, and people are still trying to figure that out,” said Jaffe.
‘Exceeded our marketers readiness’: As e-commerce growth accelerates, Dentsu is adding a new practice to meet the demand
The commerce practice was already in the works but the pandemic and changing consumer behavior due to the pandemic accelerated it.
‘Hooked on the Facebook drug’: Media buyers say smaller brands will return to the platform, but bigger brands will continue to boycott
Large consumer brands aren’t happy with Facebook’s response to the boycott so far and will likely wait until fall to reconsider the boycott.
Nobody in elevators, fewer gag lines: How an agency is remaking its ads to fit the coronavirus era
The process has allowed the full-service agency to enlist its post-production arm to help its clients adjust ads rather than press pause on advertising due to the ad content.
SponsoredAs live sports roar back onto screens, brands capture a social-media lift
By TJ Adeshola, head of U.S. Sports Partnerships at Twitter Live sports are back and sports fans couldn’t be more excited. It’s no surprise that communities across the country are welcoming their teams back with open arms. For many, the return of sports brings a sense of normalcy — 67 percent of U.S. fans see […]
Member Exclusive‘People have to be more aware of bullshitters’: Why there’s a push for more realism in advertising now
In advertising, there’s long-been a “fraud problem” in that the industry has a surplus of poseurs or bullshitters.
Why beverage startup United Sodas is testing out a new out-of-home strategy
Out-of-home advertising has slowly picked back up in recent months. But now DTC brands, who've long favored the sleek subway ads, are finding new ways to target potential customers as pedestrian foot traffic picks up in cities.