Why California’s new consumer privacy law won’t be GDPR 2.0
The consumer privacy law that California’s governor signed into law on June 28 is considered the strongest, most aggressive privacy protection measure in the U.S., according to legal experts.
The new California law, which takes effect on Jan. 1, 2020, will require that companies tell state residents what information the company is collecting and how it’s used. It also gives people options to ask the company to delete or stop selling that information. The law does not prevent companies from collecting people’s information or give people an option to ask a company to stop collecting their information, differentiating it from GDPR.
“The sweeping nature of this bill is really unprecedented in the privacy area, and its impacts are still far from known,” said Dan Jaffe, group evp for government relations at the Association of National Advertisers.
The law contains “broad sweeping definitions of personal information,” said Ron Camhi, managing partner at law firm Michelman & Robinson’s Los Angeles office and chair of its advertising and digital media industry group. That personal information includes standard categories like people’s names, email addresses and Social Security numbers. But it also covers unique personal identifiers: IP addresses; geolocation data; shopping, browsing and search histories; and consumer profiles that are based on inferences from personal information.
The inclusion of unique identifiers — which ad tech firms use to anonymously track people around the web — means that any ad tech firm storing tracking cookies on people’s devices will need to give people an option to ask the company to delete the information collected through those cookies and will also need to ensure that those cookies and any corresponding information aren’t exposed in a data breach, which would make the company subject to a class-action lawsuit.
On the other hand, the law includes a loophole for any personal information that is “de-identified or in the aggregate consumer information,” according to the law. If the personal information can’t be associated with a particular consumer, then it would be de-identified, said Camhi. But it’s not clear whether the types of identifiers that run the online advertising ecosystem are or are not subject to the law, said Mayer.
The law suggests that online tracking cookies and mobile advertising IDs, which are used to collect information about individual devices, may fall under its jurisdiction. However, digital advertising companies may argue that they meet the law’s exemption standard because they aggregate those identifiers into larger, anonymized audience pools.
“All of this is still in flux. But arguably, anonymized information doesn’t allow you to create that [consumer] profile, so that you can’t draw it to [an individual person]. With a cookie situation that’s tied to a device that’s tied to a person, that may not necessarily be the case,” said Donna Wilson, managing partner-elect at Manatt, Phelps & Phillips and chair of the law and consulting firm’s privacy and data security practice.
What’s more clear is that digital advertising companies shouldn’t take comfort that their practices would be exempt from the law. Even if a company claims that it has disassociated the information with an individual person, it will need to ensure that the disassociation cannot be undone and that the data is reconnected to the individual, said Camhi and Wilson.
A week after California’s governor signed the bill into law, many in the advertising industry are still scratching their heads over the possible loophole and defaulting to assuming that there is no loophole because “almost any kind of data connected to some other data is capable of being associated with somebody,” said Jaffe.
Ad tech firm Exponential Interactive buys data from third-party companies to use for ad targeting purposes. “But when we buy it, it is totally aggregated,” said Tim Sleath, the company’s vp of product management and data protection officer. However Exponential Interactive uses cookie IDs to be able to match the aggregated third-party data to its own audience pools in order to target people with ads without accessing the underlying data, such as people’s names or email addresses. That cookie-based matching process likely subjects the ad tech firm to needing to comply with the law, even if it were to somehow remove the cookie-based identifiers from the process.
“If you have a behavioral profile for someone, even if you strip the IP address and cookie ID, that behavioral profile, which I would classify as deidentified, remains personal information under this [law],” said Sleath.
Facebook and Google have already rolled out features required by the law, such privacy settings that categorize the information that the companies collect from people and tools for people to request that information be deleted. The companies claim that they don’t sell people’s information so they don’t need to give people a way to request that the companies stop selling their data. That would help to explain why Facebook COO Sheryl Sandberg said the company supports the California privacy law that has been passed, though the company donated money to the organization opposing a similar ballot initiative.
“For the major online platforms, I think this law will have very little impact,” said Jonathan Mayer, assistant professor of computer science and public affairs at Princeton University and former chief technologist of the Federal Communications Commission.
There remains roughly 18 months until the law takes effect, and since the law was passed by the state legislature instead of by California voters, the details of the law can change before it is enacted. But before the industry can try to get California lawmakers to clarify, if not change, the specifics of the law, it will need to assess the impact of this initial version and identify what changes to request.
“The ANA has more than 2,000 members. We’ve gone out to our members asking how this will impact them. Clearly, we’ve not had time to get that input yet, and people are still trying to figure that out,” said Jaffe.
How Roblox is paving the way for a new era of branded gaming
Roblox is still in its infancy as a marketing tool. But over the last two years, the number of brands and retailers on Roblox has grown dramatically.
‘Email has become so cluttered’: Why DTC brands plan to use texting for Black Friday and Cyber Monday this year
With Black Friday and Cyber Monday nearing, text messaging is becoming a more common marketing channel for direct-to-consumer brands.
‘There’s more opportunity’: Publishers on TikTok are taking branded content into their own hands
As their audiences on the social app have grown, a flurry of publishers have turned to developing branded content campaigns to explore new commercial opportunities.
SponsoredPublishers will lead the charge as cookie-less advertising becomes the norm
Steve Wing, managing director, EMEA, Magnite As the advertising industry moves closer to a cookieless world — one in which browserless environments including connected TV (CTV) and mobile in-app are an increasingly large part of ad budgets — publishers will have an increasingly important role in developing the future of identity. Segment creation and identity […]
Member Exclusive‘A more hopeful future’: As the coronavirus surges, advertisers aren’t pressing pause
Spending has remained consistent, according to media buyers, who say that advertisers are more prepared this time around.
‘Time to test multiple offers’: Why Black Friday and Cyber Monday advertising is coming earlier than ever this year
The accelerated shift of consumer shopping to e-commerce and the expected surge of online holiday retail, has led to earlier Black Friday and Cyber Monday advertising.