Why California’s new consumer privacy law won’t be GDPR 2.0
The consumer privacy law that California’s governor signed into law on June 28 is considered the strongest, most aggressive privacy protection measure in the U.S., according to legal experts.
The new California law, which takes effect on Jan. 1, 2020, will require that companies tell state residents what information the company is collecting and how it’s used. It also gives people options to ask the company to delete or stop selling that information. The law does not prevent companies from collecting people’s information or give people an option to ask a company to stop collecting their information, differentiating it from GDPR.
“The sweeping nature of this bill is really unprecedented in the privacy area, and its impacts are still far from known,” said Dan Jaffe, group evp for government relations at the Association of National Advertisers.
The law contains “broad sweeping definitions of personal information,” said Ron Camhi, managing partner at law firm Michelman & Robinson’s Los Angeles office and chair of its advertising and digital media industry group. That personal information includes standard categories like people’s names, email addresses and Social Security numbers. But it also covers unique personal identifiers: IP addresses; geolocation data; shopping, browsing and search histories; and consumer profiles that are based on inferences from personal information.
The inclusion of unique identifiers — which ad tech firms use to anonymously track people around the web — means that any ad tech firm storing tracking cookies on people’s devices will need to give people an option to ask the company to delete the information collected through those cookies and will also need to ensure that those cookies and any corresponding information aren’t exposed in a data breach, which would make the company subject to a class-action lawsuit.
On the other hand, the law includes a loophole for any personal information that is “de-identified or in the aggregate consumer information,” according to the law. If the personal information can’t be associated with a particular consumer, then it would be de-identified, said Camhi. But it’s not clear whether the types of identifiers that run the online advertising ecosystem are or are not subject to the law, said Mayer.
The law suggests that online tracking cookies and mobile advertising IDs, which are used to collect information about individual devices, may fall under its jurisdiction. However, digital advertising companies may argue that they meet the law’s exemption standard because they aggregate those identifiers into larger, anonymized audience pools.
“All of this is still in flux. But arguably, anonymized information doesn’t allow you to create that [consumer] profile, so that you can’t draw it to [an individual person]. With a cookie situation that’s tied to a device that’s tied to a person, that may not necessarily be the case,” said Donna Wilson, managing partner-elect at Manatt, Phelps & Phillips and chair of the law and consulting firm’s privacy and data security practice.
What’s more clear is that digital advertising companies shouldn’t take comfort that their practices would be exempt from the law. Even if a company claims that it has disassociated the information with an individual person, it will need to ensure that the disassociation cannot be undone and that the data is reconnected to the individual, said Camhi and Wilson.
A week after California’s governor signed the bill into law, many in the advertising industry are still scratching their heads over the possible loophole and defaulting to assuming that there is no loophole because “almost any kind of data connected to some other data is capable of being associated with somebody,” said Jaffe.
Ad tech firm Exponential Interactive buys data from third-party companies to use for ad targeting purposes. “But when we buy it, it is totally aggregated,” said Tim Sleath, the company’s vp of product management and data protection officer. However Exponential Interactive uses cookie IDs to be able to match the aggregated third-party data to its own audience pools in order to target people with ads without accessing the underlying data, such as people’s names or email addresses. That cookie-based matching process likely subjects the ad tech firm to needing to comply with the law, even if it were to somehow remove the cookie-based identifiers from the process.
“If you have a behavioral profile for someone, even if you strip the IP address and cookie ID, that behavioral profile, which I would classify as deidentified, remains personal information under this [law],” said Sleath.
Facebook and Google have already rolled out features required by the law, such privacy settings that categorize the information that the companies collect from people and tools for people to request that information be deleted. The companies claim that they don’t sell people’s information so they don’t need to give people a way to request that the companies stop selling their data. That would help to explain why Facebook COO Sheryl Sandberg said the company supports the California privacy law that has been passed, though the company donated money to the organization opposing a similar ballot initiative.
“For the major online platforms, I think this law will have very little impact,” said Jonathan Mayer, assistant professor of computer science and public affairs at Princeton University and former chief technologist of the Federal Communications Commission.
There remains roughly 18 months until the law takes effect, and since the law was passed by the state legislature instead of by California voters, the details of the law can change before it is enacted. But before the industry can try to get California lawmakers to clarify, if not change, the specifics of the law, it will need to assess the impact of this initial version and identify what changes to request.
“The ANA has more than 2,000 members. We’ve gone out to our members asking how this will impact them. Clearly, we’ve not had time to get that input yet, and people are still trying to figure that out,” said Jaffe.
‘How much do we want to get screwed?’: Confessions of an agency exec on lack of payment due to coronavirus
In the latest edition of our Confessions series, we hear from one agency exec who says that the “times are tough” excuse for late client payments isn’t cutting it anymore.
‘Doubling down’: Inside the 49ers social and digital rush to replace lost in-stadium marketing dollars
Without the ability to deliver ads to the 70,000 fans who attend games in-person, the 49ers have had to pivot to focus on digital and social channels.
Member Exclusive‘Can’t really be ignored’: Marketers and media buyers are finally taking the on-going TikTok saga seriously
Marketers and media buyers have said that as long as people are still on TikTok they’ll want to be there, especially as they try to diversify from Facebook and Google.
SponsoredB2B events were broken before the pandemic, their online reinvention is creating positive change
Kim Darling, executive producer, Inbound Farewell lanyards, business cards and branded pens — it’ll be some time before people get their hands on these souvenirs of in-person events again. As the COVID-19 pandemic continues to transform the way people work, buy, sell, socialize and entertain themselves, the global events industry is facing its biggest-ever challenge. […]
‘Clever about how we rest’: As uncertainties drag into fall, agencies are facing a burnt out and fearful workforce
Agency employees and executives say that a feeling of fatigue due to the on-going uncertainty and the need to be always on has set in.
‘A credible voice’: Why Honda is doubling down on esports
Honda has struck deals with Riot Games, pro esports team Team Liquid and Twitch as it looks to maintain its appeal among first-time car buyers.