California’s new privacy chief could push for rules on email-based ad identifiers
As California gears up to write rules to enforce its privacy laws, the process will be led by an ad tracking critic who has spoken out against the email-based identity technologies currently flooding the ad tech market as replacements for cookies.
Ashkan Soltani will lead the agency charged with enforcing California’s updated privacy law, the California Privacy Rights Act. The regulator is preparing to write rules to guide that enforcement, and those rules could address the new forms of identity technologies advertisers and publishers are currently testing.
Soltani criticized email-based identifiers in March while still an independent privacy tech consultant. At the time, he told Digiday identifiers that use emails as the foundation for identifying people online are “more privacy-invasive than even cookies.” He alluded to California’s privacy law, adding that “regulators will not stand for” data transfers from publishers that include emails or even encrypted emails to enable tracking when people have opted-out from it.
“The appointment of Ashkan Soltani by the [California Privacy Protection Agency] heralds granular attention on the ad tech ecosystem,” said Dominique Shelton Leipzig, partner and co-chair of ad tech privacy and data management practice at law firm Perkins Coie. “It seems that [Soltani] will be bringing this perspective to the CPPA,” she added.
Soltani, 46, whose data privacy research has often centered on data tracking related to digital advertising, declined to comment for this story. However, his expertise could add a level of understanding of data use for advertising that’s unique in the halls of government. In addition to helping write both of California’s privacy laws, Soltani served as senior advisor under the White House’s chief technology officer and as chief technologist of the Federal Trade Commission during the Obama administration. More recently, he helped launch Global Privacy Control, a browser-based, Do Not Track-style tool that blocks ad trackers and has been backed by the California Attorney General as compliant with the California Privacy Rights Act, which goes into effect in January 2023.
Headaches for publishers
Publishers are among the top sales targets for companies selling email-based identity tech looking to proliferate their tracking products.
Already, digital publishers face technical hurdles when it comes to implementing the IDs, but privacy concerns and pressure from regulators in California and elsewhere could create additional obstacles that might hold back publishers from using them. One publishing executive who spoke on condition of anonymity told Digiday recently, “As consent has to become more and more explicit — which is probably the direction that we’re going — I think we’re going to see less and less people say ‘yes’ to allowing their email address to actually modify what they’re doing on the web.”
Lawyers advising digital publishers, advertisers and ad tech firms say there’s no controversy regarding whether emails are identifiable information in relation to California’s privacy laws. Indeed, email based IDs, even when emails are hashed to enable encryption for privacy purposes, are considered to be personal information under both the existing California Consumer Privacy Act and the CPRA which will subsume it. According to the laws, a transfer of an email to a third party would be prohibited if people have opted out from sharing or selling their information for purposes such as targeted advertising.
But the devil is in the details when determining whether use of an email-based identifier constitutes data sharing or a data sale in the eyes of enforcers for other purposes.
Because they use emails to recognize people who have asked not to have their data shared, some ad technologies require an email address to actually enable people’s privacy preferences. Right now, for example, publishers are sharing emails and email-based IDs inside so-called clean room data environments, which are set up to ensure data security and user privacy for private marketplace ad deals between select publishers and advertisers. Yet, California’s requirements are not entirely clear when it comes to how publishers can use emails in those clean room settings to prevent targeting of people who have opted out, said Alysa Hutnik, partner and chair of the privacy and security practice at law firm Kelley Drye and Warren.
New rules to come?
“I’ve seen companies working through operationally, ‘How do we suppress [email used as identifiers] from future [data] sales,'” said Hutnik, adding that the technologies companies use to manage people’s privacy choices will need to accommodate a variety of tracking methods including email-based IDs, not cookies alone.
It remains to be seen whether the Soltani-led state agency will devise rules specifically addressing email-based identity trackers. However, as part of its rulemaking process, the agency currently is seeking comments to help inform regulations, asking industry stakeholders for input on issues including the law’s definition for “unique identifier.”
Under the CCPA and CPRA, personal information already includes emails, and unique identifiers are a subset of personal information according to both laws. While the current definition for a “unique identifier” under both laws does not specifically refer to emails or hashed emails, an updated definition or new rule could address the use of these persistent pseudonyms in identity tech more directly.
“It will be really interesting, this rulemaking process” said Hutnik. Applying rules “has an effect on what and how identifiers are used that may be a share or may not be.”
Correction: This story originally incorrectly stated that the current definition for a unique identifier under the CCPA and CPRA does not include email addresses.
How chef influencer Tue Nguyen works with the BuzzFeed Creator Network
BuzzFeed's Creator Network has been valuable from an audience and production education standpoint, but Nguyen still drives most of her business on her own.
Dentsu’s new Web3 readiness tool shines light on the tech’s potential to complement AI
Dentsu's Innovation Initiative is launching a web3 readiness index next month — at a time when the industry is obsessed with AI. Could the two technologies actually make a good pair?
Digiday+ Research deep dive: Publishers large and small put their resources into first-party data
Eighty-two percent of publishers overall say they're already using first-party data to prepare for the end of the third-party cookie, and nearly half are requiring users to register and integrating first-party data segments into DSPs – indicating that first-party data is the clear path forward for publishers heading into the post-cookie world.
SponsoredHow enterprise-grade CDPs are enhancing data processes and improving customer experiences
Produced in partnership with Marketecture The following article highlights an interview between Martin Kihn, Salesforce’s senior vice president of Marketing Cloud, and Ari Paparo, founder and CEO of Marketecture Media. Register to watch more of the discussion and learn how brands are making the most of enterprise-grade CDP technologies. As brands expand across channels and […]
Media Briefing: Why publishers hope chatbots will be the latest retention tool
Publishers hope the chatbots they are developing will be the latest retention tool to keep readers onsite and to get them to consume more content.
How programmatic advertising will evolve this year on the heels of audio growth and privacy changes
Comscore’s programmatic division Proximic released a State of Programmatic study highlighting the growth of audio and podcasting, other digital advertising channels and challenges around third-party data.