California’s new privacy chief could push for rules on email-based ad identifiers
As California gears up to write rules to enforce its privacy laws, the process will be led by an ad tracking critic who has spoken out against the email-based identity technologies currently flooding the ad tech market as replacements for cookies.
Ashkan Soltani will lead the agency charged with enforcing California’s updated privacy law, the California Privacy Rights Act. The regulator is preparing to write rules to guide that enforcement, and those rules could address the new forms of identity technologies advertisers and publishers are currently testing.
Soltani criticized email-based identifiers in March while still an independent privacy tech consultant. At the time, he told Digiday identifiers that use emails as the foundation for identifying people online are “more privacy-invasive than even cookies.” He alluded to California’s privacy law, adding that “regulators will not stand for” data transfers from publishers that include emails or even encrypted emails to enable tracking when people have opted-out from it.
“The appointment of Ashkan Soltani by the [California Privacy Protection Agency] heralds granular attention on the ad tech ecosystem,” said Dominique Shelton Leipzig, partner and co-chair of ad tech privacy and data management practice at law firm Perkins Coie. “It seems that [Soltani] will be bringing this perspective to the CPPA,” she added.
Soltani, 46, whose data privacy research has often centered on data tracking related to digital advertising, declined to comment for this story. However, his expertise could add a level of understanding of data use for advertising that’s unique in the halls of government. In addition to helping write both of California’s privacy laws, Soltani served as senior advisor under the White House’s chief technology officer and as chief technologist of the Federal Trade Commission during the Obama administration. More recently, he helped launch Global Privacy Control, a browser-based, Do Not Track-style tool that blocks ad trackers and has been backed by the California Attorney General as compliant with the California Privacy Rights Act, which goes into effect in January 2023.
Headaches for publishers
Publishers are among the top sales targets for companies selling email-based identity tech looking to proliferate their tracking products.
Already, digital publishers face technical hurdles when it comes to implementing the IDs, but privacy concerns and pressure from regulators in California and elsewhere could create additional obstacles that might hold back publishers from using them. One publishing executive who spoke on condition of anonymity told Digiday recently, “As consent has to become more and more explicit — which is probably the direction that we’re going — I think we’re going to see less and less people say ‘yes’ to allowing their email address to actually modify what they’re doing on the web.”
Lawyers advising digital publishers, advertisers and ad tech firms say there’s no controversy regarding whether emails are identifiable information in relation to California’s privacy laws. Indeed, email based IDs, even when emails are hashed to enable encryption for privacy purposes, are considered to be personal information under both the existing California Consumer Privacy Act and the CPRA which will subsume it. According to the laws, a transfer of an email to a third party would be prohibited if people have opted out from sharing or selling their information for purposes such as targeted advertising.
But the devil is in the details when determining whether use of an email-based identifier constitutes data sharing or a data sale in the eyes of enforcers for other purposes.
Because they use emails to recognize people who have asked not to have their data shared, some ad technologies require an email address to actually enable people’s privacy preferences. Right now, for example, publishers are sharing emails and email-based IDs inside so-called clean room data environments, which are set up to ensure data security and user privacy for private marketplace ad deals between select publishers and advertisers. Yet, California’s requirements are not entirely clear when it comes to how publishers can use emails in those clean room settings to prevent targeting of people who have opted out, said Alysa Hutnik, partner and chair of the privacy and security practice at law firm Kelley Drye and Warren.
New rules to come?
“I’ve seen companies working through operationally, ‘How do we suppress [email used as identifiers] from future [data] sales,'” said Hutnik, adding that the technologies companies use to manage people’s privacy choices will need to accommodate a variety of tracking methods including email-based IDs, not cookies alone.
It remains to be seen whether the Soltani-led state agency will devise rules specifically addressing email-based identity trackers. However, as part of its rulemaking process, the agency currently is seeking comments to help inform regulations, asking industry stakeholders for input on issues including the law’s definition for “unique identifier.”
Under the CCPA and CPRA, personal information already includes emails, and unique identifiers are a subset of personal information according to both laws. While the current definition for a “unique identifier” under both laws does not specifically refer to emails or hashed emails, an updated definition or new rule could address the use of these persistent pseudonyms in identity tech more directly.
“It will be really interesting, this rulemaking process” said Hutnik. Applying rules “has an effect on what and how identifiers are used that may be a share or may not be.”
Correction: This story originally incorrectly stated that the current definition for a unique identifier under the CCPA and CPRA does not include email addresses.
How The Newsette’s founder built a $40M media company in 2021
Daniella Pierson diversified her newsletter business by building a creative agency to better serve the media company's advertising clients.
‘Inaccurate and inflammatory’: Google moves to have Texas AG-led antitrust case dismissed
Google has rebuked charges that it compels publishers to use its ad server, manipulates ad auctions and colluded with Facebook as it moves to have antitrust charges dismissed.
Publishers use subscriber-only events to sweeten subscription pitches
The Washington Post and The Information's events exclusively created for subscribers can add more value to paying readers.
SponsoredHow the relationship between live events and mobile devices is evolving in 2022
Sponsored by AdColony The pandemic has accelerated changes in the way people consume content — and live events are part of that transformation. For advertisers, the questions are the kind on which campaign success depends: In what ways (and numbers) have people returned to watching sports, e-sports and events such as the Grammys? Are they […]
‘Still understanding that behavior’: What BuzzFeed learned from a year of livestream shopping
BuzzFeed's shoppable live streams were watched for more than 1 million minutes in 2021.
Member ExclusiveMedia Buying Briefing: As independents set bullish goals for 2022, they grow their consultative powers
Many independent agencies enter 2022 extremely optimistic because they just closed the books on a banner '21. Will they be able to keep it up?