California’s new privacy chief could push for rules on email-based ad identifiers

The header image features an open laptop with an envelope on the screen and an alert bubble signaling a new email.

As California gears up to write rules to enforce its privacy laws, the process will be led by an ad tracking critic who has spoken out against the email-based identity technologies currently flooding the ad tech market as replacements for cookies.

Ashkan Soltani will lead the agency charged with enforcing California’s updated privacy law, the California Privacy Rights Act. The regulator is preparing to write rules to guide that enforcement, and those rules could address the new forms of identity technologies advertisers and publishers are currently testing.

The appointment of Ashkan Soltani by the [California Privacy Protection Agency] heralds granular attention on the ad tech ecosystem.
Dominique Shelton Leipzig, partner at law firm Perkins Coie

Soltani criticized email-based identifiers in March while still an independent privacy tech consultant. At the time, he told Digiday identifiers that use emails as the foundation for identifying people online are “more privacy-invasive than even cookies.” He alluded to California’s privacy law, adding that “regulators will not stand for” data transfers from publishers that include emails or even encrypted emails to enable tracking when people have opted-out from it. 

“The appointment of Ashkan Soltani by the [California Privacy Protection Agency] heralds granular attention on the ad tech ecosystem,” said Dominique Shelton Leipzig, partner and co-chair of ad tech privacy and data management practice at law firm Perkins Coie. “It seems that [Soltani] will be bringing this perspective to the CPPA,” she added.

Soltani, 46, whose data privacy research has often centered on data tracking related to digital advertising, declined to comment for this story. However, his expertise could add a level of understanding of data use for advertising that’s unique in the halls of government. In addition to helping write both of California’s privacy laws, Soltani served as senior advisor under the White House’s chief technology officer and as chief technologist of the Federal Trade Commission during the Obama administration. More recently, he helped launch Global Privacy Control, a browser-based, Do Not Track-style tool that blocks ad trackers and has been backed by the California Attorney General as compliant with the California Privacy Rights Act, which goes into effect in January 2023.

Headaches for publishers 

Publishers are among the top sales targets for companies selling email-based identity tech looking to proliferate their tracking products.

Already, digital publishers face technical hurdles when it comes to implementing the IDs, but privacy concerns and pressure from regulators in California and elsewhere could create additional obstacles that might hold back publishers from using them. One publishing executive who spoke on condition of anonymity told Digiday recently, “As consent has to become more and more explicit — which is probably the direction that we’re going — I think we’re going to see less and less people say ‘yes’ to allowing their email address to actually modify what they’re doing on the web.”

Lawyers advising digital publishers, advertisers and ad tech firms say there’s no controversy regarding whether emails are identifiable information in relation to California’s privacy laws. Indeed, email based IDs, even when emails are hashed to enable encryption for privacy purposes, are considered to be personal information under both the existing California Consumer Privacy Act and the CPRA which will subsume it. According to the laws, a transfer of an email to a third party would be prohibited if people have opted out from sharing or selling their information for purposes such as targeted advertising. 

I think we’re going to see less and less people say ‘yes’ to allowing their email address to actually modify what they’re doing on the web.
publishing executive

But the devil is in the details when determining whether use of an email-based identifier constitutes data sharing or a data sale in the eyes of enforcers for other purposes.

Because they use emails to recognize people who have asked not to have their data shared, some ad technologies require an email address to actually enable people’s privacy preferences. Right now, for example, publishers are sharing emails and email-based IDs inside so-called clean room data environments, which are set up to ensure data security and user privacy for private marketplace ad deals between select publishers and advertisers. Yet, California’s requirements are not entirely clear when it comes to how publishers can use emails in those clean room settings to prevent targeting of people who have opted out, said Alysa Hutnik, partner and chair of the privacy and security practice at law firm Kelley Drye and Warren.

New rules to come?

“I’ve seen companies working through operationally, ‘How do we suppress [email used as identifiers] from future [data] sales,'” said Hutnik, adding that the technologies companies use to manage people’s privacy choices will need to accommodate a variety of tracking methods including email-based IDs, not cookies alone.

It remains to be seen whether the Soltani-led state agency will devise rules specifically addressing email-based identity trackers. However, as part of its rulemaking process, the agency currently is seeking comments to help inform regulations, asking industry stakeholders for input on issues including the law’s definition for “unique identifier.” 

Under the CCPA and CPRA, personal information already includes emails, and unique identifiers are a subset of personal information according to both laws. While the current definition for a “unique identifier” under both laws does not specifically refer to emails or hashed emails, an updated definition or new rule could address the use of these persistent pseudonyms in identity tech more directly.

“It will be really interesting, this rulemaking process” said Hutnik. Applying rules “has an effect on what and how identifiers are used that may be a share or may not be.”

Correction: This story originally incorrectly stated that the current definition for a unique identifier under the CCPA and CPRA does not include email addresses.

https://digiday.com/?p=428245

More in Media

Media Briefing: Publishers search for new ways to grow (and authenticate) audiences, overheard at the Digiday Publishing Summit

“[Advertisers] already pay data providers for data. So why not pay the publisher?”

Research Briefing: Publishers’ revenue sources are top of mind at Digiday Publishing Summit

In this week’s Digiday+ Research Briefing, we examine which revenue streams were top of mind for publishers at the Digiday Publishing Summit, how TikTok is getting even more marketing spend from brands and retailers despite facing a potential U.S. ban, and how Disney is rolling out DRAX Direct, a direct integration with the industry’s largest DSPs, as seen in recent data from Digiday+ Research.

How Forbes is testing its SSPs to improve programmatic ad revenue

Forbes has been running tests with its SSPs to improve the ad tech firms’ contributions to the publisher’s revenue.