California’s privacy law will force publishers to be more upfront about subscriber data sales

When California’s privacy law takes effect in January 2020, companies that sell people’s personal information will need to feature a “Do Not Sell My Personal Information” link on their websites’ home pages and to let people opt out of their information’s sale through the site. Since the law applies to any company that makes more than $25 million a year in gross revenue or that buys, sells or shares the personal information of at least 50,000 people or devices, it will likely concern many of the major publishers that sell their subscribers’ data. That will force a change for publishers that typically disclose their data sales practices within their privacy policies and compel people to make their opt-out requests through the mail or email.

Publishers including The New York Times, Meredith and Condé Nast state in their privacy policies that they sell or rent their subscribers’ information to other companies for those companies’ own marketing purposes; the California privacy law considers renting to be the same as selling. Those companies do not explicitly disclose that practice on their online subscription sign-up forms; instead they link to their privacy policies. (Of those three publishers, only Meredith lets people opt out through an online form; The New York Times and Condé Nast require people to submit their opt-out requests through the mail or email.)

A spokesperson for The New York Times said the company is reviewing potential changes it may make to comply with the California privacy law. A Condé Nast spokesperson declined to comment and a Meredith spokesperson did not respond to a request for comment by press time.

“In the same way that GDPR necessitated that data controllers be more explicit about their collection consent policies, media that are actively reselling first party subscriber data should consider a similar approach. Giving consumers a direct means to understand where their data has been sold and request stoppage is one thing, but the more proactive step is to be more transparent at the point of purchase rather than requiring users to do the heavy lifting to seek this out,” said Jed Williams, chief innovation officer at the Local Media Association.

California’s privacy law isn’t the first law in the U.S. or even California to affect publishers’ data-selling businesses. A law passed in California in 2003 called the “Shine The Light” law gave people a way to request what information companies share for direct marketing purposes and with whom, though it exempted companies that provide an opt-out option in their privacy policies. And a 20-year-old Michigan law, the Video Rental Privacy Act, restricts certain companies including magazine publishers from selling subscribers’ information without consent or without providing notice.

Within the past month, both Hearst and Time Inc. (now owned by Meredith) have agreed to settle multimillion-dollar class-action lawsuits that alleged the publishers violated the law by selling the personal information, such as names and mailing addresses, of Michigan residents who subscribed to the companies’ respective magazines. Hearst and Time Inc. are only the latest publishers to agree to settle lawsuits for allegedly violating the Michigan law. In 2016 Rodale (now owned by Hearst) reached a similar agreement. Conde Nast has also been hit with a lawsuit for allegedly violating the Michigan law; that litigation is ongoing.

A Hearst spokesperson did not respond to a request for comment on whether the publisher sells its subscriber data and what changes the company may make to comply with the California law. According to Hearst’s privacy policy, the company “may provide” people’s contact information to outside companies for their own marketing purposes, but the company does not state what it receives in return for providing that information. According to the California law, if a company receives “monetary or other valuable consideration” for providing another company with its data, that qualifies as selling that data.

However there may be a loophole in the California law for publishers that only sell people’s names and mailing addresses, though taking advantage of that loophole would require jumping through some hoops.

“The interesting thing about the California law is it exempts data that’s already out in the public domain,” said Debbie Reynolds, data privacy officer and director of eDiscovery at law firm Eimer Stahl. For example, if a person posts something about their birthdate as a public post on Facebook or Twitter, “in theory companies could argue that really isn’t private information because it’s publicly available someplace else,” she said.

If California’s attorney general, who is charged with enforcing the state’s privacy law, upholds that theoretical interpretation, then publishers selling California subscribers’ names and mailing addresses may be able to skirt around the law if those names and addresses are found in public records. According to Reynolds, if a person has purchased a home or donated to a political campaign, their name and address are likely to be in the public domain. Of course publishers would have to take pains to ensure that they only sell the names and addresses of subscribers whose information is in the public domain, and even then they would be in uncertain territory.

“There isn’t a precedent because there was never a law related to it,” said Reynolds. She added, “No one up to this point in the U.S. has argued that someone’s address is private information.”