1. California AG publishes CCPA draft rules; sets four public hearings the week of Dec. 2; opt-out button upcoming; impact study required by law floats numbers in billions

The next big step in implementing the California Consumer Privacy Act got underway on Thursday (Oct. 10) when state Attorney General Xavier Becerra posted draft rules about how he will interpret and enforce the law. Public hearings are set for the week of Dec. 2 in Sacramento, Los Angeles, San Francisco and Fresno, with written comments allowed until Dec. 6. 

The text of the rules runs for 24 single-spaced pages. The regulations disclose the attorney general is going to develop a uniform “opt-out button” logo that websites will be required to display as part of their compliance with the law. 

The regulations establish the concept of a “notice of collection” — an online service must post publicly to describe categories of information it seeks, the commercial purpose for collecting it, including the prominent “Do Not Sell My Personal Information” opt-out link as required by the law. 

Key definitions within the draft rules likely to be the subject of comment include:

• The definition the AG is using to define “affirmative action” by a consumer to indicate consent or withdrawal of consent to use data. The regulation reads: “Affirmative authorization means an action that demonstrates the intentional decision by the consumer to opt-in to the sale of personal information.”

• The rules state that “categories of third parties” will mean “types of entities that do not collect personal information directly from consumers, including but not limited to advertising networks, internet service providers, data analytics providers, government entities, operating systems and platforms, social networks, and consumer data resellers.

• “Price or service difference” means (1) any difference in the price or rate charged for any goods or services to any consumer, including through the use of discounts, financial payments, or other benefits or penalties; or (2) any difference in the level or quality of any goods or services offered to any consumer, including denial of goods or services to the consumer. 

As part of the announcement of public hearings, the attorney general also released a 24-page economic-impact study which was required by CCPA to be prepared. It says the CCPA will result in up to $55 billion in initial compliance costs — or about 1.8 percent of California’s gross state product. But in another document it also estimates $12 billion in overall public benefits. It assumes about 75 percent of California businesses will be affected by CCPA. The CCPA will fundamentally change how firms work with personal data,” the cost estimate concludes. “Some industries will be forced to completely revise their business models to incorporate the newly required data protections. The study’s assumptions are under assault by privacy advocates, however. 

OTHER LINKS ABOUT CCPA COSTS:

• Complying With The California Privacy Law Could Cost $55 Billion (Fahmida Y. Rashid, Duo)
• CCPA could cost $16.5 billion over a decade (Ken Silva, Global Data Review)
• Initial CCPA Compliance Costs Could Hit $55 Billion: Study (Scott Ferguson, Bank Info Security)

2. Competition to connect to open-source shared-identity platform emerges as work starts on W3C standard

Efforts to connect to an open standard for transferring users’ personal and interest data across the web are gathering steam a month after the World Wide Web Consortium (W3C) decided to start a two-year process to set the standard in stone. 

The standard would create “Decentralized Identifiers” (DIDs) for the public. BACKGROUND: “Manage your own “identity”? “DIDs” step closer to becoming an official W3C web standard” (Privacy Beat, Sept. 13, Item #4)

So far, here are examples of  three companies working in the area of DIDs, and others likely on the horizon. They are among at least 30 companies listed in the W3C’s method registry working on DIDs.

• Everym Inc., based near Salt Lake City, is adding proprietary services around open-source technology governed by the Sovrin Foundation. “DID documents are standard data files that contain the cryptographic public keys and other metadata needs to initiate trusted interactions with the person, organization, or thing identified by the DID,” explains Evernym’s Alex Andrade-Walz

• The Civil Media Company, a New York-based early-stage company, is working to create a new revenue ecosystem for publishers, including the ability to recognize user interests and credentials across multiple news websites. Following the emerging DID standard is also part of their roadmap, according to technologist Peter Ng.

• Portable Data Corporation (PDC), operating as JLINC Labs, based in Oakland, Calif., is among companies listed in the W3C’s method registry for the DID specification. JLINC technologist Victor Grey says they have code using their own DID specification up and running. “We plan to release an open-source DID client/resolver to register and lookup DIDs on the JLINC ledger very soon,” says Grey.

RELATED LINKS:

• WEBINAR: What are Decentralized Identifiers? (Brent Zundel & Drummond Reed, Evernym Inc.)

3. Brave pressures 28 EU member-state governments on ePrivacy; seeking to outlaw “cookie wall” RTB technology

Alternate web-browser software maker Brave is maintaining pressure on European Union regulators to take a tough stand in favor of robust ePrivacy regulations. An email newsletter sent by Brave’s technology spokesman, Johnny Ryan, carries a text of the letter, signed by the company’s “policy expert” Alan Toner. Ryan says the letter was sent to governments of 28 EU member states.  It also links to a technical submission by Ryan on EU competition issues.

Toner, in the letter dated Oct. 10, writes that Recitals 20 and 21 in Article 8 of the EU ePrivacy rules “will permit ‘cookie walls’ that make pervasive tracking a condition of access to a website.” He says such “cookie walls” — part of Google and Facebook business models — enable the continued use of real-time bidding (RTB) for advertising. 

Ryan says a working group of the EU’s Council of Ministers has removed the prohibition on cookie walls from draft language. 

Brave’s business model is to obtain and infer the interests of users of its browser and then use that information to pick and choose which advertisements to unblock and show to those users when they are on a publisher’s page. The advertiser or network pays Brave and Brave gives a cut to the browser user and the advertiser. The approach upends the current third-party-cookie, ad-tech ecosystem which Brave argues is now — or should be — illegal under EU law. 

“Many companies, including Brave, have developed advertising systems that support publishers with no privacy sacrifice,” Toner writes. “A robust ePrivacy Regulation will spur further innovation, whereas cookie walls would stifle it.”  Toner says cookie walls “would not serve the economic interests of publishers” because RTB is “economically inefficient, rife with fraud, provides the business model of disinformation and ins responsible for the largest data breach ever recorded.”