PRIVACY BEAT: California AG publishes CCPA draft rules; opt-out button upcoming; impact study required by law floats numbers in billions

Privacy Beat

Your weekly privacy news update.

1. California AG publishes CCPA draft rules; sets four public hearings the week of Dec. 2; opt-out button upcoming; impact study required by law floats numbers in billions

The next big step in implementing the California Consumer Privacy Act got underway on Thursday (Oct. 10) when state Attorney General Xavier Becerra posted draft rules about how he will interpret and enforce the law. Public hearings are set for the week of Dec. 2 in Sacramento, Los Angeles, San Francisco and Fresno, with written comments allowed until Dec. 6. 

The text of the rules runs for 24 single-spaced pages. The regulations disclose the attorney general is going to develop a uniform “opt-out button” logo that websites will be required to display as part of their compliance with the law. 

The regulations establish the concept of a “notice of collection”: a notice an online service must post publicly to describe the categories of information it seeks and the commercial purpose for collecting it, and which must include the prominent “Do Not Sell My Personal Information” opt-out link as required by the law.

Key definitions within the draft rules likely to be the subject of comment include:

  • The definition the AG is using for “affirmative authorization” by a consumer to indicate consent or withdrawal of consent to use data. The regulation reads: “Affirmative authorization means an action that demonstrates the intentional decision by the consumer to opt-in to the sale of personal information.”

  • The rules state that “categories of third parties” will mean “types of entities that do not collect personal information directly from consumers, including but not limited to advertising networks, internet service providers, data analytics providers, government entities, operating systems and platforms, social networks, and consumer data resellers.”

  • “Price or service difference” means (1) any difference in the price or rate charged for any goods or services to any consumer, including through the use of discounts, financial payments, or other benefits or penalties; or (2) any difference in the level or quality of any goods or services offered to any consumer, including denial of goods or services to the consumer. 

As part of the announcement of public hearings, the attorney general also released a 24-page economic-impact study which was required by CCPA to be prepared. It says the CCPA will result in up to $55 billion in initial compliance costs — or about 1.8 percent of California’s gross state product. But in another document it also estimates $12 billion in overall public benefits. It assumes about 75 percent of California businesses will be affected by CCPA. “The CCPA will fundamentally change how firms work with personal data,” the cost estimate concludes. “Some industries will be forced to completely revise their business models to incorporate the newly required data protections.” The study’s assumptions are under assault by privacy advocates, however.



2. Competition to connect to open-source shared-identity platform emerges as work starts on W3C standard

Efforts to connect to an open standard for transferring users’ personal and interest data across the web are gathering steam a month after the World Wide Web Consortium (W3C) decided to start a two-year process to set the standard in stone. 

The standard would create “Decentralized Identifiers” (DIDs) for the public. BACKGROUND: “Manage your own ‘identity’? ‘DIDs’ step closer to becoming an official W3C web standard” (Privacy Beat, Sept. 13, Item #4)

So far, here are examples of three companies working in the area of DIDs, with others likely on the horizon. They are among at least 30 companies listed in the W3C’s method registry working on DIDs.

  • Evernym Inc., based near Salt Lake City, is adding proprietary services around open-source technology governed by the Sovrin Foundation. “DID documents are standard data files that contain the cryptographic public keys and other metadata needed to initiate trusted interactions with the person, organization, or thing identified by the DID,” explains Evernym’s Alex Andrade-Walz.

  • The Civil Media Company, a New York-based early-stage company, is working to create a new revenue ecosystem for publishers, including the ability to recognize user interests and credentials across multiple news websites. Following the emerging DID standard is also part of their roadmap, according to technologist Peter Ng.

  • Portable Data Corporation (PDC), operating as JLINC Labs, based in Oakland, Calif., is among companies listed in the W3C’s method registry for the DID specification. JLINC technologist Victor Grey says they have code using their own DID specification up and running. “We plan to release an open-source DID client/resolver to register and lookup DIDs on the JLINC ledger very soon,” says Grey.


3. Brave pressures 28 EU member-state governments on ePrivacy; seeking to outlaw “cookie wall” RTB technology

Alternative web-browser software maker Brave is maintaining pressure on European Union regulators to take a tough stand in favor of robust ePrivacy regulations. An email newsletter sent by Brave’s technology spokesman, Johnny Ryan, carries the text of a letter signed by the company’s “policy expert” Alan Toner. Ryan says the letter was sent to governments of 28 EU member states. It also links to a technical submission by Ryan on EU competition issues.

Toner, in the letter dated Oct. 10, writes that Recitals 20 and 21 in Article 8 of the EU ePrivacy rules “will permit ‘cookie walls’ that make pervasive tracking a condition of access to a website.” He says such “cookie walls” — part of Google and Facebook business models — enable the continued use of real-time bidding (RTB) for advertising. 

Ryan says a working group of the EU’s Council of Ministers has removed the prohibition on cookie walls from draft language. 

Brave’s business model is to obtain and infer the interests of users of its browser and then use that information to pick and choose which advertisements to unblock and show to those users when they are on a publisher’s page. The advertiser or network pays Brave and Brave gives a cut to the browser user and the advertiser. The approach upends the current third-party-cookie, ad-tech ecosystem which Brave argues is now — or should be — illegal under EU law. 

“Many companies, including Brave, have developed advertising systems that support publishers with no privacy sacrifice,” Toner writes. “A robust ePrivacy Regulation will spur further innovation, whereas cookie walls would stifle it.” Toner says cookie walls “would not serve the economic interests of publishers” because RTB is “economically inefficient, rife with fraud, provides the business model of disinformation and is responsible for the largest data breach ever recorded.”

4. Tech columnist pens deeply linked post assessing the value of data and privacy — but no real conclusion

Facebook earns about $30 a year per user by mining individual digital data, but it may be that trying to quantify the relationship is the wrong approach to assessing privacy, says a respected tech writer in a deeply researched and linked think piece.

The long piece about the value of privacy and consumer data was first posted Sept. 17 on the Medium platform’s “OneZero” digital publication. It’s by veteran tech columnist and journalist Will Oremus, who has also written for Slate, Mother Jones and Grist.

“On one hand, we know people say they want more online privacy,” writes Oremus in the piece, “How Much is Your Privacy Really Worth?” But he continues: “On the other hand, the vast majority of Americans still use free services such as Facebook and Google with business models that revolve around the collection and exploitation of our personal data.”

He calls this the “privacy paradox” and he quotes research which reveals a difference between consumers’ willingness to pay for information (seen as relatively low, like $5/month), and their willingness to accept payment for their data (they want something like $80/month). 

Oremus reaches no firm conclusion in his piece, but it represents a thoughtful compilation of linked research and thought.










The digital advertising industry is changing. Third-party cookies are being rendered obsolete by recent browser updates including Safari’s ITP 2.2/2.3 and Firefox’s v69… As an industry, we are scrambling to find tactical solutions to each new browser update or legal regulation that comes out. Despite the need to address these emerging issues, we must keep our eye on the big issues… Consumers have a right to privacy. They also have a right to know how their data is used and shared and they have a right to determine if they are comfortable with their data being used for advertising. The industry needs to come together to align on governing principles that, at the core, have fundamental protections in place for users’ data across the entire ecosystem.

– Amit Elisha, vice president-product at Outbrain, the web advertising platform that embeds links to sponsored content, in an Oct. 7 post at Digital Content Next, “With the cookie crumbling, the new recipe for data-driven success features consumer trust.”




Copyright © 2019 Information Trust Exchange Governing Association, All rights reserved.
