PRIVACY BEAT: Facebook plays hardball on CCPA, leading argument about definition of data “sale” in programmatic advertising

Privacy Beat

Your weekly privacy news update.

1. Facebook appears to be playing hardball on CCPA, leading argument about definition of data “sale” in programmatic advertising

Facebook signaled this week it may play legal hardball over the definition of data “sale” in the new California Consumer Privacy Act (CCPA) — leading the charge for the rest of the ad-tech industry, apparently.  

Facebook has told advertisers that its trackers’ data collection doesn’t constitute “selling” data under CCPA and it therefore doesn’t believe it is required to make changes, according to a report in The Wall Street Journal, “Facebook Won’t Change Web Trackiing in Response to California Privacy Law.”

The key question that California Attorney General Xavier Becerra must decide:  Will his office decide that passing user data as part of the programmatic advertising constitutes “sale” in violation of the law?  Facebook and others say no; the people who wrote CCPA’s initial language say yes. 

“We consider, and think the average consumer would consider, that when information is exchanged across devices and platforms, such that an ad follows the consumer from desktop to phone and from site to site, this constitutes a sale of their personal information from one business to another,” wrote Alastair A. Mactaggert, founder of California’s for Consumer Privacy, in a Nov. 5 letter. The originator of the CCPA language was commenting in a letter to the Interactive Advertising Bureau critical of its ad-tech consent “Framework.” 

The looming effect of CCPA is the top concern of ad-tech companies and their principal spokesman, the Interactive Advertising Bureau. “How do we encourage compliance and at the same time allow the market to function,” Michael Hahn, senior VP and general counsel at the IAB, was quoted Dec. 5 by AdAge’s George P. Siefo, as saying, adding: “Every privacy lawyer is working around the clock right now to make sure compliance is achieved.”

DigiDay’s Tim Peterson queried advertisers and law firms in their backgrounder on how “sale” is being interpreted. Writes Peterson: “The major ambiguity facing companies is how the CCPA’s broad definition of a “sale” of data applies to digital advertising. Under the law, a sale is not simply the exchange of California residents’ personal information for money but for any business value. A publisher passing a device ID to an ad tech firm to fill a programmatic ad impression or an advertiser sharing a list of IP addresses to an agency to plan a targeted ad buy could be considered a sale of data under the law. Or they could not be.”

The WSJ story said that in private conference calls with major advertisers in October, FB said its data collection qualified for the law’s exemption for sending data to “service providers” and didn’t count as a “sale” of data under the law. 

“We’re committed to clearly explaining how our products work, including the fact that we do not sell people’s data,” Facebook said in a Dec. 12  corporate blog post . “”“We encourage advertisers and publishers that use our services to reach their own decisions on how to best comply with the law.”
(RELATED LINK)

UC-Berkeley professor and privacy advocate Chris Hoofnagle, in a tweet, said Facebook’s decision will drive public support for allowing plantiff’s lawyer to sue under a so-called private right of action.”Facebook is one of several companies in the $130 billion U.S. digital-ad industry that maintains that routine data transfers about consumers may not fit the law’s definition of  selling data,” Hoffnagle wrote in his tweet, adding: “The company would never come to this tendentious of a reading of the CCPA if the plaiintiff lawyers could sue.” 

Facebook’s apparently contentious approach extends across the Atlantic, where it is warning EU regulators that forcing FB to open its data troves to competitors would carry privacy and liability risks.  Meanwhile, Hungarian data regulators imposed a 3.6-million Euro fine on Facebook Ireland Ltd. for stating its services are free. 

TRACKING AND TECH

Does your organization need customized privacy compliance solutions? ITEGA  can help.

We bring together support you need to approach compliance with CCPA, GDPR if needed, and future privacy legislation as it emerges.

Learn More

2. Assessing a Twitter plan to fund development of open-source platform for social media

Twitter CEO Jack Dorsey says its time to open-source a platform for social networking. 

In announcing an intenition to fund the hiring of five people, Dorsey was embracing the idea that social networking has become so pivotal to the Internet that — much like TCP/IP or email or other governed standards and protocols — it shouldn’t be proprietary or centralized.   His idea was questioned by some, however. 

“Twitter was so open early on that may saw its potential to be a decentralized internet standard, like SNTP (email protocol), Dorsey wrote in the opening tweet on Dec. 11. “For a variety of reasons, all reasonable at the time, we took a different path and increasingly centralized Twitter.”  He said new technologies make a decentralized approach more viable. He cites several authorities on this point. 

Wired reported on his idea with the headline: “Jack Dorsey wants  to help you to create your own Twitter.”

“This is about tech companies removing themselves from the community of the web, creating an alternative set of web standadrs, and making it harder for anyone to ever compete in the same way they did,” tweeted Washington Post ad technologist Aram Zucker-Scharff. He implied that Twitter should focus its attention on existing web standards efforts.

3. As California AG views comments on CCPA regs, he signals early enforcement strategy

California’s attorney general is sifting through suggestions and comments about how to enforce the California Consumer Privacy Act (CCPA) starting six months after it takes effect Jan. 1.  Key stakeholders in advertising, tech and privacy policy filed comments by last week’s deadline on draft regulations. And they also stepped forward in a series of four public hearings staged by state regulators. Multiple law firms  (also here and here and here) have been interpreting the draft regulations, released Oct. 10.

For his part, Becerra says he will be guided in early enforcement by whether a company appears to be willing to try to comply with Becerra’s interpretation of the law.

  • The Software Alliance — enterprise software companies — asked for three changes in the law to help data service providers. It wants them to be able to aggregate and use information from multiple sources when given consumer permission to do so, to “provide and maintain services.” And it doesn’t want service providers to have to respond to individual consumers’ requests to see data held on them — only from businesses. It issued a news release and full comments. 

  • Clarifying the definition of “third party” will have a key effect on the impact of CCPA, the Mozilla Foundation wrote in its comment letter to the attorney general, summarized in a public statement, citing a “crisis” for the Internet requiring clear and meaningful control via CCPA and other measures, including taking care to authenticate users’ data requests. Mozilla’s for-profit subsidiary makes the Mozilla browser.
     
  • Some “creative” ad-tech companies may try to circumvent CCPA’s intention to stop use of user data by third parties, Digital Content Next’s CEO Jason Kint wrote in a letter comment to the attorney general. “Unless and only when the consumer intentionally interacts with those services, Google and Facebook should be considered third parties,” Kint wrote, adding: “We are concerned that some third parties may try to implement creative interpretations of the CCPA which would run coutner to the law and consumer expectations.”

INTERPRETING CCPA  

4. Google, AOL ad-tech pioneer: Content compensation,  identity-based consent must replace third-party cookies

Without third-party cookies, media owners must find another way to provide relevant ad experiences, analytics and reports — a durable alternative as browsers increasingly refuse to allow cookies to do cross-site tracking, says Ben Barokas, a former Google and AOL executive and ad-tech pioneer. 

Barokas, (BIO) who now heads the Sourcepoint consultancy and venture-investment firm, says he is focusing on “content compensation” as the next evolution of the Internet. He sets out his thesis in a Dec. 12 op-end at ClickZ, “Cookies, consent and user experience — the great disconnect.” 

“Proliferating global data privacy regulations and the recent technology updates from the likes of Apple, Firefox and Google — that remove the utility of cookies — represent a fundamental shift in the way the internet works,” Barokas writes, adding: “At a time when media owners are struggling to find innovative ways to monetize their content, an identity-based consent strategy creates new opportunities to generate revenue, based on user identity and consent preferences.”

MORE RELATED TO IDENTITY:

5. A German report flags Amazon on privacy; urges no state pre-emption and forming a new U.S. data agency

Compared to Europe, U.S. consumers are poorly protected from privacy violations, a new study backed by a German foundation concludes. 

“In the US, the findings show that a baseline federal data protection and privacy law should be established that does not pre-empt (webinar link below) stronger state law and protections and that creates an independent data protection agency,” says the report by the Heinrich-Bill-Stiftung Brussels European Union in collaboration with the Trans Atlantic Consumer Dialogue. 

The 40-page report is called “Privacy in the EU and US: Consumer experiences across three global platforms”,  The researchers studied the Amazon, Netflix and Spotify platforms. They found that while Netflix and Spotify (GDPR investigation) were tending to extend privacy disclosures globally, Amazon was not disclosing tracking to U.S. shoppers, the report asserts.  

“Amazon treats U.S. users differently in terms of rights to access . . . each service appears to allow third-party tracking by default on their websites, with Amazon being the most and Netflix being the least intrusive of the three,” says an extract of the report.. “This results in tracking of user behaviour and targeted ads.”

MORE ON POLICY

Like what you see? Then recommend to a friend.

Subscribe to Privacy Beat

QUOTE OF THE WEEK

Personal data has long been the fuel that fires marketing at every stage of the customer journey, and the drive to find new forms of fuel and devise new ways to leverage them seems to be boundless,” said Charles Golvin, senior director analyst in the Gartner for Marketers practice. “However, this quest has failed to meet marketers’ ambitions and, in some cases, has backfired, as consumers both directly and indirectly reject brands’ overtures.

– Charles Golvin, senior director analyst in the Gartner for Marketers practice, in a Dec. 2 report on personalization.

AD TECH 

GLOBAL REGULATION

PERSONAL PRIVACY | FACIAL RECOGNITION

GETTING READY 

OTHER LINKS OF THE WEEK 

Share Share

Tweet Tweet

Share Share

Forward Forward

Facebook

Twitter

Website

Copyright © 2019 Information Trust Exchange Governing Association, All rights reserved.

Want to change how you receive these emails?
You can update your preferences or unsubscribe from this list.

Email Marketing Powered by Mailchimp