1. Facebook appears to be playing hardball on CCPA, leading argument about definition of data “sale” in programmatic advertising

Facebook signaled this week it may play legal hardball over the definition of data “sale” in the new California Consumer Privacy Act (CCPA) — leading the charge for the rest of the ad-tech industry, apparently.  

Facebook has told advertisers that its trackers’ data collection doesn’t constitute “selling” data under CCPA and it therefore doesn’t believe it is required to make changes, according to a report in The Wall Street Journal, “Facebook Won’t Change Web Trackiing in Response to California Privacy Law.”

The key question that California Attorney General Xavier Becerra must decide:  Will his office decide that passing user data as part of the programmatic advertising constitutes “sale” in violation of the law?  Facebook and others say no; the people who wrote CCPA’s initial language say yes. 

“We consider, and think the average consumer would consider, that when information is exchanged across devices and platforms, such that an ad follows the consumer from desktop to phone and from site to site, this constitutes a sale of their personal information from one business to another,” wrote Alastair A. Mactaggert, founder of California’s for Consumer Privacy, in a Nov. 5 letter. The originator of the CCPA language was commenting in a letter to the Interactive Advertising Bureau critical of its ad-tech consent “Framework.” 

The looming effect of CCPA is the top concern of ad-tech companies and their principal spokesman, the Interactive Advertising Bureau. “How do we encourage compliance and at the same time allow the market to function,” Michael Hahn, senior VP and general counsel at the IAB, was quoted Dec. 5 by AdAge’s George P. Siefo, as saying, adding: “Every privacy lawyer is working around the clock right now to make sure compliance is achieved.”

DigiDay’s Tim Peterson queried advertisers and law firms in their backgrounder on how “sale” is being interpreted. Writes Peterson: “The major ambiguity facing companies is how the CCPA’s broad definition of a “sale” of data applies to digital advertising. Under the law, a sale is not simply the exchange of California residents’ personal information for money but for any business value. A publisher passing a device ID to an ad tech firm to fill a programmatic ad impression or an advertiser sharing a list of IP addresses to an agency to plan a targeted ad buy could be considered a sale of data under the law. Or they could not be.”

The WSJ story said that in private conference calls with major advertisers in October, FB said its data collection qualified for the law’s exemption for sending data to “service providers” and didn’t count as a “sale” of data under the law. 

“We’re committed to clearly explaining how our products work, including the fact that we do not sell people’s data,” Facebook said in a Dec. 12  corporate blog post . “”“We encourage advertisers and publishers that use our services to reach their own decisions on how to best comply with the law.”
(RELATED LINK)

UC-Berkeley professor and privacy advocate Chris Hoofnagle, in a tweet, said Facebook’s decision will drive public support for allowing plantiff’s lawyer to sue under a so-called private right of action.”Facebook is one of several companies in the $130 billion U.S. digital-ad industry that maintains that routine data transfers about consumers may not fit the law’s definition of  selling data,” Hoffnagle wrote in his tweet, adding: “The company would never come to this tendentious of a reading of the CCPA if the plaiintiff lawyers could sue.” 

Facebook’s apparently contentious approach extends across the Atlantic, where it is warning EU regulators that forcing FB to open its data troves to competitors would carry privacy and liability risks.  Meanwhile, Hungarian data regulators imposed a 3.6-million Euro fine on Facebook Ireland Ltd. for stating its services are free. 

TRACKING AND TECH

• Apple’s tracking protection — it actually ‘gets’ tracking protection | Thomas Claburn, The Register

• Apple updates Safari tracking protection — with help from Google | John Wilander, Apple 

• Apple’s tracking protection guru (and musician) — John Wilander | Twitter

• BACKGROUND: What is ‘intelligent tracking protection’? | Marciej Zawadzinski, ClearCode

• Apple privacy director Jane Horvath to speak at CES in January | Juli Clover, MacRumors

• Google’s Acquisition of FitBit Raises Data Privacy and Antitrust Concerns | Jay Shuffenhauer, Georgetown Law Technology Review

2. Assessing a Twitter plan to fund development of open-source platform for social media

Twitter CEO Jack Dorsey says its time to open-source a platform for social networking. 

In announcing an intenition to fund the hiring of five people, Dorsey was embracing the idea that social networking has become so pivotal to the Internet that — much like TCP/IP or email or other governed standards and protocols — it shouldn’t be proprietary or centralized.   His idea was questioned by some, however. 

“Twitter was so open early on that may saw its potential to be a decentralized internet standard, like SNTP (email protocol), Dorsey wrote in the opening tweet on Dec. 11. “For a variety of reasons, all reasonable at the time, we took a different path and increasingly centralized Twitter.”  He said new technologies make a decentralized approach more viable. He cites several authorities on this point. 

Wired reported on his idea with the headline: “Jack Dorsey wants  to help you to create your own Twitter.”

“This is about tech companies removing themselves from the community of the web, creating an alternative set of web standadrs, and making it harder for anyone to ever compete in the same way they did,” tweeted Washington Post ad technologist Aram Zucker-Scharff. He implied that Twitter should focus its attention on existing web standards efforts.

3. As California AG views comments on CCPA regs, he signals early enforcement strategy

California’s attorney general is sifting through suggestions and comments about how to enforce the California Consumer Privacy Act (CCPA) starting six months after it takes effect Jan. 1.  Key stakeholders in advertising, tech and privacy policy filed comments by last week’s deadline on draft regulations. And they also stepped forward in a series of four public hearings staged by state regulators. Multiple law firms  (also here and here and here) have been interpreting the draft regulations, released Oct. 10.

For his part, Becerra says he will be guided in early enforcement by whether a company appears to be willing to try to comply with Becerra’s interpretation of the law.

• The Software Alliance — enterprise software companies — asked for three changes in the law to help data service providers. It wants them to be able to aggregate and use information from multiple sources when given consumer permission to do so, to “provide and maintain services.” And it doesn’t want service providers to have to respond to individual consumers’ requests to see data held on them — only from businesses. It issued a news release and full comments. 

• Clarifying the definition of “third party” will have a key effect on the impact of CCPA, the Mozilla Foundation wrote in its comment letter to the attorney general, summarized in a public statement, citing a “crisis” for the Internet requiring clear and meaningful control via CCPA and other measures, including taking care to authenticate users’ data requests. Mozilla’s for-profit subsidiary makes the Mozilla browser.
   
• Some “creative” ad-tech companies may try to circumvent CCPA’s intention to stop use of user data by third parties, Digital Content Next’s CEO Jason Kint wrote in a letter comment to the attorney general. “Unless and only when the consumer intentionally interacts with those services, Google and Facebook should be considered third parties,” Kint wrote, adding: “We are concerned that some third parties may try to implement creative interpretations of the CCPA which would run coutner to the law and consumer expectations.”

INTERPRETING CCPA  

• One question: What is meant by “reasonable security measures”? | Alicia Balardo, McGuireWoods LLP

• “Sensitive info” and other elements of “son-of-CCPA” ballot initiative reviewed | David Kessler, Data Protection Report

• Non-compliant CCPA behavior could imperil M&A deals | Jennifer Post & Luke Sosnicki, Thompson Coburn LLP

• PRIMER: California’s rewriting online privacy: Here’s what you need to know | CalMatters 

• TRAINING: GWU professor offers CCPA training | Daniel Solove, TeachPrivacy.com