PRIVACY BEAT: Week One of CCPA — Latest Developments

Privacy Beat

Your weekly privacy news update.

1. Is Facebook frustrating EU research partners with vague data related to privacy and elections? Public statement sheds light

Philanthropic funders of a Europe-based data-privacy research effort have begun to withdraw support and the researchers have gone public with a statement implying Facebook has continuously delayed for more than 18 months release of aggregate URL data on privacy and politics which it had promised, the researchers say.

“The current situation is untenable,” says a statement posted in December and signed by 10 participants in the Social Science One initiative which is studying the effect of social media on democracies and elections. “Heated public and political discussions are waged over the role and responsibilities of platforms in today’s societies and yet researchers cannot make fully informed contributions to these discussions. We are mostly left in the dark, lacking appropriate data to assess potential risks and benefits. This is not an acceptable situation for scientific knowledge. It is not an acceptable situation for our societies.”

The statement credits Facebook with being the first platform to explore an academic partnership model, but asserts Facebook is not yet providing a promised URLs dataset, or access to Facebook APIs. “Delays in these matters can no longer be tolerated,” the statement says. 

Signers of the post include researchers on the European Advisory Committee of Social Science One, along with academicians at George Washington University, Harvard University and Stanford University.

Does your organization need customized privacy compliance solutions? ITEGA  can help.

We bring together support you need to approach compliance with CCPA, GDPR if needed, and future privacy legislation as it emerges.

Learn More


As the CCPA took effect this week, there were these developments:

  • The office of California Attorney General Xavier Becerra developed and made public a three-page fact-sheet about the law aimed at consumers.

  • A GitHub contributor created an alphabetical list of “opt-out” links consumers can use and invited contributions to expand it. The list is at: 

  • One Twitter user posted screen captures which appeared to show Facebook was giving its users an either-or option — allow the company to retain personal data, or delete your entire Facebook account. 

Political compromise in Sacramento means CCPA doesn’t go far enough, says co-author now working in DC; implementation forces visiting dozens of sites; what is Facebook doing?

The CCPA doesn’t go far enough, says Mary Stone Ross, one of three principal authors of the original proposal that was amended into law in 2018. She now works for the Electronic Privacy Information Center (EPIC) in Washington D.C. “Regulation must shine a light on what data is collected and grant consumers control over its use and remedies for its misuse,” she writes in a opinion piece on

The CCPA co-author, Stone Ross, says that removed from CCPA in a political compromise was a provision allowing to directly sue, rather than leaving enforcement up to the California attorney general’s office alone.  And the law watered down language which prohibited companies from charging more or providing less service to people who “opt-out” of sharing their personal data.

“Although the legislative deal was struck in good faith, industry has relentlessly lobbied for legislation that will fundamentally undermine the CCPA, while simultaneously attempting to preempt it with equally aggressive lobbying campaigns in Washington,” Stone Ross writes, adding: “Weakened enforcement is one of the most egregious mistakes that was made in the legislative compromise in California.”

Increasingly, privacy advocates feel the idea of “notice and consent” which undergirds both the CCPA and the EU’s General Data Protection Regulation (GDPR) will be circumvented by companies. They are looking to Washington, D.C., and to a new California ballot initiative to instead make specific uses of data presumptively illegal without consumer permission.

In the meantime, the CCPA  is “more of a right to request and hope for deletion,” says Joseph Jerome, a policy director at privacy group Common Sense Media/Kids Action.

Another challenge for consumers under the CCPA is the sheer logistics of going to potentially hundreds of individual web sites to express privacy preferences and “opt-out” of their use of personal data.  Instead, new law could require that all data acquirers be forced to respect “do not track” (DNT) flags set within the user’s web browser or application no matter where the consumer is visiting.

“If you need a case study in why @AGBecerra needs to make certain DNT universal opt-out signals are clearly honored by all parties and Google/Facebook need to stop tracking across websites under CCPA, take a look at LA Times roll-out today,” tweeted Jason Kint, head of Digital Content Next, the trade association of large, legacy digital publishers. He added in another tweet: “All eyes now on the California Attorney General office as Facebook plays chicken.”  

Kint, the publishing-industry representative, says the current approach to CCPA compliance “makes it easiest to opt out of individual sites you visit and trust and near impossible to opt out of hundreds/thousands of trackers you have no idea exist and actually track you across the web…it mostly hurts $ of sites who make it easiest to opt out.”

Former ad-agency executive turned privacy champion “Doc” Searls tweeted that tracking-based advertising “should be opt-in, not opt-out” and that browser software should be equipped for that purpose.



Unlike LA Times, Mozilla joins Microsoft in extending CCPA protection globally to all browser users  

Mozilla, the nonprofit maker of the Firefox browser, reported in a Dec. 31 corporate blog post that it is extending new settings and privacy rights to all of its browser users globally, regardless of where they live.  This approach is similar to that announced by Microsoft and Amazon, but in contrasts to sites such as the Los Angeles Times, which depend heavily upon advertising revenues.

“Much of what the CCPA requires companies to do moving forward is in line with how Firefox already operates and handles data,” says the Mozilla policy blog post. “Changes we are making in the browser will apply to every Firefox user, not just those in California.” 

Mozilla allows browser users to create a profile for storing links and personal preferences.  It also gathers what it calls “telemetry data” about open tabs and session times. Now, Mozilla said, it will allow users to demand deletion of telemetry data, even though CCPA does not define such data as “personal data.”

The LA Times “notice of opt out” lists five different websites a user “must utilize” to opt out of the paper’s personal data tracking, and adds: “Your choices for this browser do not apply to our mobile app” and “if we reasonably believe that you are not a California resident, you may not exercise these rights.”

Most U.S. companies not ready for CCPA, Gizmodo wrapup story quotes security researcher as saying; ambiguity over “sale” flummoxes advertisers, others

In the first week under the California Consumer Privacy Act (CCPA), there are challenges around implementation and meaning.

“Most U.S. companies are far from CCPA ready,” Altaz Valani, director of research at the software security company Security Compass, told Gizmodo in an email. “U.S. companies with operations in the EU that have proactively made changes to their privacy practices when the GDPR [Europe’s General Data Protection Regulation] came into effect are ahead of the compliance curve, but the majority of companies are still in preparation-mode [and] are not expected to be compliant by the January 1, 2020 deadline.”

“The law has created an enormous challenge for the [advertising] industry as well as others that are information-based industries,” Michael Hahn, senior vice-president of the Interactive Advertising Bureau (IAB), told The Financial Times. “There’s no issue that has posed more of a problem to lawyers in the privacy and ad tech space than what does the definition of ‘sale’ mean in a digital advertising context.”

The “sale” has left companies like Facebook able to argue they do not “sell” consumer personal information, even though the company makes money selling advertising targeted based on that data. The question seems destined to end up in court once CCPA enforcement begins June 1.

Mozilla’s Don Marti, appeared to spend part of Jan. 1 testing implementations of CCPA.  He credited big consumer-data aggregator Experian with a “very slick” interface, tweeting: “I was able to opt out of having my personal info used for #surveillance #marketing without affecting the credit-reporting side.” Marti also created a generic opt-out request letter that he then posted for anyone to use. “Don’t know how well it works because I just started sending them today,” he added.

Over at Oracle, Marti noted the company had split its databases of user data into multiple pieces, require an individual opt-out submission at each one.  “Were in #CCPA does it say that you’re allowed to shard your database of people’s personal info and make people opt out of every shard individually?” Marti tweeted.

Axios’ Kia Kokalitcheva’s piece on the first day of CCPA includes links to pages at Google, Facebook, Apple and Amazon that show what information they gather. She also includes links to a typical hospital privacy implementation, the financial-service firm Intuit and the car-maker Tesla. She also links back to an April Axios story, “What the internet knows about you,” explaining how to opt out of data-gathering by a variety of Internet people-search services.



Above from:






Above linked from:



Like what you see? Then recommend to a friend.

Subscribe to Privacy Beat


Forcing market competition can spur race-to-top on data protection

“There is strong evidence that highly competitive markets — which are lacking in the digital space — provides for competition between business models and a race-to-the-top on data protection standards…However, this is hampered by the lack of competition in markets for social media, ecommerce and search. Interoperability, where a customer could communicate freely between platforms — as emails can be exchanged irrespective of the email service provider — is another solution under discussion in competition circles. Or certain data processing by the dominant company could be simply prohibited as uncompetitive and incompatible with data protection rules…More than ever, there is a need to illuminate new paths for rewarding more sustainable business models that do not rely on the ubiquitous and constant tracking of human behaviour and relationships, a practice which has already damaged trust in digital services…Perhaps the more urgent need is to share ideas, instead of rushing to share people’s data.”

European Data Protection Supervisor Wojciech Wiewiorowski in a Dec. 13 website essay, “Sharing is caring? That depends…”


Privacy Beat is a weekly email update from the Information Trust Exchange Governing Association in service to its mission. Links and brief reports are compiled, summarized or analyzed by Bill Densmore and Eva Tucker.  Submit links and ideas for coverage to

Share Share

Tweet Tweet

Share Share

Forward Forward




Copyright © 2020 Information Trust Exchange Governing Association, All rights reserved.

Want to change how you receive these emails?
You can update your preferences or unsubscribe from this list.

Email Marketing Powered by Mailchimp