Advertising industry seeks enforcement delay in CCPA; saying time before June 1 makes compliance “nearly untenable”

The leadership of the U.S. advertising industry has appealed for a six-month enforcement delay for the California Consumer Privacy Act (CCPA), saying advertisers and ad-tech companies need time to get ready to follow the law once Attorney General Xavier Becerra publishes final regulations.

“The limited and quickly shrinking time before the existing enforcement deadline, however, will place business in a nearly untenable position,” the letter says. (see “Quote of the Week,” below)

Their appeal “to avoid consumer and business confusion” came this week in a letter to Becerra from the Association of National Advertisers (ANA), the American Association of Advertising Agencies (4A’s), the American Advertising Federation (AAF), the Interactive Advertising Bureau (IAB), and the Network Advertising Initiative. Without final published regulations, the groups said they are uncertain about how to comply.

But Becerra’s regulators have already warned that companies covered by the law “should be prepared to adhere to the law now.” The problem from ad-tech’s perspective is a set of disputes over how to interpret “sale” and “private information” in the law, and how privacy-preferences are expressed, among other things, the same groups said in Dec. 6 comments to Becerra.

CNBC.com’s Megan Graham, writing about the latest delay-request letter, said the ANA and 4A’s earlier released a statement asking Google to commit to not imposing the moratorium on third-party cookies until “effective and meaningful alternatives are available.”

The letter to Becerra was signed by Dave Grimaldi, IAB executive vice-president for public policy; Dan Jaffe, ANA group executive vice-president of government relations; Alison Pepper, the 4A’s senior vice-president; Christopher Oswald, ANA senior vice-president of government relations; David LeDuc, NAI vice-president of public policy; and Clark Rector, AAF executive vice-president of government affairs.

Last month, the U.S. Chamber of Commerce also sought a delay in enforcement, according to a MediaPost account. That group said enforcement shouldn’t begin until 2022,

AFTER THE COOKIE

• How publishers are planning for the end of the third-party cookie | Lucinda Southern, DigiDay.com

• Publishers: Have no fear of cookieless future | Tyler Bishop, CMO, Ezoic via DCN

• A key web standards group will help decide what comes after the third-party cookie | Lara O’Reilly, Digiday

• French data-protection agency seeks advice on “cookies and other trackers” | CNIL.FR website 

• The World Wide Web Consortium has a Privacy Community Group — chaired by Apple, Mozilla and Microsoft | GitHub Website  (WELCOME)

• Why it’s time to stop force-feeding cookies to users | Michael Do Rozario & Simon Johnson, Corr, Chambers Westgarth law firm (Australia) 

• Will Google’s “Privacy Sandbox” be better for privacy than cookies? | Scott Ikeda, CPO Magazine 

CCPA WEEK FIVE

• CCPA: A Compliance Guide With Everything You Need To Know | Allen Longstreet, Ezoic

• Practical guidance for complying with CCPA | Cheryl Yakkey & Jared Wilner, Clyde & Co. law firm

• California’s Data Broker Registration Deadline Looming | Timothy Tobin, Bret Cohen, Britanie Hall and Filippo Raso, Chronicle of Data Protection

• Accessibility and the CCPA | Lex Moyer & Karen Neuman, Goodwin Law Firm

Try opting out of data usage at Verizon-Yahoo under CCPA — you’ll be told to go to 300+ individual third-party trackers to do so 

Over the past month since CCPA went into effect, Big Tech has been pulling back the curtain by releasing new options for users to view and control their personal data.

On January 28th, International Data Privacy Day, Facebook offered a data privacy checkup at the top of users’ newsfeeds. Graphic and user-friendly, the pop-up offered links for updating four different categories of settings. What was not user-friendly was navigating to some of their more revealing data controls that were recently released, such as the ability to view (and delete) off-site website activity, companies that have uploaded lists with your email address, and in depth interest data the company has inferred about you.

A visit to a Yahoo News article now produces a pop-up to control privacy settings. No problem opting out of Yahoo or other Verizon Media properties, but their new privacy dashboard says you may have to opt-out individually to all of the ad partners. This list includes 325+ third-party ad partners.

Amazon’s updated privacy notice is hard to find and even harder to navigate how you actually control your data. Given the breadth of individual Google products, it takes extensive digging after entering their data & privacy dashboard, accessing each product individually, to see the data each tool has collected about you.

Watch future editions of Privacy Beat as we continue to test companies’ evolving privacy controls.

FACEBOOK PRIVACY TOOL

• Facebook’s new privacy tool lets you manage how you’re tracked across the web | Alfred Ng, CNET

• How to delete what Facebook knows about your life outside Facebook | Sara Morrison, Recode/Vox

• Facebook’s new  activity “tool” shows you how it tracks you even when you’re not on Facebook | Geoffrey Fowler, WashPost.com

• Facebook’s ‘clear history’ tool doesn’t clear poop | Shoshana Wodinsky, GizModo.com

PERSONAL PRIVACY

• Data protection worldwide — a digital-rights  2019 time line | AccessNow.org

• Firefox explains workings of  its “Focus” privacy browser | Mozilla Blog 

• Apple and Google’s tough new location privacy controls are working | Jared Newman, Fast Company

• Facebook wants to pay you for your data — read this before you sign up | Meera Jagannathan, MarketWatch

• What Your Period Tracker App Knows About You | Donna Rosato, Consumer Reports

• Avast antivirus soft had another purpose — aggregating data from  you | Sead Fadilpasic, ITProPortal

• Leaked Avast Documents Expose the Secretive Market for Your Web Browsing Data | Joseph Cox, Vice

• Consumers Are Demanding Companies Handle Their Data Differently. Here’s How Tech Entrepreneurs Should Respond | Joel Comm, Inc

• Galaxy users, take note: Samsung’s probably selling your data | JR Raphael, Computerworld

• Microsoft Exposes 250 Million Call Center Records in Privacy Snafu | Phil Muncaster, Infosecurity Magazine

• Hong Kong Considers Sweeping Changes to Privacy Laws | Latham & Watkins LLP

IDENTITY SERVICES

Ad-industry conundrum: How to serve appropriate advertising without any cross-site identity — email hash?

In a pair of reports over the last week, the ad-tech watching online news service DigiDay’s reporters suggest the “death” of third-party cookies is forcing advertisers and publishers to look at new ways to manage user identity, threading the tricky challenge of being able to support effective targeting advertising without identify individuals or their personal attributes.

Lucinda Southern, in her Jan. 22 report:  “How publishers are planning for the end of the third-party cookie,” says one effort underway is figuring how how to collect information about user attributes by studying the “context” of web pages they view, then putting that information into a database with other similar cohorts.  For such a service to work, Southern quotes insiders as saying, the Interactive Advertising Bureau (IAB) and others would have to decide on a standard taxonomy for defining the cohorts.

A key challenge then becomes, how to share the cohort attributes among websites — with end-user permission — without the technical means for doing so being blocked by browser makers, including Google, Mozilla, Apple and Microsoft, writes DigiDay’s Seb Joseph in “With third-party cookies on the way out, shared IDs face an existential crisis.” Joseph’s account assumes that the sharing would require third-party cookies. But he notes that the IAB is in meetings to seek alternative technologies.

“Other alternatives to shared IDs do not rely on cookies,” Joseph writes. “Companies like BritePool and Net ID are developing solutions that use encrypted email addresses from a publisher instead of a cookie to identify users; the encrypted email is then used by ad tech vendors to identify user across sites.”

The lack of a cross-site identifier will make it hard to cap the number of times a user sees the same advertising campaign, (“frequency capping”), or attribute compensation for ad views to multiple parties, wrote Southern in a third piece, “Beyond ad targeting, the demise of the third-party cookie will hit key digital media functions.”

RELATED LINKS

• With third-party cookies on the way out, can shared-identity services work? | Seb Joseph, DigiDay.com

• Amid privacy and security failures, digital IDs advance | Lucas Mearian, ComputerWorld

• Managing customer identity in the era of CCPA | Patrick Sullivan, CTO, security strategy, Akamai

• Control and human rights, not ownership and property? | Drummond Reed, Twitter.com

• Sovrin Network Self-Sovereign Identity | Anne Bailey, KuppingerCole

• TERMINOLOGY PRIMER: What are SAML and OAuth in federated identity management?  | Phil Goldstein, FedTechMagazine.com

• Will 2020 be the year of “people-based” identity services? | Simon Burgess, MarketingTechNews.net

ADVERTISING TECH

• Publishers press ad-tech firms to protect them from programmatic clawbacks | Tim Peterson, DigiDay.com

• Sen. Wyden urges FTC to investigation AdBlock Plus “whitelist” | Wendy Davis, MediaPost.com

• Microsoft’s Edge browser makes tracking prevent default install setting | Disconnect.me Blog 

• Browser makers now more powerful than regulators in ad tech? | Tim Peterson, DigiDay.com 

PRIVACY AND HEALTH

• Google Health’s partnerships raise privacy concerns | Sharon Klein & Karen Shin, Pepper Hamilton LLP law firm

• Data Privacy in the Health Field: What to Watch in 2020 | Alaap Shah, Patricia Wagner, Ebunola Aniyikaiye & Matthew H. Berger, Health Law Advisor

• Changing the Conversation About Sharing and Using Health Information | Linn Foster Freedman, Robinson+Cole

FACIAL RECOGNITION

• Facebook to pay $550M to settle Illinois facial-recognition suit | Natasha Singer & Mike Isaacs, New York Times

• Quick, cheap to make and loved by police – facial recognition apps are on the rise  | John Naughton, The Guardian

• EU Drops Idea of Facial Recognition Ban in Public Areas, Reuters reports | Reuters via NYTimes

• India’s railways to use facial recognition amid privacy fears | Annie Banerji, Reuters 

• Amazon’s Ring doorbell app caught spying on users, sharing data with third-parties | Mike Peterson, Apple Insider

• Ring doorbell app packed with third-party trackers | Bill Budington, Electronic Frontier Foundation

• Facial Recognition: The controversial and nearly ever-present technology that could replace the fingerprint | The California Sunday Magazine

STATES / WASHINGTON WATCH

• Federal and state antitrust lawyers plan summit re investigatory merger | John McKinnon, MarketWatch.com

• DC UPDATE:  Pending bills in the Senate and House | Christian Fjeld, Chris Harvie, Cynthai Larose, Mintz Law Firm 

• Additional U.S. States Advance the State Privacy Legislation Trend in 2020 | Gretchen A. Ramos & Darren Abernethy, Data Privacy Dish

• Illinois proposes CCPA-like privacy legislation with a twist | Billee MCAuliffe, Melissa Powers, Jack Terschluse, LewisRice law firm 

• New year, new laws: Washington re-introduces comprehensive privacy act among flurry of 2020 consumer privacy bills | Kimberly Gold, Sarah Bruno and Jim Barbuto, Technology Law Dispatch

• Microsoft advocates Washington state bill that goes beyond CCPA | Julie Brill | Microsoft Blog  (TESTIMONY) 

• Florida’s Next: FL Consumer Privacy Bill Introduced | Kate Black, Greenberg Traurig, LLP

• Proposed Legislation in Florida Includes Electing Insurance Commissioner and Consumer Data Privacy | Clyde & Co

• Privacy Commissioner of Canada argues for rights-based privacy laws in Annual Report | David Crane and Peter Quon | McCarthy Tétrault LLP 

PRIVACY BUSINESS

• Almost $10B invested in privacy/security companies during 2019 | Gene Teare, CrunchBase.com

• Cybersecurity sector attracting unprecedented VC interest | National Venture Capital Association

• BigID, identity intelligence company, raises $50M in new funding | Ameya Dusane, MarTechAdvisor.com

• Google CEO at Davos: Privacy should not be a luxury good | Sundar Pichai, YahooFinance.com

• Nonprofits “freakout out” over sales of dot.com domain registry business to GOP families | David Gilbert, ViceNews.com

• Italy’s competition watchdog launches non-compliance proceedings against Facebook | Reuters

• Startups Chase $55 Billion Boom Fueled by California Privacy Law | Eric Newcomer, Bloomberg