PRIVACY BEAT: California’s AG firms up some definitions as CCPA enforcement picture begins to take shape

Privacy Beat

Your weekly privacy news update.

California’s AG firms up some definitions as CCPA enforcement picture begins to take shape; Latest comment deadline ends Feb. 24 at 5 p.m.

Dozens of law firms and tech-policy blogs leaped this week to offer fresh takes on how the California Consumer Privacy Act (CCPA) will be enforced come July 1.  The office of state Attorney General Xavier Becerra released on Feb. 7 — and then revised three days later — both a clean and redlined version of how the office proposes to define and enforce CCPA. 

The revised regulations implementing CCPA respond to thousands of pages of comments received from the public, ad-tech, platform, publishing and financial-service firms affected by the law and set new guidelines defining such key terms as “personal data”, “sale”, “household” and “deanonymized.”  Below are links to a variety of analyses, mostly from law firms that are covering the law’s impact for their clients. 

“As has become familiar to companies impacted by the CCPA and the prior draft regulations, certain provisions leave plenty of room for debate as a result of ambiguous wording,” attorneys at the Manatt law firm wrote in a Feb. 11 unsigned blog post. “On balance, these proposed revised regulations introduce some practical improvements, but still require a significant amount of consideration in interpreting broad language and applying the newly proposed draft regulations to the practical implications of business operations.”

The latest regulatory guidance is not final — there is a fresh public-comment deadline of Feb. 24



What’s going on with the common tracking ID? Study says end of cookie-based tracking will cost smaller publishers and ad-tech companies billions; IAB and W3C both working on solutions 

Publishers, advertisers and ad-tech companies finally faced up last week to the likely end of so-called third-party cookies as a method for tracking and targeting advertisements to individuals.  But there is deep angst over what to do about it, and a report (below) that predicts the change — if unmitigated — will cost small publishers and ad-tech companies billions by 2025.

Life after the TP cookie was the dominant corridor conversation at the Interactive Advertising Bureau’s (IAB) spring leadership meeting in Palm Desert, Calif. IAB, which has a broad membership base mostly composed of advertising-tech companies, platforms, and some publishers and advertisers, said it was launching an all-out effort to find a replacement for the “cookie” — but was light on specifics.

An ode to the financial value of open-web user tracking to smaller publishers and ad-tech firms — funded by the Interactive Advertising Bureau (IAB) — was out this week, authored by a Harvard Business School professor and his consulting colleague.  (FULL REPORT)

(Read report excerpt at “QUOTE OF THE WEEK,” below.) 

“Tens of billions of dollars are at stake if third-party tracking ends without mitigation,” says the report, “The Socioeconomic Impact of Internet Tracking,” by Prof. John Deighton and Leora Kornfeld. They estimate that between $8 billion and $10 billion in ad revenues — large chunks in the hands of smaller publishers — will leave the “open web” and go to closed platforms like Google, Facebook or Amazon by 2025 if tracking of web user activity comes to an end.

Absent replacement of current third-party cookie tracking with a “mitigating technology,” they predict, the ad-supported web “would become more concentrated in the hands of a few very large publishers.”

They write: “We propose, loss of tracking data will hurt two industries: the independent publishers (including startups), as well as the open web technology companies that handle programmatic ad technology, CRM, marketing technology,  measurement and analytics, data suppliers, and full-service advertising agencies.”

Their analysis says $24-$29 billion in annual publisher revenues would likely be absorbed by walled gardens (Google, Facebook and Amazon) and by other leading companies in industries such as telecommunications that hold stores of first-party data and are close to becoming walled gardens themselves. 

The authors explain how mobile device IDs can be used in place of cookies for tracking and they explain how tracking is used in ad placement, ad effectiveness and attribution and customer-relationship management.  They include a drawing depicting the process by which brands decide whether to serve an ad to a consumer who visits a publisher’s website.

Meanwhile, companies and individuals are beginning to propose solutions, and the World Wide Web Consortium (W3C) has activated a community study group working on solutions, too.  That community group, and a related web-advertising study group, both license work under a public license scheme.


Browser makers taking a stand on privacy and data — but where should the data be?

A battle is brewing over the location of your personal data. Where should it be? 

  • Stored in a “digital wallet” on your phone, laptop or desktop? 

  • Inside and integrated with the web-browser application you use? 

  • Stored “in the cloud” with Google, Facebook, Amazon, Apple or another platform? 

  • Managed and stored on your behalf by an “information fiduciary”? 

“The showdown is clearly just beginning over the best path for browsers to take,” writes Wired Magazine’s Lily Hay Newman at the end of her piece, “The Fractured Future of Browser Privacy.”  She says disagreements abound, and privacy advocates say not all of their solutions are working for privacy. 

“While the browser vendors might want the browser to be the best place for your data that only makes sense from their perspective,” says Drummond Reed, a principal architect of the idea of “self-sovereign identity” (SSI) and user data stored in digital wallets on devices. “For about 100 other good reasons, a user’s SSI digital wallet makes more sense.”  A new Linux Foundation project called the Trust over IP Foundation will launch soon to explore that premise, says Reed. 

Finally, there is growing interest in the concept of an “information fiduciary.” Yale Law School Prof. Jack M. Balkin has also proposed the idea — sort of like a trusted lawyer, doctor or real-estate broker — to safekeep and manage an individual’s personal data in a secure repository.  News organizations might function as “information valets.”  [See also “What do we mean by information valet?”]

Tired of making “opt-out” requests? Ex-IBM consultant hopes her “Kanary” app can monitor your online persona and help

A musician, self-taught Python and SQL  programmer and former IBM consultant, Rachel Vrabec hopes now to make money helping people manage their online persona. Her Kanary app cleans up and monitors your online presence.

Vrabec, based in Chicago with a tech colleague, worked on political campaigns and analytics until she followed the unfolding Cambridge Analytica privacy scandal.  She and a colleague decided to start a company focused on helping consumers with privacy. Kanary does an automated scan of data brokers and automates data opt-out requests for users.

How will Kanary make money? “Ideally, people would pay a few bucks a month,” she says. Most people have tried to remove unwanted personal information from the internet. Because our information is out there, we get spam calls, unsolicited advertisements, hacked accounts, and hundreds of trackers on every website. 

Legislation like the FCRA (Fair Credit Reporting Act), CCPA (California Consumer Privacy Act) and GDPR (General Data Protection Regulation) put power back into the hands of individuals to exercise control over information, says Vrabec. “We have the right to be forgotten, the right to know what information is collected, the right to say ‘do not sell my data’ and  the right to class action against companies who do not comply. But how are people supposed to exercise these rights?”

Submitting removal requests takes hours of tedious management and follow-up. Businesses make it difficult on purpose. Recently, Privacy Beat highlighted that Yahoo-Verizon requires users to manually opt out of 300+ sites.

Kanary provides a solution to this problem. Kanary is an app that finds and removes information about you online. 









“Tracking makes much of the content on the Web free, because it enables high-performing internet advertising. It allows services and systems to be addressed to individuals, not mass audiences. It enables entrepreneurs to find prospective customers for services built to capitalize upon existing digital businesses. By giving a view into consumers’ digital choices, it makes digital marketing more efficient and less wasteful than pre-digital marketing practices . . . The browsers that collectively hold 80% market share are all owned by firms that are part of the walled-garden ecosystem. Therefore, when they block tracking cookies (Safari) or make it easy for users to block them (Chrome), they do much less harm to their own ad revenues than to the ad revenues of open web publishers. They can sell ad space to advertisers that performs well because it is targeted to user profiles, while open web publishers sell their space with less targeting information at commensurately lower prices.”


Privacy Beat is a weekly email update from the Information Trust Exchange Governing Association in service to its mission. Links and brief reports are compiled, summarized or analyzed by Bill Densmore and Eva Tucker.  Submit links and ideas for coverage to





Copyright © 2020 Information Trust Exchange Governing Association, All rights reserved.
