PRIVACY BEAT: Amid CCPA confusion, consumer law and antitrust law need common privacy ground, says key attorney

Privacy Beat

Your weekly privacy news update.


Amid CCPA confusion, consumer law and antitrust law need common privacy ground, says key attorney

Creating a better understood environment for privacy in cyberspace is going to end up involving elements of both antitrust law and consumer trade regulation and it would be useful for practitioners and advocates of both to begin coordinating their efforts, a prominent privacy and antitrust attorney says.

Alysa Z. Hutnik, a partner with the DC law firm of Kelley Drye & Warren LLP spoke by phone with Privacy  Beat after moderating a panel last week. (See: “In a word — conundrum — as ad-tech, agency and publisher lawyers consider terms, enforcement of CCPA”).

“There are different principles for consumer antitrust vs. consumer privacy,” said Hutnik. “It is just that they affect one and the other…privacy and antitrust concerns meet in the middle.”

Hutnik has major brand publishing clients, as well as ad-tech companies, but neither Facebook nor Google, she said. She chairs her firm’s digital-privacy and security practice and is the consumer-protection officer of the American Bar Association’s antitrust section.

The COVID-19 epidemic has largely shut down efforts by other states to adopt digital privacy laws similar to California’s, said Hutnik. However, if the California situation gets murkier this fall with a new ballot initiative and continuing regulatory uncertainty, it could rekindle efforts on Capitol Hill toward superseding federal law. Right how, however, she sees no likely DC action.

In a phone discussion, Hutnik made these additional points:

  • Publishers, advertisers, platforms and others who deal with the personal information and privacy preferences of the public are stuck with a period of uncertainty that could go on for years because of evolving law in California — yet little movement in Washington.

  • The California Consumer Privacy Act (CCPA) and emerging regulations are so fluid that it is impossible to be certain what business practices will be outlawed or subject to enforcement.  Thus, privacy officers should behave with good faith and follow emerging industry practices.

  • Draft CCPA regulations won’t be final until Oct. 1 at the earliest, and possibly not for months thereafter.

  • If Alastair Mactaggart’s new California new privacy initiative qualifies in the next few weeks for California’s November ballot, Mactaggart is unlikely to negotiate away the initiative in exchange for legislative action as he did with CCPA.  If voters pass it, the new law will add potentially years of new complications.

  • One of the most ambiguous parts of the CCPA is the question of when it is illegal to “discriminate” against an online user who chooses not to share personal information. That’s because it is not always clear what constitutes “sale” of data, nor how to value the data in an exchange for services.

  • Hutnik believes publishers are OK to maintain adjustable paywalls, although she says a service such as Scroll, which provides multi-site, ad-free content viewing (and thus reduced tracking) for $5/month, may raise CCPA issues. But she said draft CCPA regulations “add more confusion that clarity” to the discrimination question.

  • There is no common understanding yet of how to value consumer data, even though the idea of a “data dividend” was broached by California Gov. Gavin Newsome in 2019. 

“So for a publisher who is exercising good faith and efforts on the entire risk spectrum, what is the likelihood the attorney general’s office is going to enforce?” Hutnik asks. She thinks the likelihood is low, and adds: “That gives some breathing room.”  She continued: “[With CCPA] you have an omnibus type of law that has a whole lot of moving parts to it with a lot of ambiguity.”




Does your organization need customized privacy compliance solutions? ITEGA  can help.

We bring together support you need to approach compliance with CCPA, GDPR if needed, and future privacy legislation as it emerges.

Learn More


Privacy activist claims GDPR collaboration is ineffective, asks European Commission for sanctions

Hailed as a consumer-privacy breakthrough, Europe’s General Data Protection Regulation (GDPR) has growing pains as it reached two years of age this week, prompting a plea from the region’s most aggressive data-privacy advocate to get moving on complaints about Facebook and other platforms.

The activist and lawyer Max Schrems called on European authorities to push the Irish data-protection regulator to speed up its handling of cases he brought against Facebook. But regulators are plagued by too few regulators and too much business, others say, leaving them vulnerable to being swayed by big tech.  And there are those who question a premise of GDPR that “consent” is a key way to frame privacy protection.

In his 16-page, May 25, GDPR-second-birthday open letter, Schrems says lack of cooperation among data-protection commissions in the various European Union nations is making the GDPR “fundamentally dysfunctional.” He says French authorities were able to swiftly investigate and fine Google 50-million Euros in a few months, while, he alleges, his cases filed two years ago against Facebook, Instagram and WhatsApp are stalled in Ireland.

In his letter he makes these claims:

  • There have been “no penalties” under GDPR for two years, despite more than 7,125 complaints in 2019 alone.

  • Facebook fails to properly obtain consent to use consumer data which it collects, employing what he calls a “consent bypass.” He says authorities in Ireland, where Facebook has its main EU office, are engaging in “secret cooperation” with the company, something the authorities dispute.

  • An optional investigative phase has added more than a year to the process, demonstrating “poor procedure management” by the Irish authorities and uncovering lack of cooperation with equivalent authorities in Austria, where Schrems’ European Center for Digital Rights — “” — is based. 

Schrems asks the European Commission to sanction nations which are not promoting “effective application of the GDPR.” 







The IAB Tech Lab is moving ahead on its “Project Rearc” effort to find a replacement for the third-party cookie — a mainstay of web advertising that browser makers, including Google, are determined to gobble up and eliminate in response to consumer privacy concerns.

Third-party cookies continue to be the principal way that advertising networks “tag” and identify users across multiple independent websites to support real-time bidding (RTB) advertising. The problem is that the process is tech-and-bandwidth intensive, slows down websites, and results in data about users being stored opaquely all over the internet. And for publishers, it introduces a whole infrastructure of technology middlemen between the advertising and the publisher who must be paid.

The initiative began at IAB’s annual meeting over the winter in California and kickoff webinars on March 26 and 31 were designed to tell a “how did we get here and where are we today” story.  At least two more webinars are planned, the first sometime during June, entitled “What does the removal of identifiers mean for publishers?”  A third webinar will be entitled, “What does it mean for agencies and brands?”

IAB Tech Lab has also set up a task force and a series of working groups, some of which are open to the public. 



Backers of brand-safe publisher websites report more than 70 advertisers, agencies adopt “white list” for placements

A news-industry effort to encourage more brand advertising on publisher websites reports some success in its first month, two organizers said this week. 

The Local News Advertising Whitelist (LNAW) was announced April 2 after publishers endured a period of dramatic drops in programmatic advertising because some advertisers were telling computers not to put their ads on pages that carried news about the COVID-19 pandemic.  But the initiative has a longer-term goal — to provide an alternative to ad placements on unknown or untrustworthy sites that mimic news purveyors.

The LNAW is a list of more than 4,000 URLs of quality news and information websites of radio, TV, print and digital-only local news organizations in the United States and Canada. It has been downloaded by over 70 companies, including top advertising-agency holding companies and marketers in addition to ad tech and brand-safety verification vendors, said Fran Wills, CEO of the Local Media Consortium (LMC).

“Many of the buyers downloading the list have indicated the inclusion of 100-3,000 domains that were previously not included in their buying lists,” said Scott Cunningham, a founder of the IAB Tech Lab who put together the list and maintains it for LMC and the partnered Brand Safety institute. “This indicates a massive adoption of local news as a content vertical, further separating it from social media in large advertising audience buys.”

The Local Media Consortium has financially supported ITEGA, the sponsor of Privacy Beat.






Like what you see? Then recommend to a friend.

Subscribe to Privacy Beat


‘Doc’ Searls on marking GDPR turning two: The practice of ‘compliance’ isn’t working and tracking prevails

“Two years after the GDPR became enforceable, privacy would be the norm rather than the exception in the online world. That hasn’t happened, but it’s not just because the GDPR is poorly enforced. It’s because it’s too easy to claim compliance to the letter of GDPR while violating its spirit. Imagine if every shop you passed on the street sent someone outside to painlessly jab a needle into your neck, and then injecting a load of tracking beacons into your bloodstream. Would you be okay with that? Well, that’s what you’re saying when you click “Accept” or “Got it” when a typical GDPR-complying website presents a cookie notice…Get this: There is also no way for you to know exactly how you are being tracked or what is done with that information, because the instrument for that—a tool on your side—isn’t available. It probably hasn’t even been invented. You also have no record of agreeing to anything, other than a cookie it’s hard to find, examine or explain, deep in your browser’s bowels. Consenting to a cookie notice leaves nothing resembling an audit trail. So let’s go back to a simple privacy principle here: It is just as wrong to track a person like a marked animal in the online world as it is in the offline one…[T]tracking is still worse than rampant: it remains a defaulted practice for both advertising and site analytics.”

– An excerpt from a May 25  blog post at the Harvard Berkman Klein Center for Internet & Society by web-advertising/turned privacy pioneer Doc Searls, author of The Intention Economy and The Cluetrain Manifesto. Searls has been a Berkman Klein fellow working on Project VRM.


Privacy Beat is a weekly email update from the Information Trust Exchange Governing Association in service to its mission. Links and brief reports are compiled, summarized or analyzed by Bill Densmore and Eva Tucker.  Submit links and ideas for coverage to

Share Share

Tweet Tweet

Share Share

Forward Forward




Copyright © 2020 Information Trust Exchange Governing Association, All rights reserved.

Want to change how you receive these emails?
You can update your preferences or unsubscribe from this list.

Email Marketing Powered by Mailchimp