PRIVACY BEAT: Mactaggart sues Cal AG after 27-minute filing delay imperils ballot spot for CCPA 2.0 privacy initiative

Privacy Beat

Your weekly privacy news update.


Mactaggart sues Cal AG after 27-minute filing delay imperils ballot spot for CCPA 2.0 privacy initiative; seeks court ruling by June 18

A 27-minute delay — and consideration of what “immediate” means — could spell trouble for privacy advocates seeking to strengthen the California Consumer Privacy Act (CCPA). A court decision in Alastair Mactaggart, et al. v. Padilla could come June 18. The issue revolves around filing deadlines for initiative ballot questions in California.

Californians for Consumer Privacy (CCP) filed with 58 counties on May 1 petitions they said carried approximately 920,000 signatures of voters seeking to put a “California Privacy Rights Act” on the November ballot. If passed by voters, it would make changes in the CCPA. The counties had until May 13 to report to the state enough signatures received to start a certification process. The law says Secretary of State Alex Padilla must then “immediately” direct counties to begin sampling of the received petitions to make sure a total of 667,062 signatures are deemed by them to be statistically valid.

One county, Riverside, turned in its report at 5:27 p.m. on May 13. But the Secretary of State’s office — departing from typical practice — waited until 4:02 p.m. the next day — May 14 — to tell counties to start sampling. That then gave them 30 days to complete their work. If any county takes the full 30 days, it would not finish until after the date (June 25) by which the Secretary of State must certify the question for the ballot.

CCP’s founder and petition proponent, Alastair Mactaggart, sued this week to compel Padilla’s office, in turn, to order the sampling completed by June 25 — after Padilla refused to do so. (See Quote of the Week, below.)




Future? Browser software protecting your privacy by checking your logins or related sites in W3C discussions

Your web-browser software may someday ask you if you want to be “logged in” to a particular website, and if you answer no, the site’s ability to store information about you on your machine would be restricted.

Or, the browser software may check to see if the website you’ve given permission to track you is a “relative” of another website; if not, no cross-site tracking.

Those are two ideas broached in respectful debate about re-designing the way identity and privacy work on the web, as web browser makers attempt to balance the privacy requests of users against the desire for advertising and publishers to “follow” their readers/customers across the web.

“The current behavior of the web is ‘logged in by default,’” Apple WebKit engineer John Wilander wrote in April. “Meaning as soon as the browser loads a webpage, that page can store data such as cookies virtually forever on the device. That is a serious privacy issue. Long term storage should instead be tied to where the user is truly logged in.”

The discussions are occurring about every other week online in a public forum hosted by the World Wide Web Consortium (W3C), a respected, Cambridge, Mass.-based, nonprofit, technology standards promoter. They involve the major web-software makers — Apple, Google, Mozilla, Microsoft and Brave — who otherwise compete but are able to talk with each other around public-benefiting standards development.

But the competition is not far below the surface. The “IsLoggedIn” idea is being championed by Apple for its Safari browser, with apparent support from Mozilla. The “First Party Sets” idea is advanced by Google, maker of the web-dominant Chrome browser.

Will they ever agree on a common approach? That’s the intriguing part of the W3C discussions. But one indication that anything is possible — until a few weeks ago, Google wasn’t participating formally in the W3C’s “privacy community group” where “IsLoggedIn” is under consideration. It was promoting “First Party Sets” in a different W3C group, the “web platform incubator community group.”

But this week, a Google software engineering manager, Kaustubha Govind, was online in the privacy group to talk about First Party Sets.

“Ideally, we do want a policy that’s standardized,” she said. “And common across browsers.” As for Google’s official thinking about such matters as the blocking of cookies or other methods for cross-site registration, she observed: “I don’t have a written policy to share yet.”





IAB sets next webinar as it seeks consensus on how user data might be legally shared after “third-party cookies”

The Interactive Advertising Bureau Technology Lab (IAB) has set dates for its next webinar in a series aimed at searching for consensus about how user data can be legally shared for the benefit of advertisers (and publishers) once third-party cookies are no longer available.

The “What Does the Removal of Identifiers” webinar, on July 16 at 11 a.m. EDT and repeated July 21 at noon EDT, will include a virtual panel of “buy side” parties (including two global ad agencies), Jordan Mitchell, who is heading IAB’s “Project Rearc” effort, told Privacy Beat. A third webinar, featuring publishers discussing how loss of cookie-based identifiers will affect their ad business, is still planned.

Project Rearc is IAB’s effort to show leadership in re-architecting how identity and privacy work on the web. Even within the ad-tech ecosystem, which IAB effectively speaks for, there is uncertainty about who or what will emerge.

Back in September, Mitchell floated the idea of a neutral “publicly owned” single identifier; “standardized privacy settings and consumer controls tied to a neutral, standardized identifier” is how he put it. Mitchell has championed an identifier called “DigiTrust” which would be controlled by the IAB. (ITEGA, sponsor of this email newsletter, has written about an authentication and authorization service that it would govern as an independent, public-benefit 501(c)(3).)

Mitchell calls Project Rearc “a collaborative process to educate critical stakeholders within our industry, and facilitate key global inputs into the development of new technical standards and guidelines that will determine how our industry operates without the use of third-party cookies.”

One of IAB’s members, and a major ad-tech player, is LiveIntent, which has partnered on identity sharing with PubMatic. “Behind the scenes, at conferences and in meetings, we’re told of solutions that will emerge that use CNAMEs, Universal IDs, device IDs, IP addresses, or other Rube Goldberg-ian hijinks to create the supposed 1:1 replace for how marketing was previously done,” LiveIntent’s president, Brad Silver, wrote on April 30.

Efforts to replace the third-party cookie ecosystem with something that meets emerging privacy and user-identity control standards in both Europe and the United States are the subject of talks at the World Wide Web Consortium (W3C) among browser-software makers, and among public, advertiser and ad-tech trade organizations such as IAB. Those efforts are also affected by looming antitrust enforcement and privacy-advocating legislation which could change the business of the biggest ad-tech player of all, Google.

“We have to get to some sort of negotiated resolution on what the agreed-upon solution looks like, with buy-in from all parties,” one observer remarked to Privacy Beat. “In the meantime, more large organizations are coming in and staking their ground. The policy people think it’s a policy problem/solution; the business people think it’s a business problem/solution and the tech folks a tech problem/solution.”



Ad-tech pioneer Nandini Jammi joins with Claire Atkin to launch a “Check My Ads” brand-safety consultancy

Former ad-tech pioneer Nandini Jammi, best known for her Sleeping Giants campaign to discourage advertisers from using right-wing, fake news sites such as Gateway Pundit, has now co-founded a brand safety consultancy with Canadian colleague Claire Atkin called “Check My Ads.”

In an email to followers this week starting a newsletter called “Branded,” they take on ad-tech retargeting firm Criteo, asserting in a blog post the company did not in one case alert Vancouver, B.C.-based to where some of their ads were going.

In a webcast panel discussion also this week, Atkin said keyword blocking by advertisers around topics like COVID-19 and Black Lives Matter is costing legitimate publishers in lost programmatic ad placements because of indiscriminate blocking of news domains. At the same time, she said: “We don’t want our brands funding hate speech and disinformation.”

The subject of a business-front-section New York Times feature in July 2018, Jammi returned to her native United States after working for tech startups in London and Berlin. She has said the goal of perfect ad targeting and personalization is illusory and most of the third-party ad-tech ecosystem doesn’t benefit advertisers or publishers.

“Ad-tech companies have basically misinformed marketers for the last 10 years about what marketing should be,” she says. “Marketers have been taught to segment to the point of nonsense. The reality is they don’t need that much third-party scraped data to have an effective campaign — but they don’t seem to know that.”










A mere 27 minutes could delay new privacy protections for Californians for two years, Mactaggart says in legal brief

“The COVID-19 pandemic has underscored both the value and utility of personal information, and the risk that the misuse of such information could pose to consumers. The initiative addresses these concerns by expanding the right of consumers to limit the use of their sensitive personal information, including health data and precise geolocation, and by creating a new agency to implement and enforce the law. Critically, the Initiative would also restrict the Legislature’s authority to amend the law by requiring that any amendments further clearly delineated purposes. If the measure does not qualify in time for the Nov. 3, 2020 ballot, California voters would be denied the right to consider the timely and important issues presented by the Initiative, and over the ensuing two years the Legislature, under pressure from businesses, could dramatically weaken or even repeal the existing consumer-privacy protections afforded by the CCPA…in this case, a mere 27 minutes could mean the difference between the initiative’s qualification for the Nov. 3, 2020 ballot.”

– Excerpted from Alastair Mactaggart vs. Alex Padilla, California Secretary of State, a complaint filed June 8, 2020, in Sacramento [Calif.] Superior Court by the principal backers of the California Privacy Rights Act initiative petition (See story, above).


Privacy Beat is a weekly email update from the Information Trust Exchange Governing Association in service to its mission. Links and brief reports are compiled, summarized or analyzed by Bill Densmore and Eva Tucker.  Submit links and ideas for coverage to





Copyright © 2020 Information Trust Exchange Governing Association, All rights reserved.
