PRIVACY BEAT: As CCPA becomes enforceable, attention turns to November ballot for round two

Privacy Beat

Your weekly privacy news update.


As CCPA becomes enforceable, attention turns to November ballot for round two; Wesleyan team builds browser extension to signal “Do Not Sell”

Welcome to a new California data-privacy world — but don’t get too comfortable because it’s almost certain to dramatically change in as little as three years. And expect to start deciding whether to stop “selling” user data or defend its use in court.

The California Consumer Privacy Act (CCPA) is legally enforceable as of July 1. 

But the bigger news may be the announcement by California’s Secretary of State this week, following a court ruling, that a tougher privacy initiative, the proposed California Privacy Rights Act (CPRA) has qualified to appear on the state’s November ballot. Law firms and privacy advocates raced this week to summarize what the CCPA now requires, as well as what will be added if voters approve CPRA.

Meanwhile, an initiative by engineers at Wesleyan University has the potential to provide an easy method for consumers to uniformly transmit a “Do Not Sell My Data” (DNS) command to all the web services they use — an idea bitterly opposed at the regulatory-comments stage by most of the nation’s advertisers and tech platforms.

Wesleyan University computer-science professor Sebastan Zimmick advocated his “implementing privacy rights” technology in an open discussion of the Privacy Community Group of the World Wide Web Consortium (W3C). Under CCPA, browser DNS signals “should be respected, must be respected, actually,” said Zimmick. He said Wesleyan students are now building a browser extension that transmits such signals.

A key engineer at The Washington Post, commented favorably, saying its important for a standard to evolve around how websites respond to user signals about data privacy. 

“I agree, I think that this is needed,” said The Post’s Aram Zucker-Scharff. “The new CCPA guidance has led to different interpretations (about responding to DNS signals) than most in the marketplace were imagining.”  He said “the idea of a function that supports the CCPA opt-out process…seems to be the best next step.”  However, Zucker-Scharff said it is likely a DNS signal will not be respected by everyone globally when received from non-California-related users.

There is much uncertainty about how to interpret aspects of CCPA. For example, what does it mean to “sell” user data? Facebook says it doesn’t do so; privacy advocates say that is a semantical argument that will have to be sorted out in court. And even the California attorney general is refusing to set a general regulation for how or if to respond to automated “do-not sell” signals.



Does your organization need customized privacy compliance solutions? ITEGA  can help.

We bring together support you need to approach compliance with CCPA, GDPR if needed, and future privacy legislation as it emerges.

Learn More

CCPA, GDPR change privacy focus from government actions to the behavior of companies; but value of information remains “fuzzy”, says lawyer

Last week’s decision by a French appellate panel to uphold a $57-million fine against Google illustrates the sea change occurring in privacy regulation, and shows how privacy is increasingly at issue in relationships with companies, not just governments, a U.S. privacy attorney says. (See: French Highest Administrative Court Upholds 50 Million Euro Fine against Google for Alleged GDPR Violations | Privacy & Information Security Law Blog.)

CCPA and GDPR really changed the conversation from sectoral to comprehensive data privacy law and shifted the discussion from privacy being about the Fourth Amendment and the government to being about privacy and privacy companies,” Odia Kagan said in an interview with Privacy Beat. Kagan practices with the Philadelphia firm of Fox Rothschild.

In a June 19 decision, the supreme French Council of State affirmed a Jan. 2019 decision by France’s data-protection authority, CNIL, that said Google LLC had violated the General Data Protection Regulation (GDPR) because: (1) Privacy notices that were neither clear nor easily accessible across Google services and (2) A default pre-checked box supposedly collecting user consent for processing related to ad personalization did not comply with GDPR.

The change is also evidenced, Kagan says, in the level of interest in the CCPA, which elicited hundreds of comments  over 480 pages in a year-long process by the California attorney general to develop implementing regulations. Two issues she sees as yet-to-be-resolved with CCPA enforcement:

  • How to value data in an exchange for services. This issue elicited more comments than any other, says Kagan, who believes the attorney general needs to provide more guidance to go along with regulations. Trading data for services, if done transparently, may be legal under the CCPA, even though it probably is not under GDPR, she says. But the whole situation is “fuzzy,” she says.

  • There is no technology yet that matches the CCPA requirement to respond to a user’s request not to have data about them sold. “This is one for the industry to pick up and try to reserve,” says Kagan. “And figure out a solution that will work.


Browser makers and Facebook in discussions about eliminating general user tracking – but how?

Engineers from Google, Apple, Facebook and Brave are focusing attention on how to create a technical firewall between advertisements and the web pages they appear on, as they discuss ways to eliminate web tracking of consumers without user permission.

This week’s discussion came during a virtual meeting of a “Privacy Community Group” hosted by the non-profit World Wide Web Consortium (W3C). Broadly, the group was considering ways to change the technology that governs how web-browser software controls access by various parties to stored user information.

An idea from Google, emerging from its “Privacy Sandbox” initiative, is called ‘enclaves’, or a data-isolating page within a page said Josh Karlin, a Google engineer. “What we are trying to prevent is broad user tracking,” he said. The company wants to be able to see some cross-site information, Karlin said, but make sure it isn’t leaked to others and the “enclaves” idea could help. “We haven’t come up with something reasonable enough go share publicly,” he said earlier. “But we hope do in the next week or two.”

Brave Inc.’s Peter Snyder said the browser maker was working on something similar that would not allow “leakage” of data from an advertising placed on a page between the ad networks and the owner of the website where it appears. “We also would like to be part of this discussion,” he said.

Facebook’s Ben Savage said the idea being discussed was similar to a related Google proposal, TurtleDove, which would provide for ad rendering with limited viewability and connectivity to the hosting page. Google’s Michael Kleber, the TurtleDove originator, said that was being discussed in another W3C group. “I would love to have you participate in that discussion with the people who care about it,” he said.

Apple representative John Wilander thanked “the Google folks” for presenting the “enclaves” idea. He said it seemed to involved “personally identifying” ads in a proposal distinct from the storage-access API discussion underway.

Until May, Google was perceived as generally not active in the browser privacy community group discussions, focusing on a W3C advertising business group. 


Like what you see? Then recommend to a friend.

Subscribe to Privacy Beat

Is Admiral an example of business that puts user in control of their data in collaboration with publisher?

A Gainsvilla, Fla., ventured-back company, launched in 2015 trying to help publishers with recovering revenue lost from ad blocking. But now Admiral (a d/b/a of Leven Labs Inc.) is betting that it can also make money by helping publishers to help their readers to manage their own personal data.

Admiral’s core insight: Publishers need help acquiring and managing direct, “first-party” user relationships that span multiple services — email, subscriptions, advertising, etc. That could include helping with federated single-sign on (SSO) across a network of sites, says CEO Dan Rua.

So Admiral the first example of a commercial “information fiduciary”? Not yet, says Rua. “It’s too early to put a category on it,” he says. “But thematically what you are talking about is spot on.” 

There is growing interest in the concept of an “information fiduciary,” Yale Law School Prof. Jack M. Balkin has also proposed the idea — sort of like a trusted lawyer, doctor or real-estate broker — to safekeep and manage an individual’s personal data in a secure repository. News organizations might function as “information valets.”   [See also “What do we mean by information valet?” ]

In a discussion with Privacy Beat, Rua and Admiral’s co-founder and CTO, James Hartig, summarized what Admiral is doing and why. Publishers ask them to install code which begins to monitor the “user journey” across a publisher site, and in some cases acquire and manage registration information as a processor for the publisher. 

“We thought, users would want to start to control that and decide whether they want to share preferences with this site or that site,” addes Hartig. “We had the vision that this needed to be a permission-based system…and data segregated by property, so we don’t have a global identifier for users that can be used to track them across sites.”

Admiral has raised $5.1 million and says it has relationships with thousands of publishers, including a partnership agreement with the Local Media Consortium. Rua says competitors like Crux, Blue Conic and Piano each handle aspects of user-data management but, unlike Admiral, do not “manage the visitor journey from beginning to end.”












Awaiting status of CPRA ballot bid; websites must now acknowledge browser “Do Not Share” signals, 

There’s a cliffhanger in California as a state court suit seeks to make sure a bureaucratic delay doesn’t prevent these state’s voters from having another change to enact digital privacy safeguards by November ballot petition. Meanwhile, it’s pretty clear the state’s attorney general thinks the California Consumer Privacy Act (CCPA) requires that websites now must respond to a “Do Not Share” signal sent by a user’s web-browser software.

The AG’s office said it had studied public comments on its draft CCPA regulations and concluded that  “[t]he regulation is thus necessary to prevent businesses or ignoring consumer tools related to their CCPA rights and, specifically, the exercise of the consumer’s right to opt-out of the sale of personal information.” (for this language, see Page 38).









Facebook succeeds by managing user identity — when will publishers learn to do the same?

“Facebook has built a business on capturing the attention of people who use the social network to stay in touch with others, who basically provide content for free. Last year, the company started to pay publishers for content that appears in its Facebook News section, but the money is unlikely to replace all the ad revenue they’ve lost over the years. Facebook’s key strength has been its requirement that people use their real identities to set up an account, and collecting vast amounts of information about their activities to help with ad targeting. However, its biggest weakness is that user-generated content can be inflammatory, hurtful and divisive. The company has a mixed record of removing objectionable content, while also wavering between espousing free speech or blocking it. Publishers have enormous advantages in providing brand-safe, value-added content to self-selecting audiences, and it’s those characteristics that need to be central in their marketing efforts. Instead of seeking state-ordered subsidies, publishers need to respond to the threat of digital ad giants by gathering more information about their readers.”

– Excerpt from “Facebook Doesn’t Need News Content to Survive,” a June 16  opinion column at by contributing editor and former Bloomberg L.P. editor Rob Williams.


Privacy Beat is a weekly email update from the Information Trust Exchange Governing Association in service to its mission. Links and brief reports are compiled, summarized or analyzed by Bill Densmore and Eva Tucker.  Submit links and ideas for coverage to

Share Share

Tweet Tweet

Share Share

Forward Forward




Copyright © 2020 Information Trust Exchange Governing Association, All rights reserved.

Want to change how you receive these emails?
You can update your preferences or unsubscribe from this list.

Email Marketing Powered by Mailchimp