As CCPA becomes enforceable, attention turns to November ballot for round two; Wesleyan team builds browser extension to signal “Do Not Sell”

Welcome to a new California data-privacy world — but don’t get too comfortable because it’s almost certain to dramatically change in as little as three years. And expect to start deciding whether to stop “selling” user data or defend its use in court.

The California Consumer Privacy Act (CCPA) is legally enforceable as of July 1. 

But the bigger news may be the announcement by California’s Secretary of State this week, following a court ruling, that a tougher privacy initiative, the proposed California Privacy Rights Act (CPRA) has qualified to appear on the state’s November ballot. Law firms and privacy advocates raced this week to summarize what the CCPA now requires, as well as what will be added if voters approve CPRA.

Meanwhile, an initiative by engineers at Wesleyan University has the potential to provide an easy method for consumers to uniformly transmit a “Do Not Sell My Data” (DNS) command to all the web services they use — an idea bitterly opposed at the regulatory-comments stage by most of the nation’s advertisers and tech platforms.

Wesleyan University computer-science professor Sebastan Zimmick advocated his “implementing privacy rights” technology in an open discussion of the Privacy Community Group of the World Wide Web Consortium (W3C). Under CCPA, browser DNS signals “should be respected, must be respected, actually,” said Zimmick. He said Wesleyan students are now building a browser extension that transmits such signals.

A key engineer at The Washington Post, commented favorably, saying its important for a standard to evolve around how websites respond to user signals about data privacy. 

“I agree, I think that this is needed,” said The Post’s Aram Zucker-Scharff. “The new CCPA guidance has led to different interpretations (about responding to DNS signals) than most in the marketplace were imagining.”  He said “the idea of a function that supports the CCPA opt-out process…seems to be the best next step.”  However, Zucker-Scharff said it is likely a DNS signal will not be respected by everyone globally when received from non-California-related users.

There is much uncertainty about how to interpret aspects of CCPA. For example, what does it mean to “sell” user data? Facebook says it doesn’t do so; privacy advocates say that is a semantical argument that will have to be sorted out in court. And even the California attorney general is refusing to set a general regulation for how or if to respond to automated “do-not sell” signals.

CPRA ANALYSES

• CPRA provisions analyzed | Robert Bowman & David Stauss, Husch Blackwell LLP 

• California Privacy Rights Act Poised to Push Past CCPA Protections | Jason Schwent and Melissa Ventrone, Clark Hill PLC – JDSupra

• California Privacy Rights Act to Appear on November 2020 Ballot | Bret Cohen, Mark Brennan, Timothy Tobin and Filippo Raso, HL Chronicle of Data Protection

• The California Privacy Rights Act: CCPA Part Two | Chiara Portner, The Privacy Hacker

CCPA UPDATES

• TechRepublic: CCPA: How to prepare for California’s new privacy law before enforcement starts July 1 | Veronica Combs, Tech Republic

• Enforcement of the California Consumer Protection Act Begins July 1, 2020: Quick Compliance Tips | Krishna Jani and Donna Urban, Flaster Greenberg PC – JDSupra

• Analyzing the Calif. attorney general’s comments on cookies and tracking technologies | David Stauss and Malia Roger, IAPP

• Does CCPA’s Cross-Country Reach Render it Unconstitutional? | Jenny Colgate, Privacy Zone

• CCPA Regulations: Does an Online Form Constitute Valid ‘Notice at Collection?’ | Odia Kagan, Privacy Compliance & Data Security

• CCPA Enforcement — Ready, Set, Sue! | Morgan Jones and Scott Smedresman, McCarter & English, LLP

• TEXT: CCPA 2.0 judge’s opinion

• Helping Businesses Comply With the California Consumer Privacy Act (CCPA) | Facebook for Business

• If a business does not identify a specific use for information in a notice at collection, is it prohibited from using information in that manner? | Bryan Cave Leighton Paisner

• What steps must a business take if it sells personal information? | Bryan Cave Leighton Paisner

CCPA, GDPR change privacy focus from government actions to the behavior of companies; but value of information remains “fuzzy”, says lawyer

Last week’s decision by a French appellate panel to uphold a $57-million fine against Google illustrates the sea change occurring in privacy regulation, and shows how privacy is increasingly at issue in relationships with companies, not just governments, a U.S. privacy attorney says. (See: French Highest Administrative Court Upholds 50 Million Euro Fine against Google for Alleged GDPR Violations | Privacy & Information Security Law Blog.)

CCPA and GDPR really changed the conversation from sectoral to comprehensive data privacy law and shifted the discussion from privacy being about the Fourth Amendment and the government to being about privacy and privacy companies,” Odia Kagan said in an interview with Privacy Beat. Kagan practices with the Philadelphia firm of Fox Rothschild.

In a June 19 decision, the supreme French Council of State affirmed a Jan. 2019 decision by France’s data-protection authority, CNIL, that said Google LLC had violated the General Data Protection Regulation (GDPR) because: (1) Privacy notices that were neither clear nor easily accessible across Google services and (2) A default pre-checked box supposedly collecting user consent for processing related to ad personalization did not comply with GDPR.

The change is also evidenced, Kagan says, in the level of interest in the CCPA, which elicited hundreds of comments  over 480 pages in a year-long process by the California attorney general to develop implementing regulations. Two issues she sees as yet-to-be-resolved with CCPA enforcement:

• How to value data in an exchange for services. This issue elicited more comments than any other, says Kagan, who believes the attorney general needs to provide more guidance to go along with regulations. Trading data for services, if done transparently, may be legal under the CCPA, even though it probably is not under GDPR, she says. But the whole situation is “fuzzy,” she says.

• There is no technology yet that matches the CCPA requirement to respond to a user’s request not to have data about them sold. “This is one for the industry to pick up and try to reserve,” says Kagan. “And figure out a solution that will work.

GDPR AND EUROPE

• European Commission says GDPR has met ‘most of its objectives’ | Martin Banks, The Parliament Magazine

• Facebook Dealt Blow as German Court Strikes Business Model | Karin Matussek, Bloomberg

• DPC Ireland 2018-2020 Regulatory Activity Under GDPR | Data Protection Commission

• What US companies can learn from GDPR enforcement | Barry Fishley and Robert Brown, IAPP

• The Federal Court of Justice provisionally confirms the allegation of abuse of a dominant position by Facebook | Press Release, German Federal Court of Justice

• GDPR’s two-year review flags lack of “vigorous” enforcement | Natasha Lomas, TechCrunch

• EU’s Privacy Watchdogs Urged to Use Full Force of New Powers | Stephanie Bodoni, Bloomberg

• Europe struggles to implement GDPR 2 years on, report finds | Financial Times

• EU admits it has been hard to implement GDPR | Javier Espinoza, Irish Times

• Ireland needs more muscle to police tech giants, EU report says | Foo Yun Chee, Irish Examiner

• LEAK: Commission pushes UK for ‘high degree of convergence’ in GDPR review |  Jorge Valero and Samuel Stolton, Euractiv

• The CNIL Can’t Legally Forbid Cookie Walls Under GDPR | Allison Schiff, AdExchanger

• Ireland, Luxembourg need more muscle to police tech giants, EU report says | Foo Yun Chee, Reuters

• EC calls for harmonization, addresses data transfers in GDPR review | Joe Duball, IAPP

• Antitrust case against Facebook’s ‘super profiling’ back on track after German federal court ruling | Natasha Lomas, TechCrunch

Browser makers and Facebook in discussions about eliminating general user tracking – but how?

Engineers from Google, Apple, Facebook and Brave are focusing attention on how to create a technical firewall between advertisements and the web pages they appear on, as they discuss ways to eliminate web tracking of consumers without user permission.

This week’s discussion came during a virtual meeting of a “Privacy Community Group” hosted by the non-profit World Wide Web Consortium (W3C). Broadly, the group was considering ways to change the technology that governs how web-browser software controls access by various parties to stored user information.

An idea from Google, emerging from its “Privacy Sandbox” initiative, is called ‘enclaves’, or a data-isolating page within a page said Josh Karlin, a Google engineer. “What we are trying to prevent is broad user tracking,” he said. The company wants to be able to see some cross-site information, Karlin said, but make sure it isn’t leaked to others and the “enclaves” idea could help. “We haven’t come up with something reasonable enough go share publicly,” he said earlier. “But we hope do in the next week or two.”

Brave Inc.’s Peter Snyder said the browser maker was working on something similar that would not allow “leakage” of data from an advertising placed on a page between the ad networks and the owner of the website where it appears. “We also would like to be part of this discussion,” he said.

Facebook’s Ben Savage said the idea being discussed was similar to a related Google proposal, TurtleDove, which would provide for ad rendering with limited viewability and connectivity to the hosting page. Google’s Michael Kleber, the TurtleDove originator, said that was being discussed in another W3C group. “I would love to have you participate in that discussion with the people who care about it,” he said.

Apple representative John Wilander thanked “the Google folks” for presenting the “enclaves” idea. He said it seemed to involved “personally identifying” ads in a proposal distinct from the storage-access API discussion underway.

Until May, Google was perceived as generally not active in the browser privacy community group discussions, focusing on a W3C advertising business group. 

AD TECH AND PRIVACY

• Apple’s privacy changes represent ‘tectonic shift’ for digital ad industry | George P. Slefo, Ad Age

• IAB Tech Lab Releases Data Deletion Spec Ahead of CCPA Enforcement | Andrew Blustein, AdWeek

• Transparency and trust in the media business | Chris Pedigo, Digital Content Next

• B2B Publishers Call to End Data Misuse in Online Ad Auctions | Greg Dool, Folio

• “Google paying publishers” is more about PR than the needs of the news industry | Joshua Benton, Nieman Lab

• Publishers see digital events as a new route to audience data | Lucinda Southern, Digiday