An early clash between the advertising industry and privacy advocates is shaping up over how California will enforce the “opt-out” provisions of the California Consumer Privacy Act (CCPA).

Research by the non-profit Consumer Reports (CR)  released this week shows that an aspect of the law which can be read to allow consumers to designate an “information agent” to submit hundreds of opt-out demands to data brokers, is the forcing issue.  That’s because California Attorney General Xavier Becerra, the CCPA enforcer, is saying the law requires companies to respect such automated bulk opt-out requests.

Last week, Becerra Tweeted his intention, and a co-author of CCPA, Ashkan Soltani, reacted.  This week CR reported that a 100-user research study found significant trouble gaining compliance from a small group of data companies to which CR submitted opt-out requests.  Read: “Why It’s Tough to Get Help Opting Out of Data Sharing,” by Kaveh Waddell, on the Consumer Reports website, and a story by MediaPost’s Wendy Davis: “Companies Fall Short of Compliance with CCPA, Consumer Reports Finds.”  Also, “On Operating a Do Not Sell Authorized Agent Under CCPA,” by CR’s Ginny Fahs.

At the same time, ad-industry trade groups drew a line in the sand, saying the law is supposed to only allow users to make one-by-one manual requests.

• Ad industry panic attacks over Becerra support for global privacy consent  | Wendy Davis, DigitalNewsDaily/MediaPost.com

The dispute is important, because without an efficient way for consumers to register their distaste for use or sale of their data without their knowledge, CCPA loses much of its teeth. “Without an agent, it would take you 33 hours to opt out of the 400 registered data brokers in California, if you spent five minutes on each one,” says Don Marti, co-author of the CR study. (Marti is also an advisor to ITEGA, sponsor of this newsletter).

In the CR study, no user’s personal data was submitted or requested.  But on his own, Marti says he submitted an opt-out request to data brokers Oracle and Jira that included a request for what they had opaquely collected about him personally.  “Somehow I’m a single dad who drinks a lot of Diet Coke, and I’m in the market for eight luxury cars,” Marti, who is married, said in a blog post.

The issue of whether automated agents can execute opt-out demands is a do-or-die issue for ad-tech because if a large percentage of consumers do so, it could choke off a key source of target-marketing data.  But CR will keep testing.  Also this week, it announced a new round of funding from Craig Newmark Philanthropies and Omidyar Network for its research.  Becerra is awaiting confirmation for a Biden cabinet position, so there is a possibility of both sides lobbying whoever is appointed to succeed him as California AG.

CALIFORNIA PRIVACY 

• “Dark Pattern” privacy screen alerts probed by lawmakers | Tom Simonite, Wired.com
• How CPRA affects service providers, contractors and third parties | Caitlin Fennessey IAPP Privacy Advisor
• Assess data practices to comply with CPRA, law firm suggests | Brian G. Cesaratto
• Deanna L. Ballesteros,  Epstein Becker & Green, P.C.
• Top-10 operational impacts of the CPRA | IAPP article series

IDENTITY 

• FuboTV Is The First CTV Platform To Join Unified ID 2.0 | Allison Schiff, AdExchanger.com
• VENDOR VIEW: Browser or server: Two approaches to identity and what they mean | Joel Meyer, OpenX via AdExchanger.com
• VENDOR VIEW: Tapad exec provides thoughtful overview if identity-privacy mix | Ajit Thupil, Tapad via StreetTalkMag.com

PLATFORM ANTITRUST 

• Klobuchar unveils sweeping revamp of antitrust enforcement | Lauren Feiner, CNBC.com | PROPOSALS SUMMARIZED (via Benton)
• Toronto Star leaves front page blank to push antitrust regulation of Google, Facebook | Zack Budryck, TheHill.com | REPORT: Leveling the playing field
• Why Google’s approach to replacing the cookie is drawing antitrust scrutiny | Kate Kaye, DigiDay.com
• Google’s Privacy Sandbox: positive move or more fuel to the Google monopoly? | Mickey Feilden, TheDrum.com
• Will ending cookies just tighten Google’s grip on world ad marketplaces? | Matt Burgess, Wired.com
• Google And Facebook Hit With Antitrust Lawsuit By West Virginia Newspaper | Wendy Davis, DigitalNewsDaily/MediaPost.com | RELATED STORY | DOCUMENT LINK
• How Strong Is A Local Publisher’s Antitrust Suit Against Google, Facebook? | Rob Williams, PublishingInsider/MediaPost.com

Apple’s Safari browser will soon begin keeping track when users buy something in response to an ad, but the company’s developers say that information will not been accessible to Apple or anyone other than the publisher or advertiser running the ad campaign.

The feature is called “Private Click Measurement,” (PCM) and Apple’s John Wilander has been talking about it for months in the open privacy-interest group of the World Wide Web Consortium (W3C).  In posting a detailed description about PCM he candidly acknowledged the desire for PCM to become an open web standard.  “We are working with them to get there,” Wilander says. But no other browser maker has committed to use it as yet.  So Apple is going ahead unilaterally.

• Apple debuts WebKit tech to measure click-through ad campaigns; is it privacy friendly? | John Leyden, TheDailySwig.com

Advertisers want to know when an ad “converts” to some action, like a purchase, or a visit to a product website and they have been used to getting that through third-party cookies.  But with diminishing use of cookies, Apple and others are seeking alternatives to assist the ad industry’s measurement desires.  The big issue: Should the measurement be controlled within the browser, or done across web servers?  Some points Wilander makes in the announcement: 

• PCM is not technically tied to advertising, so functional descriptions use more generic terms.  An interesting question: Could PCM be used to attribute, say, linking to a piece of content for copyright attribution or payment? 
• An app-to-web path is supported, but not yet a web-to-app path.
• The browser user will be able to look up their stored reports of purchases or other “conversions,” but the click reports will only be stored for seven days.
• PCM is already included in downloads of Safari in test/debug mode, and the production version, in iOS and iPadOS 14.5 betas and will be turned on by default, although a user can disable it.
• When a user makes a purchase, the browser won’t send a report immediately. Instead it will way as long as 48 hours and do so randomly, Wilander says. This is a privacy feature to make unauthorized user tracking difficult.

“IF PCM is being misused for tracking purposes or being used in conjunction with unrelated means of tracking users, events or devices, we may block the offending party from using PCM and potential future measurement features,” Wilander warned on behalf of Apple.

BROWERS, ADS AND PRIVACY

• Will third-party data survive the end of third-party cookies? | Joseph Zappa, StreetFightMag.com

• Publishers lament: Move away from TP cookies slows websites and leaks data? | Andrew Bluestein, AdWeek.com

• BACKGROUND BRIEFING: An up-to-date guide to Google’s Privacy Sandbox | Vishveshwar Jatain, BlockThrough.com

• Google’s FLoCs: “Advertisers and Publishers Are Right to Be Wary” |Joseph Zappa, StreetFightMag.com FLOC BACKGROUND

• OPINION: Why Marketers for an Open Web (MOW)  is lobbying against Privacy Sandbox | James Rosewell, MOW via TheDrum.com

• VENDOR VIEW: How might advertisers re-learn ad-tech after TP cookies? | Myles Younger, MightyHive, via AdMonsters.com

PRIVACY FACEOFF . . . 

• In a new test, Facebook pre-empts Apple’s required prompt with its own | Samuel Axon, ArsTechnica
• Apple and Facebook’s Privacy War, Explained; why Facebook’s worried | Kirk Miller, InsideHook.com
• Privacy Spat Between Facebook and Apple Is Just the Beginning | Kurt Wagner, Bloomberg Quint
• Opinion: Apple’s privacy changes are affecting more than just Facebook | Therese Poletti, MarketWatch.com

 . . . APPLE’S VOLLEY

• Apple’s app TrackingTransparency requirement update | Apple Developer Blog
• RELATED: Tim Cook’s 12-minute privacy video
• I checked Apple’s new privacy ‘nutrition labels.’ Many were false | Geoffrey Fowler, WashPost.com
• Snap and Unity both warn investors about impact of Apple IDFA opt-in rule | Megan Graham, CNBC.com
• Advertisers scramble for answers after Apple’s IDFA update | Seb Joseph, DigiDay.com

 . . . FACEBOOK SHOOTS BACK

• Facebook prompt will encourage ad tracking opt-in ahead of Apple’s privacy push | Nick Staff, TheVerge.come | RELATED STORY
• Harvard Business Review piece questions Facebook claim of harm from Apple | Debashis Sarkar, Gadgets Nows | LINK TO HBR STORY | RELATED STORY/
• Listen Carefully to What Facebook Isn’t Saying About Apple’s Upcoming Privacy Change | Jason Aten, Inc.com
• Facebook claims benefits of data collection ahead of Apple privacy change | Samantha Murphy Kelly, CNN Businessl
• Facebook’s New Privacy Pop Up Shows the Company Just Doesn’t Get It | Jason Aten, Inc.com

 . . . GOOGLE PARRIES 

• Google still hasn’t updated its iOS apps, while pondering Android privacy controls | Wesley Hilliard, AppleInsider.com
• Google revising some of its iOS apps to avoid having to make “nutrition” disclosure | Caleb Chen, Privacy News Online
• Here are 12 Google apps that have been updated with the App Store privacy label | Christian Zibreg, iDownloadBlog.com
• Google explores ‘less stringent’ knockoff of Apple’s anti-tracking privacy feature for Android | MacDailyNews.com
• Google Explores Alternative to Apple’s New Anti-Tracking Feature | Mark Gurman and Nico Grant, Bloomberg Technology
• Android could copy the iPhone’s best privacy features — what you need to know | Tom Pritchard, TomsGuide.com

Two economists have penned a preview of a forthcoming research paper which calls for regulation of Google, Facebook and other platforms’ use of personal data, including a requirement that no data be collected without a user’s explicit permission — as required in the European  Union.

The two scholars are Nicholas Economides of the Stern School of Business at New York University and Ioannis Lianos, a professor at University College London.  Their new essay (see QUOTE OF THE WEEK, below, for excerpts) was posted this week to a blog run by the University of Chicago’s Booth Stiglitz Center, and titled, “Giving Away Our Data for Free is a Market Failure.”

“A required first remedy is to make ‘opt-out’ the default regime in the collection of personal information, and sellers would opt-in if they so wish,” the two economists write.  The authors of the California Privacy Rights Act (CPRA) have said they avoided an default “opt-out” (which would have been similar to European Union law) because it might have been vulnerable to U.S. constitutional challenge on First Amendment grounds.  Their essay previews a 72-page journal paper, which is already in pre-release form and to be published by the Networks, Electronic Commerce and Telecommunications Institute. 

“We have shown that the acquisition of private information by default without compensation by digital platforms such as Google and Facebook creates a market failure and can be grounds for antitrust enforcement,” the duo writes in a draft conclusion to the full-length article. They continue: “To avoid the market failure, the default in the collection of personal information has to be changed by law to ‘opt-out.’ “

The make several other recommendations, including a call for antitrust enforcement or the breakup of the platforms. Also, they suggest a system for management of data transactions and compensation, licensing of data and data portability and interoperability standards.

PERSONAL PRIVACY 

• OPINION: Surveillance marketing or democracy — an either-or choice? | Shoshana Zuboff, via NYTimes.com
• STUDY: 59% Would Opt In To Apple’s Privacy Tracking If They Received Relevant Content | Rob Williams, MediaPost.com1/
• SURVEY: Consumers have poor understanding of data privacy, but are trying | Tom Formeski, ZDNet.com
• The “Privacy Paradox” is a misunderstood phenomenon | Daniel J. Solove, TeachPrivacy.comn/
• Van drivers concerned about Amazon’s use of monitoring cameras | TechInvestorNews.com | RELATED STORY

STATEHOUSE WATCH 

• ROUNDUP: State Privacy Bills Gain Momentum | Alysa Zeltzer Hutnik et al., Kelley Drye law firm
• Now Washington state legislature considering “opt-in”-required data law | Wendy Davis, DigitalNewsDaily/MediaPost.com
• State ACLU release statement supporting opt-in Washington state bill | ACLU
• Okla. lawmakers eye required-“opt-in” computer-privacy bill | Grant Crawford, Tahlequah Daily Press | BILL TEXT
• New York’s Gov. Cuomo unveils his own data-privacy proposal | Deborah A. George, Robinson & Cole LLP law firm
• Virginia may have optional opt-out data-privacy law by end of February | Joseph Duball, IAPP Privacy Advisor

WASHINGTON WATCH 

• Will states’ moves on privacy push Congress to act? | Alexandra S. Levine, Politico.com
• Democrat warns tech companies to ‘step up in big way’ or risk Section 230 changes | Rebecca Klar, TheHill.com
• Personal data cleanup company offers 10 tips for Biden privacy action | Harry Maugans, PrivacyBee via VentureBeat.com
• Media reporter expects Congress to tackle privacy law and Section 230 | Sara Fisher, Axios.com

EU PRIVACY

• WhatsApp Reportedly Facing $60.7M EU Privacy Fine | Robert Bateman, Digital Privacy News
• EU agency’s report explains importance of pseudonymisation to privacy | HelpNetSecurity.com
• Webinar summary: How corporations can avoid Schrems II cross-border liability | Magali Feys, Anonos.com
• Quartz: Netherlands says Google privacy policy is breach of privacy law | Leo Mirani, Quartz.com/

BIOMETRIC PRIVACY 

• Fears raised over facial recognition use at Moscow protests | Umberto Bacchi, Reuters PLC
• Facial recognition firm Clearview  violated privacy laws, Canadian authorities say | Ryan Chiavetta, IAPP Privacy Advisor | GOVERNMENT’S STATEMENT
• Here’s a Way to Learn if Facial Recognition Systems Used Your Photos | Cade Metz and Kashmir Hill, New York Times
• Facial-recognition privacy bill offered in Maryland | IAPP Privacy Advisor | MARYLAND TEXT
• Alabama bill would limit use of facial recognition technology by law enforcement | Brandon Moseley, Alabama Political Reporter