Will California drive privacy as DC abdicates? | What is “sharing” and does it cover RTB?

Privacy Beat

Your weekly privacy news update.



POLL: Some 80% of Americans support many parts of privacy bill | Chris Teale, MorningConsult.com 
Advertisers, tech, business don’t like the ADPPA so far;  neither does Sen. Cantwell. Leaving California driving?

Ongoing reaction to a “bipartisan” effort to enact a new U.S. data privacy law is lining up along the same fault lines that have blocked congressional action for years.  The advertising and technology industries don’t like the latest proposals and privacy advocates are generally supportive, while looking for additional protections. And Senate Commerce Committee chair  Maria Cantwell, D-Wash., remains unconvinced.

The likely result: No action this year, leaving California privacy regulators to lead U.S. privacy policy by default.

“Federal privacy legislation cannot undermine California’s groundbreaking privacy laws,” Rep. Anna Eshoo, D-Calif., said during a hearing. Similarly unconvinced, via Tweet, is Sen. Ron Wyden, D-Ore., an ardent tech-privacy advocate.

The American Data Privacy Protection Act (ADPPA) proposes a compromise on the preemption of state laws and individuals’ ability to sue, two hot-button issues that have stymied legislative progress. Cantwell reacted earlier this month: “For American consumers to have meaningful privacy protection, we need a strong federal law that is not riddled with enforcement loopholes.” She added: “Consumers deserve the ability to protect their rights on day one, not four years later. Americans also deserve a law that imposes a duty of loyalty on the companies that collect and monetize personal data so that the companies cannot abuse that data.”


Staffers working for the GOP and Democratic supports of the draft bill prepared a  roundup up supportive comments, including from a lawyer for the Future of Privacy Forum, a moderate, industry back policy group, and Free Press.

Under the draft bill, big tech companies would be limited to collecting, processing and transferring only the data that is reasonably necessary to provide their services, the Wall Street Journal reported. And for some sensitive categories of data, such as geolocation data or biometric information, the bill would prohibit transfer or restrict it to very limited circumstances.

“Our members remain concerned that it’s too broad,” John Miller of the Information Technology Industry Council, was quoted by the Wall Street Journal’s John McKinnon as saying, calling the draft bill “a recipe for a flood of lawsuits.”

The powerful U.S. Chamber of Commerce said the draft was ‘unworkable and should be rejected,’  The chamber continued: “Unfortunately, the ADPPA was released with less than two months before the August recess, and we believe that a bill that is so novel, complex and far-reaching into the businesses practices of nearly every industry like the manufacturing, retail, financial services, hospitality, and innovation sectors should not be rushed through the last six months of the 117th Congress.”

The most prominent advisor to the ad-tech industry, lawyer Stuart Ingis, opposes the bill, arguing the provisions regarding tracking are too restrictive. “I don’t think the bill as written is fixable,” Venable attorney Stuart Ingis, advisor to the industry coalition Privacy for America, says. “It’s going to have huge negative implications on the whole internet economic model — which will be bad for consumers and bad for businesses,” Ingis says.

Privacy for America — a coalition that includes the Interactive Advertising Bureau, Association of National Advertisers, American Association of Advertising Agencies, Digital Advertising Alliance, and Network Advertising Initiative — stated earlier in week that the draft bill “unfortunately falls short in terms of protecting responsible data use.”


Data minimization one focus of questions at ADPPA hearing | Joseph Duball, IAPP Staff


Warren, Wyden, Murray, Whitehouse, Sanders Introduce Legislation to Ban Data Brokers from Selling Americans’ Location and Health Data |. U.S. Senate news release



ITEGA’s mission: Trust, identity, privacy and information commerce.

ITEGA calls for support of ‘public option’ user privacy/identity ecosystem — led by journalism-aiding nonprofit

Learn More


Legality of RTB data “sharing” questioned  in U.S. federal court — and separately in legal threat from Ryan

A tech-savvy federal judge in California, in a preliminary ruling, is setting the stage for a monumental battle over the legality of “real-time bidding” (RTP) for companies that must comply with the California Privacy Rights Act (CPRA) beginning next year.  So is Johnny Ryan, the Irish privacy advocate.

U.S. District Judge Yvonne Gonzalez Rogers’ rejected a request by Google Inc. to dismiss a class-action lawsuit launched last year. Missouri resident Kimberley Woodruff and other users say the RTB system violates privacy by sharing personal information with third parties. Google’s main argument is that the information shared is not “personal,” consumers have no expectation of privacy, and the company’s privacy statements disclose its practices adequately.

Rogers disagrees in her June 13 decision. “While plaintiffs might have been informed about Google’s use of information for its own internal purposes such as directing targeted advertising to plaintiffs, the referenced disclosures do not discuss the challenged conduct here — the sale and disclosure of plaintiffs’ personal information to third parties without plaintiffs’ consent or knowledge.”

The judge ruled the suit alleges enough facts to infer that personal information is shared by Google via the RTB process, and the case can therefore move forward. “Google argues that such information routinely shared and thus cannot support a reasonable expectation of privacy,” she ruled. “Not so,” she concludes.

Meanwhile, Irish Council for Civil Liberties privacy advocate Johnny Ryan says his organization is determined to challenge use in the European Union of a new initiative of the IAB Tech lab called “Global Privacy Platform (GPP).” (THIRD ITEM)  In a June 8 letter  to the IAB’s chief executive, Ryan says GPP relies upon a transparency-and-consent framework already found by EU regulators to violate the EU’s General Data Protection Regulation (GDPR).  “”Therefore, we will be obliged to take legal action if you persist,” Ryan wrote in the letter to the IAB’s Anthony Katsur.




Facebook Sued For Allegedly Collecting Patient Data From Hospital Sites | Wendy Davis, DigitalNewsDaily/MediaPost.com





As California develops CPRA enforcement rules for 2023, law firm details challenges with “sharing” of user data

As regulators works through the process of making rules for the Jan. 1, 2023 enforcement of the California Privacy Rights Act (CPRA), a law firm has provided a heads up on why the definition of “sharing” vs. “selling” will become a big deal at that time.

“The CPRA concept of ‘sharing’ . . . focuses on whether personal information is used by third parties for cross-context behavioral advertising, rather than on whether there is monetary or other valuable consideration for disclosure,” write W. James Denvil and Sophie Baum of the Hogan Lovells law firm in their blog/newsletter analysis entitled, “CPRA countdown: The new concept of ‘sharing.’ “   (See, QUOTE OF THE WEEK, below, for an excerpt)








Like what you see? Then recommend to a friend.

Subscribe to Privacy Beat


What is the difference between “sharing” and “selling”? With CPRA it matters

A key distinction in privacy regulation emerging in both California and within the European Union is distinguishing between “selling” and “sharing” information about consumer users of web services, especially for targeting advertising. In an excerpt below HoganLovells attorneys W. James Denvil and Sophie Baum describing the distinction which becomes effective next year in California.

“What is the difference between “sharing” and “selling”?

“Sharing” means “communicating orally, in writing, or by electronic or other means, a consumer’s personal information . . . to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration”

“A key difference between the concepts of “sale” and “sharing” is that “sales” of personal information under the [California Privacy Rights Act] CPRA require consideration; “sharing” does not.  To understand what constitutes “sharing,” therefore, one must understand what cross-context behavioral advertising is and what entities are third parties.  The CPRA defines the term as:

‘the targeting of advertising to a consumer based on the consumer’s personal information obtained from the consumer’s activity across businesses, distinctly-branded websites, applications, or services, other than the business, distinctly-branded website, application, or service with which the consumer intentionally interacts.’

“CPRA sharing therefore involves the disclosure, transfer, or other communication of personal information to third parties for purposes of advertising that is targeted based on a consumer’s activities on third-party and distinctly branded digital platforms.  

“Under the CPRA, third parties are entities that are not:

  • The business that a consumer intentionally interacts with;
  • Service providers or contractors to such businesses that provide services to the business for specified purposes.

“Therefore, if businesses engage online advertisers, cookie providers, or other adtech providers to support cross-context behavioral advertising in the roles of service providers or contractors, the disclosure of personal information will not be considered “sharing.”  The key questions for assessing whether information is “shared” are, therefore:

  • Is the personal information of California residents disclosed to an entity for cross-context behavioral advertising (e.g., interest-based advertising targeted based on activities across the digital properties of other businesses or distinctly branded digital properties)?
  • Is the recipient a third party, rather than a contractor or service provider?
  • If the answer to both questions is, “yes,” the practice likely constitutes sharing, subject to the exceptions discussed below.

[To learn more about the CPRA’s opt-out rights, see the HoganLovells post here.



Privacy Beat is a weekly email update from the Information Trust Exchange Governing Association in service to its mission. Links and brief reports are compiled, summarized or analyzed by Bill Densmore and Eva Tucker.  Submit links and ideas for coverage to newsletter@itega.org.

Share Share

Tweet Tweet

Share Share

Forward Forward




Copyright © 2022 Information Trust Exchange Governing Association, All rights reserved.

Want to change how you receive these emails?
You can update your preferences or unsubscribe from this list.

Email Marketing Powered by Mailchimp