The California Consumer Privacy Act is scheduled to take effect Jan. 1, 2020, although it may not be enforced for at least six months after that. That’s because sometime in the early fall California Attorney General Xavier Becerra will release regulations interpreting many aspects of the CCPA.
What is a sale?
The act defines “sale” broadly to include selling, renting, releasing, disclosing, disseminating, making available, transferring or otherwise communicating “personal information” to another business or a third party for monetary or other value.
What is personal information?
It defines personal information as information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household, such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
What is Real Time Bidding?
On June 30, 2019, the UK Information Commissioner’s Office (ICO) published a 35-page report on the ad-tech system and it contains this definition of Real Time Bidding (RTB):
When you visit a website, some of the ads you see have been specifically selected for you. As the site was loading, the website publisher auctioned a space on the page you are viewing, and an advertiser bought it because it specifically wants to reach people like you. The process can involve many companies, and happens in milliseconds. Billions of online ads are placed on webpages and apps in this way every day. The process – known as real time bidding – relies on the potential advertiser seeing information about you. That information can be as basic as the device you’re using to view the webpage, or where in the country you are. But it can have a more detailed picture, including the websites you’ve visited, what your perceived interests are, even what health condition you’ve been searching for information about.
What information is in an RTB “header bid request”?
The UK Information Commissioner’s Office (ICO) 35-page report says GDPR-defined “personal data” in a header bid request may include:
- a unique identifier for the bid request;
- the user’s IP address (possibly with the final set of numbers removed, e.g. in Google’s Authorized Buyers framework);
- cookie IDs;
- user IDs;
- a user-agent string identifying the user’s browser and device type;
- the user’s location;
- the user’s time zone;
- the detected language of the user’s system;
- the device type (desktop/mobile, brand, model, operating system);
- other information relating to the user (this can vary); and
- information relating to the audience segmentation of the user.
Other information about the user can include:
- referring sites (where the user came from);
- user journey on the site (including mouse cursor movement);
- events (scrolling, clicking, highlights, media views);
- search queries;
- session time;
- site behavior (contextual and thematic preferences to certain topics and pages, interactions such as downloads, transitions to other pages through clicking on advertisements and links); and
- demographic data.
- A slide-show guide to the CCPA by Stacey Brandenburg, an attorney with ZwillGen in Washington, D.C. (June 4, 2019)
- California lawmakers sidetrack amendments sought by privacy advocates but advance amendments to ease restrictions on “de-identified” aggregate data; and allowing charging non-sharing users
- Pre-law student’s paper examines the potential for constitutional challenges to CCPA | No firm conclusion
- Big tech, others, seek CCPA changes to allow trading of ‘premium features’ for user data; open up use of publicly available information
- PRIVACY: Last-minute provision in California data-privacy bill may actually create a marketplace that values personal information, observers say; also nonprofits not covered?