Final California Privacy Regs & Adtech

benisaacson
The Lucid Privacy Group
7 min readAug 18, 2020

--

The Un-United State of California

The Lucid Privacy Group provides you this commentary for educational purposes only. Please seek legal counsel before relying upon the information below.

On Friday August 14, the California Office of Administrative Law issued a final approval of the Attorney General’s (AG) regulations related to the California Consumer Privacy Act (CCPA). With the final approval came some additional changes to the regulations, some of which may have a material impact on your existing compliance efforts. The Lucid Privacy Group breaks down the latest changes, as well as a recap of the most relevant portions of the regulations that impact the online advertising industry.

August ’20 AG Regulations Changes:

  • Websites must not change or shorten the ‘Do Not Sell My Personal Information’ link such as by using the word ‘Info’ or ‘Do Not Sell’ (or our newest favorite acronym-DNSMPI).
  • Online companies may now refer offline consumers to their online privacy policy to opt-out rather than supplying an offline notice with opt-out mechanism.
  • While the opt-out notice still needs to be easy to read and understandable, the opt-out method itself no longer needs to be ‘easy to execute’ with ‘minimal steps’.
  • For companies who collect significant volumes of personal information, the AG increased the record-keeping and metrics reporting threshold from the prior 4,000,000 to 10,000,000 unique records. In other words; if your business annually collects personal information from less than (<) 10 million California Consumers per year, then you will not have to post metrics on your website about received rights to know (aka: ‘access’), deletion and opt-out requests nor be required to provide enhanced training for your employees.
  • The provision that required ‘explicit consent’ to make any material changes with the use of previously collected information was removed. The AG clarified that the FTC already has stated that material retroactive changes require consent from individuals prior to going into effect.

While the items above are mostly neutral to businesses, there was one change that may prove to be problematic;

  • A removal of a ‘proof’ requirement for agents to submit ‘know’ and ‘deletion’ (not DNSMPI) requests on behalf of consumers. This change makes it easier for agents to make these types of requests, as they are only required to provide “consumer’s signed permission” which could make automated requests easier than with a proof requirement.

For adtech and ‘digital native’ companies, here is a quick primer on some key provisions of the final AG regulations:

  1. The AG went beyond the legal text (*see footnote below) of the CCPA to require businesses to honor a new opt-out mechanism through the use of plug-ins, browser settings, device settings, or ‘other mechanisms’. In other words, businesses should expect a slew of new types of tools that consumers may use to send adtech-specific opt-out requests that may not align with the existing opt-out methods provided through privacy policies or DNSMPI notices.
  2. The AG clarified that not all unique identifiers are always ‘personal information’, and that there may be ‘fact or scenario-specific’ considerations such as with session-only cookies or geographic-only IP addresses. However, it should be clear from the text of the CCPA and regulations that all other persistent identifiers, regardless of the type (including ‘probabilistic’ IDs) are considered personal information.
  3. If a business is sharing data with another business and the contract does not specify the receipt as a ‘service provider’ and identify the specific business purposes as defined by the CCPA (or regulations), then you may want to consider the shared data to be a ‘sale’. The AG does not state it directly, but it is implied from the language they used in their commentary about the use of analytics products or reference to service providers simply ‘sharing’ data with third parties that either scenario could be a violation of the CCPA.
  4. There are no references to ‘cookie consent banners’ in the text of the CCPA or clarity in the AG regulations. While the adtech industry has seemingly adopted this approach similar to compliance with European laws, there are some potential flaws in its use, notably:
    * The AG expressly did not address requests to determine if cookie consent through a web banner satisfies the ‘intentional interaction’ language of the law that would direct a website to share cookie-related information with a third party.
    * In addition, there may be ‘fact-specific’ scenarios presented for each type of website and/or cookie partner similar to what we’re now seeing with the EU IAB’s approach to the ‘Transparency and Consent Framework’. Specifically, a CCPA cookie banner should, in theory, clarify which cookies are ‘service providers’, which are ‘sales’ that consumers can opt-out of, and perhaps which are ‘intentional interactions’ to be shared with consent. As a result, the current binary ‘Accept/Reject’ approach may be considered out of compliance.
    * Finally, if we can assume the AG considers third party interest-based advertising cookies to be ‘sales’, then a cookie consent banner for this type of sharing should not offer consumers an ‘Accept/Reject’ (or just ‘Reject’) option, but rather a simple ‘Do Not Sell My Personal Information’ banner/link.
  5. The AG regulation’s instructions for companies handling rights related to ‘households’ are confusing, complex and potentially inapplicable to online advertising companies. The AG requires household requests to be jointly with each member of the household, with each individually verified, including their residency in the household as well as parental verification for those under 13. If the only identifier a business has is a cookie ID, IP address, hardware MAC address or MAID with no known content directed to children under 13, then how is a digital company to complete such a household and parental verification?
  6. The AG regulations clarified that there may be scenarios where a business may still be considered a service provider beyond the narrow ‘7 business purposes’ expressly defined in the text of the CCPA. Notably, the AG has seemingly expanded ‘purpose 4’ to now state;

“For internal use by the service provider to build or improve the quality of its services, provided that the use does not include building or modifying household or consumer profiles to use in providing services to another business, or correcting or augmenting data acquired from another source.”

Compare this to the more narrow ‘purpose 4’ definition within the CCPA text which provides for;

“Short-term, transient use, provided that the personal information is not disclosed to another third party and is not used to build a profile about a consumer or otherwise alter an individual consumer’s experience outside the current interaction, including, but not limited to, the contextual customization of ads shown as part of the same interaction.”

Please note that, in this author’s opinion, it is legally unclear if the AG has the authority to change the breadth of the legislative text to expand this purpose, and that any such use of data for ‘services improvements’ should be expressly clarified in a service provider agreement.

A Final Author’s Note

I continue to believe that the CCPA violates the Commerce Clause and 1st Amendment of the U.S. Constitution, and that the Attorney General’s final regulations further this conclusion. The CCPA emulates other state laws that have been struck down by various courts on similar grounds, including:

  • American Libraries Assn v. Pataki (969 F. Supp. 160 (S.D.N.Y. 1997): Striking down a NY state law because the ‘burdens the Act imposes on Interstate Commerce exceed any local benefit.’ In similar fashion, the CCPA imposes significant burdens on businesses to identify and provide unique privacy rights to California Consumers, where they are often technically unable to do so based exclusively on digital identifiers without a location. This results in great expenses in processing and verifying CA residents where no such personal information is typically processed by the business.
  • Backpage.com, LLC v. McKenna (881 F. Supp. 2d 1262). Ruling that a WA State law “regulates conduct that occurs wholly outside the state of Washington.” Again, the CCPA’s AG regulations offer no clarity how a digital business is to authenticate, verify or otherwise treat California consumers visiting websites or apps without any knowledge of their location, and in most cases, from outside of California.
  • The Washington Post et al v. McManus et al (355 F. Supp. 3d 272 (D. Md. 2019). A Maryland state law was struck down on 1st Amendment grounds for compelling businesses to disclose information to regulators. With the AG’s final regulations continuing to require ‘publicized record keeping’ for large online businesses who process 10 million or more unique identifiers per year (again, with no knowledge of their CA residency), the same analysis can be made that this activity is ‘compelled speech’ under the 1st Amendment.

These are just a few of the arguments, and there are many others that should conclude that the CCPA, with AG regulations, discriminates against digital-only businesses. It is clear from all measures that the CCPA has incurred a tremendous expense and impact on businesses outside of California and their interstate commerce activities, and requires federal judicial review. I am not suggesting that companies avoid CCPA compliance in order to challenge the legality of the CCPA, but rather be mindful that should the AG’s enforcement go beyond activities that are verifiably related to CA consumers, that such an action could be met with a robust challenge.

  • Footnote: The text of the CCPA does not introduce the concept of consumers using ‘third party tools’ or ‘proxies’ for an opt-out request, and instead only offers the concept of an authorized agent who is a ‘another person’ to complete an opt-out request on their behalf. The CCPA text only authorized the AG to “to facilitate and govern the submission of a request by a consumer to opt-out.” Yet, the final AG regulations state “User-enabled global privacy controls, such as a browser plug-in or privacy setting, device setting, or other mechanism, that communicate or signal the consumer’s choice to opt-out of the sale of their personal information shall be considered a request directly from the consumer, not through an authorized agent.” This new AG regulation raises thorny legal questions when a company may draw the line between an automated ‘bot request’ through a proxy or tool and an actual ‘person’ request, since no such ‘bots’ are explicitly authorized under the text of the CCPA.

The Lucid Privacy Group actively manages privacy strategy and operations and serves as DPO for startups and rapidly scaling technology companies. We come at the issues with a pro-privacy, product and technology orientation, and can translate arcane legalese into real world, pragmatic terms. Drop us a line at hello@lucidprivacy.io or visit us on the web or Twitter.

--

--

benisaacson
The Lucid Privacy Group

Privacy juggler. Principal@In-House Privacy (legal) & The Lucid Privacy Group (consulting).