The consumer privacy law that California’s governor signed into law on June 28 is considered the strongest, most aggressive privacy protection measure in the U.S., according to legal experts.
The new California law, which takes effect on Jan. 1, 2020, will require that companies tell state residents what information the company is collecting and how it’s used. It also gives people options to ask the company to delete or stop selling that information. The law does not prevent companies from collecting people’s information or give people an option to ask a company to stop collecting their information, differentiating it from GDPR.
“The sweeping nature of this bill is really unprecedented in the privacy area, and its impacts are still far from known,” said Dan Jaffe, group evp for government relations at the Association of National Advertisers.
The law contains “broad sweeping definitions of personal information,” said Ron Camhi, managing partner at law firm Michelman & Robinson’s Los Angeles office and chair of its advertising and digital media industry group. That personal information includes standard categories like people’s names, email addresses and Social Security numbers. But it also covers unique personal identifiers: IP addresses; geolocation data; shopping, browsing and search histories; and consumer profiles that are based on inferences from personal information.
The inclusion of unique identifiers — which ad tech firms use to anonymously track people around the web — means that any ad tech firm storing tracking cookies on people’s devices will need to give people an option to ask the company to delete the information collected through those cookies and will also need to ensure that those cookies and any corresponding information aren’t exposed in a data breach, which would make the company subject to a class-action lawsuit.
On the other hand, the law includes a loophole for any personal information that is “de-identified or in the aggregate consumer information,” according to the law. If the personal information can’t be associated with a particular consumer, then it would be de-identified, said Camhi. But it’s not clear whether the types of identifiers that run the online advertising ecosystem are or are not subject to the law, said Mayer.
The law suggests that online tracking cookies and mobile advertising IDs, which are used to collect information about individual devices, may fall under its jurisdiction. However, digital advertising companies may argue that they meet the law’s exemption standard because they aggregate those identifiers into larger, anonymized audience pools.
“All of this is still in flux. But arguably, anonymized information doesn’t allow you to create that [consumer] profile, so that you can’t draw it to [an individual person]. With a cookie situation that’s tied to a device that’s tied to a person, that may not necessarily be the case,” said Donna Wilson, managing partner-elect at Manatt, Phelps & Phillips and chair of the law and consulting firm’s privacy and data security practice.
What’s more clear is that digital advertising companies shouldn’t take comfort that their practices would be exempt from the law. Even if a company claims that it has disassociated the information with an individual person, it will need to ensure that the disassociation cannot be undone and that the data is reconnected to the individual, said Camhi and Wilson.
A week after California’s governor signed the bill into law, many in the advertising industry are still scratching their heads over the possible loophole and defaulting to assuming that there is no loophole because “almost any kind of data connected to some other data is capable of being associated with somebody,” said Jaffe.
Ad tech firm Exponential Interactive buys data from third-party companies to use for ad targeting purposes. “But when we buy it, it is totally aggregated,” said Tim Sleath, the company’s vp of product management and data protection officer. However Exponential Interactive uses cookie IDs to be able to match the aggregated third-party data to its own audience pools in order to target people with ads without accessing the underlying data, such as people’s names or email addresses. That cookie-based matching process likely subjects the ad tech firm to needing to comply with the law, even if it were to somehow remove the cookie-based identifiers from the process.
“If you have a behavioral profile for someone, even if you strip the IP address and cookie ID, that behavioral profile, which I would classify as deidentified, remains personal information under this [law],” said Sleath.
Facebook and Google have already rolled out features required by the law, such privacy settings that categorize the information that the companies collect from people and tools for people to request that information be deleted. The companies claim that they don’t sell people’s information so they don’t need to give people a way to request that the companies stop selling their data. That would help to explain why Facebook COO Sheryl Sandberg said the company supports the California privacy law that has been passed, though the company donated money to the organization opposing a similar ballot initiative.
“For the major online platforms, I think this law will have very little impact,” said Jonathan Mayer, assistant professor of computer science and public affairs at Princeton University and former chief technologist of the Federal Communications Commission.
There remains roughly 18 months until the law takes effect, and since the law was passed by the state legislature instead of by California voters, the details of the law can change before it is enacted. But before the industry can try to get California lawmakers to clarify, if not change, the specifics of the law, it will need to assess the impact of this initial version and identify what changes to request.
“The ANA has more than 2,000 members. We’ve gone out to our members asking how this will impact them. Clearly, we’ve not had time to get that input yet, and people are still trying to figure that out,” said Jaffe.