Cali new PHOTO

Why California’s new consumer privacy law won’t be GDPR 2.0

The consumer privacy law that California’s governor signed into law on June 28 is considered the strongest, most aggressive privacy protection measure in the U.S., according to legal experts.

The new California law, which takes effect on Jan. 1, 2020, will require that companies tell state residents what information the company is collecting and how it’s used. It also gives people options to ask the company to delete or stop selling that information. The law does not prevent companies from collecting people’s information or give people an option to ask a company to stop collecting their information, differentiating it from GDPR.

“The sweeping nature of this bill is really unprecedented in the privacy area, and its impacts are still far from known,” said Dan Jaffe, group evp for government relations at the Association of National Advertisers.

The law contains “broad sweeping definitions of personal information,” said Ron Camhi, managing partner at law firm Michelman & Robinson’s Los Angeles office and chair of its advertising and digital media industry group. That personal information includes standard categories like people’s names, email addresses and Social Security numbers. But it also covers unique personal identifiers: IP addresses; geolocation data; shopping, browsing and search histories; and consumer profiles that are based on inferences from personal information.

The inclusion of unique identifiers — which ad tech firms use to anonymously track people around the web — means that any ad tech firm storing tracking cookies on people’s devices will need to give people an option to ask the company to delete the information collected through those cookies and will also need to ensure that those cookies and any corresponding information aren’t exposed in a data breach, which would make the company subject to a class-action lawsuit.

On the other hand, the law includes a loophole for any personal information that is “de-identified or in the aggregate consumer information,” according to the law. If the personal information can’t be associated with a particular consumer, then it would be de-identified, said Camhi. But it’s not clear whether the types of identifiers that run the online advertising ecosystem are or are not subject to the law, said Mayer.

The law suggests that online tracking cookies and mobile advertising IDs, which are used to collect information about individual devices, may fall under its jurisdiction. However, digital advertising companies may argue that they meet the law’s exemption standard because they aggregate those identifiers into larger, anonymized audience pools.

“All of this is still in flux. But arguably, anonymized information doesn’t allow you to create that [consumer] profile, so that you can’t draw it to [an individual person]. With a cookie situation that’s tied to a device that’s tied to a person, that may not necessarily be the case,” said Donna Wilson, managing partner-elect at Manatt, Phelps & Phillips and chair of the law and consulting firm’s privacy and data security practice.

What’s more clear is that digital advertising companies shouldn’t take comfort that their practices would be exempt from the law. Even if a company claims that it has disassociated the information with an individual person, it will need to ensure that the disassociation cannot be undone and that the data is reconnected to the individual, said Camhi and Wilson.

A week after California’s governor signed the bill into law, many in the advertising industry are still scratching their heads over the possible loophole and defaulting to assuming that there is no loophole because “almost any kind of data connected to some other data is capable of being associated with somebody,” said Jaffe.

Ad tech firm Exponential Interactive buys data from third-party companies to use for ad targeting purposes. “But when we buy it, it is totally aggregated,” said Tim Sleath, the company’s vp of product management and data protection officer. However Exponential Interactive uses cookie IDs to be able to match the aggregated third-party data to its own audience pools in order to target people with ads without accessing the underlying data, such as people’s names or email addresses. That cookie-based matching process likely subjects the ad tech firm to needing to comply with the law, even if it were to somehow remove the cookie-based identifiers from the process.

“If you have a behavioral profile for someone, even if you strip the IP address and cookie ID, that behavioral profile, which I would classify as deidentified, remains personal information under this [law],” said Sleath.

Facebook and Google have already rolled out features required by the law, such privacy settings that categorize the information that the companies collect from people and tools for people to request that information be deleted. The companies claim that they don’t sell people’s information so they don’t need to give people a way to request that the companies stop selling their data. That would help to explain why Facebook COO Sheryl Sandberg said the company supports the California privacy law that has been passed, though the company donated money to the organization opposing a similar ballot initiative.

“For the major online platforms, I think this law will have very little impact,” said Jonathan Mayer, assistant professor of computer science and public affairs at Princeton University and former chief technologist of the Federal Communications Commission.

There remains roughly 18 months until the law takes effect, and since the law was passed by the state legislature instead of by California voters, the details of the law can change before it is enacted. But before the industry can try to get California lawmakers to clarify, if not change, the specifics of the law, it will need to assess the impact of this initial version and identify what changes to request.

“The ANA has more than 2,000 members. We’ve gone out to our members asking how this will impact them. Clearly, we’ve not had time to get that input yet, and people are still trying to figure that out,” said Jaffe.


United States needs law ‘a lot like GDPR’ says Salesforce CEO Marc Benioff

Salesforce CEO Marc Benioff thinks the US needs “a national privacy law … that probably looks a lot like GDPR.”

“This is going to help our industry,” he said on an earnings call for Salesforces Q1 2019 results. “It’s going to set the guardrails around trust, around safety. It’s going to provide the ability for the customers to interact with great next generation technologies in a safe way.”

Benioff went on to say that as artificial intelligence is used in customer service, “that starts to cross the line on what is trust. And that’s where our industry really has to come forward and say we’re going to make sure that these technologies are trust-based. And I think the Europeans definitely got that figured out.”

Salesforce, meanwhile, seems to have figured out growth and profitability. The company reported Q1 revenue of US$3.01 billion, up 25 per cent year-on-year and a few million ahead of guidance. Net income hit $344m and future revenue under contract tops $20bn.

The company therefore issued full-year guidance of US$13.125bn, ahead of previous forecasts.

And why wouldn’t it after also reporting that Sales Cloud grew at 16 per cent, Service Cloud grew 29 per cent and Marketing and Commerce grew 41 per cent. The company’s Lightning PaaS also grew 36 per cent The company also revealed that it plans to expand its UK data centres, to serve local demand.

Acquiring Mulesoft dented Q1 results by about $150m, with more to come in Q2, but execs were positive about the combined companies’ fortunes. Benioff said Mulesoft will help Salesforce to achieve its goal of a “360 degree customer” by easing integration of information silos so that Salesforce gets more data on which to act.

And that increasingly means bringing the company’s “Einstein” AI to bear: Benioff said it answered two billion queries in the quarter.

Salesforce shares popped by about four per cent after the bell, a sign that investors like these results.

And why wouldn’t they? As Benioff said, Salesforce is the fastest-growing of the top five enterprise software companies, scored its largest-ever deal in Q1, and has long-term commitments from plenty of its customers.


Facebook and Google are already facing lawsuits under new data rules

Europe’s sweeping data protection law came into force on Friday. And legal experts say big tech companies are already violating the new rules.

Facebook (FB) and its subsidiaries Whatsapp and Instagram, as well as Google (GOOGL), are facing lawsuits for failure to comply with the General Data Protection Regulation (GDPR).

The companies could face billions of dollars in fines if European regulators agree they failed to comply.

“We’re looking for big companies that really willfully violate the law, that kind of try to ignore it and try to get away with it,” said Max Schrems, an Austrian lawyer whose NGO, None of Your Business, filed the lawsuits.

The complaint against Facebook was filed with Austrian data regulators, Google with French regulators, WhatsApp with German regulators and Instagram with Belgian regulators as soon as the law went into effect at midnight.

From Friday, European data regulators can impose fines of up to 4% of global annual sales each time the companies run afoul of the new law.

“There is no grace period,” James Dipple-Johnstone, the deputy commissioner of the UK’s data protection authority. “We will be looking at the algorithms they use to profit off data to make sure they are fair,” he added.

Schrems has been fighting Facebook over data protection for almost a decade. His earlier lawsuit successfully challenged Facebook’s ability to transfer data from the European Union to the United States.

The next battleground with the company is GDPR.

According to Schrems and other legal experts, Facebook is breaking a GDPR rule intended to prevent companies from hoovering up sensitive information like political opinions, religious beliefs, ethnicity and sexuality without their users’ consent.

Michael Veale, a Technology Policy Expert at University College London, said that even if users’ completely remove sensitive traits from their profiles, Facebook can still glean information such as sexual orientation by analyzing their behavior on the platform and other websites.

“Facebook has trackers on 40% of websites that are visited in the world,” Veale said. “So really, Facebook can infer things from the great amount of data it has about you from across your mobile devices and apps that also send data to Facebook. The law forbids Facebook from making these inferences without explicit consent.”

Testifying in front of the European Parliament leaders on Tuesday, Facebook CEO Mark Zuckerberg insisted his company would follow the new regulations.

“We have made our policies clearer, our privacy settings easier to find and introduced better tools for people to access, download, and delete their information,” Facebook’s Chief Privacy Officer Erin Egan said in a statement emailed to CNNMoney.

Egan also said the company is building a new tool called “Clear History” which will allow users to “see the websites and apps that send us information when you use them, clear this information from your account, and turn off our ability to store it associated with your account going forward.”

The suit against Google alleges that users of the company’s Android software are forced to turn over personal data to use an Android-powered mobile device.

The lawsuit alleges this “forced consent” amounts to a violation of GDPR, which guarantees individuals the right to consent when companies want to collect and process their personal data.

Google told CNNMoney it is committed to complying with the new law.

Schrems says the new rules are tough enough to prevent the kind of data scraping that Cambridge Analytica before the 2016 U.S. election. He’s taking legal action to ensure GDPR is properly enforced.

“If we enforce the properly, we can actually get a balance in this digitalized age,” says Schrems. “In the end, you should be able to use Facebook without worrying 24/7 about your data,” he added.