CCPA set to be enforced on July 1
Hello, everybody! (Hi Dr. NickI)
Quick housekeeping note: A few have reached out to me that they haven’t been getting these emails. I suggest checking your spam folder and marking this address as ‘not spam.’ Or if it’s in your Promotions tab, marking it as important. Then again, I guess if you’re seeing this, you’re having no problems getting the newsletter, and the ones who don’t can’t see these tips. So essentially, I’m talking to no one. Happy Tuesday.
Last week, California’s Attorney General submitted final proposed regulations for the California Consumer Privacy Act (CCPA).
The law, which was passed in 2018 and went into action on Jan. 1, 2020, but with a six-month enforcement delay, says that California residents can get control of the personal information companies collect on them when visiting their websites. Californians “have the right to know, the right to delete and the right to opt-out of the sale of personal information that businesses collect.”
But as the state (and nation and world) shut down because of the coronavirus, many, including the Association of National Advertisers, asked the AG’s office to postpone final regulations for another six months. He declined.
Compliance Week (yes, there is a trade publication for every industry with the word “Week” in its title) reports:
On June 1, the AG’s office submitted its final CCPA rulemaking package to the California Office of Administrative Law (OAL). Because of disruptions from the pandemic, Gov. Gavin Newsom (D) has issued an executive order extending the OAL’s typical 30-day approval period to 90 days. With the extension, OAL could take until Oct. 1 to approve the CCPA. However, the AG’s office has requested an expedited review, according to an AG’s office spokeswoman, so the law can be enforced starting July 1.
As part of the final statement, the AG takes a page out of the GDPR playbook, saying that:
“a “service provider” as one who “processes information on behalf of [the] business” that provided the personal information, pursuant to a contract that prohibits “retaining, using, or disclosing the personal information for a commercial purpose other than providing the services specified in the contract.”
Relatedly, a business does not “sell” personal information when it transfers that data to a service provider, provided that the service provider does not “collect, sell, or use the personal information of the consumer except as necessary to perform the business purpose” of the business that provided the personal information. (Civ. Code, § 1798.140, subd. (t)(2)(C).) Thus, the intent of the CCPA is to prohibit a service provider from using personal information collected from one business for its own business purposes or to then provide services on behalf of a different business.
Translation: your data is yours, not the company whose website you use. This is at the heart of Europe’s GDPR. Philosophically, the Continent believes that you, as an entity, own the rights to the data you put out into the world. This makes sense. Your data is yours and you should have the ability to not have that data sold to the highest bidder.
The U.S., however, believes that it’s not your data, but the company whose service you use/visit. As soon as you log on, you lose your right to your information. CCPA aims to fix this.
Late last week, the IAB Tech Lab introduced new specs, to help “translate” the final rules in practice. Writing on its blog, the IAB says:
A publisher who utilizes ad tech vendors to be “service providers” (as defined in the CCPA) can use the new spec to signal that a user exercised her right to deletion. This could easily come in the form of explanatory text and button hosted on a publisher page designed to handle those requests—that’s up to each publisher using the spec. The technical spec also provides those vendors serving as a publisher’s service provider a standard way to listen for those requests emanating from publisher pages.
(Here’s a great roundup of what you need to know about the final regulation from a legal site)
The debate for who controls your data continues to move forward. At the beginning of May, there was a new California ballot initiative for even tighter privacy legislation called the California Privacy Rights Act. This has received the requisite number of signatures to get to November’s ballot.
Also interestingly, perhaps related, perhaps not, Facebook filed for a patent in January that lets Facebook users turn their photos into ads, and most importantly, monetize their data. Buried in its filing: “In other examples, Block S170 can reward the user with a monetary reward or promoted distribution of the image within the social networking system.”
Here’s a good thread walking you through what this can look like, and the potential implications of this:
California continues to be, in the words of former Supreme Court Justice Louis Brandeis, a “laboratory; and try novel social and economic experiments without risk to the rest of the country.”
Other states have followed in California’s footsteps, like Nevada and Vermont, passing data privacy regulations. Other states like Washington and Hawaii currently are considering data privacy laws. As the wave of data privacy regulation goes coast-to-coast, it will force a national privacy law, as it will be pretty challenging to have 50 separate laws.
It will require brands, publishers, agencies and vendors to align on pathways forward. Each segment has its own incentives and motivations, but the overriding principle should be us, the people. The first thing the industry needs to do is take off their professional hat and put on their normal person hat. Look at your policies through the lens of the everyday human being and the answer should be obvious.
It’s a conversation I used to have with sales folks and media buyers when discussing branded content. It may be a great idea for you, the brand, but if you were reading it as a regular reader, would you click? If the answer is no (and it almost always is) why would you put it out into the world?
Of course, data privacy laws are not that simple, as we butt up against various legal philosophies. In a September speech to the National Automobile Dealer’s Association, EPA head Andrew Wheeler said: “We embrace federalism and the role of the states, but federalism does not mean that one state can dictate standards for the nation.”
This was in reference to the Trump administration rolling back Obama-era federal emission standards that started out, as these things tend to do, as a California law. History is full of Brandeisian logic, where states led the way and the federal government caught up. When it comes to data privacy, it’s time for a rational federal law to take hold.
Thank you for allowing me in your inbox. If you have tips, or thoughts on the newsletter, drop me a line!
Warren Zevon, “Lawyers, Guns and Money”
Some interesting links:
Apple Plans to Announce Move to Its Own Mac Chips at WWDC (Bloomberg)
Microsoft's robot editor confuses mixed-race Little Mix singers (The Guardian)
The Attention economy is here: how measuring attention to ads can bring fairness and transparency to media trading (WARC)
What it’s like to get doxxed for taking a bike ride (New York Magazine)
Coronavirus-related keyword blocking is a problem for 43% of all publishers (Digiday)