California Privacy Rights Act to define and limit “cross-context behavioral advertising”

Following a court decision on Friday, it is now highly likely that California will introduce legislation that curtails “cross-context behavioral advertising”. 

A court decision on Friday (19 June 2020) makes it highly likely that Californians will vote on the California Privacy Rights Act (CPRA), the successor to the CCPA. Disclosure: I have contributed to the text of this bill. 

On Friday a decision at the Sacramento County Superior Court cleared a bureaucratic hurdle that would have delayed a referendum on the California Privacy Rights Act for two years.[1] The Act will now be voted on in November 2020, as planned.

The CPRA is the second round of privacy law proposed by Californians for Consumer Privacy campaign, a private group by Alastair MacTaggart. Polling conducted by Mr MacTaggart in late 2019 shows that 88% of Californians say they will vote in favor of the ballot initiative.[2] Only 4% say they would vote to oppose it.

Impact on “adtech”

A “yes” vote in November will have a significant impact on the business of online advertising. The Act introduces a definition introduced of “cross-context behavioral advertising” for the first time:

“Cross-context behavioral advertising” means the targeting of advertising to a consumer based on the consumer’s personal Information obtained from the consumer’s activity across businesses, distinctly-branded websites, applications, or services, other than the business, distinctly-branded website, application, or service with which the consumer intentionally Interacts.[3]

This is significant, because the Act envisages a specific opt-out from cross-context behavioral advertising.[4]

In addition, the Act broadens the CCPA definition of “sale” of personal information by adding “collection” and “sharing”.[5] It also expands the CCPA right to opt out from the “sale” of one’s personal information. The CPRA will provide for a broader “right to opt-out of sale or sharing”.[6]

The definition of “sharing” covers conventional tracking-based advertising technology methods such as syncing and the broadcasting of RTB bid requests:

“Share,” “shared,” or “sharing” means sharing, renting, releasing, disclosing, disseminating, making oval/able, transferring, or otherwise communicating orally, In writing, or by electronic or other means, a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a business and o third party for cross-context behavioral advertising for the benefit of a business In which no money is exchanged.[7]

Advertising technology businesses and their partners will have to disclose what they are doing. Personal information sharing must be disclosed.[8] People may be particularly alarmed when they learn of the sharing of “sensitive” personal information, which would also have to be disclosed under the Act.[9]

(Sensitive personal information is broadly similar to the GDPR’s “special category personal data”. It includes geolocation, ethnicity, race, political leaning or creed, health data, sex life, and so forth, unless the information also happens to be publicly available.[10])

Impact on ‘big tech’

The Act would apply to the private sector the same protections that have applied to the Federal Government since 1974. These are the “FIPPs”: data minimization, purpose specification, security, transparency, accuracy, accountability.[11]

This would create another antitrust hazard for ‘big tech’. Purpose specification, provided for in §3(B)(2) of the Act, provides that:

“Businesses should only collect consumers’ personal information for specific, explicit, and legitimate disclosed purposes, and should not further collect, use, or disclose consumers’ personal information for reasons incompatible with those purposes.”[12]

As I have argued for some time,[13] enforcement of this principle would limit the internal data free-for-all that big tech firms have used to create cascading monopolies. The cross-use of data forecloses new entrants and limits innovation and choice in the market.

WHY IS THIS HAPPENING?

A second ballot initiative is necessary, as Alistair MacTaggart wrote in an early draft of the ballot initiative:

Even before the CCPA had gone into effect, however, businesses began to try to weaken the law. In the 2019-20 legislative session alone, members of the Legislature proposed more than a dozen bills to amend the CCPA, and it appears that business will continue to push for modifications that weaken the law.[14]

(This paragraph does not appear in the final draft of the Act).

Our colleagues in the tracking industry lobbied too hard against the CCPA. The new California Privacy Rights Act is the consequence. Unlike the CCPA, it will not go through the normal legislative processes and become subject to dilution and compromise. Instead, the text will go before the citizens of California in November 2020 for a yes or no vote. Few are expected to say no.

Notes

[1] Order granting petition for writ of mandate, MacTaggart et. al. v Padilla, case No. 34-2020-80003402, 19 June 2020 (URL: https://elections.cdn.sos.ca.gov/ballot-measures/pdf/1879-court-order.pdf).

[2] A poll of 777 people conducted for Californians for Consumer Privacy, seen by the author.

[3] California Privacy Rights Act, §13(k). (URL: https://oag.ca.gov/system/files/initiatives/pdfs/19-0021A1%20%28Consumer%20Privacy%20-%20Version%203%29_1.pdf).

[4] California Privacy Rights Act , §1798.185(a)(19)(A).

[5] California Privacy Rights Act, §1798.100 (d) —- OTHER REFERENCES?

[6] California Privacy Rights Act , §1798.120(a).

[7] California Privacy Rights Act , §1798.140(ah)(1).

[8] California Privacy Rights Act , §1798.100(a)(1). See also §1798.115(a).

[9] California Privacy Rights Act , §1798.100(a)(2).

[10] California Privacy Rights Act, 1798,140 (ae).

[11] “Fair Information Practice Principles”  originally devised in the United States in 1973, and provided for in the 1974 US Privacy Act. These are provided for in §3 of the California Privacy Rights Act.

[12] California Privacy Rights Act , §3(B)(2); see also §1798.100(c) and (a)(3).

[13] For example, see Johnny Ryan testimony at US Senate Judiciary Committee, 21 May 2019 (URL: https://brave.com/ryan-testimony-may-2019/), and Johnny Ryan to Margrethe Vestager, 16 March 2020 (URL: https://brave.com/wp-content/uploads/2020/03/Letter-to-Margrethe-Vestager.pdf).

[14] Previous draft of the CPRA, filed on 23 September 2019 (URL: https://oag.ca.gov/system/files/initiatives/pdfs/19-0017%20%28Consumer%20Privacy%20%29.pdf).

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s