Privacy in California

While the digital publishing ecosystem nervously awaits May 25, the effective date of GDPR, this law only tells part of the story. Two additional measures may add further challenges to the digital marketing ecosystem and bolster privacy efforts online. The first is the European ePrivacy Regulation. Though not completely finalized, this may make cookie usage even more difficult within the EU than the GDPR (this new ePrivacy Regulation will likely be discussed in a subsequent Lift Letter). The second is the California Privacy Initiative. We discuss the latter in more detail. 


The California Consumer Privacy Act of 2018, is at is formally known, has four pillars. The first is that it allows consumers to request from companies a complete disclosure of all the information that it has collected about them; the second is the right to, upon request by the consumer, have the company not sell the data or share it with any third parties for any business purposes (via a conspicuous link labelled "Do Not Sell My Personal Information" on the homepage); the third is that companies may not discriminate against, or refuse service for those who have opted opted out, and finally, the right to damages for violations (at least $1,000 per consumer per violation). It is noteworthy that companies are still allowed to use personal data for their own purposes, including selling advertising - the primary scope of the prohibition would be against selling or disclosing that data to third parties, upon request. To appear on the ballot in November, the initiative required 366,000 signatures. It has thus far collected over 600,000. Though it has yet to be formally certified, it is expected to appear on the ballot. 

That it is a California privacy initiative is significant for many reasons. The first, of course, is that California is enormous. The state recently overtook the UK, to be the 5th largest economy in the world (behind only the USA, China, Japan and Germany). It is also the home to many of the largest tech companies, including Google and Facebook, who are implicitly the primary targets. Both have have mounted meaningful opposition to the initiative - though Facebook dropped its position in the wake of the Cambridge Analytica scandal, as part of its new image to support privacy. That said, Facebook (along with each of Google, Verizon, Comcast, and AT&T) made a $200,000 donation to "The Committee to Protect California Jobs" - the opposition lobbying group - before withdrawing support, and has not withdrawn its donation. 

Much like the GDPR, the California initiative takes an expansive view of personal data. This includes identifiers including name and email address, but also unique identifiers and IP addresses. It also includes browsing history, interactions with ads, geo data, or any inferences drawn from any personal data. Unique identifier is defined aggressively to mean any persistent identifier that can be used to recognize a consumer or device across different services - explicitly including IP addresses, cookies, etc - and even includes probabilistic identifiers to the extent that they resolve to an identity with more than 50% certainty.  

The proposed Initiative may not substantially change how Facebook and Google run the primary parts of their business. This turns substantially on the definition of the word "sell." When a marketer buys an ad targeting "women, 18-34, that like cats" - Facebook may not actually be selling that data, as in the buyer of the ads does not obtain that particular data about the targeted users. It's Facebook's use of Facebook's own data, and not letting third parties access that data. As defined in the Initiative, "selling" means: (A) selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating [...] a consumer's personal information by the business to a third party for valuable consideration; or (B) sharing orally, in writing, or by electronic or other means, a consumer's personal information with a third party, whether for valuable consideration or for no consideration, for the third party's commercial purposes. Thus it is unclear that third parties leveraging a first party's collected data can be prohibited under the proposed Initiative if that data is not actually transferred.

Assuming this Initiative were to go in effect tomorrow, publishers - which are the primary endpoints to consumers, as with all companies that collect any personal data as defined under the Initiative (nearly all tech companies) would need to enable opt-outs on their homepages. Upon an opt-out, no data could be shared with third parties, which includes ad tech platforms, Thus, the technical infrastructure to prevent downstream cookie / personal information sharing on a per-user basis would have to be developed, much like the consent management platforms in Europe for GDPR. Further, a key component of the law is producing the data that is held by the various companies - this may require publishers develop integrations with all their downstream partners to allow disclosure of all relevant data. Companies like Facebook and Google might, out of an abundance of caution, decide that this applies to them and also implement opt-outs. The Initiative would not, however, cause the same level of mass uncertainty on day 1 as GDPR, where the actual overall ability to monetize is in question - because only when users proactively opt out would cookies etc be impacted. Finally, if implement, along with the new ePrivacy, GDPR, and various proposed South American privacy laws, publishers and ad tech will need to implement an increasingly complex patchwork of privacy regulations with potentially massive fines.