A tech spec to supercharge CCPA

Most of you are reasonably familiar with CCPA, the California privacy law that went into effect in July of this year.

A tech spec to supercharge CCPA

Most of you are reasonably familiar with CCPA, the California privacy law that went into effect in July of this year.

For more Lucid background on CCPA, and it’s coming update, CPRA:

For digital businesses, one of the oddest implications of CCPA has been the imposition of a publisher specific opt-out of personal information ‘selling.’ Bear in mind that ‘selling’ in the context of CCPA really means ‘sharing with any company that will independently benefit from your data.’ If CCPA contemplated a cross-internet version of this functionality, it might have in mind something like the NAI opt-out of interest based advertising of 2001, or the Digital Advertising Alliance versions of the same functionality. Instead, CCPA requires publishers to post much more conspicuous opt-out buttons (‘Do Not Share My Personal Information’) that need only apply to the sharing initiated from the current website. And then again on the next site. And so on. It’s really a terrible vision of effectuating control that, on balance, sets the consumer back relative to longstanding tools.

When the California AG issued final regulations in August, a new section was introduced that pulled into scope plug-ins, browser settings, device settings, or ‘other mechanisms’ that might also be able to invoke the CCPA’s opt-out provision. When we dissected this at the time, we noted that this had no immediate applicability, but this area of the law, as expanded by the AG, had the potential for enormous impact if the right confluence of factors came together.

This week, a new coalition that calls itself ‘Global Privacy Control,’ announced the release of a (very lightweight) technical standard (Wired coverage) that intends to make CCPA opt-out signals easy to embed in just the kinds of tech platform tools that the AG teed up. The spec was released in draft form, and has no web standards adoption so far. It also has no clear legal hooks into the CCPA yet, so don’t expect the AG to be coming after companies ignoring these signals any time soon.

Nonetheless, this is an important development that has the attention of folks in the tech and digital media industries.

For one, the coalition already has the public support of a fairly diverse set of leading companies and organizations, including:

  • Automattic
  • Consumer Reports
  • EFF
  • Financial Times
  • Mozilla
  • The New York Times
  • The Washington Post

How firm is this support? We don’t know yet. These organizations have not released binding commitments to honor the signals. Regardless, these organizations cannot be ignored.

Note also that the coalition does not calls itself ‘California Privacy Control.’ The coalition has global ambitions, and recall that the FTC and European Commission have at various times called for a standards based approach very much like this, previously in the form of DNT signals. If this takes flight, it has the potential to become a new global standard, with the force of law behind it in the major market jurisdictions.

Previous passengers on the slow moving DNT train wreck will find the technical spec reminiscent:

Unlike DNT, this spec is not being ‘negotiated’ and suffers from nothing resembling cumbersome complexity.

The path to impact is clear:

  1. Sneak out of the gate with some leading publishers and privacy focused browsers and extensions. Brave is already incorporating the signal as well as EFF’s Chrome extension Privacy Badger. Step one is already complete.
  2. Rely initially on commercial enforcement from the launching publishers.
  3. Inspire a second wave of publishers sympathetic to the cause and an additional major browser. Expand the circle of privacy extensions.
  4. Pick up endorsement (and CCPA applicability) from the AG.

If we get this far, the standard is just waiting for Chrome or iOS adoption before being locked in as the global opt-out standard, with broader US and EU legal applicability inevitable.

So if we go down this road, we have some questions:

  • Will we have any standards for how a signal this powerful will need to be presented to the user?
  • How will the market interpret this basic ‘NO’ signal across global markets with unique requirements?
  • Can browsers reasonably set this as a default? Does it depend on the value proposition of the browser?
  • What are the second order commercial consequences? Will publishers alter their position when they become evident? At this point, will they have any ability to change course?
  • What constraints are imposed on the publisher and the various 3rd parties that load on the publisher’s site when the signal is enabled?

The last question is a wormhole that we’ll be spending a lot of time in over the coming months. To the extent that we’re connecting this standard to the CCPA, the modifications of ‘sale’ that have been lined up in the coming ballot initiative, CPRA, are particularly relevant. CPRA would expand the opt-out of sale to ‘Opt-Out of Sale and Sharing,’ where ‘Sharing includes the transferring or making available personal information to a third party for cross-context behavioral advertising, regardless of whether consideration is exchanged.’

In other words, while some argue that CCPA does not require an opt-out of interest based advertising, CPRA would conclusively shut the door on that debate.

CPRA is on the ballot in California in less than four weeks.

And this just in … CPRA is currently polling at 77% in the affirmative.

I don’t want to get too far ahead of where we are. This is a light weight spec, with a lot of remaining uncertainty. But a fairly clear path is open to make this the seed that blooms into an easy, global, legally binding, enabled by default, opt-out of cross site advertising.

If you found this piece valuable, please give us a few hearty claps and follow us for ongoing updates. We also welcome discussion — please leave your comments and feedback in a response below!

The Lucid Privacy Group actively manages privacy strategy and operations and serves as DPO for startups and rapidly scaling technology companies. We come at the issues with a pro-privacy, product and technology orientation, and can translate arcane legalese into real world, pragmatic terms. Drop us a line at hello@lucidprivacy.io or visit us on the web or Twitter.