Why a tweet from California’s AG about a global privacy tool has companies scrambling

silver bullet robot

From retail brands to small publishers, a flurry of companies have been calling privacy lawyer Dominique Shelton Leipzig about a recent tweet from the California Attorney General regarding a new global privacy opt-out tool called Global Privacy Control. The successor to Do Not Track has some in the media and ad industry scrambling to understand its implications for complying with the California Consumer Privacy Act (CCPA) and future privacy regulation.

“I woke up to it,” Shelton Leipzig, partner and co-chair of ad tech privacy and data management practice at law firm Perkins Coie, told Digiday about the Jan. 28 tweet from Xavier Becerra, California’s AG. Becerra has been nominated by President Joe Biden to be the secretary of health and human services; a replacement for his spot overseeing the enforcement of the California’s privacy law has yet to be named.

Developed by a small group of privacy researchers and introduced in October, GPC is an opt-out tool that works like the Do Not Track method that garnered so much attention around 2013, but eventually fizzled. The idea is to make it easier for people to prevent companies from selling their personal information. Rather than having to notify each individual company or website separately, they can use the tool that enables their browsers to automatically send a signal requesting websites and ad tech intermediaries to opt-out from selling their data.

Both the CCPA and Europe’s General Data Protection Regulation give people the right to opt-out from data sales and sharing. The California law specifically calls on businesses to allow opt-outs via “user-enabled global privacy controls, such as a browser plug-in or privacy setting.”

Becerra’s implication that the tool serves as a valid opt-out request under the CCPA, which went into effect on Jan. 1, 2020, clarifies the industry’s uncertainty around how the AG’s office is thinking about technical standards for compliance, according to Shelton Leipzig. “It just accelerated the timeline,” she said.

“I think that your readers should take it very seriously that our attorney general has tweeted that the GPC standard meets the current CCPA regulations,” said Shelton Leipzig, who practices in California.

“Every company that has a website where third-party cookies are there and users can approach the website via one of these browsers that have signed up are vulnerable,” said Shelton Leipzig said. She added that companies doing business in California that do not respect the browser opt-out request will be subject to consumer complaints or compliance enforcement from the AG’s office. Several lawsuits have been filed in relation to CCPA.

It remains to be seen how widely people will adopt GPC. People who have installed the DuckDuckGo Privacy Essentials browser extension on desktop browsers, including Google Chrome, Mozilla Firefox or Microsoft Edge, now have the Global Privacy Control setting turned on by default. Same goes for Apple and Android mobile users who use the DuckDuckGo Privacy Browser.

More than 40 million downloads, but…

The GPC tool has been downloaded by more than 40 million users, according to the group behind GPC. But if site publishers and ad tech firms don’t recognize the opt-out signal, all those downloads are meaningless.

For now, there are only a few companies that have publicly agreed to acknowledge the GPC opt-out. Top newspaper publishers including The Financial Times, The New York Times and The Washington Post are on board. So are ad management tech firm CafeMedia and Meredith Digital, publisher of brands like Martha Stewart and AllRecipes.

Ashkan Soltani, a privacy researcher who helped launch the GPC program told Digiday, “There are a number of other publishers as well as browser vendors that have expressed interest, but I’m not at liberty to say at this time.”

Meredith spokeswoman Jill Davison said, “We believe in giving consumers a mechanism to inform us of their choices with a framework like GPC, which relies on the consumers having the option to make a selection, not the decision being made for consumers.”

“We are committed to adopting [GPC] this quarter,” said Paul Bannister, chief strategy officer of CafeMedia, which manages ad operations and sales for 3,000 digital publishers. While the company has been keeping track of instances when the websites it works with recognize the GPC signals, CafeMedia has not yet taken the next step of actually preventing data sales for opted-out users, said Bannister. That will require more technical implementation that he said is expected to be completed by the end of February.

“Not expecting any impact on ad revenue”

Any tangible impact of the browser tool is contingent on more adoption by publishers and ad tech firms, as well as people who don’t already use ad blockers or other privacy controls, suggested Bannister. However, he doesn’t expect a negative financial outcome for CafeMedia’s publisher partners if there is wider adoption, in part because the tool hasn’t hit the mainstream yet. “We’re not expecting any impact on ad revenue,” he said, in part because “for now, the users who are enabling GPC are already using browsers like Brave [which enables GPC in its desktop and Android browsers] or ad blockers, so we won’t see any impact.”

He also said he plans to employ other forms of targeting that don’t rely on blocked third-party data sharing such as contextual targeting. Ultimately, said Bannister, “It’s better to be in front of it and understand how it works and not be late to the game.”

The GPC project also has support from Consumer Reports, which in addition to vetting product quality, has a consumer advocacy arm. Justin Brookman, head of tech policy at Consumer Reports, questioned whether the California AG’s office actually would enforce GPC opt-out adoption, or at least how soon that enforcement would start.

“I don’t know if the AG is going to start enforcing it, because few people in practice are honoring it now,” he said.

Brookman has seen Do Not Track initiatives stumble before. In his previous role as director of consumer privacy at the Center for Democracy and Technology, he was involved in the original Do Not Track discussions among browser companies, privacy wonks, technologists and ad industry stakeholders. Hosted under the auspices of the Worldwide Web Consortium, the contentious process flailed by 2013 when key players including industry group the Digital Advertising Alliance and prominent privacy advocate and technologist Jonathan Mayer walked away citing a lack of any real progress.

Shelton Leipzig recalled Do Not Track’s demise, having listened in on a particularly heated W3C Do Not Track meeting back then. But the resurgence of the Do Not Track concept in this new GPC form, she said, is something she takes seriously. “For those companies that are in a litigation-avoidance, regulation-avoidance mode,” she said, “they’ll probably want to begin ASAP to get on the GPC website… and figure out how they’re going to effectuate that opt-out.”

http://ec2-34-225-151-148.compute-1.amazonaws.com/?p=393916
Digiday Top Stories