The California legislature has sent to Governor Jerry Brown an amendment to the CA Online Privacy Protection Act (CA OPPA), Bus & Prof. Code 22575-22579, with respect to which the CA Attorney General has been active in threatening and bringing enforcement actions. See CA Assembly Bill 370.
There is no reason to think the Governor will not sign the bill, which was sponsored by CA Attorney General Kamala Harris, so industry should start to prepare. Violations of CA OPPA can be brought by the Attorney General or potentially class action litigants. The effect of the bill is that many web sites, mobile apps, ad networks and other online and mobile services will need to update their privacy policies. They should take this opportunity to conduct a complete audit of their data practices and make sure their privacy policies are complete and accurate and look to evolving them to layered policies that give better notice of material term to consumers.
Some web browsers have already developed signals users can use to indicate whether they want their online behavior tracked across sites or not; in some cases lack of consent is the default. The amendment is in response to the technical development and an ongoing debate with respect to what kind of choice users should have over online and mobile activity tracking and related ad targeting.
If the amendment is signed into law by the Governor, online and mobile operators will need to explain in privacy policies that comply with CA OPPA’s notice requirements how the operator itself responds to so-called “do not track” signals or other mechanisms that provide consumers a choice regarding collection of personally identifiable information about an individual consumer’s online activities over time and across web sites or online services This part of the amendment primarily affects parties that are themselves operating cookies or tracking devices.
The final bill also requires operators to disclose whether other parties (such as ad networks they use) may collect personally identifiable information about an individual consumer’s online activities over time and across third-party sites and services when a user uses the operator’s site or services. This part affects web site and app publishers that give access to their sites to vendors to ad networks and others that operate such tracking technologies. This happens when publishers want to sell behavioral ads, which command a higher price than non-targeted ads because they are more effective in reaching a relevant consumer (e.g., a car ad to a consumer that has been visiting auto manufacturer web sites—an “auto intender”—or ads for a product you left in a check-out cart on another site without completing the purchase).
It is important to keep in mind that the CA Attorney General interprets “personally identifiable information” very broadly. In her January 2013 report “Privacy on the Go: Recommendations for the Mobile Ecosystem.” she defined that term as follows: “Personally identifiable data are any data linked to a person or persistently linked to a mobile device: data that can identify a person via personal information or a device via a unique identifier. Included are user-entered data, as well as automatically collected data.” (emphasis added).
By such logic, data linked to an Internet browser by IP Address or other unique identifier would seem to also be personally identifiable data in the CA AG’s mind. This seems broader than the definition of identifier in CA OPPA that describes an identifier that is personally identifiable information as one that “permits the physical or online contacting of a specific individual.” Nonetheless, it is what the CA AG is on record as believing is covered. Accordingly, this would seem to capture how much online behavioral advertising tracking and targeting works, notwithstanding that the tie back is only to a device and not a specific “individual consumer.” Expect this issue to be litigated in the inevitable enforcement actions that will follow.
The amendments to CA OPPA fall short of the kind of “do not track” proposals supported by some consumer and privacy advocacy groups and many, but far from all, in the World Wide Web Consortium. Those proposals call for a requirement that operators and publishers look for and honor signals by browser operators and others that a consumer does not wish to have their behavior across sites and services tracked and to have an opt-in or opt-out requirement for any such tracking.
The advertising and publishing industry have argued instead for a notice and opt-out of ad targeting based on profiles built from tracking across third-party sites and services, but no restriction on such tracking without targeting. In other words, “do not target.”
The CA OPPA amendments would take somewhat of a middle ground – if you permit others to track, you must disclose that, and if you track you must disclose not just the details of that (already arguably required under CA OPPA based on the AG’s reading of “personally identifiable information”), but also how you respond to do not track signals. It will come as a disappointment for the online advertising industry, but less so than a mandate to honor “do not track” signals would be. The “do not track” verses “do not target” controversy promises to continue and whether this middle ground will become the final word on the subject is far from clear. In the meantime, those involved in the online and mobile advertising ecosystem need to stay abreast of the ongoing regulatory, self-regulatory and litigation evolution of behavioral advertising.