Alastair Mactaggart’s view on privacy: past, present and where we’re headed – Privacy

After leading the charge to enact the California Consumer Privacy Act (CCPA) and changing the data privacy landscape in the United States, Alastair Mactaggartchairman of the board and founder of the privacy rights group Californians for Consumer Privacy, spearheaded the movement to pass the California Privacy Rights Act (CPRA).

Like the CCPA, the CPRA has monumental implications for how businesses operate in the United States, particularly in the ad tech ecosystem, and builds on the unprecedented rights and data protections the CCPA has afforded consumers. Californians.

The following is an excerpt from a Fireside Chat discussion between Alastair Mactaggart (AM) and partner Davis+Gilbert Richard Eisert (RE) on what to expect once the CPRA comes into force on January 1, 2023, and the issues the CPRA is meant to address:

RE: The CCPA has just come into force [at the beginning of
2020]. Why ACRP now?

A M: I was surprised in 2019 when the industry launched a full-scale, in my view, assault on the CCPA right after it was passed in 2018. It felt like we were going to need something more robust in terms of defending the law against the inevitable attacks. It was a good opportunity to strengthen the law and, in terms of bringing it up to world-class standards, to make it more GDPR-centric. That was the goal, and I think we did.

RE: A number of changes to the CPRA appear to relate to the ad tech industry and what is now defined as cross-contextual behavioral advertising. What does the new distinction between sharing and selling in the CPRA say about the concept of selling under the CCPA, and what does this new distinction mean for cross-contextual behavioral advertising in the future?

A M: I think the CCAC wording is clear, and I think the intent is clear. I was really surprised to see a thread growing among some lawyers saying, “don’t worry about ‘sell’, because that means exchanging for valuable consideration”, and basically, “we can ‘share’, and all will go well .” While I don’t think the CCPA is ambiguous, if some people say it’s ambiguous, let’s make sure we shut it down. It is now abundantly clear, when it comes to sharing consumer information for cross-context behavioral advertising, that the law gives consumers the right to opt out.

RE: The CPRA appears to effectively remove service provider status and the benefits of the more limited responsibilities that service providers have for entities that facilitate cross-context behavioral advertising. Can you explain to us the intention of this change?

A M: I think this is just trying to reinforce and clarify that under the CPRA you are either a business, service provider or contractor, or a third party. Service providers and contractors are fundamentally very similar. In either case, you are permitted to transfer information for a marketing purpose, but that purpose may not be behavioral advertising to an unsubscribed consumer.

The problem is that sometimes you want to sell or share information. Credit card fraud detection is a good example. In many cases, a sale is in progress because the fraud detection team makes money from the transaction, as does the business by closing the sale with you. It’s a good type of sale. Then there’s the kind where the consumer says, “No, I don’t want to be tracked from site to site.”

The CCAC included wording saying that [for non-third parties]consumer information cannot be disclosed outside of the direct business relationship between the business and the entity. It’s now in the CPRA for service providers and contractors. We cleared it up.

RE: In your opinion, can companies engage in cross-context behavioral advertising in a way that is both privacy-friendly in accordance with the CPRA and will work in the future, or do you think, basically, is this going to window?

A M: If you access a music sharing service and all of a sudden it’s like 500 other companies you’ve never heard of are now sharing your information and also using it as a portal to watch what you do on your phone while the other app is open, most people say, “I don’t like it.” I think it really depends on the company’s relationship with the consumer. You can imagine a lot of things in the future, because the law is quite flexible. It allows a number of arrangements which are voluntary.

Also, in terms of behavioral advertising, remember that this law isn’t as draconian as a law could be, in that first-party data that the company has can be used in the way that the company wishes with this consumer. If you have a relationship with the consumer, you should be able to use it.

RE: Intentional interactions are excluded from selling or sharing personal information. Let’s say there is a disclosure to the user that the company is providing the user’s personal information to a third party. The user then clicks on a consent box, much like GDPR. Would that be considered an intentional interaction that somehow exempts it from being a share or a sale?

A M: At this point, I’m just a citizen. Regulations will come out for the new law [this year], and I hope they will answer your question. But I’ll just keep coming back to the language [of the CPRA]— by now, it’s pretty clear that shoving consent down someone’s throat isn’t “intentionally interacting.”

RE: Why was the breach remediation period not included in the CPRA?

A M: If you look at the FTC model, which is notice and remedy, it’s frustrating in some cases to almost have to have a consent decree and then violate it. Essentially, 30 days notice and a cure is a “fix” ticket. Went to a speeding ticket where if you get caught speeding you are responsible. I think this is a better app model.

It is really important to also note that [Cal. Civ. Code
1798.199.45]has a language saying that the [California Privacy
Protection Agency] is empowered to examine the behavior of the company. Was it intentional? Are they trying to fix it? Did they come forward and leak it? I would say that one of the main tasks of the Agency must be education.

RE: With respect to the private cause of action in CPRA, it doesn’t seem much different than in CAPP – whether there was an intention to do anything or is that stay pretty much as it is?

A M: Listen, I understand both sides. I understand companies that think it’s just a “stick”. I understand advocates who think an underfunded agency won’t be able to keep up. What I will say is that I am not so negative about the prospect of effective regulation
[from the Agency].

The other thing, which I don’t think gets a lot of attention, is that because exclusive enforcement is removed in this act–under the CCPA it was exclusively for the Attorney General–now the agency can apply it. The GA can also intervene. Under the Unfair Competition Act, any district attorney or city attorney in California’s four largest cities can also prosecute an infringement. If a company thinks, “oh, we’re just going to ignore the law,” that’s probably not a wise course of action.

RE: How do you think the Virginia law compares to the CPRA?

A M: It’s not as strong in terms of security and it allows for unhindered pseudonymous tracking. Sales are specifically designated for monetary consideration, so you may share information, especially pseudonymous information. It’s sort of business-as-usual for tracking.

The content of this article is intended to provide a general guide on the subject. Specialist advice should be sought regarding your particular situation.

Source link

Comments are closed.