working toward ccpa consensus lessons learned from the ... · 10/15/2019 · overview of ccpa and...

© 2019 Akin Gump Strauss Hauer & Feld LLP

Working Toward CCPA Consensus –Lessons Learned from the GDPR and Industry Guidance

Natasha G. Kohne, Partner, Akin Gump Strauss Hauer & Feld LLP

Alice Lincoln, Senior Vice President, Data Policy & Governance, MediaMath

Michael Hahn, SVP & General Counsel, Interactive Advertising Bureau, Inc. (IAB)

October 15, 2019


Overview of CCPA and its Impact on AdTech

2


Overview of CCPA and its Impact on AdTech

• Businesses cannot “sell” CA residents’ “personal information” without triggering

additional requirements:

– “Sale” is broadly defined

– CA residents have the right to opt out of “sales”

– “Third parties” cannot “sell” the “personal information” unless CA resident

receives notice and opt out

• Opt-out right could be read to be all or nothing

• Compliance will require technical and policy solutions

3


IAB CCPA Framework Proposal

• Proposes technological solutions to enable compliance

• Contemplates use of notice boxes and standardized notices to inform CA residents of

potential for “sale” of their information down the line

• Seeks to enable clear and efficient opt-out operationalization from a single device and

to reduce burden on consumer

• Utilizes contractual arrangements to further opt-out operationalization

4


CCPA Proposed Regulations

5

• On October 10th, Attorney General Becerra held a press conference to announce the release of proposed regulations concerning CCPA

• Kicks off a 45-day comment period

• Will also be collecting comments at five public hearings they will hold in the coming weeks


CCPA 2020 – New Efforts to Restrict

• Enables consumers to opt-out of the use or disclosure of their “sensitive personal

information” in advertising or marketing

• Includes additional restrictions on “profiling”

• Defines “sale” to include the use of “personal information” in “cross-context behavioral

advertising,” so consumer has opt-out right

• Excludes “cross-context behavioral advertising” from certain exceptions to definition of

“sale”

• Maintains “household” and defines it to be cohabiting group that share devices or

services

6


Lessons Learned from GDPR

7


GDPR AdTech Complaints

• Since May 2018 AdTech specific complaints have been filed with Data Protection

Authorities (DPAs) in seven EU member states

• Most recently complaints were filed in May 2019 and concerned Real-Time Bidding

(RTB) in the online advertising industry

• Complaints have been filed by data rights activist groups such as:

8

• Belgium

• Luxembourg

• Netherlands

• Spain

• United Kingdom

• Poland

• Ireland

© 2019 Akin Gump Strauss Hauer & Feld LLP 9

GDPR Compliance


Public Pressure Led to Rushed Legislation

10


GDPR Activity: Basics

• We are over a year into the GDPR and we have seen a rise in data subject complaints and data breach reporting by companies

• As of May 22, 2019, the European Data Protection Board (EDPB) reported that DPAshave received over 144,000 queries and complaints* and logged over 89,000 data breaches

• According to the EDPB 63 percent of these have been closed and 37 percent are ongoing

11European Data Protection Board, 1 year GDPR – taking stock, https://edpb.europa.eu/news/news/2019/1-year-gdpr-taking-stock_en (May 2019).

https://edpb.europa.eu/news/news/2019/1-year-gdpr-taking-stock_en


GDPR Activity: Key Areas

12

Transparency

Lawful Basis for

Processing

Data Subject Rights

Data Security & Data

Breaches

Consent

Data Processing

Agreements


Cooperation with Regulators

13


“Explicit Notice”

• Not clear how entities that do not have direct relationship with consumers can ensure

consumers receive “explicit notice”

• Not defined in the CCPA; it is only used in Section 1798.115(d)

• Legislative history offers no explanation for why “explicit notice” and not simply

“notice” was included

• “Explicit notice” may mean notice that is specific or concrete in terms of alerting the

consumer to how their data may be used

14


Practical Effects

15


Finding a Balance

16


Cost of Privacy

• A recent study from professors at Boston University, University of Colorado and

students and Northwestern University estimated that European web traffic and revenue

declined by nearly 10 percent after the GDPR went into effect in May 2018

– The study does not reach a definitive conclusion about why the web activity dropped, but suggests that the cause

is company- rather than user-driven: instead of users deciding to visit sites less, companies may have cut back on

using advertising to attract consumers

– The researchers use this as evidence that privacy concerns are playing little to no role in why web traffic is

decreasing, “which suggest that GDPR may not actually be delivering that much value to the majority of users”

• Publishers with small footprints in Europe not wanting to participate in GDPR

• Other costs?

17


Federal Privacy Policy and Enforcement

18


John Thune

(R) South Dakota

Maria Cantwell

(D) Washington

Jerry Moran

(R) Kansas Richard Blumenthal

(D) Connecticut

Roger Wicker

(R) Mississippi Brian Schatz

(D) Hawaii

What About a Federal Fix?

19

Senate Working Group

• Senate working group divided and unlikely to reach agreement

• Activity across houses in Congress

• CCPA floor?

• Empower federal agency?

• Private right of action

• Scope of preemption

• Address “sensitive” data


How is AdTech Working Together?

20


FTC Enforcement C

hitik

a (

Marc

h ’11)

•Chitika tracked consumer’s activity, even after opting out

•FTC settlement bars Chitika from making misleading statements about the extent of data collection

•Requires a clear opt-out mechanism

• ScanScout used Flash cookies, which browser settings cannot block

• FTC settlement bars ScanScount from misrepresenting the extent of data collection

• Requires an opt-out notice on home page

• ScanScout must disclose that it collects data to send targeted ads

• Epic Marketplace used history sniffing to gather data from consumers about their interest in sensitive medical and financial issues

• FTC settlement bars Epic Marketplace from using history sniffing

• Bars future misrepresentation by Epic Marketplace

• Requires Epic Marketplace to destroy all unlawfully gathered information

Turn

, In

c. (D

ec. ’1

6)

• Turn tracked consumers online activity, even after consumers took steps to opt out of tracking

• FTC settlement bars Turn from misrepresenting the extent of its online tracking or the ability of users to limit the company’s use of their data

• Must provide an effective opt-out mechanism

YouT

ube (

Sept. ’19) • YouTube tracked visitors

to channels directed towards children without disclosing the practice or obtaining parents’ verifiable consent, violating COPPA

• Proposed FTC settlement requires YouTube and parent company Google to notify channel owners that their child-directed content may be subject to COPPA Rule

• YouTube must implement and maintain a system that lets channel owners to identify content as child-directed

• YouTube must provide annual COPPA compliance training

21

Epic

Mark

etp

lace (

Dec.

’12

)

ScanS

cout

(Nov.

’11)


Takeaways

• Practical regulation that understands the ecosystem

• Recognition and use of self-regulatory efforts

• Stability and consensus to empower compliance

• Safe harbor for companies that comply

• Liability limitations for downstream misuse, if compliant

22


Team Contact Information

23

Natasha Kohne, CIPP/US

Partner, Akin Gump Strauss Hauer & Feld LLP

San Francisco

T: +1 415.765.9505

[email protected]

Alice Lincoln, CIPP/US

Senior Vice President, Data Policy & Governance, MediaMath

New York

T: +1 646.840.4252

[email protected]

Michael Hahn

SVP & General Counsel, IAB

New York

T: +1 212.380.4721

[email protected]


Locations

London

Ten Bishops Square

Eighth Floor

London E1 6EG

United Kingdom

+44 20.7012.9600

Longview

Austin Bank Building

911 West Loop 281

Suite 412

Longview, TX 75604

+1 903.297.7400

Los Angeles

1999 Avenue of the Stars

Suite 600

Los Angeles, CA 90067-6022

+1 310.229.1000

Moscow

Geneva House

7 Petrovka Street

Moscow, 107031 Russia

+7 495.783.7700

New York

One Bryant Park

Bank of America Tower

New York, NY 10036-6745

+1 212.872.1000

Frankfurt

Opern Turm

Bockenheimer Landstraße 2-4

60306 Frankfurt/Main

Germany

+49 69.677766.0

Geneva

54 Quai Gustave Ador

1207 Geneva, Switzerland

+41 22.888.2000

Hartford

100 Pearl Street

14th Floor

Hartford, CT 06103-4500

+1 860.263.2930

Hong Kong

Units 1801-08 & 10

18th Floor Gloucester Tower

The Landmark

15 Queen’s Road Central

Central, Hong Kong

+852 3694.3000

Houston

1111 Louisiana Street, 44th Floor

Houston, TX 77002-5200

Tel. +1 713.220.5800

Irvine

4 Park Plaza

Suite 1900

Irvine, CA 92614-2585

+1 949.885.4100

Abu Dhabi

Abu Dhabi Global Market Square

Al Sila Tower, 21st Floor

P.O. Box 55069

Abu Dhabi, United Arab Emirates

+971 2.406.8500

Beijing

Unit 401 North Tower

Beijing Kerry Centre

1 Guanghua Road

Chaoyang District

Beijing 100020, China

+86 10.8567.2200

Dallas

2300 N. Field Street, Suite 1800

Dallas, TX 75201-2481

+1 214.969.2800

Dubai

Boulevard Plaza

Tower Two, 23rd Floor

P.O. Box 120109

Dubai, United Arab Emirates

+971 4.317.3000

Fort Worth

201 Main Street

Suite 1600

Fort Worth, TX 76102

+1 817.886.5060

Philadelphia

Two Commerce Square

2001 Market Street

Suite 4100

Philadelphia, PA 19103-7013

+1 215.965.1200

San Antonio

112 E. Pecan Street

Suite 1010

San Antonio, TX 78205-1512

+1 210.281.7000

San Francisco

580 California Street

Suite 1500

San Francisco, CA 94104-1036

+1 415.765.9500

Singapore

2 Shenton Way

#16-01 SGX Centre 1

Singapore 068804

+65 6579.9000

Washington, D.C.

Robert S. Strauss Tower

2001 K Street, N.W.

Washington, DC 20006-1037

+1 202.887.4000

working toward ccpa consensus lessons learned from the ... · 10/15/2019 · overview of ccpa and...

Documents