working toward ccpa consensus lessons learned from the ... · 10/15/2019 · overview of ccpa and...
TRANSCRIPT
© 2019 Akin Gump Strauss Hauer & Feld LLP
Working Toward CCPA Consensus –Lessons Learned from the GDPR and Industry Guidance
Natasha G. Kohne, Partner, Akin Gump Strauss Hauer & Feld LLP
Alice Lincoln, Senior Vice President, Data Policy & Governance, MediaMath
Michael Hahn, SVP & General Counsel, Interactive Advertising Bureau, Inc. (IAB)
October 15, 2019
© 2019 Akin Gump Strauss Hauer & Feld LLP
Overview of CCPA and its Impact on AdTech
2
© 2019 Akin Gump Strauss Hauer & Feld LLP
Overview of CCPA and its Impact on AdTech
• Businesses cannot “sell” CA residents’ “personal information” without triggering
additional requirements:
– “Sale” is broadly defined
– CA residents have the right to opt out of “sales”
– “Third parties” cannot “sell” the “personal information” unless CA resident
receives notice and opt out
• Opt-out right could be read to be all or nothing
• Compliance will require technical and policy solutions
3
© 2019 Akin Gump Strauss Hauer & Feld LLP
IAB CCPA Framework Proposal
• Proposes technological solutions to enable compliance
• Contemplates use of notice boxes and standardized notices to inform CA residents of
potential for “sale” of their information down the line
• Seeks to enable clear and efficient opt-out operationalization from a single device and
to reduce burden on consumer
• Utilizes contractual arrangements to further opt-out operationalization
4
© 2019 Akin Gump Strauss Hauer & Feld LLP
CCPA Proposed Regulations
5
• On October 10th, Attorney General Becerra held a press conference to announce the release of proposed regulations concerning CCPA
• Kicks off a 45-day comment period
• Will also be collecting comments at five public hearings they will hold in the coming weeks
© 2019 Akin Gump Strauss Hauer & Feld LLP
CCPA 2020 – New Efforts to Restrict
• Enables consumers to opt-out of the use or disclosure of their “sensitive personal
information” in advertising or marketing
• Includes additional restrictions on “profiling”
• Defines “sale” to include the use of “personal information” in “cross-context behavioral
advertising,” so consumer has opt-out right
• Excludes “cross-context behavioral advertising” from certain exceptions to definition of
“sale”
• Maintains “household” and defines it to be cohabiting group that share devices or
services
6
© 2019 Akin Gump Strauss Hauer & Feld LLP
Lessons Learned from GDPR
7
© 2019 Akin Gump Strauss Hauer & Feld LLP
GDPR AdTech Complaints
• Since May 2018 AdTech specific complaints have been filed with Data Protection
Authorities (DPAs) in seven EU member states
• Most recently complaints were filed in May 2019 and concerned Real-Time Bidding
(RTB) in the online advertising industry
• Complaints have been filed by data rights activist groups such as:
8
• Belgium
• Luxembourg
• Netherlands
• Spain
• United Kingdom
• Poland
• Ireland
© 2019 Akin Gump Strauss Hauer & Feld LLP 9
GDPR Compliance
© 2019 Akin Gump Strauss Hauer & Feld LLP
Public Pressure Led to Rushed Legislation
10
© 2019 Akin Gump Strauss Hauer & Feld LLP
GDPR Activity: Basics
• We are over a year into the GDPR and we have seen a rise in data subject complaints and data breach reporting by companies
• As of May 22, 2019, the European Data Protection Board (EDPB) reported that DPAshave received over 144,000 queries and complaints* and logged over 89,000 data breaches
• According to the EDPB 63 percent of these have been closed and 37 percent are ongoing
11European Data Protection Board, 1 year GDPR – taking stock, https://edpb.europa.eu/news/news/2019/1-year-gdpr-taking-stock_en (May 2019).
© 2019 Akin Gump Strauss Hauer & Feld LLP
GDPR Activity: Key Areas
12
Transparency
Lawful Basis for
Processing
Data Subject Rights
Data Security & Data
Breaches
Consent
Data Processing
Agreements
© 2019 Akin Gump Strauss Hauer & Feld LLP
Cooperation with Regulators
13
© 2019 Akin Gump Strauss Hauer & Feld LLP
“Explicit Notice”
• Not clear how entities that do not have direct relationship with consumers can ensure
consumers receive “explicit notice”
• Not defined in the CCPA; it is only used in Section 1798.115(d)
• Legislative history offers no explanation for why “explicit notice” and not simply
“notice” was included
• “Explicit notice” may mean notice that is specific or concrete in terms of alerting the
consumer to how their data may be used
14
© 2019 Akin Gump Strauss Hauer & Feld LLP
Practical Effects
15
© 2019 Akin Gump Strauss Hauer & Feld LLP
Finding a Balance
16
© 2019 Akin Gump Strauss Hauer & Feld LLP
Cost of Privacy
• A recent study from professors at Boston University, University of Colorado and
students and Northwestern University estimated that European web traffic and revenue
declined by nearly 10 percent after the GDPR went into effect in May 2018
– The study does not reach a definitive conclusion about why the web activity dropped, but suggests that the cause
is company- rather than user-driven: instead of users deciding to visit sites less, companies may have cut back on
using advertising to attract consumers
– The researchers use this as evidence that privacy concerns are playing little to no role in why web traffic is
decreasing, “which suggest that GDPR may not actually be delivering that much value to the majority of users”
• Publishers with small footprints in Europe not wanting to participate in GDPR
• Other costs?
17
© 2019 Akin Gump Strauss Hauer & Feld LLP
Federal Privacy Policy and Enforcement
18
© 2019 Akin Gump Strauss Hauer & Feld LLP
John Thune
(R) South Dakota
Maria Cantwell
(D) Washington
Jerry Moran
(R) Kansas Richard Blumenthal
(D) Connecticut
Roger Wicker
(R) Mississippi Brian Schatz
(D) Hawaii
What About a Federal Fix?
19
Senate Working Group
• Senate working group divided and unlikely to reach agreement
• Activity across houses in Congress
• CCPA floor?
• Empower federal agency?
• Private right of action
• Scope of preemption
• Address “sensitive” data
© 2019 Akin Gump Strauss Hauer & Feld LLP
How is AdTech Working Together?
20
© 2019 Akin Gump Strauss Hauer & Feld LLP
FTC Enforcement C
hitik
a (
Marc
h ’11)
•Chitika tracked consumer’s activity, even after opting out
•FTC settlement bars Chitika from making misleading statements about the extent of data collection
•Requires a clear opt-out mechanism
• ScanScout used Flash cookies, which browser settings cannot block
• FTC settlement bars ScanScount from misrepresenting the extent of data collection
• Requires an opt-out notice on home page
• ScanScout must disclose that it collects data to send targeted ads
• Epic Marketplace used history sniffing to gather data from consumers about their interest in sensitive medical and financial issues
• FTC settlement bars Epic Marketplace from using history sniffing
• Bars future misrepresentation by Epic Marketplace
• Requires Epic Marketplace to destroy all unlawfully gathered information
Turn
, In
c. (D
ec. ’1
6)
• Turn tracked consumers online activity, even after consumers took steps to opt out of tracking
• FTC settlement bars Turn from misrepresenting the extent of its online tracking or the ability of users to limit the company’s use of their data
• Must provide an effective opt-out mechanism
YouT
ube (
Sept. ’19) • YouTube tracked visitors
to channels directed towards children without disclosing the practice or obtaining parents’ verifiable consent, violating COPPA
• Proposed FTC settlement requires YouTube and parent company Google to notify channel owners that their child-directed content may be subject to COPPA Rule
• YouTube must implement and maintain a system that lets channel owners to identify content as child-directed
• YouTube must provide annual COPPA compliance training
21
Epic
Mark
etp
lace (
Dec.
’12
)
ScanS
cout
(Nov.
’11)
© 2019 Akin Gump Strauss Hauer & Feld LLP
Takeaways
• Practical regulation that understands the ecosystem
• Recognition and use of self-regulatory efforts
• Stability and consensus to empower compliance
• Safe harbor for companies that comply
• Liability limitations for downstream misuse, if compliant
22
© 2019 Akin Gump Strauss Hauer & Feld LLP
Team Contact Information
23
Natasha Kohne, CIPP/US
Partner, Akin Gump Strauss Hauer & Feld LLP
San Francisco
T: +1 415.765.9505
Alice Lincoln, CIPP/US
Senior Vice President, Data Policy & Governance, MediaMath
New York
T: +1 646.840.4252
Michael Hahn
SVP & General Counsel, IAB
New York
T: +1 212.380.4721
© 2019 Akin Gump Strauss Hauer & Feld LLP
Locations
London
Ten Bishops Square
Eighth Floor
London E1 6EG
United Kingdom
+44 20.7012.9600
Longview
Austin Bank Building
911 West Loop 281
Suite 412
Longview, TX 75604
+1 903.297.7400
Los Angeles
1999 Avenue of the Stars
Suite 600
Los Angeles, CA 90067-6022
+1 310.229.1000
Moscow
Geneva House
7 Petrovka Street
Moscow, 107031 Russia
+7 495.783.7700
New York
One Bryant Park
Bank of America Tower
New York, NY 10036-6745
+1 212.872.1000
Frankfurt
Opern Turm
Bockenheimer Landstraße 2-4
60306 Frankfurt/Main
Germany
+49 69.677766.0
Geneva
54 Quai Gustave Ador
1207 Geneva, Switzerland
+41 22.888.2000
Hartford
100 Pearl Street
14th Floor
Hartford, CT 06103-4500
+1 860.263.2930
Hong Kong
Units 1801-08 & 10
18th Floor Gloucester Tower
The Landmark
15 Queen’s Road Central
Central, Hong Kong
+852 3694.3000
Houston
1111 Louisiana Street, 44th Floor
Houston, TX 77002-5200
Tel. +1 713.220.5800
Irvine
4 Park Plaza
Suite 1900
Irvine, CA 92614-2585
+1 949.885.4100
Abu Dhabi
Abu Dhabi Global Market Square
Al Sila Tower, 21st Floor
P.O. Box 55069
Abu Dhabi, United Arab Emirates
+971 2.406.8500
Beijing
Unit 401 North Tower
Beijing Kerry Centre
1 Guanghua Road
Chaoyang District
Beijing 100020, China
+86 10.8567.2200
Dallas
2300 N. Field Street, Suite 1800
Dallas, TX 75201-2481
+1 214.969.2800
Dubai
Boulevard Plaza
Tower Two, 23rd Floor
P.O. Box 120109
Dubai, United Arab Emirates
+971 4.317.3000
Fort Worth
201 Main Street
Suite 1600
Fort Worth, TX 76102
+1 817.886.5060
Philadelphia
Two Commerce Square
2001 Market Street
Suite 4100
Philadelphia, PA 19103-7013
+1 215.965.1200
San Antonio
112 E. Pecan Street
Suite 1010
San Antonio, TX 78205-1512
+1 210.281.7000
San Francisco
580 California Street
Suite 1500
San Francisco, CA 94104-1036
+1 415.765.9500
Singapore
2 Shenton Way
#16-01 SGX Centre 1
Singapore 068804
+65 6579.9000
Washington, D.C.
Robert S. Strauss Tower
2001 K Street, N.W.
Washington, DC 20006-1037
+1 202.887.4000