Interactive Advertising Bureau
888 17th Street NW
Re: IAB CCPA Compliance Framework for Publishers & Technology Companies
Please find attached Californians for Consumer Privacy‘s comments with respect to the IAB CCPA Compliance Framework For Publishers And Technology Companies Draft for Public Comment dated October 2019.
Please note that CCP is in the midst of finalizing our own language with respect to our upcoming privacy ballot measure first submitted to the California Attorney General in late September, and thus we are reserving this time for certain high-level commentary. This letter does not include a comprehensive review of the IAB proposal.
In addition, given the nature of our concerns below, we have chosen to focus our comments on the most pressing consequences the Proposed Framework which, if adopted, would result in significant misrepresentations of the law in our view.
To preview our conclusion, certain of the Framework’s conclusions are so contrary to the letter and spirit of the California Consumer Privacy Act (“CCPA”), that we are uncertain as to the rationale for their inclusion in the Framework, and we expect a revised draft to be published.
As written, the Framework would contravene certain express tenets of CCPA, which is a perplexing outcome given the current focus on CCPA, its prominence, and at least in our opinion, the fact that these areas are black-letter law.
The most extreme misinterpretation, in our opinion, is with respect to the expressed belief that certain industry participants may transfer personal information of consumers to those who are not service providers as defined by CCPA, and yet fall outside the scope of “sale” as defined by law.
See for example Framework II(6), “…certain industry participants believe they can transfer certain personal information of consumers to those who are not “service providers” (as defined by CCPA) and not have that constitute a ‘sale…’”
Perhaps what the Framework means to express in this instance, is that such a transfer would be pursuant to the pathway in CCPA Section 1798.140(w)(2) governing persons who do not qualify as Third Parties; but if the implication is that there is some other method where businesses can transfer personal information without such transfer constituting a sale, we would expect a professional organization like IAB to highlight that as incompatible with the text and intent of CCPA.
As with the interpretation of ‘sale’ outlined above, CCPA clearly states that the transfer of any personal information from a business is a sale unless it is pursuant to a written contract with an entity covered in Section 1798.140(w)(2), or pursuant to a written contract with a service provider.
We consider, and think the average consumer would consider, that when information is exchanged across devices and platforms, such that an ad follows the consumer from desktop to phone and from site to site, this constitutes a sale of their personal information from one business to another.
We think, and our research confirms, that consumers want the option to be able to opt out of this behavior with respect to certain businesses.
Second, it is extremely disconcerting that the Framework appears to indicate that the opt-out of sale only applies to information 90 days old or less.
Please see Framework III Signals (1)(d)(6) “The consumer may receive ads tailored to his or her interests based upon personal information that (i) pre-dated the opt out by more than 90 days” and Framework III Signals (1)(e) “clicking the do not sell my personal information link...will not opt you out of the use of previously collected and sold personal information (except for personal information sold within 90 days prior to your exercising your right to opt out)...”
In diametric contrast, please see CCPA Section1798.135(a)(4) “For consumers who exercise their right to opt-out of the sale of their personal information, refrain from selling personal information collected by the business about the consumer.” (Emphasis added). There is literally no mention of any 90-day period in CCPA, let alone constraining one of the fundamental rights in the law, that of the Right to Say No to the sale of personal information.
CCPA Section 1798.140(e) defines “Collected” as “buying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means. This includes receiving information from the consumer, either actively or passively,or by observing the consumer’s behavior.”
In the California Attorney General’s proposed regulations, Section 999.315(f) proposes that following an opt-out request, “…a business shall notify all third parties to whom it has sold the personal information of the consumer within 90 days prior to the business’s receipt of the consumer’s request that the consumer has exercised their right to opt-out and instruct them not to further sell the information. The business shall notify the consumer when this has been completed.”
As written, nothing in CCPA or the proposed regulations suggests, even remotely, that upon a consumer exercising their right to opt out of the sale of their information, it is only the most recent 90 days that is subject to this right.
The inclusion of this provision as a central feature of the Framework is so perplexing that we are hopeful we have misunderstood the intention of the Framework. It is, however, central to the interpretation of the Framework; and if true, would represent a fundamental disagreement between our organizations— one which, we hasten to add, we believe any regulatory authority would resolve quickly in favor of our interpretation.
In sum, while there are certain positive aspects to the Framework, we request clarification on these two key points before submitting additional, detailed feedback.
To the extent the IAB’s position on these key fundamentals is consistent with the points in the Framework, we would have to oppose the Framework vigorously, as it would then represent to us an attempt to work around law almost entirely in substance and spirit.
Alastair A. Mactaggart
Board Chair and Founder