California’s new law on consumer privacy that is scheduled to come into effect on 1st January 2020 is not compliant with the provisions of the GDPR. This is despite the fact that the law is being viewed as the US’s most aggressive and strongest step in the sphere of privacy protection.
California Online Privacy Law vs EU’s GDPR
AB-375 vs GDPR
The new law stipulates that from 1st January 2020 onwards, companies will need to inform California state residents what information they are collecting about state residents and also how they propose to use it in the future.
The law will also people to direct such companies to stop selling or delete such private information. However, neither will the statute prevent businesses from collecting information about people nor give California residents the choice to legally order a company to acquire their information.
This legal aspect, experts feel, differentiates the law distinctly from the GDPR. They also opine that the bill’s sweeping nature may be unprecedented in terms of privacy but its final impacts are yet to be known.
The concept of “personal information” has some broad and sweeping definitions and includes the usual categories such as people’s names, their social security numbers, and email IDs.
However, it has also brought within its purview some unique personal identifiers like geolocation data; IP addresses; browsing, search and shopping histories; and profiles of consumers, based on inferences drawn from available personal information.
It is seen that unique identifiers are used mostly by ad tech firms to track people anonymously on the web. This implies that an ad tech firm that stores tracking cookies on consumers’ devices shall now have to offer people the option of asking the company to delete such information garnered by way of those cookies.
They shall also have to ensure that such cookies and any corresponding or relevant information doesn’t get exposed should there be a data breach in the future. This would make the business susceptible to facing a class-action lawsuit.
After having gone through the draft of the law, some of California’s leading legal luminaries have pointed out a loophole in the statute. This is in the sphere of any “de-identified” personal information or information about the “aggregate consumer.”
Interpretations of this section imply that personal information, which cannot be bracketed with a particular consumer, would be deemed to be de-identified. Again, it’s still not clear whether the identifier types that operate the digital advertising ecosystem will fall within the ambit of the law.
Exempt from the law
However, the law has suggested that IDs for mobile advertising and online tracking cookies, used for collecting information on individual devices, are likely to come within its jurisdiction. Digital advertising businesses may argue here that they are exempt from the law because they assemble such identifiers into anonymous, larger audience pools.
This particular area continues to be in flux and is somewhat confusing, feel legal experts. Arguably, however, anonymous information doesn’t allow the creation of a consumer profile because it can’t be linked to a particular individual. Even then, there are certain provisions in the law that don’t exactly exempt digital advertising agencies totally.
This is because even if an agency claims that it has disassociated any information from an individual, it will have to ensure that this type of disassociation can’t be undone and that such data may be reconnected to the aforesaid party.
Even though the bill is now a law, the advertising industry is still confused over this possible loophole, assuming that it doesn’t exist.
The industry feels there can be no loophole because any data which is linked to other data can be associated with an individual or group of individuals. For instance, Exponential Interactive, an ad tech company purchases data from third parties for use in ad targeting campaigns. However, when such data is bought, it’s totally aggregated.
Exponential Interactive makes use of cookie IDs to match such aggregated 3rd party data with its own audience pool to target specific audiences with ads. This it does without accessing any underlying data that includes people’s names or their email IDs.
This cookie-based process of matching is likely to subject ad tech firms to comply with provisions of the law, even though they may eliminate cookie-based identifiers from the process. An individual’s behavioral profile may be stripped of its cookie ID and IP address to assume a de-identified status, but shall be deemed to be personal information under the law.
Long Way to Go
A segment of legal professionals, however, feel that the law will have minimal impact on the leading online platforms.
Moreover, there’s still enough time for it to be amended or changed as it has been passed by the California state legislature and not California voters. Thus, there is enough scope to ask the lawmakers for necessary clarifications on specifics while experts continue to work out its final impact.