In a world where consumer data is freely shared, bought, sold and analysed without consent, January 2020 was a month that put the spotlight on data privacy, thanks to two disparate events that occurred in two different parts of the world. The month began with the California Consumer Privacy Act (CCPA) coming into effect, a sweeping law that allows consumers to know what personal data is being collected about them and how it’s being used. Consumers can opt out of having their data sold and have the right to ask businesses to delete their personal data. Firms can be fined for not complying with the law, which will be enforced by July 2020. CCPA applies to companies that either have annual revenues over $25 million, collect the personal information of 50,000 people or more each year, or those that derive 50% or more of their revenue from selling consumers’ personal information.
The law covers all California residents as well as all companies that do business in California. It is the first data protection law enacted in the US, and though only applicable to California, promises to have a far-reaching impact. The law is being likened to the EU’s General Data Protection Regulation (GDPR), which, however, is broader in its scope. The very same month the law came into effect, a report detailing data leaks highlighted the need for data protection legislation. The report, titled Out of Control, was published by the Norwegian Consumer Council in mid-January, and detailed how consumers are exploited by the online advertising industry. The report highlighted massive consumer data leaks by companies including those headquartered in California, like the dating app Tinder as well as Grindr, a networking and dating app for the LGBTQ community.
After the report was published, the Norwegian Consumer Council filed complaints of GDPR breaches against Grindr, MoPub and four other adtech companies. A coalition of American consumer groups wrote to the US Federal Trade Commission and the attorneys general of California, Texas and Oregon to carry out an investigation based on the Norwegian Consumer Council report. Out of Control tracked 10 apps “transmitting user data to at least 135 different third parties involved in advertising and/or behavioural profiling”.
According to the report, the dating app OkCupid (owned by the same company that owns Tinder) shared very personal data about sexuality, drug use, political views and more with Braze, an analytics company. Over 70 third parties received personal data from users of the makeup app Perfect365. Menstrual cycle tracker MyDays shared the GPS location of users with third parties in the field of behavioural tracking and advertising. Data including gender, age and location of people using LGBTQ dating app Grindr were shared with third parties involved in profiling and advertising. The report noted that MoPub, a subsidiary of Twitter involved in adtech, was used as a mediator for Grindr’s data sharing. After the release of the report, Twitter suspended Grindr from its ad network.
The report showed that, 20 months after the EU data law came into effect, data sharing by the adtech industry remained out of control. Adtech, a term that’s short for advertising and technology, refers to the range of digital tools used for advertising. It encapsulates the complicated processes used to direct ads to consumers. Interestingly, in the run-up to California’s data privacy law coming into effect, tech companies lobbied hard for a dilution of the law including exemptions for adtech. The Electronic Frontier Foundation, a nonprofit defending civil liberties in the digital world, wrote of how the new law had fended off “a year of targeted efforts by technology giants who wanted to gut the bill”. Tech companies backed bills that would have weakened the act.
The Washington Post carried a detailed report in September 2019 on how residents in and around Sacramento, California’s capital city, were inundated with social media ads warning of how new government legislation would destroy the internet and force consumers to pay for websites that were otherwise free. The ads were found to have been run by a trade group that represents big tech companies. “The group claims that surveillance-based advertising technology, which slurps up and broadly spreads consumers’ personal data without their knowledge, should be exempted from the CCPA. In truth, surveillance-based adtech is one of the worst privacy hazards that the law was designed to stop. It also provides little benefit to online publishers, and erodes trust between companies and their consumers,” says a piece by the Electronic Frontier Foundation.
CCPA has come into effect without the major revisions sought by tech companies. For residents in California, it has meant that virtually every time they visit a new site on the internet, they’re met with pop-up messages informing them about their right to privacy and opting out of having their data collected. An online search for CCPA throws up ads offering to help businesses comply with CCPA.
While CCPA applies only to California, there is hope that companies will apply the principles of CCPA across the US. Microsoft has already promised to do so.
The Wall Street Journal, in a piece on how companies are scrambling to comply with the new law, points to the difficulty involved in maintaining a “separate protocol for California’s 39.6 million residents” adding that many businesses were choosing to apply the changes they make for California to the rest of the US, making the California law a sort of de facto national standard. While consumer bodies and privacy activists have sought to further strengthen the provisions in the CCPA, there is no doubt that the bill is an important step in the road to data privacy, and is forcing companies to take a long, hard look at their privacy policies.
For residents in California, it has meant that virtually every time they visit a new site on the internet, they’re met with pop-up messages informing them about their right to privacy ... Due to the difficulties involved in maintaining a separate protocol for California’s 39.6 million residents, many businesses are choosing to apply the changes they make for California to the rest of the US
Anahita Mukherji
An independent journalist based in the San Francisco Bay Area Tweets @newspaperwalli