California has a unique ballot initiative process that allows voters to directly pass legislation, and it appears that proponents of an initiative that could impact digital advertising and apply European Union (EU)-inspired consumer privacy protections – including opt-out consent to broad categories of data use and sharing – have obtained enough signatures to place the measure on the November ballot.
On May 3, 2018, Californians for Consumer Privacy announced that about 625,000 signatures in support of the initiative were filed with the California Secretary of State. A total of 365,880 valid signatures are needed to qualify the initiative, 58.5 percent of those submitted, suggesting that the measure is all but certain to make the ballot this fall. Given the size of California’s population and economy, California privacy and other consumer protection legislation has in the past had national impact. In the wake of growing public concerns over the improper use of online user information and data breaches, such as those illustrated by the Cambridge Analytica scandal and Russian election meddling, the ballot initiative could well garner sufficient support for passage.
California May Change the US Privacy Landscape
Indeed, at first blush, an overview of the proposal might sound appealing to consumers. The California Attorney General’s Title and Summary for a California ballot initiative titled “The Consumer Right to Privacy Act of 2018” (the Initiative):
ESTABLISHES NEW CONSUMER PRIVACY RIGHTS: EXPANDS LIABILITY FOR CONSUMER DATA BREACHES. INITIATIVE STATUTE. Gives consumers right to learn categories of personal information that businesses collect, sell, or disclose about them, and to whom information is sold or disclosed. Gives consumers the right to prevent businesses from selling or disclosing their personal information. Prohibits businesses from discriminating against consumers who exercise these rights. Allows consumers to sue businesses for security breaches of consumer data, even if consumers cannot prove injury. Allows for enforcement by consumers, whistleblowers, or public agencies. Imposes civil penalties. Applies to online and brick-and-mortar businesses …
The Initiative would regulate “personal information,” broadly defined to include IP addresses, cookie or pixel tag IDs, device IDs, and other unique identifiers, as well as more traditional types of personal information, and “inferences drawn” from that data. Unlike a federal consumer privacy bill recently introduced and discussed below, the Initiative is an opt-out scheme rather than an opt-in scheme. In some ways, then, it has similarities to the current US interest-based advertising self-regulatory opt-out program. However, the Initiative would prohibit conditioning service on consent, something neither the EU’s General Data Protection Regulation (GDPR) nor the current US self-regulatory program does.
While the proposed federal legislation would also restrict take-it-or-leave-it consent choices, it would allow the potential for commercially reasonable differential access terms, such as through pricing based on incentives and discounts for consent. The Initiative would thus not only restrict the ability of publishers and service providers of currently free-to-consumer, advertiser-supported content and services to require consent to interest-based advertising, but also prohibit them from even pricing access to interest-based-ad-free content and services differently than access to interest-based-ad-supported content.
Much like the current California Shine the Light Act, which gives consumers the right to learn about the sharing of their personal information with third parties for direct marketing purposes if they are not given choice regarding that sharing, the Initiative gives rights only to California residents. However, the scope of regulated activity and data is far more expansive than current California law, which is more about transparency than choice. Also, unlike the Shine the Light Act or proposed federal legislation, the Initiative provides an express private right of action, with no need to show injury beyond a violation of the statute for standing, and statutory damages of a minimum of $1,000 and up to $3,000 per violation, which would make filing claims very attractive to class action lawyers if it were to pass. Further, a security breach of the regulated data would also be subject to such statutory penalties.
A full copy of the Initiative is available here.
Proposed Federal Legislation Also Threatens the Status Quo
And California is not alone in proposing strict EU-inspired consumer privacy legislation. On April 10, Sens. Edward Markey, D-Mass., and Richard Blumenthal, D-Conn., introduced the Customer Online Notification for Stopping Edge-provider Network Transgressions (CONSENT) Act (or the Bill). CONSENT would provide the Federal Trade Commission (FTC) with new authority to establish regulations aimed at protecting the privacy of information belonging to customers of so-called edge providers, the content and content-enabling services that use the internet – websites, web services, search engines, social media platforms, online advertising services, web and mobile applications, and content-hosting and content-delivery services. Most notably, the Bill proposes to regulate the collection and use of online service usage data, which is deemed sensitive regardless of its nature and without being tied to a personally identifiable person.
The Bill, if passed in this form, would require, among other things, an edge provider to obtain opt-in consent from the customer to use, share or sell certain types of data, including usage data – the data that drives interest-based advertising. It would also prohibit requiring consent to use and sharing for “commercial purposes” as a condition of service. However, rather than banning price breaks or incentives for providing consent as the Initiative does, the Bill would give the FTC the authority to determine whether providing consideration to customers in exchange for consent is reasonable under the circumstances. Unlike the Initiative, the Bill proposes that only the FTC, certain other federal agencies, and state attorneys general may enforce the law, and there is no express private right of action.
For a more detailed analysis of the Bill, click here.
Both the Initiative and the Bill pose a material risk to digital advertising as practiced in the United States today. But unlike the Bill, which can be reworked during the legislative process, the Initiative would become law based on the current draft if California voters were to pass it – that is, unless the Bill or some other federal consumer privacy legislation were to include a provision that expressly preempts state laws in the area, something the current Bill does not propose to do. If both were to pass in their current form, the Bill would create a floor providing for opt-in consent, and the Initiative would add higher restrictions as applied to California residents, such as prohibiting offering incentives to consumers for providing consent.
We will continue to follow and report on these and other legislative efforts that affect interest-based advertising, e-commerce and digital publishing.