My observations on @AGRobBonta's first major #CCPA enforcement action, announced today against @Sephora - big news for U.S. privacy. 1/16
✨Complaint: oag.ca.gov/system/files/a…
✨Settlement: oag.ca.gov/system/files/a…
✨Complaint: oag.ca.gov/system/files/a…
✨Settlement: oag.ca.gov/system/files/a…
First, @Sephora is a strategic choice. The most significant outcome is their 2-yr agreement to honor Global Privacy Control (GPC) signals. It's very important for the AG to get this on the books, because it bolsters CCPA's key (only) redeeming feature: the universal opt-out. 2/
Despite CCPA's underlying weaknesses (advocates have rightly criticized it as an ineffectual notice & choice law), the concept of a decentralized "universal opt-out" browser mechanism has taken hold in the US and been adopted in CO, CT - with great promise. 3/
Unfortunately, unlike CO/CT, CA's statutory authority on global opt-outs is hotly debated and remains unclear (arguably undercut by #CPRA - see @keir_lamont's fpf.org/blog/public-co…). Most larger or primarily ad-supported businesses would challenge it, if they aren't already. 4/
However, Sephora is a multi-national luxury retail brand with reputation interests at stake, lacking (I suspect) a strong lobbying presence in CA, and is (again I assume) already complying with #GDPR. 5/
This suggests to me that cleaning up U.S.-facing websites/apps for integrations (analytics, ad partners, location SDKs etc) simply hasn't been a high priority, but was a relatively straightforward thing to do without threatening revenue; 6/
...and #GPC is perhaps easier to implement than launching a cookie banner, which I observe they've chosen not to do, at least for US visitors. (That's interesting! I'm really curious about the cost-benefit on effectiveness and user experience there.) 7/
All this means that settling is the reasonable path forward, while giving @agbonta a huge win with a settlement that reflects their position that honoring #GPC is required in all cases. 8/
But the complaint leaves out some important details... Specifically, the AG glosses over how the #GPC signal was communicated. Did they use PrivacyBadger? Brave? Blur? OptMeowt? 🐈⬛ 9/ 
Again unfortunately, the implementation matters because the CCPA/CPRA contains requirements that signals reflect user choice (i.e. not being on by default), which means that the messaging in the specific tool matters, not just the signal specification itself. For example... 10/
... an unrelated plug-in (a screen reader or, arguably, an ad-blocker) that started sending #GPC as a default, with no notices or configurability would probably not be CCPA-compliant - just based on most people's reading of the law (but the AG's office may not agree). 11/
#adtech, esp. brand publishers, will be paying close attention to this #GPC result and weighing whether to adopt, challenge, or wait and see (recognizing that in two years, #CPRA will be in effect). A settlement =/= judicial decision in setting precedent, but still important. 12/
Finally - I think equally important - the OAG took this opportunity to drop (today) a new set of Enforcement Case Examples: oag.ca.gov/privacy/ccpa/e…
Lots to digest here - including: more retailers adopting #GPC voluntarily upon receiving enforcement letters; and an interesting tip that some companies are now using IP address to geofence CA customers and stop third-party advertising for those visitors. 14/
Finally, since we're all thinking it: would all of this be possible under #ADPPA? Probably. #ADPPA should clarify its global opt-out language, but at the same time would likely render most/all 3p advertising here illegal, or require opt-in consent. Much stronger. Plus the #PRA.
Anyway, that's my take. I wish I had better analysis on #ADPPA, but candidly I still find the bill's #adtech provisions to be needlessly complex. In the meantime... can't stop California from laying down a privacy #foundation! 🙃16/16
• • •
Missing some Tweet in this thread? You can try to
force a refresh
