Stacey Gray
Aug 24 · 16 tweets · 8 min read
My observations on @AGRobBonta's first major #CCPA enforcement action, announced today against @Sephora - big news for U.S. privacy. 1/16
✨Complaint: oag.ca.gov/system/files/a…
✨Settlement: oag.ca.gov/system/files/a…
First, @Sephora is a strategic choice. The most significant outcome is their 2-yr agreement to honor Global Privacy Control (GPC) signals. It's very important for the AG to get this on the books, because it bolsters CCPA's key (only) redeeming feature: the universal opt-out. 2/
Despite CCPA's underlying weaknesses (advocates have rightly criticized it as an ineffectual notice & choice law), the concept of a decentralized "universal opt-out" browser mechanism has taken hold in the US and been adopted in CO, CT - with great promise. 3/
Unfortunately, unlike CO/CT, CA's statutory authority on global opt-outs is hotly debated and remains unclear (arguably undercut by #CPRA - see @keir_lamont's fpf.org/blog/public-co…). Most larger or primarily ad-supported businesses would challenge it, if they aren't already. 4/
However, Sephora is a multi-national luxury retail brand with reputation interests at stake, lacking (I suspect) a strong lobbying presence in CA, and is (again I assume) already complying with #GDPR. 5/
This suggests to me that cleaning up U.S.-facing websites/apps for integrations (analytics, ad partners, location SDKs, etc.) simply hasn't been a high priority, but was a relatively straightforward thing to do without threatening revenue; 6/
...and #GPC is perhaps easier to implement than launching a cookie banner, which I observe they've chosen not to do, at least for US visitors. (That's interesting! I'm really curious about the cost-benefit on effectiveness and user experience there.) 7/
All this means that settling is the reasonable path forward, while giving @agbonta a huge win with a settlement that reflects their position that honoring #GPC is required in all cases. 8/
But the complaint leaves out some important details... Specifically, the AG glosses over how the #GPC signal was communicated. Did they use PrivacyBadger? Brave? Blur? OptMeowt? 🐈‍⬛ 9/
Again, unfortunately, the implementation matters because the CCPA/CPRA contains requirements that signals reflect user choice (i.e. not being on by default), which means that the messaging in the specific tool matters, not just the signal specification itself. For example... 10/
... an unrelated plug-in (a screen reader or, arguably, an ad-blocker) that started sending #GPC as a default, with no notices or configurability, would probably not be CCPA-compliant - just based on most people's reading of the law (but the AG's office may not agree). 11/
#adtech, esp. brand publishers, will be paying close attention to this #GPC result and weighing whether to adopt, challenge, or wait and see (recognizing that in two years, #CPRA will be in effect). A settlement =/= judicial decision in setting precedent, but still important. 12/
Finally - I think equally important - the OAG took this opportunity to drop (today) a new set of Enforcement Case Examples: oag.ca.gov/privacy/ccpa/e…
Lots to digest here - including: more retailers adopting #GPC voluntarily upon receiving enforcement letters; and an interesting tip that some companies are now using IP address to geofence CA customers and stop third-party advertising for those visitors. 14/
Finally, since we're all thinking it: would all of this be possible under #ADPPA? Probably. #ADPPA should clarify its global opt-out language, but at the same time would likely render most/all 3p advertising here illegal, or require opt-in consent. Much stronger. Plus the #PRA.
Anyway, that's my take. I wish I had better analysis on #ADPPA, but candidly I still find the bill's #adtech provisions to be needlessly complex. In the meantime... can't stop California from laying down a privacy #foundation! 🙃 16/16