California’s attorney general Rob Bonta is getting tougher on privacy enforcement when it comes to use of a controversial tool enabling universal opt-out from data collection.
In the past two weeks, the AG’s office sent at least 10 and possibly more than 20 companies letters that call on them to honor the GPC, according to four lawyers with clients in the digital publishing and advertising industry.
“We all have clients who got some [letters],” said Alysa Hutnik, partner and chair of the privacy and security practice at law firm Kelley Drye and Warren, speaking on behalf of a small group of lawyers she communicates with regarding privacy regulations.
“[The letters] are implying that companies must follow the GPC signal,” said another lawyer who spoke on condition of anonymity. Despite previous doubt among some ad firms, some of the new letters make it clear that the use of data passed among third-parties for behavioral advertising is indeed a data sale under the CCPA in the eyes of the state’s attorney general, according to the lawyers.
A spokesperson for AG Bonta’s office declined to confirm that the letters were sent, but told Digiday, “Enforcement of the CCPA hit its one-year anniversary in July and enforcement continues on a regular basis.”“Under law, [GPC] must be honored by covered businesses as a valid consumer request to stop the sale of personal information,” stated a July 14 update to CCPA-related frequently asked questions on California’s Department of Justice website.
GPC is a browser-based opt-out tool that automatically sends out a signal requesting websites and ad tech intermediaries to opt-out from selling people’s data. People using Brave and DuckDuckGo’s Privacy Essentials browser extension have the GPC setting turned on by default, for example.
Slow-ish adoption“At least 50 million people” worldwide are sending out the GPC signal today, up from around 40 million when the tool was launched in October, said Ashkan Soltani, a privacy researcher who helped launch the GPC program.
However, support of GPC is limited to “privacy-preserving browsers and tools,” Soltani said. He added, “A lot of the browser vendors are reluctant to engage in enabling it.” For instance, some browsers that incorporate other privacy-protective features, including Apple’s Safari, haven’t gotten on board with GPC. Meanwhile, without Google’s Chrome — the world’s most popular browser — in the mix, GPC may not make much of a dent in limiting data collection
That means GPC doesn’t necessarily pose a threat to publishers when it comes to how they gather data, said Don Marti, vp of ecosystem innovation at ad management firm CafeMedia, an early adopter of the tool on behalf of its publisher partners. Because “none of the major browsers have turned it on,” Marti said GPC has little impact on publishers’ ability to gather data that helps generate ad revenue.
Other publishers including The New York Times and The Washington Post signed on to honor the tool when it launched, and Soltani said he’s spotted several small publishers recognizing the GPC signal over the past few months.
Confusion remains without technical standardsIn the absence of technical specifications from the AG’s office for how companies should honor global privacy opt-out signals, companies remain somewhat confused, said Hutnik. “There’s no technical standard for it,” she said. For that reason, companies are reluctant to invest in possibly costly technical fixes. Just how expensive implementation of changes are to acknowledge GPC signals seems to vary from publisher to publisher.
“My clients want to comply with the law,” said Hutnik. “But it requires a lot of money and investment, and if you’re interpreting it wrong and you have to do a 180, it’s not a good use of resources or good for consumers. It’s confusing.”