A worrying adtech exemption to California’s new privacy law
Brave writes to the California Senate Judiciary Committee, opposing a new adtech exemption in the California Consumer Protection Act (CCPA). Brave also co-signs today’s letter from 28 technology companies supporting the Privacy For All amendment to fix loopholes in the CCPA.
Senate Bill 753 proposes an advertising exception to the new California Consumer Protection Act’s privacy protections. As we argue today in a letter to the California Senate Judiciary Committee, this would grievously harm the California Consumer Protection Act.
The Bill proposes that:
“a business does not sell personal information if the business, pursuant to a written contract, shares, discloses, or otherwise communicates to another business or third party a unique identifier only to the extent necessary to serve or audit a specific advertisement to the consumer.”
Online advertising auctions cause the most massive leakage of intimate personal information ever recorded, which the proposed advertising exception would permit. As an industry participant, Brave strongly opposes this. The full text of Brave’s letter to the Californian Senate Judiciary Committee is copied below. You can download the PDF here.
Also today, Brave also co-signs a letter from 28 technology companies in support of Assembly member Buffy Wicks’ “Privacy For All” amendment to the CCPA. Privacy For All (AB 1760) is intended to close several significant loopholes in the CCPA, as the EFF explains here. This fixes some of the issues raised in Brave’s letter to California’s Attorney General of March 2019.
The Honorable Henry Stern
State Capitol, Room 5080
Sacramento, CA 95814
cc: Senate Judiciary Committee
16 April 2019
Opposition to Senate Bill No. 753
Dear Senator Stern,
As an innovative digital business that participates in the online advertising industry, we strongly oppose S.B. 753. The bill’s proposed amendments to Civil Code Section 1798.140(t) would permit disclosure of personal information for the purpose of serving and displaying advertising. In our view, the bill would seriously undermine the California Consumer Privacy Act.
For example, the amendment would permit companies to broadcast intimate personal information to hundreds of companies every time an ad is served using “real-time bidding”, one of the most common ways that advertisements are sold and served on the Internet. Before an ad is served to a person loading a web page, a “bid request” is sent to an advertising auction, and then to tens or hundreds of subsequent parties, in order to solicit bids from them for the opportunity to show an ad to that specific person. A “bid request” broadcast about a particular visitor to a website can include:
- The URL of what the person is reading/watching/listening to.
- The person’s age.
- The person’s GPS coordinates.
- The person’s IP address (Google anonymizes this, but other companies do not).
- Category codes of content the person is loading, which can reveal their interests, medical conditions, and other sensitive facts.
Example Google codes: 571 eating disorders, 410 left-wing politics, 202 male impotence, 862 Buddhism, 625 AIDS & HIV, 547 African-Americans.
Example IAB codes: IAB7-9 Bipolar disorder, IAB 7-18 Depression, IAB 7-3 AIDS/HIV, IAB 23-10 Latter-Day Saints, IAB 23-8 Judaism.
- Unique codes and device descriptions that allow the latest personal information about the person to be added to existing profiles about them.
Real-time bidding happens at a staggering scale: hundreds of billions of such auctions every day.1 Each of these broadcasts can be received by hundreds of companies, which may then pass it on to hundreds more.
These codes, and other personal information in the bid request, allow unknown parties to build and share individual profiles without allowing consumers to discover who has access to their personal information.
The real-time bidding process represents the most massive leakage of sensitive personal information ever recorded, and yet it would fit under the exception that S.B. 753 proposes. That exception would allow a massive leak of personal information and grievously harm the California Consumer Protection Act.
We do recognize that S.B. 753 includes a provision attempting to limit further sharing of data by mandating contracts. This is unfortunately inadequate, because contractual provisions will be impossible to investigate and enforce.
The IAB, the tracking industry’s foremost lobby group, has observed in internal documents that “there is no technical way to limit the way data is used after the data is received by a vendor for decisioning/budding on/after delivery of an ad”.2 In other words, once every Internet user’s intimate information has been shared, there is no way to control it, or to undo the harm of sharing.
The exception would stifle innovation
We as industry participants know that there is no technical need, or business justification, for the mass-distribution of personal information for online advertising and auditing.
Brave’s own privacy-focused advertising system, currently in testing with the Dow Jones Media Group, and its blockchain token of attention that already pays 80,000 online creators and publishers, is an example of privacy-friendly innovation that is already happening.
High standards in the Act will enable better innovation. The real-time bidding system can and should operate without the inclusion of personal information and unique identifiers.
Californians deserve both strong privacy protections and innovation from industry. As industry innovators, we believe that strong legal privacy protections promote the best technologies. Therefore, we oppose S.B. 753.
Dr Johnny Ryan FRHistS
Chief Policy & Industry Relations Officer
- Evidence to United Kingdom Information Commissioner’s Office, and to Irish Data Protection Commission on the scale of RTB bid requests, submitted on 20 February 2019 (URL: https://fixad.tech/wp-content/uploads/2019/02/4-appendix-on-market-saturation-of-the-systems.pdf).
- “Pubvendors.json: transparency & consent framework”, IAB TechLab, May 2018, presented in evidence to United Kingdom Information Commissioner’s Office, and to Irish Data Protection Commission on the scale of RTB bid requests, submitted on 20 February 2019 (URL: https://fixad.tech/wp-content/uploads/2019/02/2-pubvendors.json-v1.0.pdf).