Skip to content
Naked Security Naked Security

Ad industry groups ask that the CCPA keep its mitts off their cookies

Ad-blocking technologies can block the cookies that record consumers' privacy choices, they claim.

Five ad industry groups have asked California Attorney General Xavier Becerra to change stipulations about cookie-blocking in the state’s impending, far-reaching, almost-GDPR-but-not-quite privacy law, which goes into effect in the new year.

It’s for the sake of consumer choice, they said.

Initially, the language in their letter seemed to be requesting a ban on privacy tools such as extensions that block ads and tracking scripts, but the comments turned out to be asking for something a bit more nuanced than that: MediaPost reporter Wendy Davis later said that the groups clarified, saying that they only want the AG to prohibit browsers from blocking the industry’s opt-out cookies – AdChoices – as opposed to all cookies.

The five groups submitted 13 pages worth of comments to the Office of the Attorney General (OAG) on Friday – the last day that comments were still being accepted in the rule-making run-up to the enactment of the California Consumer Privacy Act (CCPA).

Last month, it looked like that law would become the ipso facto privacy law of the land – a scenario that has tech businesses fretting over the prospect of what compliance will cost – given the failure of Congress to enact a federal privacy law. Having said that, a last-ditch effort at the national level cropped up in the last days of November, when Senator Maria Cantwell introduced the Consumer Online Privacy Rights Act (COPRA).

And having said that, experts say that there’s zero chance of bipartisan agreement on that bill, or any bill at the federal level.

The five ad industry groups that want the CCPA tweaked are the American Association of Advertising Agencies (4As), the Internet Advertising Bureau (IAB), The Association of National Advertisers (ANA), the American Advertising Federation (AAF), and the Network Advertising Initiative (NAI). They said in their letter that their requested tweaks are meant to protect consumer choice.

They say that people like the ad-supported internet and either wouldn’t want to or couldn’t afford to access an internet where they have to pay subscription fees:

If a subscription-based model replaced the ad-based model, many consumers would likely not be able to afford access to, or would be reluctant to utilize, all of the information, products, and services they rely on today and that will become available in the future.

But what about all of us who use adblockers and/or set our browsers to block cookies?

The ad big boys say that what the CCPA needs is to enable opt-out mechanisms for businesses that don’t collect personally identifiable information (PII):

Many businesses in the online ecosystem may maintain personal information that does not identify a consumer on its own, for example, IP addresses, mobile advertising identifiers, cookie IDs, and other online identifiers.

For businesses that maintain this non-identifying information, webforms may not work to facilitate consumer requests to opt out, because the consumer’s submission of identifying information such as a name, email address, or postal address may not be easily matched to non-personally identifying information the business does not maintain.

The CPPA, as written, would actually force companies to re-identify PII by using techniques the industry avoids in order to “enhance consumer privacy,” they said. So how about this instead: how about we let businesses offer a way for consumers to opt-out of the sale of their PII?

The OAG has indicated that it may, in fact, issue a button or logo that would enable consumers to do just that.

What the law now says:

If a business collects personal information from consumers online, the business shall treat user-enabled privacy controls, such as a browser plugin or privacy setting or other mechanism, that communicate or signal the consumer’s choice to opt-out of the sale of their personal information as a valid request [under the law].

Consumers’ rights under CCPA can be grouped into these general categories:

  1. Businesses must inform consumers of their intent to collect personal information.
  2. Consumers have the right to know what personal information a company has collected, where the data came from, how it will be used, and with whom it’s shared.
  3. Consumers have the right to prevent businesses from selling their personal information to third parties.
  4. Consumers can request that businesses remove their personal information.
  5. Businesses are prohibited from charging consumers different prices or refusing service, even if the consumer exercised their privacy rights.

The ad groups say that if you let consumers block cookies, you let them block cookies that actually let them set privacy preferences:

…intermediaries, such as browser and operating systems, can impede consumers’ ability to exercise choices via the internet that may block digital technologies (e.g. cookies, JavaScripts, and device identifiers) that consumers can rely on to communicate their opt out preferences.

…which is the exact opposite of what the CCPA is supposed to be about, they continued:

This result obstructs consumer control over data by inhibiting consumers’ ability to communicate preferences directly to particular businesses and express choices in the marketplace. The OAG should by regulation prohibit such intermediaries from interfering in this manner.

1 Comment

This puzzles me greatly, as the ad group seems to have missed the first step in their argument… the one that nullifies their objection.

If I visit a web page, what am I unsubscribing from? *I* instigated the connection. Surely the cookie is there so that they can recognise my return to the site.

The connection with ‘unsubscribe’ seems tenuous at best.

Comments are closed.

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?