On January 1, the California Consumer Privacy Act of 2018 (CCPA), came into force with the aim of granting consumers greater control over the use of their personal information. The new California legislation is just one example of a global legislative trend in recent years, where policymakers worldwide are advancing new data protection laws. The most significant of the trend is the European General Data Protection Regulation (GDPR), which came into force in May 2018.
The GDPR’s effect on Israel-based organizations is indisputable, due to its extraterritorial scope as well as the European Union’s requirements from business partners. The GDPR also accelerated the enactment of Israel’s Protection of Privacy Regulations, to make sure Israeli companies adhere to legislation enabling them to manage the personal data of EU residents.
Similarly to the GDPR, the CCPA also has extraterritorial applicability. Due to the broad definition of a consumer under the CCPA (any individual which is in California for other than a temporary purpose, or domiciled in California but is outside the state for a temporary purpose), and since California is the state with the largest population in the U.S., the CCPA will basically apply to any organization conducting business in the U.S. Hence, Israeli organizations that are conducting such business will need to comply with the CCPA requirements. Such compliance will also be required by their California based business partners, which are obligated to have adequate contractual terms in place with their service providers.
While the CCPA is not as stringent as the GDPR on other issues, its broad definition of personal information, referring to data usually collected in the course of online behavior tracking operations, means the CCPA will have the most material effect on Israeli organizations operating in the online ecosystem, including adtech, e-commerce, and digital media. Under the CCPA, personal information includes names, aliases, unique personal identifiers that could identify an individual consumer, family, or device over time and across services, online identifiers, email addresses, account names, and commercial information, such as records of products and services purchased and purchase histories or tendencies. This definition explicitly includes browsing and search histories, geolocation, and consumer interactions with websites, ads, and apps.
Over the past year, the online advertising industry has grappled with the practical challenges of complying with CCPA. Now that the new law—the first of its kind in the U.S.—has gone into effect with the new year, businesses operating in California are required by law to provide California residents with explicit notice and the opportunity to opt-out of the sale of their personal information, thus establishing powerful individual rights that represent a major step forward in U.S. privacy legislation.
Practically speaking, however, the law’s notice and do-not-sell obligations present unique structural challenges for ad tech companies, many of whom operate as intermediaries, lack a direct relationship with users, and may or may not have formal contractual relationships with data supply chain partners, including publisher properties where the personal information and insights about user activity are utilized to power data-driven advertising.
In Europe, the GDPR has similarly created challenges for ad tech, with industry efforts to create compliance systems that can provide the detailed disclosures and permissions required facing regulatory scrutiny. New laws in Brazil and soon in India will only make compliance more challenging in important emerging markets.
But those focused on legal compliance will miss the more significant challenges to the ad tech business model. Ad tech tracking of consumers is dependent on the cooperation of browsers and mobile operating systems, which are taking more and more steps to prevent the data collection that powers many of today’s advertising business models. Apple’s Safari has long blocked third-party tracking cookies, a factor that could be ignored when its market share was limited to Mac computers but has a serious impact on mobile devices. Mozilla’s Firefox and Microsoft’s Internet Explorer have also rolled out new cookie limitations. A February update to Google’s Chrome will block all third-party cookies unless a new policy declaration is made by developers and future Chrome plans may implement major changes to tracking. Anyone using an iOS or Android mobile device is aware of the new limits placed on location tracking by apps but many additional steps have already been implemented and more are on the way, including a planned ban by Apple of all third party tracking on apps targeting children.
Adtech plays a critical role today in supporting the economic viability of many publishers, but it is clear that the long term viability of the sector is under pressure. The challenge for these companies is clear and they must take steps to gain the trust of consumers and provide relevant advertising while ensuring individual privacy. Adtech startups have been prominent in the Israeli tech ecosystem, but today’s adtech innovator faces more complicated issues. Will local companies rise to the challenge? The fate of the ad tech sector and all those who depend on its revenue stream to provide access to online content may depend on it.
Adi El-Rom is a partner at Israel-based law firm Amit, Pollak, Matalon & Co. and leads the firm’s digital technology and regulations department.
Jules Polonetsky is the CEO of Washington D.C.-based think tank the Future of Privacy Forum, and the founder of Tel Aviv-based policy think tank the Israel Tech Policy Institute.