'Californian GDPR': the first US attempt at protecting users' privacy faces resistance from ad industry groups

A recent news article caused a public outcry in ad blocking community. After the story broke, we discussed the situation in detail and came up with the same conclusion.

The bottom line of it is that a new law, California Consumer Privacy Act (CCPA), is being prepared. The act is going to provide California citizens with privacy protections bigger than in any other state, its final rulemaking is scheduled for January 2020.

Under the new law, companies will be required to:

• specify as detailed as possible the ways of collection, processing, use and transfer of personal data of users in confidentiality agreements,
• notify users about the transfer of their personal data for commercial purposes and give them the opportunity to withdraw consent to the sale,
• protect users' personal information.

Users, for their part, will be able to request access to their personal information and delete it.

Those principles may be consolidated into a requirement that businesses should honor the privacy choices of Internet users.

The European Union was the first to take a major step towards the protection of user data by adopting the General Data Protection Regulation (GDPR)

What happened next? Without losing further time, five ad industry sharks have appealed to California Attorney General Xavier Becerra and asked him to remove this requirement. Moreover, they want to legally prohibit browsers and other intermediaries (operating systems, extensions) from blocking opt-out cookies. Opt-out cookies communicate to ad servers that a user doesn't want to see personalized ads.

We in AdGuard consider their initiative to be risky and dangerous and here is why:

1. Opt-out cookies are usually set on domains of ad servers.
2. Ad blockers’ job is to block advertising domains.
3. It’s impossible to block domains without affecting cookies.
4. Therefore, such a legislative measure (a ban on blocking cookies) would create a loophole allowing an advertiser to demand unblocking of ANY ad server.

Such loopholes are a slippery slope that might lead to terrifying consequences.

In the beginning of the article we mentioned requirements of a new privacy law. Ideally, they should become universal rights of Internet users. There are four basic ones:

• a right to know whether (and what kind of) personal data is collected,
• a right to access own personal data and to delete it,
• a right to refuse collection of personal information,
• a right to refuse to have personal data sold.

As ad industry groups wrote in a letter to Becerra, blocking opt-out cookies will result in obstructing consumer control over their personal data distribution. In the US, Canada and Europe there is AdChoices. This program screens its users' interests and shows them 'relevant' internet-based advertising.

They call AdChoices a standard and say that browser extensions, conversely, are just baffling and it's unclear how they work. But here’s the thing:

1. By installing a blocker, users actually opt out of tracking and behavioral ads.
2. AdChoices are far less popular than ad blockers. According to SimilarWeb, around 4M users visit AdChoices and DAA, whereas there are over 300M users of ad blockers.

We believe that nothing good will come out of attempts to push AdChoices.
A simple comparison of user bases of AdChoices with ones of ad blockers makes it clear that blockers are considered de facto as standard for opt-out.

We agree with the CCPA and would like to draw your attention to its provisions, because it seems important to discuss what is happening in the industry.