The California Consumer Privacy Act (CCPA) goes into effect as the new year begins, but it appears Facebook will not be changing any of their web tracking practices in response to it. The Wall Street Journal reports that Facebook has told advertisers that it does not need to make changes as the social media company does not directly sell the data it collects about users.
Bearing some similarity to Europe’s General Data Protection Regulation (GDPR), the CCPA is currently the strongest data privacy law in the United States and threatens to force companies in the personal information business to make major changes to their operations. Companies must do more to disclose what data is collected and how it is used in order to comply with the law, as well as give users greatly increased ability to request that data not be sold or that it be removed entirely.
Why would Facebook’s web tracking be exempt?
To follow Facebook’s argument against the new California law, it helps to know a little about how the company collects data and then monetizes it.
Facebook’s web tracking system is called Pixel, and the company pitches it as a business-to-business ad service. When Facebook users visit the site, it uses a single invisible pixel to deliver cookies to the end user’s browser. Those cookies track web user movement beyond Facebook, building a personal profile based on the sites you visit.
The catch that Facebook thinks will get them out of CCPA is that businesses are able to install Pixel free of charge, and pay only for Facebook to deliver targeted ads based on the information they harvest. Facebook believes that they are excepted from the CCPA terms given that they are not directly selling the personal data they collect to these businesses, and given that it is never made visible to them. The business simply provides Facebook with the general demographics to target ads to, things like location and age range, and Facebook targets their ads to users it believes fit the requested profile.
The results of this legal debate will likely have national implications for all enterprise-scale businesses that sell data. It’s very troublesome for companies of this size to have one set of terms in California and one in the rest of the nation, not to mention the possibility that other states will adopt their own privacy standards similar to the CCPA (Maine and Nevada have just passed new laws and 16 other states have some sort of bill under consideration). Microsoft announced in November that the company would apply CCPA terms to all of its web tracking and data collection in the United States, and many other companies are expected to follow suit.
Can Facebook get out of the CCPA?
Facebook believes that they can sidestep the CCPA by defining themselves as an ad tech “service provider” that essentially acts as a middleman delivering anonymized data to clients. Vox’s Recode spoke to three legal experts who all seem to believe that Facebook’s bid to be exempted from the CCPA will fail. One technology law expert pointed out that any internal use of the collected web tracking data for business purposes would render Facebook’s argument invalid, while another noted that the transfer of personal data as part of the web tracking services would be regarded in the same way a sale would under the CCPA terms so long as the company is deriving some sort of “monetary or other valuable consideration” from it.
As with the GDPR, the CCPA will be primarily complaint-based. California users will need to bring an action with the state Attorney General’s office, which has yet to comment on Facebook’s status. The new California law requires consumers to first notify the company that is selling user data, and the company is given 30 days to remedy the complaint. It will still be half a year before the AG’s office can really force tracking services to comply with the new law.
Facebook is likely counting on such challenges being reviewed and their status being clarified by the AG’s office prior to the July 1 start of enforcement actions. If the company is found to be subject to the CCPA, it would face potential fines of $2,500 for each unintentional web tracking violation and $7,500 for each intentional violation.
Making sense of Facebook privacy settings
Facebook’s case for an exemption for their particular form of web tracking may well hinge on a single argument. The company needs to successfully convince courts that users can easily tweak their privacy settings and opt out of having their data sold should they so desire.
That looks to be an uphill battle for the company. Facebook rolled out new privacy settings options in mid-2018 in the wake of the Cambridge Analytica scandal, but some aspects of personal data management on the platform remain anywhere from confusing to inaccessible to most users. In September, the company was forced to suspend tens of thousands of apps due to misappropriation of personal data. The company has also faced legal pushback and the threat of FTC intervention over data transfers and integration from companies it has acquired, such as WhatsApp and Instagram.