Dear Mr. Soublet,
Boltive, a privacy technology company doing business in California, appreciates the opportunity to comment on Proposed Regulations Under the California Privacy Rights Act (CPRA). We thank the California Privacy Protection Agency (CPPA) for seeking input from stakeholders in developing regulations.
Over five years, Boltive software has been used by hundreds of online companies to identify and block malicious and non-compliant advertising. We monitor 100 billion ad impressions per month. Recently, many of our clients have asked us to help them comply with data privacy regulations because they understand the risks posed by consent errors (see Figure 1).
Our software utilizes synthetic personas as secret shoppers for data privacy compliance. We enable companies to audit and remediate their practices so they follow CCPA/CPRA terms. Somewhat surprisingly, over 90% of the companies we work with find consent flaws that could cause unauthorized data selling or sharing. We believe our findings can be useful to the current rulemaking process.
We are pleased with the changes the CPPA has made in the rules, especially regarding third parties in 7026(f) and 7053(b). However, we believe the Agency can go further in 7026(a)(4) and 7053(a)(4) to provide better consumer protection.
Our comments can be summarized in four areas:
Section 7053(b) helps ensure businesses contract with third parties to check and honor consumer opt-outs. In some cases, businesses have authorized third parties to act behalf of businesses or for their own purposes.
Section 7026(f) states the obligations to businesses and third parties to pass opt-outs throughout the chain of vendors. In 7026(f)(2)-(3), when a consumer requests to opt-out, businesses must notify all third parties and “forward the request to any other person” with whom personal information has been disclosed or shared. Section 7026(f)(4) calls for a confirmation signal, defined as “providing a means by which the consumer can confirm that their request to opt-out of sale/sharing has been processed by the business.”
These are critical points because of the prevalence of what we call “dark signals.” Consumer opt-outs are mis-transmitted between the chain of cross-context behavioral advertising vendors over one-third of the time. This means opt-out signals elected by consumers are lost in the series of technical hand-offs between adtech vendors, causing consumer harm as data is shared illegitimately. We illustrated dark signals in a prior written submission November 5, 2021, and spoken testimony to the CPPA on May 5, 2022
The problem of failed opt-outs largely rests with lesser-known third parties in cross-context behavioral advertising. These are more often intermediaries in the consent chain rather than the better-known advertisers and publishers.
Privacy and security go together. CPRA rules follow security principles from CCPA and the California OAG requiring companies to implement reasonable security procedures. These principles include “reasonable security measures” that are different for online advertising than email and are described in CCPA FSOR Appendix A at 134 (response 431) and at 311 (responses 431, 924).
We strongly support the regulations as currently drafted and encourage the CPPA to leave them unamended.
Statements referring to reviews, audits and scans of service providers in 7051(a)(7) should also refer to third parties in 7053(a)(4). We welcome 7051, where various contract provisions are consolidated. Further, under 7051(a)(7), contracts between businesses and service providers or contractors grant a business the right to undertake “ongoing manual reviews and automated scans of the service provider’s system and regular assessments, audits, or other technical and operational testing at least once every 12 months.”
We are puzzled as to why this language is missing from 7053(a)(4), which merely states a “business may require the third party to attest” to their compliance. It is not clear to us why third parties are granted relief from the reasonable and appropriate steps in 7051(a)(7).
In our software trials with dozens of online brands, we’ve found the greatest vulnerabilities in data sharing come from transmissions to third parties for cross-context behavioral advertising. These vulnerabilities have been overcome through the evidence from our software audits. The best way to ensure third parties don’t misuse personal data is to require businesses to audit them.
The safe harbor clarifications applying to service providers in 7051(e) also should apply to third parties in 7053(e). You have wisely updated rules in 7051(e) and 7053(e) and are closing loophole in CCPAs. Ignorance of lapses by service providers, contractors, or third parties should not be a defense. But section 7053(e) addressing third parties should carry the same language as section 7051(e) addressing service providers.
Section 7051(e) makes it clear there is no safe harbor with service providers if you don’t exercise audit rights. It states, “a business that never enforces the terms of the contract nor exercises its rights to audit or test the service provider’s or contractor’s systems might not be able to rely on the defense that it did not have reason to believe that the service provider or contractor intends to use the personal information in violation of the CCPA”
In 7053(e), which applies to third parties, the statement is similar, but omits “exercises its rights to audit or test the [third party’s] systems.” Instead, the business is advised simply to enforce its contract with the third party. We propose you add the audit and test language to ensure best practice.
In our analysis of opt-out consent failure rates, handoffs from the business to third parties or in between third parties is a greater source of errors than the hand-off from consent management platforms. In fact, third-party consent handoffs fail 24% of the time (see Figure 2).
2. These handoffs continue to be grey areas of deniability. The solution is to apply the language from 7051(a)(7) and 7051(e) to the appropriate clauses that apply to third parties in section 7053.
One might argue against our two recommendations on the grounds that testing and auditing third parties creates an unfair burden to businesses. Fortunately, the necessary scanning can be accomplished with low-cost software automation that avoids a manual burden on companies.
The ISOR explanation for the rejection is because they “concern the collection of personal information and not the sale or sharing of personal information. An acceptable method for submitting requests to opt-out of sale/sharing must address the sale and sharing of personal information.”
We disagree with this interpretation because preference centers commonly bundled with cookie banners can integrate with on-page tags and cross-context behavioral advertising vendors to address the sale and sharing of personal information.
Furthermore, cookie banners are a widely accepted method of opting out, particularly with cross-context behavioral advertising. Our data shows these technologies have limitations, but they are correctable. We are unaware of other commonly used methods for opting out of OBA that are superior. If web publishers opt for homegrown solutions, consent is even more likely to be lost than if solutions by specialist vendor are used.
We understand this method may be insufficient with respect to other forms of data sharing such as through data brokers. But we urge the CPPA to reconsider the interpretation cookie banners and controls are not acceptable for advertising opt outs.
Consumers may change their minds about data sharing for any number of reasons. Their life circumstances may change. Businesses may add intrusive terms to their privacy policies. Fortunately, other laws have provided language we can reference.
GDPR has consent revocation as a definitive right. Article 7 of the GDPR expressly states that a “data subject shall have the right to withdraw his or her consent at any time.”
The CTDPA, Connecticut’s consumer privacy law, specifically states users have the right to revoke consent. Exercising this right must be easy, “at least as easy as the mechanism by which the consumer provided the consumer’s consent” (Section 6(6)). Upon revocation, the controller as defined under Connecticut law must stop processing data as soon as feasible, but no later than 15 days after receipt of request.
Finally, as of this writing the draft text of the American Data Privacy and Protection Act (ADPPA) says a company must “provide an individual with a clear and conspicuous, easy-to-execute means to withdraw any affirmative express consent previously provided” (Section 204(a)).
We do not see this clause in the CCPA revised language. We recommend adding it to 7002(a). Requiring businesses to honor withdrawal of consent at any time recognizes consent, like nearly every agreement between individuals and businesses, is not permanent and irreversible.
Closing
Failing to hold third parties accountable creates far more issues than just consumer inconvenience. Unauthorized data sharing can reach malware providers and even sanctioned entities (see Figure 3).
We continue to monitor and gather data around consent opt-outs and unauthorized data collectors so companies can comply with CCPA, CPRA, and industry standards such as generally accepted privacy principles (GAPP), privacy by design, and the like. Thank you for consideration of our comments. Please do not hesitate to reach out if you have any questions.
Respectfully submitted,
Dan Frechtling
CEO
Boltive