CPPA Testimony on Dark Signals
I am Dan Frechtling, CEO of Boltive, a software company doing business in California that exposes personal data leakage.
I wish to speak on the ways current technologies and methods routinely interfere with consumers' rights to opt out. As important as it is to address dark patterns, it is just as important to address dark signals.
Dark signals are consumer opt-outs that fade as they are passed to downstream parties in cross-context behavioral advertising. Consumers choose to opt-out or opt-in, but with dark signals the choice is never received by those buying ads. Dark signals endanger consumer opt-out rights.
Real-time bidding is a technical protocol that powers cross-context behavioral ads. It is an auction completed in 200 ms. It plays a worthy role by delivering relevant messages to consumers. But there are vulnerabilities.
Here’s an illustration, starting with a mobile website. For opt-outs to work within real-time bidding, websites must shake hands with supply side platforms, exchanges & networks, then demand side platforms in order to communicate to advertisers. This can involve 50 or more vendors. Leaks can happen anywhere, at any interface between parties. And these third parties make code changes periodically, which can cause leakage.
Critics of real-time bidding say it passes personal information about geolocation, health, religion, sexual preference, and ethnicity.
Because CPRA came about partly to restrain excesses in cross-context behavioral advertising, Boltive recently completed a study to see how many of the Fortune 100 use opt-out technologies that are both compliant with the law and work with web protocols like real-time bidding.
Boltive’s auditing tool creates secret shoppers to expose exactly where the leakage is. We found 2/3 of the Fortune 100 use consumer opt-out methods that are either legally unapproved or cause dark signals.
We classified five methods of opting out of data sharing: industry consortia, used by 69 firms; web forms, by 47 firms; consent management platforms, by 42 firms; offline methods, by 11 firms; and user-enabled methods like GPC, accepted by zero firms. Firms are required under CCPA to use two or more methods. Here is where they succeed and fail…
1. The industry consortium model, such as the Digital Advertising Alliance and the Network Advertising Initiative with 127 vendors participating, is the most popular. The underlying technology works 98% of the time. But the consortia appear to be voided by two OAG-published notices of alleged noncompliance.
2. Online web forms are the second most common. They have precedent, since consumers use them to opt out of email communications. They are permitted by CCPA in section 135(a). But they, too, don't integrate well with real-time bidding when the user is not logged in. Boltive has found 62% don't delete some or all third-party browser cookies, so personal information is still shared down the chain of vendors.
3. Consent management platforms are the third most common. They are allowed by CCPA. But Boltive's software finds these handshakes fail 25% of the time in real-time bidding.
4. Offline methods such as phone and email are the fourth most common. These are specifically mentioned in 11 CCR 999.315(a). But they are incompatible with real-time bidding unless the user is logged in to an account with the company, which is extremely rare.
5. Lastly, user-enabled methods, also called global opt-out preference signals, like the Global Privacy Control (GPC) and the Advanced Data Protection Control (ADPC), are permitted. But none of the Fortune 100 have adopted them based on our research.
Our research shows 2/3 of the Fortune 100 are not effectively handling consent. And dark signals endanger consumer opt-out rights.
In one example, Boltive found a foreign company known for ad fraud extracting personal data to build profiles of consumers. In another example, Boltive recently found advertising to manipulate public perception of the Russian invasion of Ukraine.
But most of the time, data leakage is unintentional. Usually, companies are acting in good faith. But they and their vendors use opt-out methods that don't work. We need rules to ensure opt-out methods are both legal AND effective.
To address this, CPPA rulemaking must ensure dark signals DO NOT endanger consumer opt-out rights in cross-context behavioral advertising.
Clearly the intent of CPRA goes beyond advertisers and data controllers to downstream partners and data processors. But the statute is not clear in this regard.
The CPPA can clarify that the "requirements and technical specifications for an opt-out preference signal" in section 185(a)(19)(A) must include accurate transmission of opt-outs to all third parties in cross-context behavioral advertising.
Companies should then be audited for transmission of such opt-outs and for the action taken by parties in the advertising chain. Only then can consumers feel safe that their opt-outs are not misinterpreted as opt-ins.
Without this supervision, dark signals endanger consumer opt-out rights. The rules today are like delivering goods when a stranger presents a payment method but not checking if the payment actually went through.
Furthermore, the CPPA can ensure the audit authority mentioned in section 185(a)(18) includes verifying that opt-outs are authentically passed and received by parties in the advertising chain.
Monitoring the multitude of opt-outs by consumers every day may seem a tall task. Fortunately, businesses or the CPPA can audit using privacy-enhancing software like Boltive’s that requires no installation.
With cloud software it’s possible to orchestrate 100% compatibility, something both online firms and regulators may find of interest.
If rules don’t require opt-out signals to function down the chain, companies may do just enough to meet the letter of the rules, leaving gaps. But if CPPA rulemaking mandates that consumer choices accurately flow through vendors, similar to checking the payment actually goes through, CPRA will ensure dark signals DO NOT endanger consumer opt-out rights.