CCPA, GDPR and the Future of Cross-Device Tracking

Efforts to regulate cross-device tracking have increased since we last addressed the topic in 2017, following the release of the FTC’s Staff Report. Significant developments include the implementation and enforcement of the EU’s General Data Protection Regulation (GDPR), and the fast-approaching implementation deadline for the California Consumer Privacy Act (CCPA). These regulations, while not targeting cross-device tracking specifically, seek to limit the way in which consumer data is tracked and sold.

Cross-device tracking refers to the practice of following a consumer’s activity across their devices, in order to provide a seamless customer experience, prevent fraud, and more visibly, to provide targeted advertising. Such tracking is usually conducted through first- or third-party data sharing. First-party data refers to the information collected and analyzed by the creator of the content or products you consume. Third-party data refers to the information gathered by entities that collect and analyze your information, such as Google searches or online shopping history, in order to make inferences about you.

The CCPA targets third-party data sharing, requiring that “third parties” (entities that process data but are neither the business collecting the data nor specifically defined service providers) provide notice and an opportunity to opt out before selling a consumer’s personal information. This will affect companies that work in the background, exchanging information they’ve gathered on consumers with businesses seeking to reach a more targeted audience. More generally, the CCPA applies to companies wherever they are located that are doing business in California, that collect information about California residents, and that meet certain thresholds.

The CCPA goes into effect on January 1st, 2020, and enforcement is scheduled to begin on July 1, 2020.

In addition to the CCPA, Europe’s GDPR has garnered significant attention. The GDPR went into effect on May 25, 2018, and applies to the entirety of Europe, as well as to American companies with a presence in the EU. The territorial scope of the GDPR extends to organizations not physically established in the EU, but that monitor or process the personal data of EU subjects as it relates to the “offering of goods or services,” regardless of whether or not payment is required.

GDPR restrictions on access and exchange of consumer information are wide-reaching and affect the ability of platforms, publishers, and advertising tech companies to track user data across devices.

The Information Commissioner’s Office (ICO), charged with enforcement of the GDPR in the UK, has issued fines to companies not in compliance. The size of these fines indicates that the ICO is serious about enforcement, and affected companies are starting to look for alternatives, including a move away from third-party cookies towards first-party data and contextual advertising.

The good news for companies affected by these regulations is that the GDPR and the CCPA are very similar, so companies that have made the changes necessary to comply with the GDPR should have an easier time preparing for the advent of the CCPA. Nonetheless, there are significant differences between the two, and additional adjustments will be necessary to ensure CCPA compliance. DataGuidance and Future of Privacy Forum have published a useful guide comparing the scope, definitions, legal basis, rights, and enforcement of both regulations.

While this regulatory crackdown will not abolish cross-device tracking entirely, it will certainly affect the things you see and how you interact with platforms and publishers across all your devices.
