California, that innovative economic juggernaut that so often takes the regulatory lead on matters such as automobile emissions, is once again establishing the ground rules to a vital industry. The California Consumer Privacy Act (CCPA), signed into law by Governor Jerry Brown in June, is the improbable result of a wealthy real estate investor, with the colorful name of Alastair Mactaggart, and a gang of volunteers taking an interest in consumer privacy. Mactaggart used California’s zany ballot initiative system (and his personal fortune) to get a version of a proposed privacy law onto the November ballot. Faced with the horrifying prospect of a well-funded privacy evangelist jamming regulation down the throats of the state’s golden-goose tech companies, legislators quickly devised their own alternative. This rollicking policy adventure is recounted at length in a cover story by Nicholas Confessore for The New York Times Magazine.
Look through the rah-rah triumphalism of the piece, however and you’ll see that far from succumbing to some irresistible activist push, incumbents Google and Facebook craftily shaped the legislation to suit themselves. When in the history of American democracy have state legislators voted to severely and onerously regulate trillion-dollar companies in their home districts, motivated only by an overweening concern for consumer rights (and not donor pressure)? Never, is the answer—which is why the implications of CCPA could use some further scrutiny. (Spoiler alert: Facebook doesn’t hate the law).
First, what the law does.
CCPA resembles a weaker form of Europe’s General Data Protection Regulation, or GDPR, which took effect in May. The California law requires companies to provide an opt-out to data sharing (GDPR required an opt-in), clear statements of what data is being collected or shared with third parties (as does the GDPR), and the right to delete data about yourself. The unique element, and the only one that the tech giants really pushed back on, was a provision granting individuals the right to sue companies for violating their privacy. The clause was effectively neutered when a political compromise limited the right to cases of egregious data loss or theft.
This resemblance to GDPR, if you’re a privacy activist, is more bug than feature: Companies like Facebook and Google already comply with GDPR (or comply as much as anyone) and have extended those GDPR protections to US users. When the CCPA takes effect on January 1, 2020, the average Facebook user will likely not notice.
To understand why the CCPA won’t impact Facebook in any meaningful way requires understanding (at a high level, not to worry) how Facebook’s ads ecosystem treats data and outside partners. Unlike much of the ad-tech world, Facebook lives in a walled garden where no data leaves and very little enters. When an advertiser wants to retarget you, it exchanges your contact information with Facebook, both sides agreeing to a pseudonym for you, before placing you in one or more targeting buckets (“shoe shoppers,” for example). For Facebook’s most powerful and invasive micro-targeting, almost no data is shared between advertiser and publisher, and data middlemen are largely absent. Which is why, if you download your data from Facebook, the juiciest information is in the least remarkable section: “Advertisers Who Uploaded a Contact List With Your Information.” Users and journalists fixate on the supposed creepiness of Facebook having a call log for you, for example, but the real targeters are buried in that list of companies sharing contact information. The CCPA won’t change this.
So who is impacted by the CCPA?
Primarily, companies you’ve never heard of like Drawbridge and LiveRamp (now owned by Acxiom, another company you’ve never heard of, but which knows everything about you). Drawbridge, using data that it managed to beg or borrow, like your IP address or GPS-derived location, figures out all the devices you own. Why? So that an online retailer that notices you browsing for a new handbag on your work computer can serve you an ad for that handbag on your mobile device on your commute home. Such “cross-device targeting and attribution” is one of the holy grails of modern digital advertising.
What does LiveRamp do? Ever notice how you seem to get served ads online for products you bought in physical stores? That’s not because Facebook is eavesdropping on your phone. It’s done via what’s known as “data onboarding,” where personal data like your name, address, or phone number (which retailers know through loyalty-card programs and the like) are converted into ways to target you online. Middlemen like LiveRamp join online with offline by buying your personal data and then working with publishers—email newsletters, dating sites—to identify your browser cookies. Don’t sweat the details; the net of all this hackery is a table with your personal data plus a browser cookie or mobile device ID, which allows, say, a pharmacy chain that knows your phone number (which you entered at checkout to save 5 percent) to link all your purchases to your online presence.
Together, these relatively small players provide an alternative targeting ecosystem that competes with Facebook’s one-stop-shop. If you’re Walgreens, you can use LiveRamp (or its competitors) to target people via real-time ad exchanges. Or you can upload your customers’ contact details to Facebook. The advertiser is agnostic, so long as the pixels reach the right audience.
Here’s why Facebook is better positioned for CCPA, or GDPR: It has a direct relationship with you. How does it know every device you use? Because the first thing you do when you buy a new device is log into Facebook, Instagram, or WhatsApp. How does it know your name, phone number, and address? Because you told it those things, or opted into sharing your location via the Facebook app.
The California and European privacy rules favor these first-party relationships. Data coming from elsewhere—known as third-party data—is viewed with more suspicion, so this privileged state of affairs is unlikely to change soon. So long as Facebook’s apps remain as addictive as they are, Facebook will know who you are, where you are, and every digital pseudonym for you, whether a browser cookie or a mailing address.
You might now be wondering if this approach to advertising was a piece of far-sighted strategy by Facebook, to avoid the inevitable privacy storm. I can state, with some authority since I was at Facebook at the time, that the answer is no. This closed system of identity-matching with minimal data sharing was conjured mostly to assuage the mutual suspicions of Facebook and its advertisers: Advertisers didn’t trust Facebook not to recycle their precious consumer data, and Facebook didn’t trust advertisers not to repurpose its user data. A minimalist data join, with all Facebook data remaining safely within its walls and Facebook not touching often dubious outside data, was the result. It’s just a happy accident (for Facebook) that this is the optimal architecture for weathering privacy regulation like the CCPA and GDPR.
Ultimately, the CCPA is a fatal blow not to Facebook but to the competing middlemen. Shortly before GDPR took effect, Drawbridge announced it was leaving the European market. Then it announced it was leaving advertising altogether. LiveRamp is reported to be up for sale. Facebook itself shut down its Partner Categories program that used targeting segments from data brokers like Acxiom, cutting off its last connection to that world. Under CCPA and GDPR, if you want to target consumers across devices, or use your trove of offline consumer data online, you’ll have to use Facebook instead of the few competitors that once eked out a business outside its walled garden.
It’s as if the privacy activists labored to manufacture a fearsome cannon with which to subdue giants like Facebook and Google, loaded it with a scattershot set of legal restrictions, aimed it at the entire ads ecosystem, and fired it with much commotion. When the smoke cleared, the astonished activists found they’d hit only their small opponents, leaving the giants unharmed. Meanwhile, a grinning Facebook stared back at the activists and their mighty cannon, the weapon that they had slyly helped to design.
The good news is that while the activists missed their big, showy target, they hit the often sketchy data arbitragers who do the real dirty work of the advertising machine. Facebook and Google ultimately are not constrained as much by regulation as by users. The first-party relationship with users that allows these companies relative freedom under privacy laws comes with the burden of keeping those users engaged and returning to the app, despite privacy concerns. Acxiom doesn’t have to care about the perception of consumers—they’re not even aware the company exists. For that reason, these third-party data brokers most need the discipline of regulation. The activists may not have gotten the legal weapon they wanted, but they did get the legal weapon that users deserve.