In a continuing bid to make California's new privacy law more marketer-friendly, the Association of National Advertisers Tuesday urged the state to narrow the scope of information covered by the law.
The California Consumer Privacy Act, slated for enforcement next year, allows consumers to learn what personal information about them is held by businesses, and to opt out of the sale of that information.
The law's definition of “personal information” includes data that could potentially be linked to households or individuals -- like cookies, persistent identifiers, browsing history and IP addresses.
The ad industry, which relies on device identifiers, cookies and browsing history to serve targeted ads, has long contended that only data that definitively identifies individuals -- like names or email addresses -- is “personally identifiable.” The industry says data that potentially identifies specific individuals -- like cookies -- is “pseudonymous.”
Earlier this month, Christopher Oswald, ANA senior vice president of government relations, testified to Attorney General Xavier Becerra that the law's definition of personal data is too broad, arguing that any data theoretically can be connected to individual consumers.
Becerra, who is tasked with crafting regulations for the law, is currently holding a series of forums throughout the state.
On Tuesday, Oswald raised another argument against the law's definition of personal information. Testifying at a forum in Sacramento, he said companies may have to connect people names or email addresses with “pseudonymized” information in order to provide people with their data.
“The CCPA could have the unintended effect of forcing business to associate non-identifiable, pseudonymized device data with a specific person seeking to exercise their CCPA rights,” Oswald stated in prepared testimony.
Oswald urged Becerra to distinguish “pseudonymized data” from names, email addresses or other definitive identifiers, and to impose “DAA-like safeguards against the processing of pseudonymized data.”
The self-regulatory group Digital Advertising Alliance requires ad companies to notify consumers about the use of their data and allow them to opt out of receiving targeted ads -- but not out of the collection of information for ad purposes.
The DAA also prohibits members from collecting or using data to determine web users' eligibility for employment, credit, health care or insurance.