California’s sweeping privacy law is officially live, but not everyone plans on falling into line.
The state’s Consumer Privacy Act, dubbed CCPA, went into effect on Jan. 1. But one of the companies it was intended to rein in, Facebook (FB) - Get Report, has claimed that the law doesn’t apply to its web tracking practices, setting the stage for what could be a closely-watched showdown between California enforcement authorities and one of the world’s largest proprietors of consumer data.
The Wall Street Journal reported last month that Facebook is telling advertisers that it does not need to make changes to its web-tracking services -- a key component of Facebook's ad targeting capabilities -- in order to comply with CCPA, arguing that its activities don’t constitute a “sale” of consumer data under one of the law's provisions.
“Facebook seems to be trying to evade the CCPA by having it both ways -- they are claiming they are only a service provider, using a ‘business purpose’ exception that allows servicers who don’t sell data to transfer it in their normal course,” said Braden Perry, attorney at Kennyhertz Perry, LLC who specializes in privacy law.
The California law dictates that consumers may opt out of having their data sold, and request that their information be deleted, in addition to requiring greater disclosures to consumers on what personal information is collected and for what purposes. A Facebook spokesperson told TheStreet that for California residents, it complies with CCPA rules that apply to "service providers" regarding data it gets from third parties, by way of tools such as Pixel.
Facebook’s argument -- that it is just a middleman -- strikes many privacy experts as dubious, given that its multibillion-dollar empire is based on collecting vast troves of consumer data and offering it to advertisers. Ad sales constitute the vast majority of Facebook's revenue, which totaled $17.65 billion in the third quarter of 2019.
“If Facebook sticks with this questionable rationale for failing to follow the law of the state in which it is based, it will likely be the first big test of the CCPA by the California Attorney General,” Perry added. “With such a high-profile company trying to evade a law that is designed to regulate Facebook-like behavior, it will be critical to challenge that rationale and show that the CCPA has teeth.”
The California Attorney General’s office has not commented on Facebook’s posture regarding the law or on that of any other individual companies. While the law is in effect today, it isn’t enforceable for six months. And in order to compel Facebook to comply, the AG’s office would need to bring legal action against the company, meaning it could be awhile before any courts arrive at a decision regarding Facebook’s position that it merely serves as an intermediary. The law itself allows for civil penalties for violations, and for consumers to sue companies under certain circumstances.
Even if Facebook’s legal reasoning ultimately fails, however, it buys the company time to lobby for a federal law that would pre-empt any state privacy laws, such as CCPA, which is now the strongest privacy-related U.S. state law on the books. It also buys Facebook time until it is forced to implement any large-scale operational changes.
On Facebook’s third quarter earnings call, Facebook CFO David Wehner didn’t say what precise impacts Facebook anticipates from CCPA but called the law “a work in progress.” On the same call, CEO Mark Zuckerberg also reiterated the company’s position that a federal law is needed, a stance that is widely shared among large tech firms.
“I mean, we could handle that if we needed to,” Zuckerberg said, referring to potentially having to comply with a patchwork of state laws. “For the market overall, I just think it would be a lot better if we add a very clear set of rules at the federal level on privacy. So we’ll continue trying to work with folks to try to do what we can to help there.”
Regulators in California aren’t likely to be swayed by Facebook’s altruistic rhetoric. California’s AG has clashed with Facebook in the past, notably over Cambridge Analytica-related privacy violations -- which figure into the “spirit of the law” around CCPA, said Andrew Burt, chief legal officer at the data governance firm Immuta.
“I think the more important consideration here is the political environment -- [Facebook's] interpretation will clearly not sit well with the regulators or the legislators in Sacramento. Any exemptions Facebook is ultimately able to carve out, even in the best case for the company, are likely to be temporary,” Burt added. “The ‘move fast and break things’ approach, which I think this is a symptom of, is simply not a good long-term approach to the regulatory environment.”