The California Consumer Privacy Act, which regulates data collection, doesn’t go into effect until next month, but it may already be heading for a showdown with one of the biggest data collectors of them all: Facebook.
When the CCPA (full text here, if you really want to dig in) goes into effect on January 1, it will be the strictest digital privacy law in the United States to date, and the first law in the country that gives adults some rights over the collection of their data. Companies will be required to tell California residents what data about them is being collected, if it’s being sold, and to whom. It will give California residents the ability to opt out of having their data sold, and in some cases let them access and delete data a company has about them.
Though this is a state law, it will likely affect all Americans. It’s both easier and safer for companies to apply it nationally, and it’s expected that most of them will follow Microsoft’s lead and do exactly that. You may have noticed several websites sending you notifications about updated privacy policies recently; this is likely why.
Facebook is taking a different tack for its web tracker, Pixel. Pixel’s name comes from its physical appearance on a website that installs it: literally, one square pixel. But behind that pixel is code that installs cookies on your browser, allowing it to track your activity across the internet. Facebook is able to link your browser (and its activity) to your Facebook account, which gives it valuable data about you as an individual as well as any categories it has placed you in — things like your location, age, gender, and interests.
Facebook provides this code to businesses free of charge, and those businesses can then purchase ads based off the information that Pixel collects. But that information only goes one way; Facebook knows who you are, but the business doesn’t. It can then purchase ads from Facebook that target, say, women ages 30-44 who live in Los Angeles, or advertise a certain product to site visitors who interacted with that product in some way.
That’s why you might see an ad for a shirt you placed in an online retailer’s shopping cart (but didn’t buy) on your Facebook timeline.
According to the Wall Street Journal, Facebook will claim that it doesn’t sell the data that its web trackers collect; it simply provides a service to businesses and websites that install Pixel on their sites. Because of this, it believes its web trackers are exempt from CCPA’s regulations, which have exceptions for data exchanged with a “service provider” that is “necessary to perform a business purpose.”
Legal experts who spoke to Recode disagreed with Facebook’s interpretation.
“CCPA allows data transfers to service providers so they can provide services and says those transfers don’t count as selling user data,” Roger Allan Ford, a law professor at the University of New Hampshire who specializes in technology law, said. “But Facebook also seems to use the data for its own purposes, separate from providing ad services, and can’t rely on the service provider exception for those uses. So if Facebook does use tracking data for its own business purposes, then its argument is wrong.”
Basically, Ford is saying that if Facebook uses the data it collects from Pixels in any way other than providing ads to the businesses it collected that data from, it can’t claim a business purpose exemption.
Ari Waldman, director of the Innovation Center for Law and Technology at New York School of Law, said that Facebook’s attempt to get around part of the CCPA was “par for the course for this company.”
“Just because Facebook doesn’t ‘sell’ data to others (the company sells ads based on its vast data collection), that doesn’t mean this rule doesn’t apply,” Waldman said, adding, “By not changing its practices and arguing, with all likelihood, that the company falls under [the] ‘business purpose’ exception, Facebook is taking advantage of some ambiguity in the law to reframe the law’s requirements to suit its own purposes.”
Jacob Snow, a technology and civil liberties attorney for the ACLU of Northern California, also doubted that Facebook’s exemption argument would hold up.
“When a website delivers massive volumes of personal information to Facebook, that’s a sale under the CCPA,” he said. “Facebook’s plans to disregard the law is but another example demonstrating that industry will do anything to protect their bottom line at the expense of Californians’ rights.”
Facebook addressed this in a blog post last week that seemingly put the onus on the sites that install its tracker to make sure their use of it complies with the CCPA: “We encourage advertisers and publishers that use our services to reach their own decisions on how to best comply with the law. ... We will only use our partners’ data for the business purposes described in our contracts with them.”
As for the rest of its services, Facebook also said in the post that it believes it already gives users the ability to “easily manage their privacy and understand their choices with respect to their data,” and that it will be posting a “supplemental notice” to further explain its data policy as the CCPA goes into effect.
Assuming Facebook sticks to its guns, the final say will most likely rest with the California attorney general’s office, which is in charge of enforcing the CCPA and declined to comment on the record for this story.
Correction: An earlier version of this story misstated the name of the California privacy law. It is the California Consumer Privacy Act.
Open Sourced is made possible by Omidyar Network. All Open Sourced content is editorially independent and produced by our journalists.