The California Consumer Privacy Act (CCPA), arguably the most sweeping data privacy law in the United States, went into effect on January 1, 2020. The CCPA requires companies that buy or sell data on at least 50,000 California residents per year to disclose what they do with the data and to whom they sell it. The law also gives consumers the right to prohibit such companies from selling their data to third parties or to delete all of their personally identifiable information (PII). Specifically, websites with third-party tracking capabilities are required to add a “Do Not Sell My Personal Information” button, which bars transactions that send consumers’ data to third parties. Although the Attorney General will not completely enforce the law until July, California’s Attorney General Xavier Becerra said that potential violations in the first six months will be open to prosecution “as warranted.”
Many companies, such as Microsoft, are seeking to comply with the CCPA on a nationwide scale, and industry juggernaut Google has created a new protocol to prevent third parties from sending them data from consumers who have chosen to opt out. Facebook, however, is taking a different approach. Although Facebook has supplemented its data policy page with an additional “California Privacy Notice,” it has told its advertisers that it does not need to make any changes to its web-tracker, Pixel, because its data collection does not constitute a “sale” of consumer data under the CCPA.
Pixel, appearing as a single square pixel on websites that install it, allows the installation of small data packets, called cookies, on users’ browsers. These cookies can track users’ activity across the Internet and build a personal profile based on a user’s browsing history. Third party companies can then purchase ads based off the information that Pixel collects and associates with Facebook users’ profiles. Since Facebook provides Pixel to companies free of charge, it argues that its web-tracker’s activity does not constitute an actual “sale” of consumer data. In addition, Facebook argues that Pixel’s data collection falls into an exception in the CCPA for data exchanged with a “service provider” that is “necessary to perform a business purpose.”
Several legal experts have voiced skepticism or outright disagreement with Facebook’s interpretation of the CCPA. Roger Allan Ford, a law professor at the University of New Hampshire who specializes in technology law, says if Facebook uses the data collected by Pixel for its own purposes, separate from providing ad services, then it cannot rely on the “business purpose” exception to avoid enforcement action. Jacob Snow, a technology and civil liberties attorney for the ACLU of Northern California says that “when a website delivers massive volumes of personal information to Facebook, that’s a sale under the CCPA.” Chris Hoofnagle, an adjunct professor at the University of California, Berkeley, School of Law, contends that Pixel’s use constitutes a sale because the purpose of the data transfer “is for identity and attribution,” putting Pixel “at the core of the concern of the CCPA.” Ari Waldman, director of the Innovation Center for Law and Technology at New York School of Law, has been especially critical of Facebook’s legal strategy: “Facebook is taking advantage of some ambiguity in the law to reframe the law’s requirements to suit its own purposes” by arguing for the “business purpose” exception.
In a December blog post, Facebook attempted to further distance itself from any liability for selling consumer data by shifting the onus of interpreting the CCPA onto the companies that install Pixel. “We encourage advertisers and publishers that use our services to reach their own decisions on how to best comply with the law,” the post says. It further states that “we will only use our partners’ data for the business purposes described in our contracts with them.”
Only time will tell whether Facebook’s unique strategy will persuade California Attorney General Xavier Becerra. Becerra has indicated that “aggressive, early, decisive enforcement action” would only target violations involving children’s data. Echoing the concerns of other legal experts, James Steyer, CEO of children’s privacy advocacy organization Common Sense, says that “as has unfortunately become the custom, Facebook is the single biggest outlier…Becerra is going to have to focus on holding companies like Facebook to account.” Facebook is unlikely to change its web tracking policies before the July enforcement date. If Steyer and other experts are correct, a high-profile CCPA enforcement battle could be just around the corner.