The other thing on the ballot: Big changes to online privacy in California’s Prop 24

Editor’s note: at we like to look at conversations happening around the use of algorithms to highlight information online. This is one of the occasional posts we do speaking to someone with something to say on topics that we find interesting.

By Christopher Brennan

While the eyes of the world were (and as of this writing still are) fixed to the presidential race in the U.S., voters in California were also casting their ballots on a measure with wide implications for data privacy, and some for digital media.

The Golden State’s Proposition 24, with highlights including the creation of a specific agency to enforce data privacy and stricter rules on sensitive personal data, has passed. The updates it makes to California’s current law, the CCPA, are varied and, similar to other laws that deal with data like Europe’s General Data Protection Regulation, it is broad, impacting many aspects of the digital space. Here is a piece by Shoshana Wodinsky over at Gizmodo that dug into some of the details of the California Privacy Rights Act and controversy around the campaign for it.

One of the people most cited in the run up to the passage of CPRA has been Gary Kibel, a partner at law firm Davis & Gilbert who specializes in digital media, technology and privacy. During an interview after the passage this week he told me that the most significant aspect was the creation of the California Privacy Protection Agency, the equivalent of national Data Protection Authorities in individual European countries and a first in the U.S., because “establishing a standalone agency that has nothing to do all day but enforce privacy laws is a big game changer, because that’s exactly what they’re going to do.”

But CPRA also has repercussions closer to advertising and publishers, many of whom have relied on money from ads that include tracking of personal data from their readers. Jason Kint, the head of an association for digital content companies who wrote about the issue in Vox last month, was optimistic about the changes and said they could be beneficial for online media, because they limit what third-parties can do with readers’ data after they get it while “allowing publishers to continue to use data they generate on their own sites.”

Kibel told that in his view the primary impact on publishers would be a new mandate to let their readers protect their data and opt out of trackers. While the big player third-parties like Google and Facebook will likely make tools so that their offerings to clients work around the new law, publishers working with other data companies will have to figure something out.

“That makes it harder for those sort of middle-tier players. You know, if you’re a relatively small publisher, but you have all these different pixels on your site to monetize it, you now have to build the ability to process all these opt-outs. If you’re a small organization you may not have the resources, the personnel to do it,” he said.

This got me thinking about whether there would be a boost to potential alternatives to the current system of having ads displayed to news readers based on all the information that has been stored about them as they browse online. Some in the privacy community have highlighted data from the Dutch broadcaster NPO earlier this year that saw its ad revenue grow (during the pandemic) despite ditching “creepy ads” for contextual ones based on characteristics of the content the media outlet is showing. Contextual advertising can work on metrics such as the quality score that Deepnews provides, rather than personal data.

While Kibel said that most publishers will still be drawn to behavioral tracking ads because of the amounts of money in play, going forward, the passage of CPRA and other potential data privacy regulations means that some will now be taking a second look at how they do business and whether the tracking is worth it.

“[CPRA] certainly makes contextual easier and it makes behavioral advertising more complex. I’ve worked with clients who have looked at the pixel providers on their website and decided to remove some of them,” Kibel said. “I’m going to remove you from my website because I don’t want to put a ‘do not sell’ link at the bottom of a page. So it does require some companies to take a look at their business practices, decide are they going to go headfirst into some new compliance practices, or are they going to scale back some of their activities.”