---

blog: Don Marti

---

custom audiences laundering

17 August 2022

Everyone else getting ready for the CPRA rulemaking?

It looks like a tricky CCPA loophole is catching on, and I'm not sure of the best way to address the problem.

As I have mentioned before, the easiest way to catch a company violating the CCPA is:

  1. Buy something with Global Privacy Control turned on.

  2. Log in to Facebook and check Ad Settings. Look at Audience-based advertising.

  3. If the name of the company you bought from is in there, they sold (exchanged for something of value) your info, probably by sending it to Facebook as part of a Custom Audience, or possibly by using Facebook Conversions API. Anyway, they broke the law and got caught.

Simple, right? Looks like a way to make open-and-shut CCPA cases at scale. The new California privacy agency will be able to just copy over the same paperwork, because all the surveillance marketers are following the same tutorials.

Unfortunately, surveillance marketers already have a workaround. I have seen this doing RtKs (which is a good example of why RtKs matter).

  1. The original company (the business) collects customer email address from an opted-out customer, and possibly hashes it.

  2. Business passes the email address, or hash, to a third party.

  3. The third party passes the email address or hash to Facebook, and then deletes it. They can't tell which of their client businesses passed information on which people (or they claim not to be able to).

That way, the name of the third party, not the name of the business, shows up in Facebook Ad Settings. Under the draft CPRA regulations, the third party is required to comply with a Right to Know or Right to Delete, but as far as I can tell, there's no additional requirement for the third party to disclose who the original business was, or to be able to.

So a business that wants to violate the CCPA can run their Custom Audiences through a third party, and switch to a new third party if the old one builds up too many RtDs.

It looks like all we can really do is list the third parties involved in this scheme and RtD them? I know this is a good argument for why everybody needs an Authorized Agent service, but it would be less total work if there were a better way to find the original business that broke the law.

Any better ideas?

The War Economy: Sizing up the New Axis

In-app browsers like those in Facebook and Instagram are a big privacy risk, developer shows

Does your rewards card know if you're pregnant? Privacy experts sound the alarm : NPR

Californians for Consumer Privacy Announce Opposition to ADPPA

Amazon’s One-Stop Shop for Identity Thieves

Firefox locks the cookie jar

This is what happens when marketing theory meets the real world in a tech startup

Facebook's least surprising news ever