custom audiences laundering
17 August 2022
Everyone else getting ready for the CPRA rulemaking?
It looks like a tricky CCPA loophole is catching on, and I'm not sure of the best way to address the problem.
As I have mentioned before, the easiest way to catch a company violating the CCPA is:
1. Buy something with Global Privacy Control turned on.
2. Log in to Facebook and check Ad Settings. Look at
3. If the name of the company you bought from is in there, they sold (exchanged for something of value) your info, probably by sending it to Facebook as part of a Custom Audience, or possibly by using Facebook Conversions API. Anyway, they broke the law and got caught.
Simple, right? Looks like a way to make open-and-shut CCPA cases at scale. The new California privacy agency will be able to just copy over the same paperwork, because all the surveillance marketers are following the same tutorials.
Unfortunately, surveillance marketers already have a workaround. I have seen this doing RtKs (which is a good example of why RtKs matter).
1. The original company (the business) collects an opted-out customer's email address, and possibly hashes it.
2. The business passes the email address, or hash, to a third party.
3. The third party passes the email address or hash to Facebook, and then deletes it. They can't tell which of their client businesses passed information on which people (or they claim not to be able to).
That way, the name of the third party, not the name of the business, shows up in Facebook Ad Settings. Under the draft CPRA regulations, the third party is required to comply with a Right to Know or Right to Delete, but as far as I can tell, there's no additional requirement for the third party to disclose who the original business was, or to be able to.
So a business that wants to violate the CCPA can run their Custom Audiences through a third party, and switch to a new third party if the old one builds up too many RtDs.
It looks like all we can really do is list the third parties involved in this scheme and RtD them? I know this is a good argument for why everybody needs an Authorized Agent service, but it would be less total work if there were a better way to find the original business that broke the law.
Any better ideas?