Many players in the AdTech ecosystem are still evaluating what their businesses will look like through the lens of the California Consumer Privacy Act (CCPA) and other potential new privacy laws. The CCPA has already required various parties in this space to re-think their targeting practices and redesign their bidding processes. Organizations and their advertising vendors, including specifically those who serve digital and programmatic advertising, are in the process of determining whether core activities like sharing a device ID to fill a programmatic ad impression or sharing a list of IP addresses with an agency to plan a targeted ad buy constitute a “sale” of personal information as it is broadly defined under the CCPA (if the activity does constitute a sale of personal information, the AdTech vendor would be ineligible for “service provider” status under the CCPA). The answer across the industry so far has been a resounding “hmm...”
Is your AdTech Vendor a Service Provider or a Third Party?
The answer to whether your AdTech vendor should be a service provider for CCPA purposes (i.e., no sale of personal information) or a third party for CCPA purposes (i.e., a potential sale of personal information) requires an analysis of the definition of a “sale” under the CCPA. Under the CCPA, a covered business can provide a service provider with personal information, without identifying the disclosure as a “sale,” and therefore without having to offer an opt-out.
In order for a CCPA-covered business to obtain the benefits associated with designating a vendor as a service provider (i.e., no requirement to offer the opt-out or identify the sale and no associated liability for a failure to do so), the vendor should agree, among other things, to be contractually restricted in an agreement with the covered business from using or disclosing the personal information for any purpose other than provision of services to the covered business.
However, the contract alone is not enough. When a covered business knows or has reason to believe that the “service provider” is using the personal information for purposes other than those for which they have been contracted, the “service provider” is no longer deemed a service provider for CCPA purposes. Accordingly, due diligence about the AdTech vendor’s use of the personal information becomes as important as the contract itself.
Key Diligence Considerations for whether your AdTech Vendor is a Service Provider or a Third Party
In the AdTech ecosystem, there are many examples of a business’s personal information being used for “additional purposes,” including to improve the effectiveness of the service offering for the benefit of additional business customers. Such uses are pervasive in the AdTech framework and may, in fact, be broader than the exact services described within the service provider construct. This intrinsic broader use of personal information in the industry requires advertisers and publishers to decide whether they are comfortable taking on the risk associated with continuing to use these services under a service provider contract with their AdTech vendors or whether they should simply agree that the disclosures are a sale and comply with the applicable provisions of the CCPA.
The typical use cases include, but are not limited to, (i) AdTech vendors that employ third party ad tracking cookies that collect and process personal information; (ii) AdTech vendors that submit programmatic bid requests involving bundled personal information; (iii) data matchers and onboarders using personal information from multiple customers to improve their targeting match rates for all customers; and (iv) AdTech vendors using personal information, for internal purposes only, to improve their products and services. Many covered businesses have taken the position that the sharing of personal information with their AdTech vendors is not a “sale,” placing the burden on publishers and advertisers to determine whether they can credibly share the information under the service provider exemption.
The significance of whether disclosures to AdTech vendors constitute a sale became clear when the California Attorney General released updated CCPA regulations on February 7, 2020. The second draft of the CCPA regulations provides additional guidance on whether internal use cases are permissible under the service provider construct. The amended regulations make it clear that service providers may use customers’ personal information for internal research and product development, with a carve out for certain “high-risk” use cases involving profiling. Specifically, the guidance makes it clear a service provider may use customer data to build a better product or service, provided that use doesn’t venture into “building or modifying consumer or household profiles, or cleaning or augmenting data received from another source.” This clarification may give covered businesses comfort in their ability to rely on service provider contracts for vendors who use their data for internal purposes, but further highlights the importance of conducting additional vendor due diligence to understand exactly what those internal uses entail.
In the specific context of conducting due diligence in the AdTech ecosystem, the Network Advertising Initiative (NAI) recently issued its analysis of what constitutes a sale under the CCPA which may assist covered businesses. The NAI’s analysis breaks down the definition of “sale” into the following three elements that, if satisfied, make the case that digital or programmatic advertising likely involves the sale of data:
- Does the advertising involve personal information? Programmatic or digital advertising typically requires at least an IP address/cookie ID and browsing history in order to serve a personalized advertisement. The CCPA’s expansive definition of personal information sweeps in these types of identifiers, provided the business maintains the information in a manner that can identify, relate to, describe, is reasonably capable of being associated with, or could be reasonably linked indirectly or directly with a particular consumer or household.
The updated regulations issued on February 7, 2020 state that “if a business collects the IP address of a visitor to its website, but could not reasonably link it with a person or household, the IP address would not be personal information.” This clarification raises the question of whether businesses may colorably argue that certain online and digital advertising activities are not considered a “sale” because they don’t involve “personal information” shared by the collecting business.
For online programmatic marketing and digital advertising activities, businesses regularly retain data that they cannot link to any individual (e.g., cookie ID or IP address collected via a tag or pixel employed on their website) – but when shared with analytics and AdTech vendors can be linked to an individual, household, or device. If the business could never link that data to an individual on its own, it’s arguably not “personal information” under the updated regulations. It is not clear that the AG intended the consequence of such a restrictive reading of the definition of “personal information” that would enable the above result in the updated regulations. Thus, businesses engaging in these types of activities should exercise caution and consult with counsel prior to changing their position solely based off the new definition of personal information.
- Does the advertising involve the disclosure of personal information from a business to another business or third party? The answer to this question requires advertisers and publishers to conduct due diligence by evaluating their contracts to determine whether their AdTech vendors are using the personal information received to serve targeted advertising for their own purposes, likely triggering the service provider carve-out, and resulting in a new status of a “third party” under the CCPA; and
- Does the digital advertising involve the exchange of monetary or other valuable consideration for the personal information? This inquiry is highly fact-specific and will force advertisers and publishers to determine whether they are receiving any valuable consideration in exchange for the personal information. While many advertisers will likely argue that nothing of value is received in exchange for the provision of personal information, this argument may be a stretch in the programmatic space.
Programmatic advertising frequently involves the disclosure of personal information in ad calls to increase the value of an impression and the addition of certain identifiers may improve an organization’s effective cost per mille (eCPM), or the amount an advertiser pays a website per one thousand visitors who see the ad. It remains to be seen if regulators will view the exchange of information for a more valuable bid, or whether the information passed along the programmatic supply chain to facilitate a programmatic ad buy will be considered a “sale” under the CCPA. For now, covered businesses should proceed with caution if they enter service provider agreements for programmatic ads.
AdTech Approaches to “Do Not Sell” Will Likely Continue to Vary
To date, we’ve seen AdTech businesses take a variety of approaches to CCPA compliance. While some choose to maintain the status quo until additional guidance is released, others have changed their service offerings significantly to avoid activities that could constitute a “sale” under the CCPA. While it’s still too early to tell, the latter approach may result in less effective advertising and targeting for AdTech businesses that depended on using the personal information for additional purposes in order to enhance their service offerings for customers. In an effort to support and streamline CCPA compliance in AdTech, two industry groups have proposed frameworks aimed at the protection of consumer privacy, while preserving the AdTech ecosystem. The frameworks summarized below apply primarily to publishers that sell data (e.g., data onboarding and matching companies, for instance that buy publisher audience data) or that use publisher’s first party data in programmatic ads.
- Interactive Advertising Bureau (IAB): The IAB recently proposed a framework that acknowledges a “sale” has taken place and an opt-out is required. Once a customer initiates an opt-out, it triggers compliance with a service provider provision in the contractual framework. From that point on, the provider is only able to use that consumer’s personal information for permissible purposes under the service provider construct. This allows for the transfer of data, even post opt-out, provided the AdTech provider strictly limits its use of the data in accordance with the contractual restrictions on the marketing and advertising services set forth in the service provider provision. For example, a consumer that has opted out may still receive advertising from the publisher or advertiser via the AdTech vendor, but it may not be personalized based upon that person’s preferences or behaviors across multiple websites if personalization would require the AdTech provider to share the customer’s personal information across customers.
- Digital Advertising Alliance (DAA): The DAA unveiled its own compliance mechanism utilizing their existing icon-based system. When an end user clicks on the icon, they will be re-routed to a user-friendly tool that facilitates their right to opt-out under the CCPA.
The various approaches we have seen to date across the AdTech community highlight the need for guidance from the California Attorney General on the applicability of the CCPA’s “Do Not Sell” rights to the AdTech industry. Meanwhile, now that the CCPA is in effect, businesses should carefully evaluate their online advertising and tracking practices to determine the approach that is best suited for their business. If you have further questions about how these developments apply to your business, please contact our privacy and cybersecurity attorneys at Michael Best & Friedrich.