CCPA - Adtech Update
Cybersecurity and Privacy Alert
Have you recently received an update from Google or another adtech provider on their CCPA position? Some industry players are rolling out their approaches, and any business that uses website widgets needs to take note. See below for an outline of the issue, some updated positions, and some considerations for an approach.
CCPA requires businesses to either affirmatively state that they do not sell information or provide a “Do Not Sell” link/button allowing consumers to “opt-out” of the sale of their information. The definition of selling goes beyond an exchange for monetary consideration to include exchanges for valuable consideration. In sum, this definition may include a wide variety of widgets used on websites for various purposes if the widgets collect and share information about site users with third parties and the business realizes a benefit from the use of these widgets. The adtech industry that is responsible for behavioral advertising involves a large number of behind-the-scenes participants. It is standard practice in that industry for those participants to build profiles on individuals from this data, which they in turn can use for their own benefit. Prior to the CCPA there was little restriction on this use, and arguably the CCPA was drafted with the intent of classifying these practices as selling. There were no meaningful carve-outs or changes to the scope of the CCPA regarding this issue prior to it being signed into law, but many adtech providers were apparently waiting until it was signed to take a position on their compliance.
The default use of many adtech and related widgets may fall into the definition of “selling” under CCPA if a business can be considered to be providing data to a third party through the widgets and the business is getting a benefit from doing so. If so, the remaining question is whether the particular practice meets an exception to “selling” under CCPA. There are two possible applicable exceptions to selling. The first is that even if it would otherwise be considered selling, if the consumer directs the business to share it, it would not be considered selling. This allows for the possibility that a consumer wants a business to share for a particular reason, but it requires more than passive consent. To be used in the adtech context, the direction required would be much more onerous than a “Do Not Sell” opt-out because it would effectively be an opt-in and also limit the use to whatever particular consent was obtained, so that option is not really viable. The remaining viable exception is when the “business uses or shares with a service provider personal information of a consumer that is necessary to perform a business purpose...” If this exception is met, the practice is not considered selling and a “Do Not Sell” link or button is not required (as to that practice).
II. Adtech and the Service Provider Exception
The full service provider exception to selling reads as follows:
(2) For the purposes of this title, a business does not sell personal information when:
. . .
(C) The business uses or shares with a service provider personal information of a consumer that is necessary to perform a business purpose if both of the following conditions are met:
(i) The business has provided notice of that information being used or shared in its terms and conditions consistent with Section 1798.135.
(ii) The service provider does not further collect, sell, or use the personal information of the consumer except as necessary to perform the business purpose.
(1798.140(t)(2) (emphasis added))
Under normal circumstances most of the widgets do not meet this exception because of the prohibition on further sale or use of the information. The party that provides the widgets typically uses the information for its own purposes (e.g., building profiles to use to sell services to others), and under the CCPA definition they also arguably further sell it by providing it to downstream third parties that use it for their own benefit as well.
In response to CCPA and this analysis, some adtech providers are allowing businesses to instruct them to handle data differently in a way that they presumably contend qualifies for the service provider exception to selling. At a high level, this instruction can be thought of as instructing the widget providers and all downstream participants to act in a “limited” or “restricted” way that meets the service provider exception of selling and therefore takes the practice outside of selling when the instruction is provided. It is important to note that whether the specific limitations or restrictions will be seen by the California regulators as meeting the service provider exception remains to be seen, but it is clearly the intent of these restrictions and integral to the proposals set out below.
A. Interactive Advertising Bureau (IAB)
The IAB boasts over 650 digital ad marketing related company members, and they have introduced a framework for CCPA compliance. In short, the concept is that IAB is having all the members in the ecosystem agree to a “limited service provider” agreement that provides that when a signal is sent all of the participants will limit their use of the data such that they would be considered service providers under CCPA. This signal, dubbed the “U.S. Privacy String,” can be thought of as a signal that tells the downstream participants to switch from practices that are or may be considered selling to practices they consider being a service provider. One important note is that under this scheme, when the signal tells the downstream participants to act as service providers it does not mean they cannot share, or that they cannot ultimately serve ads. The scheme relies on the limited service provider agreement such that when the signal is sent the intent is that the entire ecosystem works together to fulfill the “business purpose” and, importantly, does not individually further “collect, sell, or use the personal information.” If this signal is effective as intended, it would limit the downstream participants to all work together to only use the information for the limited business purpose and nothing else; therefore they collectively would be no different than another service provider bound to fulfill a specific business purpose.
Assuming a business has widgets from IAB participants, the signal can be set up in two ways. A business can avoid using a “Do Not Sell” link by always sending the signal for the downstream participants to be limited service providers as a default. This can also be viewed as opting everyone out of selling by default. The alternative is to link the signal to a “Do Not Sell” link and have the signal sent on a per-device basis. This would be opting out individuals on a one-off basis.
Google recently set out a similar concept to IAB, but they refer to their practices that they contend qualify them as a service provider as “restricted data processing.” As with IAB’s limited service provider concept, one can think of instructing Google to act in restricted data processing mode as instructing them to act as a service provider -- restricting the practice to take it out of being considered selling. Google has taken the position that most of their products “already operate using restricted data processing” (see list). The presumption is that products used in that manner would already fall outside of CCPA’s selling definition, and Google already considers itself a service provider as to those products. A few of their other products, including Google Ads, “require action to enable restricted data processing.”
Google provides the ability for restricted data processing to be enabled on a per-product basis, as well as individually, in response to a signal for certain products. They even raise the prospect of being able to restrict processing for California residents only in some circumstances:
For products where action is required to enable restricted data processing, partners must decide for themselves when and how to enable it. Some may decide to enable restricted data processing on a per-user basis (for example, following a user opt-out by clicking on a “Do Not Sell My Personal Information” link). Alternatively, for products that support it, some partners may decide to enable restricted data processing for all users in California. (see here)
As with IAB, the intent here is that a business can set products to use restricted data processing (and avoid using a “Do Not Sell” link or button for that reason) or they can choose to send the signal in response to a “Do Not Sell” link or button.
One concern for businesses is that there are some very large industry participants that haven’t taken a position. For example, Facebook’s site says “[w]e are currently in the process of evaluating and, where necessary, adapting our practices to ensure we will be compliant with the requirements of the CCPA, including when and how we collect California residents' personal data. We will share more as the deadline gets closer” (see https://www.facebook.com/business/m/privacy-and-data). Beyond that, there are likely far more participants, big and small, that are not in IAB or may not adopt the IAB framework. This means some businesses still need to wait for adtech providers to take a position on these issues and either provide a mechanism or affirm their operation as service providers.
III. Business Options
One beneficial provision in CCPA is that a business is not liable for the actions of a service provider if “at the time of disclosing the personal information, the business does not have actual knowledge, or reason to believe, that the service provider intends to commit [a violation of the title].” (1798.145(k)) In the case of IAB and Google, those entities have presumably committed large amounts of resources to analyzing this issue from a legal and technical standpoint. And regardless of how regulators may respond in the future, a business that follows these schemes should not be said to have “actual knowledge” that these entities intend to violate the statute. So absent further explicit guidance, a business should be able to rely on these proposals as good faith attempts to comply with the statute.
Businesses primarily have two options based on the mechanisms provided by IAB and Google. They can either instruct the downstream participants to act as “service providers” in all cases, or they can do it individually in response to a “Do Not Sell” link. Sending a signal in all cases could be attractive if the business does not otherwise sell anything, as it could avoid the use of a “Do Not Sell” link entirely. The other option is to implement a “Do Not Sell” opt-out and have the opt-out send the signal(s) to the downstream providers. In addition to requiring an affirmative statement of selling that businesses may want to avoid if this is the only reason, it is technically more complex to implement.
One consideration that is very difficult to assess is the operational effect of instructing the participants to be “limited service providers” or engage in “restricted data processing.” There is little information as to precisely what limitations will be imposed, and the entire ecosystem is so complex it may be that even the providers do not have an understanding of what type of effect the use of these restrictions will have. However, this is likely the predominant consideration in favor of implementing a “Do Not Sell” link as opposed to just sending the service provider instruction in every instance. The primary downside to the business is that it may affect the quality of the services for which the business is using the widget. If the impact of these restrictions were minimal, a business may be much better off making the default operation limited/restricted mode and not implementing any “Do Not Sell” links for this practice.
The lack of full participation by the industry complicates the analysis because any entity that has not taken a position does not provide the business with the options above or with a justification to view that entity’s current processing as a service provider. Presumably the large players will have to affirmatively take a position, and these should continue to be monitored for any developments. To the extent businesses rely on smaller entities, they may want to reach out to those entities with IAB and Google’s positions to ask how the smaller entity intends to proceed.