United States: Ad And Publishing Industries Confront CCPA Challenges While Congress Considers Privacy

The California Consumer Privacy Act (CCPA), effective Jan. 1, 2020, will require more privacy transparency and choice for consumers than they have ever had under U.S. law, but its approach to providing consumers with the right to opt out of a sale of their personal information threatens to disrupt the third-party digital advertising ecosystem. Most consumers are aware that adtech has evolved to enable tracking technologies to monitor online usage across time and sites in order to build interest profiles tied to pseudonymous identifiers and thereby permit advertisers to send ads tailored to likely interests. Consumers benefit from getting more relevant ads, which advertisers will pay more to place, which in turn generates more revenue for publishers, thereby fostering free, ad-supported content that also benefits consumers. Win-win, right? Not so fast, some say; tracking and targeting is intrusive, or at least creepy, and consumers should have a choice about who can learn what about them and use that information to advertise to them. In response to that consumer concern, the U.S. advertising industry developed a transparency and choice paradigm that relies on notices and opt-outs. (Learn more about that here and here.) In addition, users of online services can employ techniques such as using ad blockers and limiting cookies. Google recently announced that it will ban device fingerprinting for ad personalization, citing lack of user transparency and control, and will enable users to block third-party cookies, a typical adtech tool, while permitting first-party cookies, a typical publisher tool. However, the CCPA is poised to upset this approach to consumer choice through its "do-not-sell" right, which provides an opt-out choice for consumers age 16 and older, but requires opt-in for youth between 13 and 16, and parental consent for children under 13.

This is because the CCPA's broad definitions of "personal information" and "sell" threaten to include the passing along of adtech data tied to a particular device to enable third-party interest-based advertising (IBA) within the scope of the do-not-sell right. Unlike first-party advertising, where a publisher serves an ad based on its own data and potentially data supplied by the advertiser, third-party IBA exchanges data among a myriad of intermediaries in a complex digital ecosystem. As a result, even small publishers can sell ad inventory through this ecosystem that matches advertisers, publishers and online consumers in a fraction of a second to facilitate the sale and delivery of ads tailored to the perceived interests of the consumer. This helps publishers of all sizes compete for ad dollars with tech giants, such as the ubiquitous social media sites and search engines, and large publishers, which have their own treasure trove of consumer data they can use to tailor ads. CCPA does not disrupt that kind of first-party targeting because consumer information is not shared with third parties to enable the sale and delivery of a tailored ad. It is not an exaggeration to say that third-party IBA is what keeps a wide array of online content available to consumers for free. And consumers who object to IBA can opt out of it through the industry opt-outs that are linked to from ads and the website pages that display those ads.

The problem CCPA creates, however, is that the technology supporting that opt-out essentially sets a flag to tell the IBA ecosystem players not to serve an IBA ad. If you don't want that pair of shoes you were considering buying to follow you around in the form of online ads, then you should opt out. And the ad industry's self-regulatory rules, available here and here, prohibit certain forms of sensitive or intrusive IBA. CCPA's opt-out remedy, however, addresses the data sharing, not the data use. So upon the receipt of a CCPA do-not-sell request, a business will be obligated not to share or make personal information available "to another business or a third party for monetary or other valuable consideration." There are a number of sound theories for why that restriction should not restrict IBA data transfers, as the Network Advertising Initiative (NAI) explains in its comments and proposed draft regulations to the California attorney general (AG), who is tasked with promulgating regulations to implement CCPA. Adoption of the NAI's recommendations would bypass the effect the do-not-sell right would have if applied to IBA. A proposed bill to amend the CCPA's definition of sale to specifically carve out IBA data transfers, SB-753, was pulled by the author before advancing to necessary hearings and will not make it out of the Senate by the May 30 deadline for passing its house of origin, killing any chance of the bill passing this year. It was opposed by many privacy advocates, including Californians for Consumer Privacy (CCP, the group that initiated CCPA in the first place), who argued that a primary purpose of CCPA was to limit the sharing of consumer information for advertising beyond a limited silo of first-party advertising:

Under CCPA, a business can use a "consumer's information to show advertising on its own website, or use an advertiser, acting as a service provider or contractor to show ads on the business' website as long as the information shared by the business about the targeted consumer is siloed between the business and the advertiser. ... [However,] SB-753 proposes to amend the definition of "sell" in Civil Code Section 1798.140 in a manner that will break down th[is] silo effect. ... As a result, even if a consumer opts out of the sale of their data, this proposal would allow an advertiser to combine, share and proliferate data throughout the advertising economy. The proposed language will essentially eliminate the silo effect that would occur pursuant to the CCPA, which allows for targeted advertising but prevents the proliferation of a consumer's data throughout the economy."

The CCP's interpretation of the CCPA's intent, or at least the ballot initiative they drafted that is the precursor of CCPA, would be inconsistent with the NAI's interpretation and recommendations. We will have to wait until the first set of proposed rulemaking is issued in September to find out whether the AG agrees with the CCP or the NAI. In the meantime, businesses are struggling with how they can practically effectuate a do-not-sell request to IBA, and which parties, between the publisher, advertiser and various intermediaries, are even responsible for doing so, as well as whether there is a statutory exception on which they can rely for not treating the data flow as a sale.

As we have written before, the online advertising industry has been struggling to address compliance challenges with the EU's relatively new General Data Protection Regulation (GDPR), which takes a different approach to choice than the CCPA does but presents similar choice management challenges. On the eve of the effective date of the GDPR, the Internet Advertising Bureau (IAB) Europe and the IAB Tech Lab launched an open-source Transparency and Consent Framework (TCF), a version 2.0 of which is about to roll out and is expected to have greater industry adoption, including by Google. One solution for CCPA may be to modify the TCF 2.0 to address CCPA application. However, the CCPA's approach of opting out on a business-specific basis, as opposed to using consent or legitimate purpose for processing-specific activities, would require a substantial revision of how the TCF is designed and implemented. Other technology-based solutions are under consideration by ad industry groups and compliance solutions providers. No CCPA consent management technology that would address IBA has yet to emerge, and we are only about six months out from the CCPA's effective date. Come September, if the California AG's proposed regulations do not provide assistance, there will be a need to rapidly reach industry consensus on how to address the problem.

Might help come from inside the Beltway? A coalition of ad industry trade associations known as Privacy for America is aiming to facilitate just such a fix. Specifically, it is working with the committees in the Senate and the House that are drafting a potential federal consumer privacy bill. The bill would develop a paradigm based on preventing harm and prohibiting certain data practices that are overly intrusive or have a potential to cause harm to consumers. Further, it would specifically not limit transfers of data for advertising purposes, including tracking and targeting, as long as sensitive data is not used and the use does not include making determinations on eligibility (e.g., for credit, housing or employment). But, opponents of IBA seem to have found an ally in the junior senator from Missouri, Republican Joshua Hawley. Introduced on May 21, Hawley's S. 1578 would require the Federal Trade Commission (FTC) to create and make available a "do-not-track" (DNT) signal that consumers can associate with their devices, which requires online services to look for the signal and, when indicated, not collect, use or share data beyond what is necessary to operate the service, and specifically not for IBA. It would further require that third-party operators, including advertisers and adtech companies, not collect any data other than for the purpose of analyzing how or whether the user engaged with the operator's program, and then only in a de-identified manner and without creating or contributing to a user profile. The proposed law would prohibit publishers from denying service to users who enable a DNT signal or providing them with a different level of service. That prohibition would thereby ban publishers from charging a subscription fee for IBA-free access to make up for lost ad revenue (IBA commands higher prices than contextual or run-of-site ads), something that CCPA does not prohibit. The FTC, and state AGs, would be able to enforce the law, and it gives the FTC authority to seek civil penalties of $50 per affected user for negligent violations, and $1,000 per user and a minimum fine of $100,000 for reckless or willful violations. There is no private right of action proposed, and the bill does not preempt CCPA or other state law. This may be an attempt to influence the federal privacy legislation being drafted by congressional leadership in both chambers.

Finally, in the absence of federal preemption of state law, a patchwork of CCPA-inspired laws appears to be coming down the pike. Although legislation died in Washington and Texas, consumer privacy laws are advancing in Illinois, New Jersey and Nevada, and legislation has been introduced in Arizona, Hawaii, Maryland, Massachusetts (which has a private right of action), Missouri, New Mexico, New York, North Dakota, Oregon, Rhode Island and Virginia.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on Mondaq.com.

Click to Login as an existing user or Register so you can print this article.

Authors
 
In association with
Related Topics
 
Related Articles
 
Related Video
Up-coming Events Search
Tools
Print
Font Size:
Translation
Channels
Mondaq on Twitter
 
Mondaq Free Registration
Gain access to Mondaq global archive of over 375,000 articles covering 200 countries with a personalised News Alert and automatic login on this device.
Mondaq News Alert (some suggested topics and region)
Select Topics
Registration (please scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions

Mondaq.com (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of www.mondaq.com

To Use Mondaq.com you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.

Disclaimer

The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.

General

Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions