Google updated its privacy terms earlier this month, shifting away from offering many of its advertising services on a "service provider" basis. With the change, Google states that its Customer Match, Audience Partner API, and certain audience-building services no longer meet the CCPA's strict new requirements to be offered on a "service provider" basis. The implication of this change is that companies leveraging these services are "selling" or "sharing" personal information and will need to offer consumers an opportunity to opt out.

"Restricted Data Processing" Under the CCPA

Since 2019, Google has offered a number of its services on a "restricted data processing" basis. Where a service is configured for restricted data processing, Google acts as a service provider with respect to personal information (i.e., names, email addresses, online identifiers) that Google collects from advertisers, publishers, and other partners.

Under the California Consumer Privacy Act (CCPA), which first took effect in 2020, a service provider is not permitted to use personal information other than for business purposes associated with offering services. For example, the CCPA does not permit a service provider to resell personal information processed on behalf of a business or to use the information to build profiles about individual consumers for its own commercial benefit.

In documentation available at https://business.safety.google/rdp/, Google explains that when restricted data processing applies, Google will use personal information for business purposes such as ad delivery, reporting and measurement, security and fraud detection, debugging, and to improve and develop product features. Google cites these policies to support its position that it is a "service provider" for many of its advertising-related services, such as Google Ads, Google Analytics, Tag Manager, and Display & Video 360.

What's changing?

Starting July 1, 2023 – the day that the California Privacy Rights Act (CPRA) amendments to the CCPA become enforceable – Google will no longer offer restricted data processing for the following services in California:

  • Any feature that entails uploading customer data for purposes of matching with Google or other data for personalized advertising (e.g., Customer Match)
  • Any feature that entails targeting user lists obtained from a third party (e.g., Audience Partner API)
  • Any feature that entails creating, adding to, or updating user lists using first-party customer data (e.g., audience building with floodlight tags and audience-expansion features in DV360)

These changes reflect key amendments to the CCPA. In particular, the CPRA amendments define "cross-context behavioral advertising" to mean "targeting of advertising to a consumer based on the consumer's personal information obtained from the consumer's activity across" the internet, and prohibit service providers from offering services that involve "sharing" personal information for purposes of "cross-context behavioral advertising."

The clear but unstated message behind these changes is that Customer Match involves cross-context behavioral advertising. When an advertiser uses the Customer Match service, the advertiser provides Google with a target audience, and Google displays ads to that audience on its search results. Because the service involves targeting ads to consumers on Google based on the consumer's interactions with the advertiser, Google's apparent position is that Customer Match is a cross-context behavioral advertising service.

As noted above, advertisers, publishers, and other businesses that share personal information with third parties (such as Google) for cross-context behavioral advertising must offer consumers an opportunity to opt-out of the "sale" and "sharing" of their personal information. In addition, as described in the latest CCPA regulations, these businesses are required to enter into a contract for the "sale" or "sharing" of personal information that requires the third party recipient to comply with the CCPA and provide the same level of privacy protection for consumer data as any business subject to CCPA.

Where can I find the restricted data processing contract?

Google publishes its restricted data processing contract for US state privacy laws at https://business.safety.google/usaprivacyaddendum/.

What about Google Analytics?

Google Analytics is a popular service that allows businesses to gain insights into who visits their digital properties. Google states that it will act as a service provider for Google Analytics as long as the business disables sharing with other Google products and services.

Google offers a variety of privacy-related tools for Google Analytics, including support for deletion requests, here.

What about real-time bidding?

Google also offers services like Display & Video 360 and Authorized Buyers that enable advertisers to respond to bids in real-time for ad inventory across the web. Google indicates that these services continue to operate using restricted data processing but also makes clear that restricted data processing "does not extend to the sending or disclosure of data to third parties that you may have enabled in our products and services." As a result, publishers issuing bid requests and advertisers responding to publisher bid requests should understand that personal information conveyed to third parties for bidding purposes may not be covered by Google's restricted data processing terms.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.