Examining Industry Approaches to CCPA “Do Not Sell” Compliance
By Christy Harris and Charlotte Kress
Over the past year, the online advertising (“ad tech”) industry has grappled with the practical challenges of complying with the new California Consumer Privacy Act (CCPA). Once the new law — the first of its kind in the United States — goes into effect on January 1, 2020, businesses operating in California will be required by law to provide California residents (“consumers”) with “explicit notice” and the opportunity to opt-out of the sale of their personal information, thus establishing powerful individual rights that represent a major step forward in US privacy legislation.
Practically speaking, however, the law’s notice and “Do Not Sell” obligations present unique structural challenges for ad tech companies, many of whom operate as intermediaries, lack a direct relationship with users, and may or may not have formal contractual relationships with data supply chain partners, including publisher properties where the personal information and insights about user activity are utilized to power data-driven advertising. In light of the imminent effective date of CCPA and with an aim to address these challenges, several key ad tech players have developed approaches to comply with specific CCPA requirements that demonstrate a variety of perspectives toward viable compliance solutions.
In late November, the Digital Advertising Alliance (DAA) announced the release of new guidelines and a “Do Not Sell Tool” for publishers and third parties, including a new icon that, when clicked, provides users with access to a page where they can opt out of the “sale” of their personal information by participating companies, and access more information about how consumers can exercise their other CCPA rights with those companies. The IAB also introduced its CCPA Compliance Framework for Publishers and Technology Companies, which includes a master Limited Service Provider Agreement and technical specifications from the IAB for passing CCPA-related signals from publishers to supply chain partners. Google recently unveiled its CCPA “Restricted Data Processing” mechanism, which, when enabled by a business, restricts Google’s data processing to activities permitted to service providers under the CCPA.
In addition to these solutions, the Network Advertising Initiative (NAI) published an analysis to aid companies in determining whether a business activity may, or may not, constitute a “sale” under the CCPA.
In this blog post, FPF summarizes and compares these industry tools and approaches to advertising within the CCPA’s requirements.
Digital Advertising Alliance (DAA):
The DAA announced new voluntary guidelines and technological specifications for implementing a new icon, providing participating businesses with a mechanism to provide notice to users as well as certain options for CCPA purposes. The guidance and tools are separate and distinct from the DAA’s existing AdChoices program – an established initiative that relies on blue icons and links to inform users about third parties’ use of data for advertising, and allows users to opt out of receiving targeted ads. The familiar icon, which is green, but otherwise resembles the DAA’s existing AdChoices and political ad icons, can be implemented by businesses to take users to a page where they can access a new DAA CCPA Opt Out tool, which they can use to opt out of “sales” of personal information for CCPA purposes. Businesses using the icon should use accompanying language such as “CA Do Not Sell My Info” (recommended by the DAA), or other language that would comply with the CCPA.
According to the DAA, the new tools “will allow users to opt out of the sale of their personal information by any or all of the participating companies…including third parties collecting and selling personal information through the publisher’s site or app.” The DAA’s guidance and opt-out tools differ from other CCPA compliance approaches in several notable respects. First, the DAA’s CCPA opt-out will apply to participating third party companies’ activity across all publishers on which those companies operate, as opposed to strictly limiting the “sale” of consumers’ personal information at the individual publisher or business level. Further, participating third party companies would not be permitted to serve targeted ads to an opted-out user, even using data the company obtained prior to a CCPA opt out request.
In addition, the DAA’s existing Self-Regulatory Principles and Guidelines require companies to commit to not processing “sensitive data” without consent, including health and financial data, regardless of users’ opt-out status, a restriction which does not yet exist in the current California law (although a feature of a proposed 2020 ballot initiative may change that).
Interactive Advertising Bureau (IAB):
In early December, the IAB unveiled the first official version of its CCPA Compliance Framework for Publishers & Technology Companies, which aims to help digital publishers and their downstream ad tech partners in the programmatic advertising environment address the challenges of the CCPA’s “Do Not Sell” obligation. The framework has an accompanying master contract, called the Limited Service Provider Agreement (LSPA), that binds supply chain partners to specific behaviors to meet the law’s provisions, and a set of corresponding technical specifications that guide companies on how to technologically implement the contract in their operations.
The LSPA requires publishers to include a “Do Not Sell My Personal Information” link or icon on their digital property (e.g., webpage) and defines what IAB framework participants (including websites, apps, and advertising partners) must do when a consumer clicks a “Do Not Sell My Personal Information” link (“DNSMPI link”). The agreement creates “service provider” relationships among publishers and third parties when California consumers opt out, thereby restricting data use to only those specific and limited business purposes that are permitted under the CCPA. Publishers’ service providers are prohibited from augmenting an existing consumer profile or creating a new profile where one did not previously exist for those consumers who have opted out. In addition, service providers are prohibited from making ad-buying decisions based on the personal information of a consumer that has clicked a DNSMPI link. Importantly, however, this prohibition does not extend to personal information that (1) was available about the Consumer before that Consumer clicked the link (i.e. available before the 90 day look-back period mentioned in the draft Regulations), (2) is or was sold to the service provider from another property where the Consumer has not opted out, or (3) constitutes “Aggregate Consumer Information” or “Deidentified” information, as defined in the CCPA. Put another way, consumers who opt out via publishers using the IAB Framework may continue to receive targeted ads from companies participating in the Framework in some circumstances. The Framework also requires publishers that “sell” personal information through programmatic ad delivery to provide consumers with “explicit” notice regarding their rights under the CCPA, to explain in clear terms what will happen to their data, and to communicate to downstream participants in an auditable manner that such disclosures were given.
The technical specifications detail a series of signals to be sent from publishers to downstream recipients that will indicate whether: (1) “explicit notice” and the opportunity to opt out has been provided (i.e., CCPA applies and proper notice was given), (2) the user has opted-out of the sale of their personal information, and (3) the publisher is a signatory to the IAB Limited Service Provider Agreement (LSPA) and the publisher declares that the transaction is covered as a “Covered Opt Out Transaction” or a “Non Opt Out Transaction” as defined in the agreement. Together, these specifications provide a common baseline for those who choose to participate in the IAB Framework for communicating between consumers, publishers, advertisers, and other ad tech companies.
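As an added illustration (not part of the original post and not the IAB's own code): these three signals are carried in the IAB Tech Lab's US Privacy String, a four-character value such as `1YNY` (version, notice given, opt-out of sale, LSPA covered). The function names and the fail-closed handling of malformed or missing strings below are assumptions of this example, and the sample strings are constructed.

```javascript
// Added example: decode a US Privacy String and decide, conservatively,
// whether a downstream recipient should treat the user as opted out.
// Names and the fail-closed policy are this example's assumptions.
const FLAG = { Y: true, N: false, "-": null }; // null = not applicable

function parseUsPrivacy(raw) {
  // Case is normalized here as a leniency of this example.
  const s = typeof raw === "string" ? raw.trim().toUpperCase() : "";
  if (!/^\d[YN-]{3}$/.test(s)) return { valid: false, reason: "malformed" };
  if (s[0] !== "1") return { valid: false, reason: "unsupported version" };
  const [notice, optOut, lspa] = [...s.slice(1)].map((c) => FLAG[c]);
  return {
    valid: true,
    version: 1,
    // "1---" signals that the CCPA does not apply to this transaction.
    applies: !(notice === null && optOut === null && lspa === null),
    noticeGiven: notice,    // signal (1): explicit notice and opt-out offered
    optedOutOfSale: optOut, // signal (2): user opted out of sale
    lspaCovered: lspa,      // signal (3): publisher declares LSPA coverage
  };
}

function treatAsOptedOut(raw) {
  const p = parseUsPrivacy(raw);
  if (!p.valid) return true;    // fail closed: an unreadable signal is not consent
  if (!p.applies) return false; // CCPA not applicable to this user
  return p.optedOutOfSale !== false; // "Y" or an unexpected "-" both restrict
}

// Constructed sample values, including missing and malformed input.
for (const sample of ["1YNY", "1YYY", "1---", "1yyn", "2YNY", "YN", undefined]) {
  console.log(JSON.stringify(sample), "->", treatAsOptedOut(sample));
}
```
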
In contrast to the DAA’s CCPA Opt Out Tool, which will allow consumers to opt out of a participating third party’s “sale” of their personal information across all properties where the third party operates, the opt-out limitations of the IAB’s LSPA are instead applicable at the publisher level on a site-specific basis. Under the IAB Framework, a third party may use the personal information of a user provided by a publisher when the user has not opted out. In instances where a user has opted out, the third party becomes a “service provider” to that publisher and is permitted to use personal information subject to certain limitations. Specifically, the third party may use personal information that (a) was made available by the publisher more than 90 days prior to the user’s opt-out or (b) is received from other publishers (or digital properties) where the user has not opted out.
Google:
Google recently expanded its “restricted data processing” setting to enable websites and apps using its advertising services to comply with the CCPA. At a publisher’s discretion, restricted data processing may be implemented to apply to all users in California or on a per-user basis when a user clicks a “Do Not Sell My Information” link. When enabled, Google will act as the publisher’s “service provider,” meaning that Google will restrict its use of the personal information it receives to only certain permissible business purposes as enumerated in the CCPA. As a result, certain features of Google Ads, including ad retargeting (or “remarketing”) and adding users to audience seed lists, will not be available to advertisers when the data comes from publishers that have enabled restricted data processing. Per an addendum to its Data Processing Terms, Google Analytics will also act as a service provider for affected businesses when they have disabled sharing with Google products and services.
Similar to the DAA and IAB solutions, the Google solution will not impact certain post-opt out data uses that are permitted under CCPA, including ad delivery, reporting, measurement, security and fraud detection, debugging and product improvement information.
Google’s solution also will not apply to “the sending or disclosure of data to third parties” that advertisers, publishers or partners may have enabled in Google’s products and services. This means that other third-party ad tracking or serving (such as data sharing or other uses integrated with, but not provided by Google) will not be affected when restricted data processing is enabled unless disabled by a publisher. Instead, ads will continue to be served on the Google Display Network and other networks. Businesses will need to independently review these practices to ensure compliance with CCPA obligations. Google will not respond to bid requests for cross-exchange display retargeting (remarketing) ads when a publisher sends an opt-out signal.
Google will also integrate certain technical components of the IAB’s CCPA Compliance Framework. Specifically, restricted data processing will be applied in response to the IAB CCPA Framework opt-out signals in certain Google advertising services. When an IAB signal indicates an opt out in AdSense, AdMob and Ad Manager, Google will not pass the bid request on to any third parties via real time bidding. When Google’s DV360 receives an IAB Framework opt-out signal as part of a bid request from third party exchanges, Google will not place a bid.
Network Advertising Initiative (NAI):
While the organizations described previously have announced various frameworks, guidance, and specific tools that companies can use to comply with CCPA requirements, the NAI has developed a high-level analysis. This resource aims to assist ad tech companies in determining whether or not a business activity may be classified as a “sale” under the CCPA, prior to determining if, or which, mechanisms (including any of the available frameworks and tools) should be employed.
The CCPA defines a “sale” as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.” The NAI’s analysis explains that the definition of “sale” may be broken down into three main elements, which, when satisfied, the NAI states, would make an ad tech use case a “sale.”
- The use case must involve “personal information.”
- The use case must involve the movement of personal information from one business to another business or third party.
- The use case must involve the exchange of monetary or other valuable consideration for the personal information.
To satisfy the third element identified by the NAI, the requisite monetary or other valuable consideration “must be provided [by the recipient of the personal information] specifically for the purpose of obtaining” personal information, as opposed to having received the personal information incidental to another purpose. For that reason, the NAI points out, it would be difficult to broadly categorize all business activities involving the transfer of personal information as “sales,” because the purpose of a transaction is determined by the intent of the parties to the transaction, and not entirely by any data flows. However, the NAI cautions that whenever a company receives personal information and uses it for purposes that could be monetized independently, such as for profiling or segmenting, that would likely be seen as evidence that the purpose of the transaction was at least partly for the personal information, which could render the exchange a “sale.”
Impact of CCPA opt-out on retargeting:
Impact of CCPA opt-out on analytics:
Scope of CCPA Do Not Sell My Personal Information option: