Agencies, Brands and Publishers Beware: A Service Provider Approach To CCPA Is Risky

Leigh Freund headshot

"Data-Driven Thinking" is written by members of the media community and contains fresh ideas on the digital revolution in media.

Today’s column is written by Leigh Freund, president and CEO at the Network Advertising Initiative.

Uncertainty has clouded preparations for compliance with the California Consumer Privacy Act (CCPA) ever since the law passed in 2018. Even now, three months after enforcement began, there are many questions still unanswered about how the CCPA will apply to the digital advertising ecosystem.

Some businesses have reached the oversimplified conclusion that designating their ad-tech partners as service providers is a silver bullet that can solve their toughest CCPA compliance burdens without sacrificing business results. The theory underlying this approach is that using a service provider contract for transfers of personal information to an ad tech vendor will prevent those transfers from being classified as sales of personal information. If a business can thereby avoid “selling” personal information, it may also be able to avoid posting a do-not-sell link.

However, ad agencies, brands and publishers should think twice before pursuing this approach. Experience is beginning to show that the use of service-provider contracts to govern relationships with ad-tech vendors has serious drawbacks. The overuse of those contracts can lead to multiple bad effects, including the degradation of individual business results, creation of unhealthy and anticompetitive market dynamics and increased compliance risks.

Drag on performance

Individual business results are likely to suffer under a service-provider regime because the CCPA’s strict requirements on how service providers are permitted to use personal information may prevent vendors from engaging in the data processing necessary to provide their services or limit them to the point where their services are rendered ineffective.

For example, two of the biggest players in digital advertising – Google and Facebook – will act as CCPA service providers for publishers and advertisers in limited circumstances, but say that it will likely reduce the effectiveness of some of their services. Publishers and advertisers should expect the same from other ad-tech vendors, even if they have not released public guidance to that effect.

Unhealthy market dynamics

Brands and publishers should also consider the broader market dynamics of using service-provider contracts. They can put independent ad-tech companies at a competitive disadvantage compared to large first-party platforms or walled gardens, because walled gardens acting as service providers can continue to use their own first-party data to enhance their products and services. On the other hand, independent ad-tech companies acting as service providers may be limited in their ability to use cross-context data collected from all of their partners to enhance their products and services. This result harms both the ad-tech companies put at a competitive disadvantage by the CCPA and the businesses they serve.

If walled gardens continue to grow more dominant, publishers’ ability to monetize ad inventory will suffer. Advertisers are likely to see reduced value in the measurement and conversion services that ad-tech vendors provide, as well as an overall reduction in the value of interest-based advertising for reaching their audiences. This will harm the digital advertising ecosystem as a whole by making third-party ad-tech companies less competitive against large, first-party platforms. Over time, publishers and brands will also suffer from a less competitive marketplace.

Risky approach

Agencies, brands and publishers that depend on service provider contracts are likely to see greater compliance risks compared to those that are willing to classify their ad-tech vendors as third parties.

For example, due to ambiguity under the law and implementing regulations, it’s possible that some contracts being used to designate ad-tech vendors as service providers for specific digital advertising use cases may be interpreted by the California attorney general to be inconsistent with the law’s requirements, leaving the brand or publisher vulnerable to an enforcement action.

Depending on the circumstances, both a service provider and the business that engaged the service provider may be liable for uses of personal information that do not satisfy the CCPA’s requirements. The cost for each violation is $2,500, or $7,500 for each intentional violation.

After considering the significant risks and drawbacks, agencies, brands and publishers should explore alternatives to service provider arrangements with their ad-tech vendors to avoid negative side effects. Given the very low rate of opt-outs businesses are seeing, designating ad-tech vendors as third parties and, when required, posting a “do not sell my personal information” link in a webpage footer may be a small price to pay to benefit from the full range of products and services ad tech companies can offer while keeping compliance risks low.

Follow Leigh Freund (@FreundLeigh), the Network Advertising Initiative (@NAI) and AdExchanger (@adexchanger) on Twitter.

Enjoying this content?

Sign up to be an AdExchanger Member today and get unlimited access to articles like this, plus proprietary data and research, conference discounts, on-demand access to event content, and more!

Join Today!

 

Add a comment

XHTML: You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>