We all know it is difficult for participants in digital advertising to enter into contracts with every company to which they disclose personal information.
However, difficulty is no longer an acceptable excuse, especially after the California Privacy Protection Agency’s recent enforcement action against American Honda Motor Co.
That case highlights a critical compliance reminder for digital advertising: All parties must ensure legally required data protection contract terms are included whenever they sell, share or disclose consumer data to ad tech vendors.
On March 12, 2025, the California Privacy Protection Agency (CPPA) fined American Honda Motor Co. $632,500 for violating the California Consumer Privacy Act (CCPA), along with other compliance and remedial requirements.
Among the alleged violations, Honda was found to have collected personal information (PI) on its website and then sold, shared or disclosed that information to ad tech vendors. Under the CCPA, businesses must have agreements containing legally required consumer protection terms with any third party, service provider or contractor to whom they disclose PI. Honda failed to provide evidence of having these necessary agreements.
The settlement order requires Honda to update its agreements within 180 days to ensure compliance with CCPA requirements.
Why advertisers should pay attention
In digital advertising, advertisers use various ad tech tools (such as pixels, tags, cookies, SDKs and server-to-server calls) to collect and share personal data for targeted ads on third-party sites. The complex nature of digital ad campaigns often leads to the disclosure of personal information to many companies, including some with which advertisers may not have appropriate contracts in place.
Additionally, advertisers sometimes rely on technology companies to act as service providers, and those companies disclose personal information on the advertiser’s behalf. Advertisers also commonly depend on ad agencies to manage technology and place ads, often through insertion orders that may lack necessary data protection terms.
The industry’s dynamic data flows make it difficult for advertisers to track their relationships with ad tech vendors and maintain compliance. But make no mistake, the Honda enforcement action makes clear that advertisers are responsible for selling personal information they collect and disclose, even when facilitated by others. Honda’s inability to provide agreements with required CCPA terms highlights a common compliance challenge for advertisers.
Filling the gaps
Advertisers must address ad tech’s contractual challenges by first mapping out outbound data flows, identifying the relevant technology components (pixels, tags, API calls, SDKs) and reviewing vendor roles in ad campaigns.
Next, advertisers should create contracts with the proper data protection terms for each ad tech vendor that is receiving or disclosing data as part of a campaign. This includes ensuring similar agreements with any third parties to whom service providers disclose personal information.
Advertisers often ride on their agency contracts with ad tech providers. But advertisers must verify that their agencies establish contracts (including required CCPA terms) with each ad tech company and that advertisers retain third-party beneficiary rights. Without these rights, advertisers don’t have contractual terms with the ad tech providers and can run into the same problem as Honda.
Alternatively, advertisers can use an industry-standard solution, such as the IAB Multi-State Privacy Agreement (MSPA). This agreement provides a unified privacy framework for advertisers, agencies, ad tech vendors and publishers to comply with US state privacy laws.
The MSPA automatically establishes contractual relationships among signatories as personal information moves through the digital advertising ecosystem, filling gaps in existing contracts. By becoming an MSPA signatory and encouraging their partners and agencies to do the same, advertisers can simplify compliance efforts.
The Honda settlement serves as a critical reminder that digital advertising remains an enforcement priority. And ad tech’s complexities are no shield from oversight. Advertisers must proactively ensure they have the proper contractual protection when engaging with tech vendors.
“Data-Driven Thinking” is written by members of the media community and contains fresh ideas on the digital revolution in media.
Follow IAB, IAB Tech Lab and AdExchanger on LinkedIn.
For more articles featuring Michael Hahn, click here.
