Home Data-Driven Thinking How CPRA Treats “Cross-Context Behavioral Advertising” – And The Implications For Ad Tech
OPINION: Data-Driven Thinking

How CPRA Treats “Cross-Context Behavioral Advertising” – And The Implications For Ad Tech

By AdExchanger Guest Columnist

SHARE:
Richard Eisert, partner and co-chair of advertising, and Zachary Klein, associate, Davis+Gilbert

Data-Driven Thinking” is written by members of the media community and contains fresh ideas on the digital revolution in media.

Today’s column is written by Richard Eisert, partner and co-chair of advertising, and Zachary Klein, associate, both at Davis+Gilbert.

As the effective date for the California Privacy Rights Act (CPRA) approaches on January 1, 2023, players in the advertising industry are trying to figure out how this reworking of the California Consumer Privacy Act (CCPA) may impact them. 

Currently, the CCPA offers a form of safe harbor for companies that qualify as “service providers,” making them exempt from many requirements. For example, while the CCPA requires businesses to provide consumers with a notice of their rights, a “Do Not Sell My Personal Information” link and other legal disclosures, “service providers” are not subject to the same rules. 

But as the CPRA tightens CCPA’s restrictions, are companies that process data for online behavioral advertising still considered “service providers” based on the CPRA’s new definition and parameters?

What constitutes a “business purpose”?

The CPRA defines a service provider as an entity that processes personal information on behalf of a business “for a business purpose.”

To underscore the importance of the term “business purpose,” the CPRA states that service providers are restricted from “retaining, using, or disclosing the personal information for any purpose other than for the business purposes specified in the contract.”

The takeaway is that if a company isn’t processing data for a “business purpose,” it isn’t a service provider. 

Although this seems innocuous, the CPRA has also changed the definition of “business purpose” to exclude “cross-context behavioral advertising.” This is a new term defined as:

“… the targeting of advertising to a consumer based on the consumer’s personal information obtained from the consumer’s activity across businesses, distinctly-branded websites, applications, or services, other than the business, distinctly-branded website, application, or service with which the consumer intentionally interacts.”

These changes raise important questions. If a business intends to use personal information for “cross-context behavioral advertising” and relies on a vendor to process the data, does this fall outside the scope of a permitted “business purpose”? And does that vendor then no longer qualify as a “service provider”?

These revisions also highlight a major break between the CPRA and other frameworks that distinguish between “data controllers” and “data processors.” Europe’s GDPR, for example, is agnostic about what the controller’s processing purposes are and evaluates processors based on whether they are acting within the scope of the controller’s instructions or for their own independent purposes.

By contrast, the CPRA lists specific activities that can be considered a “business purpose.” These include auditing, data security, debugging, internal research and maintaining quality and safety, as well as “advertising and marketing services” that do not constitute “cross-context behavioral advertising.”  

A gray area for ad tech 

By explicitly excluding “cross-context behavioral advertising” as a business purpose, the CPRA creates ambiguity for vendors and subcontractors that assist businesses with behavioral advertising.

Consider this example: If a vendor is given data to analyze and put into segments that will be used for behavioral advertising, would that constitute “cross-context behavioral advertising” – or is the CPRA’s restriction limited to the entity that is targeting and delivering the ad?

And would the answer be any different if the vendor actually delivers the segments to the entity that is targeting and delivering the ad? As noted above, the CPRA’s definition of business purpose still includes “advertising and marketing services,” other than for cross-context behavioral advertising.

Additional regulations or interpretive guidance from the California Privacy Protection Agency may offer some much-needed clarification in this area.

Until then, vendors that currently are acting within the CCPA’s service provider “safe harbor” – and companies looking to engage them – should pay close attention to these changes and forthcoming regulations.

Follow Davis+Gilbert (@dglaw) and AdExchanger (@adexchanger) on Twitter.

Tagged in:

Must Read

Platforms

Meta’s NewFronts Message To Advertisers: Embrace The Noise

Can a good sales presentation offset the impact of a very bad news week? That’s a question for Meta, which collected two guilty verdicts in court this week for failing to protect children and creating additive products.

Marketers

AI Helps Manscaped Trim Social Chatter Down To The Bare Essentials

Meet Clamor, a new social listening product that pulls cultural insights from online conversations in real time. Clamor helped Manscaped freshen up its marketing, including for this year’s Super Bowl.

A man talking to a robot
AI

How Red Roof Is Bringing In More Customers With Zeta’s Voice-Activated AI Agent

Hotel chain Red Roof is using Zeta’s new voice-activated AI agent to guide its campaign creation, deployment timing and audience development.

Privacy! Commerce! Connected TV! Read all about it. Subscribe to AdExchanger Newsletters
Jean-Paul Schmetz, Chief of Ads, Brave
Platforms

Why Ad-Blocking Browser Brave Introduced Its Own Ads

Brave’s chief of ads Jean-Paul Schmetz on competition in the search and browser markets, the fallout from the Google Search antitrust ruling and whether AI search will help smaller upstarts compete with Big Tech.

Newfronts 2026

Vizio Helps Walmart Cut A Bigger Slice Of The CTV Ad Pie

Walmart and Vizio announced at NewFronts that unified account logins are coming to smart TVs using Vizio’s operating system.

Comic: CTV Tracking
Marketers

Carl’s Jr. And Hardee’s Marketing Goes Regional With Amazon Ads’ Streaming Media

The age-old question for streaming TV advertisers is, how to target the viewers they want while reaching the scale their businesses need. The quick-serve restaurant operator CKE, which owns Carl’s Jr. and Hardee’s, sought an answer in a case study with Attain and Amazon Ads.

Popular

  1. Publishers

    Higher Programmatic CPMs Drove 44% Revenue Growth For The Guardian US

    The Guardian US grew its programmatic revenue by 44% year over year in February. The lift came from higher effective CPMs across both the open exchange and private marketplace deals.

  2. Platforms

    Meta’s NewFronts Message To Advertisers: Embrace The Noise

    Can a good sales presentation offset the impact of a very bad news week? That’s a question for Meta, which collected two guilty verdicts in court this week for failing to protect children and creating additive products.

  3. AI

    Wyndham And Goop Are Using AI To Scale Creative And Avoid Burnout

    AI performance marketing platform Adora provides clients Wyndham and goop with real-time feedback and campaign refinements.

  4. Newfronts 2026

    Google Is Pitching Buyers On Gemini And YouTube Creators At The NewFronts

    Google is getting to talk about its two favorite things during IAB’s NewFronts this week: AI and creators.

  5. OPINION: Data-Driven Thinking

    Saying The Quiet Part Out Loud: AI Isn’t Neutral, So Let’s Stop Pretending

    The play “Data” sparks conversations about AI, surveillance, data tracking and predictive modeling. The ad tech world should be paying attention.