Home Data-Driven Thinking How CPRA Treats “Cross-Context Behavioral Advertising” – And The Implications For Ad Tech
OPINION: Data-Driven Thinking

How CPRA Treats “Cross-Context Behavioral Advertising” – And The Implications For Ad Tech

By AdExchanger Guest Columnist

SHARE:
Richard Eisert, partner and co-chair of advertising, and Zachary Klein, associate, Davis+Gilbert

Data-Driven Thinking” is written by members of the media community and contains fresh ideas on the digital revolution in media.

Today’s column is written by Richard Eisert, partner and co-chair of advertising, and Zachary Klein, associate, both at Davis+Gilbert.

As the effective date for the California Privacy Rights Act (CPRA) approaches on January 1, 2023, players in the advertising industry are trying to figure out how this reworking of the California Consumer Privacy Act (CCPA) may impact them. 

Currently, the CCPA offers a form of safe harbor for companies that qualify as “service providers,” making them exempt from many requirements. For example, while the CCPA requires businesses to provide consumers with a notice of their rights, a “Do Not Sell My Personal Information” link and other legal disclosures, “service providers” are not subject to the same rules. 

But as the CPRA tightens CCPA’s restrictions, are companies that process data for online behavioral advertising still considered “service providers” based on the CPRA’s new definition and parameters?

What constitutes a “business purpose”?

The CPRA defines a service provider as an entity that processes personal information on behalf of a business “for a business purpose.”

To underscore the importance of the term “business purpose,” the CPRA states that service providers are restricted from “retaining, using, or disclosing the personal information for any purpose other than for the business purposes specified in the contract.”

The takeaway is that if a company isn’t processing data for a “business purpose,” it isn’t a service provider. 

Although this seems innocuous, the CPRA has also changed the definition of “business purpose” to exclude “cross-context behavioral advertising.” This is a new term defined as:

“… the targeting of advertising to a consumer based on the consumer’s personal information obtained from the consumer’s activity across businesses, distinctly-branded websites, applications, or services, other than the business, distinctly-branded website, application, or service with which the consumer intentionally interacts.”

These changes raise important questions. If a business intends to use personal information for “cross-context behavioral advertising” and relies on a vendor to process the data, does this fall outside the scope of a permitted “business purpose”? And does that vendor then no longer qualify as a “service provider”?

These revisions also highlight a major break between the CPRA and other frameworks that distinguish between “data controllers” and “data processors.” Europe’s GDPR, for example, is agnostic about what the controller’s processing purposes are and evaluates processors based on whether they are acting within the scope of the controller’s instructions or for their own independent purposes.

By contrast, the CPRA lists specific activities that can be considered a “business purpose.” These include auditing, data security, debugging, internal research and maintaining quality and safety, as well as “advertising and marketing services” that do not constitute “cross-context behavioral advertising.”  

A gray area for ad tech 

By explicitly excluding “cross-context behavioral advertising” as a business purpose, the CPRA creates ambiguity for vendors and subcontractors that assist businesses with behavioral advertising.

Consider this example: If a vendor is given data to analyze and put into segments that will be used for behavioral advertising, would that constitute “cross-context behavioral advertising” – or is the CPRA’s restriction limited to the entity that is targeting and delivering the ad?

And would the answer be any different if the vendor actually delivers the segments to the entity that is targeting and delivering the ad? As noted above, the CPRA’s definition of business purpose still includes “advertising and marketing services,” other than for cross-context behavioral advertising.

Additional regulations or interpretive guidance from the California Privacy Protection Agency may offer some much-needed clarification in this area.

Until then, vendors that currently are acting within the CCPA’s service provider “safe harbor” – and companies looking to engage them – should pay close attention to these changes and forthcoming regulations.

Follow Davis+Gilbert (@dglaw) and AdExchanger (@adexchanger) on Twitter.

Tagged in:

Must Read

OPINION: Commerce

How Advertisers Can – And Cannot – Get In Front Of Chatbot Shoppers

Brands have plenty of ways to boost search visibility—paid, organic, and earned. But if a CEO demands presence in customer journey recommendation engines and is ready to pay, what can a marketer do?

Measurement

Northbeam Adds The Third Leg Of The Attribution Stool With Incrementality Testing

There’s MMM and MTA, but no single ad measurement works for brands with multiple points of sale. On Tuesday, Northbeam launched an incrementality tool to complete what it calls “the trifecta of digital attribution.”

Comic: The Great Online Privacy Battle
Data Privacy

What Regulators Talk About When They Talk About Ad Tech

If you want to know what privacy regulators think about online advertising, it’s not a mystery. Just listen to what they’re saying.

Privacy! Commerce! Connected TV! Read all about it. Subscribe to AdExchanger Newsletters
Publishers

Keyword Blocking Demonetized More Than Half Of Reuters’ Brand-Safe Stories

The effect wasn’t just limited to news content. The Reuters.com/lifestyle vertical also had some of its brand-suitable pages blocked.

AI

The Agentic Marketplace Is Here. Where Does That Leave DSPs and SSPs?

Swivel and Olyzon’s new partnership brings buy-side and sell-side agents together as early examples of an agentic marketplace.

Comic: Causal Meets Casual
Measurement

Jones Road Beauty Is Using A New Type Of MMM To Reset Its Media Measurement

Inside how Jones Road Beauty is trying to turn messy, conflicting measurement signals into a single testing roadmap for its media mix.

Popular

  1. Seattle, WA USA - circa February 2023: Close up view of Liquid Death sparkling water for sale inside a grocery store
    Measurement

    Liquid Death Lets Incrementality Decide What Tactics To Kill And What To Keep

    Behind its edgy marketing, Liquid Death faces a familiar CPG problem: Most sales happen at the register, where media measurement goes to die.

  2. AI

    Indie Agency Wpromote Dishes On How It’s Testing New Agentic SSP Tools

    Last week, the SSP Kargo announced a closed beta of its AI unified buying platform, Project Kera. The independent ad agency, Wpromote, is an early tester. Plus, the agency reveals a deeper look into its overall AI strategy.

  3. Daily News Roundup

    DSP-ite The Trade Desk Backlash, Buyers Aren’t Budging; Publicis Goes Full-Court in Sports

    DSPlease Brand marketers and agency buyers are skeptical of DSPs’ transparency claims. After Publicis announced last month that it’s no longer recommending The Trade Desk to its clients, other DSPs saw an opportunity to strike. Since then, other DSPs (Viant being “the most aggressive,” according to one media buyer) have been reaching out to TTD […]

  4. Comic: CTV Tracking
    CTV

    Inside RTL’s Plan To Aggregate Europe’s Fragmented TV And Video Supply

    European TV has never been an easy ad market, with content distributed across different languages, currencies and regulatory frameworks. RTL Group’s total video strategy aims to help global advertisers navigate this fragmented market.

  5. Marketers

    Linkby Raises $15 Million For its Hybrid PR And Affiliate Marketing Network

    Linkby, which connects brands with publisher content that advertisers pay for based on reader engagement, announced its $15 million Series B on Tuesday.