“Data-Driven Thinking” is written by members of the media community and contains fresh ideas on the digital revolution in media.
Today’s column is written by Richard Eisert, partner at Davis & Gilbert.
The California attorney general just released a final version of the regulations implementing the California Consumer Privacy Act (CCPA), and CCPA enforcement is still slated to begin on July 1. Before being finalized, the regulations were revised twice. The last round of revisions were adopted wholesale in the final regulations, which remain the only guidance provided by the attorney general on how the CCPA will be enforced.
Although it has received surprisingly little attention, the final regulations leave intact one of the most impactful changes for the ad tech ecosystem. This change – made when the draft regulations were revised earlier in the year – relates to how companies can “sell” personal information that they did not collect from consumers directly. The language in the final regulations is far from clear, and how the attorney general will answer this question will have major implications for the digital advertising landscape since it will determine how downstream participants who receive personal information from others can carry out media buys involving targeted ads.
In the now-final regulations, businesses that indirectly collect personal information from consumers may only “sell” onward that personal information without providing a pre-collection notice to consumers if they are registered as “data brokers” under California’s new data broker law. This highlights the rising importance of the data broker registry but creates new challenges for companies that have not yet registered as data brokers.
Pre-collection notice exemption
The CCPA requires businesses that collect a consumer’s personal information to provide a notice to the consumer at or before the point of collection. Since “collection” is broadly defined, some interpreted this requirement to apply even if the personal information is not collected directly from the consumer.
The initial draft regulations exempted businesses that did not collect personal information directly from consumers (who we will refer to as “intermediaries”) from providing pre-collection notices. But before selling the consumer’s information, they were required to either contact the consumers directly with a chance to opt out of the sale or obtain signed written proof from the source of the information describing how the pre-collection notice was given.
Who is a data broker?
Under California law, businesses that knowingly collect and sell to third parties the personal information of consumers with whom the business does not have a direct relationship are data brokers that must register with the attorney general.
Although what constitutes a “direct relationship” is never defined, the data broker law provides examples of forging direct relationships, such as “by visiting a business’ premises or internet website, or by affirmatively and intentionally interacting with a business’ online advertisements,” with the key being the consumer’s knowledge about and control over the business’ data collection practices.
As defined, data brokers arguably could include many ad tech vendors and other participants in the targeted-ad buying process, since they do not have direct relationships with consumers yet may receive consumer personal information. Certain intermediaries that never receive or have access to personal information may argue that they do not sell personal information or need to register. These entities still must be mindful of the requirements of the regulations and perform due diligence to ensure that any organizations they work with that play a more direct role in collecting and selling personal information are registered as “data brokers.”
No clear answers
Although the language in the final regulations leaves intact the changes to the pre-collection notice exemption, the attorney general will need to clarify which downstream participants in the online advertising industry need to register as data brokers. While businesses engaging in targeted advertising may choose to register despite the lack of clarity, there are downsides to doing so, including the increased exposure of being listed on the registry. As a result, many businesses seem to be taking a wait-and-see approach.
As with other unclear CCPA requirements, businesses will need to assess their role in processing personal information – while simultaneously assessing the role of everyone they work with – and determine their appetite for risk and available means to mitigate that risk.