“Data-Driven Thinking” is written by members of the media community and contains fresh ideas on the digital revolution in media.
Today’s column is written by Richard Eisert, partner at Davis & Gilbert.
For the ad tech community, election day felt like deja vu. Less than a year after the California Consumer Privacy Act (CCPA) came into effect, the California Privacy Rights Act (CPRA) passed through a ballot initiative. Like its predecessor, the CPRA will have dramatic implications for the ad tech ecosystem.
The CPRA was touted as legislation that would fill in the blanks that CCPA left open and further CCPA’s consumer protections. Significantly for online advertisers, the CPRA more specifically addresses businesses’ obligations when engaging in behavioral advertising.
Under CCPA, some businesses engaged in behavioral advertising interpreted “sales” as excluding the exchange of personal information, such as cookie data, for targeting and serving advertising to users across different platforms, arguing that no “sales” were involved because no exchange for “valuable consideration” had occurred. The CPRA’s introduction of the concept of “sharing” closes this potential loophole.
And, the CPRA clarifies that it intends to regulate the processing of any information for “cross-context behavioral advertising,” defined as ad targeting of consumers based on personal information collected across businesses, websites, applications or services with which the consumer did not intentionally interact. The CPRA extends the same opt-out and transparency rights to consumers for any “sharing” of their personal information, which includes making such information available for cross-context behavioral advertising “whether or not for monetary or other valuable consideration.”
The CPRA also makes clear that while businesses can still disclose personal information to “service providers” and “contractors” for “business purposes,” those “business purposes” do not include “cross-context behavioral advertising” and that any disclosure for such advertising activities will disqualify any recipient of that information from being considered a “service provider” or “contractor.”
So what will not be subject to these new requirements?
Disclosures involved in first-party advertising and auditing to gauge ad performance are identified as “business purposes” carved out of what are considered “sales” or “sharing”. In particular, “non-personalized advertising” is distinguished from “cross-context behavioral advertising” as advertising and marketing that “is based solely on a consumer’s personal information derived from the consumer’s current interaction with the business” and does not involve “precise geolocation information.” Non-personalized advertising is included in the definition of a “business purpose,” and will not constitute “sales” or “sharing” when the personal information is not disclosed to another third party or used to build a profile for the consumer.
Other language in the CPRA may provide advertisers a bit more leeway in carrying out certain advertising activities. When consumers use or direct a business to “intentionally interact” with third parties, it is not considered a “sale” or the “sharing” of personal information. Deliberate interactions such as visiting an entity’s website or purchasing goods or products from a party constitute “intentional interactions” as newly defined in the CPRA.
The CPRA also further clarifies CCPA’s limitation on a business’s liability for the violations of third parties to whom it discloses personal information. Businesses that disclose non-opted-out personal information to third parties and impose on such parties certain contractual provisions protecting consumer rights will not be liable for those parties’ subsequent violation of CPRA if the business has no reason to believe such violations would occur.
A version of this “safe harbor” was provided in the CCPA, and the CPRA preserves this protection from liability albeit with an added contractual provision requirement. This exemption from liability may continue to provide assurances to compliant publishers who are concerned about their liability for downstream recipients of personal information (e.g., in real-time bidding situations), and potentially lessen the exposure for publishers under the CPRA even when disclosing personal information for cross-context behavioral advertising.
As the CPRA’s regulations emerge, the contours of how cross-context behavioral advertising may be permitted under the new law will become clearer. One question to consider is what sort of activities will count as “intentional interactions” that will afford some flexibility under the statute. Another is whether any more room to conduct cross-context behavioral advertising activities will be granted to entities that have registered as “data brokers” under California’s separate data broker law.
As we wait for those answers, businesses will have to readjust their data privacy compliance plans in preparation for the CPRA’s effective date on Jan. 1, 2023, and its one-year look back requirement.