If you’re not a privacy lawyer, you probably haven’t been closely following the saga of California Consumer Privacy Act (CCPA) regulations.
It’s been quite the process of updates, refinements, clarifications and curveballs.
Implementation regulations are the detailed rules issued by regulators that explain how businesses can put a law into practice. Basically, they turn legal requirements into (hopefully) clear and practical steps that companies can take to comply.
Enforcement of the CCPA was delayed for seven months between January and July 2020 to give the California Department of Justice enough time to promulgate the initial regulations.
Since then, there have been multiple rounds of regulatory activity:
- There were amendments to the original regulations in 2021.
- In 2022, the then brand-new California Privacy Protection Agency initiated a formal rulemaking process to implement the California Privacy Rights Act (CPRA).
- And in 2023, the CPPA updated the CCPA rules to align with the CPRA.
(Lunch is served and it’s alphabet soup.)
Then, just a couple of weeks ago, the CPPA unanimously approved a long-awaited and major amendment package for the regulations, which will take effect in 2027 pending approval next month by the California Office of Administrative Law.
The updates ease compliance for ad tech companies but introduce new and detailed requirements for automated decision-making technology (ADMT).
Redlines in the sand
How does this affect online advertisers?
One of the most important updates is that the regulations now exclude behavioral advertising from the requirements for when AI or algorithms are used to make “significant decisions” about consumers. Significant decisions refer to when ADMT is used to determine life-changing stuff, such as loan approvals, health care access or whether someone qualifies for housing or a job opportunity.
Which is good news for ad tech – but it’s not a get-out-of-compliance card, said Odia Kagan, a partner at Fox Rothschild who specializes in privacy and data security.
Sure, advertisers can breathe “a sigh of relief” that they don’t have to do risk assessments or data protection impact reviews for behavioral advertising, Kagan said. But sharing personal information for targeted ads still requires clear consumer opt-outs and transparent disclosures.
Plus, if there’s any profiling based on sensitive information, such as health, race, religion or geolocation, that would still require businesses to conduct a data protection impact assessment.
In other words, nothing is without nuance and the devil lives in the redlines.
That’s why I decided to punt a question about ADMT that’s been on my mind to the experts rather than trying to answer it myself (because I’m not a lawyer and the only advice I’m qualified to give is that everyone should watch this classic clip and then this related banger).
Okay, so, here’s the question: How will the CPPA’s new rules on automated decision making and AI impact ad targeting?
- Nikki Bhargava, partner, Reed Smith
- Gary Kibel, partner, Davis + Gilbert
- Cobun Zweifel-Keegan, managing director, IAPP, Washington, DC
- Erik Weinick, partner, Otterbourg P.C.
Nikki Bhargava, partner, Reed Smith
The California Privacy Protection Agency noted that the removal of behavioral advertising from the ADMT and risk assessment thresholds was intended to simplify compliance for businesses.
But looking at the CPPA’s final revisions – including commentary around the revisions as well as recent enforcements – companies should continue to take a cautious approach to targeting and profiling based on sensitive categories of personal information.
Ensure you have the proper compliance mechanisms in place, including proper notice, effective and working opt-outs and opt-ins as required, and proper sharing guardrails and contracts.
Gary Kibel, partner, Davis + Gilbert
As usual, the CPPA continues to make privacy compliance ever more complex for businesses.
The definition of ADMT is very broad and includes “profiling,” yet many obligations under the regulations are triggered by “significant decisions,” and that definition specifically carves out “advertising to a consumer.”
So, it appears that the new definition of ADMT will pull in more online activities, but not every use of ADMT will be to make significant decisions – therefore, the complexity for the ad tech industry continues to grow.
Cobun Zweifel-Keegan, managing director, IAPP, Washington, DC
The final rules apply only to ADMT used for “significant decisions” in areas like credit, housing, employment, education or health services. Crucially, “advertising to a consumer” is expressly excluded from this scope, so purely ad targeting or bidding algorithms do not trigger the notice, opt-out and appeal obligations under the ADMT rules.
But even though ad targeting isn’t a significant decision, the ad ecosystem must still comply with existing CCPA requirements related to notice and choice around selling or sharing, as well as limiting the use of sensitive personal data for targeted ads.
Erik Weinick, partner, Otterbourg P.C.
Proposed changes to the CPPA’s rules relating to ADMT and behavioral advertising stand to have a profound impact on ad targeting strategies.
Particularly noteworthy is the prohibition on not only completely automated decision making, but the ban on using technology to “substantially facilitate human decision making.” Even though the proposed changes contain explanatory hypothetical examples, it may take time for a clear standard to emerge as to what “substantially” facilitating actually means.
As a result, advertisers deploying ADMT should proceed with caution and the advice of professionals until the standard becomes clearer.
🙏 Thanks for reading! As always, feel free to drop me a line at allison@adexchanger.com with any comments or feedback.
