While Facebook, Google and Amazon have all been adamant that they don’t sell people’s data, the California Consumer Privacy Act (CCPA), which went into force on July 1, has a very broad definition of what’s considered a data sale.
In short, a sale under CCPA is about more than just the transfer of a California resident’s data in exchange for money – a data sale can also include the non-monetary value that companies derive from sharing data with third parties.
However, disclosing personal information to a service provider doesn’t count as a sale under certain circumstances. For example, the exemption applies if the data is necessary to perform a vital business purpose, if the user was given the proper notice and choice, and if the data in question is only used for the specific, stated purpose and isn’t retained or disclosed beyond that.
Which is why Facebook and Google contend that they should be classified as service providers under the law. (Amazon is taking an even more hands-off approach, at least when it comes to its ad-related tools.)
Whether the service provider argument holds water will be up to the California attorney general’s office and the courts to decide.
In the meantime, here’s how the triopoly is coming to grips with the CCPA.
Facebook isn’t making major changes to its web and mobile-tracking services on the grounds that the way it collects and shares data through its tracking pixel doesn’t constitute selling data.
In Facebook’s view, many of the post-Cambridge Analytica privacy product-related changes it’s already been making over the past few years, including its Off-Facebook Activity tool, are enough to bring it into compliance with the CCPA.
Facebook maintains that its existing data policy, with a few CCPA-related updates, is also sufficient to comply. The policy includes information on all of the different types of data Facebook collects, how Facebook’s products work and an update on what California users need to do to exercise their CCPA-derived data privacy rights.
Although Facebook did update its contractual commitments to clarify that it only uses partner data for the specific business purposes laid out in their contracts, Facebook believes that it’s up to those businesses to assess whether their data transfer activities count as a sale of data under the law.
Read: Plausible deniability.
In that vein, Facebook released a feature in June called Limited Data Use (LDU), which limits how Facebook uses partner data by directing Facebook to act as a service provider when processing info coming from California residents. The LDU feature is on by default through July 31, after which businesses will need to re-implement it if they want to restrict how they share data with Facebook’s business tools.
The feature is wreaking a little bit of havoc, though, among Facebook advertisers. Search Engine Journal reports that advertisers are bracing for campaign performance and measurement issues as less data is available for people in California.
In November, Google introduced mechanisms to help its partners comply with CCPA and stop collecting data on users who have opted out.
Advertisers and publishers can disable personalized ad serving and restrict how data is processed through Google Ads, App Campaigns and Google Analytics. Google then acts as a service provider and will only use data for certain limited business purposes, including ad delivery, reporting, measurement, security, fraud detection and debugging.
Although third-party ad tracking and serving will continue as normal unless sites and apps actively enable the restricted data processing function, the restrictions apply by default for Google’s Customer Match and Store Sales products.
But even when restricted data processing is enabled, there will be no change to how campaign measurement or conversion tracking functions.
On the wider industry front, Google pledged to adopt the IAB Tech Lab’s technical specs for compliance with the CCPA by Jan. 1, which was the law’s effective date. The specs enable real-time bidding transactions to occur while simultaneously imposing constraints on the use of opted-out customer data.
In other words, Google is using the IAB Tech Lab’s privacy string to honor opt-out requests and restrict data processing for AdSense, AdMob and Ad Manager. In the case of an opt-out, Google does not pass bid requests to third parties via RTB. When DV360 receives an opt-out as part of a bid request from a third-party exchange, Google does not place a bid.
Amazon already has strict guidelines in place that govern data use. Sellers on Amazon.com, for example, are not allowed to use a customer’s personal data to do anything other than fill orders and carry out other vital customer service-related functions.
An addendum to Amazon’s advertising API licensing agreement puts the onus on whoever is using the API to comply with “all applicable laws and data protection laws (e.g., GDPR, CCPA.)”
Users of the pixels are expected to obtain consent and refrain from collecting or passing personally identifiable information to Amazon. It’s up to the advertiser and its agency to comply with these requirements, and “the agency will be fully responsible for advertisers’ non-compliance,” according to Amazon.
AKA, pay attention, don’t mess up and if you do, you’re on your own.