The California Consumer Privacy Act (CCPA) requires businesses who engage in “sales” of “personal information,” to offer consumers the right to opt out of such sales via a “Do Not Sell My Personal Information” link or button on their websites. Businesses should carefully consider their practices concerning online advertising and web tracking and determine the approach best suited for their business.
The California Consumer Privacy Act (CCPA) requires businesses who engage in “sales” of “personal information,” to offer consumers the right to opt out of such sales via a “Do Not Sell My Personal Information” link or button on their websites. These “Do Not Sell” obligations present a particularly thorny question for businesses that participate in a digital ad exchange or otherwise use advertising tracking technologies on their websites. Because data elements such as IP address, cookie ID, device identifier and browsing history are considered “personal information” for purposes of the CCPA, the question is: does sharing that information with third-party ad tech providers that serve digital ads, or publish ads on a business’ websites, constitute a “sale” of data?
The answer, so far, is a resounding “maybe.” In what follows, we expand on the issue and survey the approaches to this hotly contested question.
Why the Debate?
The CCPA defines a “sale” as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.” The Network Advertising Initiative (NAI) broke this definition down into three main elements that, when satisfied, might make the case that digital advertising involves a “sale.”
- The digital advertising must involve “personal information.” We know that it does because serving digital ads requires, at the very least, access to IP address and browsing history.
- The digital advertising must involve the movement of personal information from a business to another business or third party. This is often true for digital advertising relationships, as ad tech intermediaries and other participants in the ad exchange often use the personal information they have received from businesses for their own purposes, thus taking many ad tech entities outside of CCPA’s “service provider” safe harbor.
- The digital advertising must involve the exchange of monetary or other valuable consideration for the personal information. This is a fact-specific inquiry that will vary across contractual arrangements. For that reason, the Network Advertising Initiative (NAI) analysis states it would be difficult to broadly categorize all digital advertising activities as “sales.” However, the NAI cautions that if the recipients of personal information can retain the information “for profiling or segmenting purposes” (e., the ability to monetize the data independently), that could constitute evidence of a “sale” of data.
Approaches to “Do Not Sell” Vary Widely
Several of the largest players in the digital advertising industry have taken conflicting positions on whether digital advertising is a “sale” under the CCPA. The lack of a consensus combined with the fact-specific nature of the “sale” analysis leaves most businesses with a risk-based choice between competing considerations. Approaches we have seen to date include the following:
1. Affirmatively Stating No Sale. Some businesses, including major ad tech players, have announced that they believe their receipt of consumer personal information falls within the “service provider” safe harbor and is therefore not a “sale” under the CCPA. They affirmatively state in their privacy policies that they do not sell personal information and do not offer an opt-out link or button.
2. Changing the Service Offerings. Other businesses have implicitly acknowledged the sale of personal information by publishing changes to their service offerings that avoid activities that would constitute a “sale” under the CCPA.
3. Acknowledging a Sale and Adhering to Ad Industry Frameworks. For those businesses that have chosen to treat digital advertising as a sale, some have opted into complying with one or more of the following ad industry compliance frameworks:
- The Interactive Advertising Bureau (IAB) finalized its CCPA framework aimed at helping digital publishers and their supply chain partners comply with the CCPA. To participate, businesses must agree to a contractual arrangement that purports to trigger the CCPA “service provider” safe harbor when a consumer exercises their right to opt out. This allows data transfers to continue even when a consumer has opted out, as long as data practices fall within the limited “service provider” use cases.
- The Digital Advertising Alliance (DAA) recently unveiled its own solution, a new icon aimed at helping ad companies comply with the law. When a consumer clicks on the icon, they will be directed to a page where they can access a tool to opt out of the sale or transfer of their information. The DAA recommended in recent guidance that businesses accompany the icons with text links with language like “CA Do Not Sell My Info.
- The NAI updated its Code of Conduct to cover a broader range of products and technologies and align with the CCPA’s requirements for targeting audiences from 13 to 16 years old.
Some businesses have chosen to provide links to the IAB, DAA or NAI in lieu of providing an opt-out link or button. Although these ad industry organizations provide tools and programs that allow consumers to opt out of certain targeted advertising, not all businesses and/or advertisers are members of these organizations. This means that opting out through these organizations’ tools may not share the consumer’s request to opt out with all the digital advertising partners with which the business engages.
4. Acknowledging a Sale and Giving an Ultimatum. In limited cases where sharing personal information is an integral part of the business’s products or services, some businesses explain to consumers that by directing the business to not “sell” personal information, they will no longer be able to use their accounts with the business and may be asked to delete their accounts.
5. Acknowledging a Sale and Using Cookie Management Tools. Some businesses have acknowledged that their digital advertising activities constitute sales of data, and rely on existing “cookie management” products, used by many businesses for GDPR compliance, to simply disable advertising trackers for website visitors who opt out.
Finally, some businesses have adopted a variation on the above approaches by providing opt-out functionality but objecting to the characterization of their practices as “sales.” These businesses’ privacy policies explain that while they do not believe that their digital advertising activities constitute “sales” of data as colloquially understood, they nonetheless admit that such activities may fall under the CCPA’s expansive definition of “sale,” and offer appropriate choices under one of the above approaches.
The decision to take any of these approaches, or to participate in an industry compliance framework, depends on a variety of factors, including industry, exposure and risk tolerance. It remains to be seen whether any of these approaches will be interpreted to satisfy the CCPA’s requirements.
What About Analytics?
Not all online tracking is related to advertising, and many businesses may be wondering if their use of other online tracking vendors, such as website analytics tools or customer relation management trackers, trigger the CCPA’s “sale” obligations. Although this is a fact-specific question that depends on the vendor and data practices in question, analytics vendors are generally more likely to qualify for the “service provider” safe harbor and be exempt from the “sale” obligations, provided their use of personal information to the purposes specified by their business customers is contractually limited.
Finding Common Ground
More guidance is clearly needed for businesses to determine whether digital advertising always or sometimes amounts to a sale. California’s Attorney General Xavier Becerra has recently said that he intends to help businesses understand how he plans to interpret the law. We hope that clarification of the applicability of CCPA’s “Do Not Sell” rights to the digital advertising industry is among the Attorney General’s highest priorities. In the meantime, with the CCPA now in effect, businesses should carefully consider their practices concerning online advertising and web tracking and determine the approach best suited for their business.