Can retargeted advertising campaigns be done under service provider agreements?

BCLP
Contact

Yes. 

The definition of “sale” under the CCPA contains an exception for situations in which information is shared with a service provider.  In order for an adtech company to meet the definition of a “service provider,” at least two conditions must be met.

First, the transfer of information to the service provider must be “necessary” for the website’s business purpose.1

Second, the agreement with a service provider must “prohibit” the service provider “from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract with the business.”2

One common use of third party behavioral advertising cookies is to allow businesses to contact consumers that have left the business’s website in order to serve those consumers with targeted advertising.  Similarly, businesses may serve targeted advertising not through the use of behavioral advertising cookies, but  by providing adtech partners lists (e.g., names, email addresses, or telephone numbers) of customers or potential customers.  These practices are commonly referred to as retargeting campaigns, as they often attempt to “retarget” consumers that expressed interest in a product or service, but failed to complete a transaction. 

Questions have been raised about whether third parties that provide retargeting services can be classified as “service providers” under the Act.  Specifically, some commenters have asserted that such a use might not be “necessary” for a business purpose under the CCPA, or that by performing a retargeting campaign an adtech partner may be using data for its own purposes.  In response to these concerns, the California Attorney General clarified that “[t]he CCPA allows a service provider to furnish advertising services to the business that collected personal information from the consumer, and such ads may be shown to the same consumer on behalf of the same business on any website.”3  The Attorney General further cautioned, however, that to be considered a service provider the adtech partner must not use the personal information that it collects from one business to “provide advertising services to other businesses.4   Furthermore, under the regulations implementing the CCPA the adtech partner must be prohibited from “building or modifying household or consumer profiles” from the data that it receives.5 

For more information and resources about the CCPA visit http://www.CCPA-info.com.


This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes.  You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.

1. CCPA, Section 1798.t)(2)(C).

2. CCPA, Section 1798.140(t)(2)(C)(ii), (v).

3. FSOR Appendix A at 167 (Response No. 519).

4. FSOR Appendix A at 167 (Response No. 519).

5. CCPA Reg. 999.314(c)(3).

[View source.]

Written by:

BCLP
Contact
more
less

BCLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide