7th Edition: Trends in Marketing Communications Law
Since the January 1, 2020 effective date of the California Consumer Privacy Act (CCPA) came and went without the issuance of final regulations by California’s Attorney General, and since the final regulations were not yet in force when the Attorney General’s enforcement activity commenced on July 1, 2020, members of the digital marketing ecosystem have continued to experience the challenge of operating in an environment of uncertainty. This stems from the complexity of an ad tech ecosystem that does not easily lend itself to the rigid structure set out in the CCPA.
Compliance frameworks introduced by the Interactive Advertising Bureau (IAB) and Digital Advertising Alliance (DAA) have attempted to address these challenges through a collaborative industry approach, but were forced to rely on interim versions of the regulations. Since CCPA enforcement commenced on July 1, 2020, and since the Attorney General only filed the final regulations on June 1, 2020, members of the industry (including the aforementioned industry groups) were not provided ample time to digest the final regulations prior to the start of enforcement activity.
The CCPA requires that companies that sell personal information (PI) about a California resident to a third party offer the consumer the ability to opt-out of such sales. The transfer of data from a publisher’s website to an ad tech company (that is not acting as a service provider) via cookies or similar technologies for retargeting purposes is generally believed to be such a sale. The IAB and DAA frameworks each provide a process to offer consumers the ability to opt-out and to inform third parties when a user has opted-out of such sales.
Where a California resident opts out, the CCPA does not prohibit the publisher from continuing to collect PI for the purpose of interest-based advertising, as long as the publisher does not transfer the PI to parties that will use PI for purposes outside of the performance of services for that one publisher.
In order to prevent the processing of PI by media partners from constituting a “sale,” some online platforms are trying to establish a “service provider” relationship with customers under CCPA. Google created the Restricted Data Processing (RDP) program, which establishes Google as a service provider when RDP is enabled, and limits Google’s right to use the PI that it processes.
Similarly, Facebook issued California-specific terms, supplementing its Custom Audiences Terms Program and Business Tools Terms. Facebook amended its California-specific terms midyear to only apply where Facebook’s own “Limited Data Use” program is enabled. While the programs offered by Google and Facebook have the potential to be helpful, in both cases, the burden of confirming CCPA compliance is placed on the customer of the online platform.
It is likely we will see continued demand for interest-based advertising products, presenting some advantages for website publishers and other players that have direct contact with consumers (e.g., cable companies, OTT providers and content platforms that stream directly). In the post-CCPA landscape, consumer opt-outs do not prevent these players from collecting data for targeting purposes as long as the PI is not sold.
Key Takeaways
- Now that the regulations have been finalized and the enforcement period has begun, compliance cannot wait.
- Industry proposed solutions and major platform initiatives should be carefully reviewed.