‘We’re not going to play around’: Ad industry grapples with California’s ambiguous privacy law
The California Consumer Privacy Act takes effect in less than a month, and companies across the industry are still coming to terms with what changes the law demands of their advertising practices.
While they wait for the California attorney’s general office to clarify the rules it will use to enforce the CCPA, many companies are taking conservative initial approaches to ensure they are compliant with the law. Some advertisers are pulling back on targeted advertising, and ad tech firms are adopting limits on what they can do with the data they receive from other companies. These measures may turn out to be overly cautious, but prudence can be necessary in the face of uncertainty.
“The ambiguity is on the advertising side of things, the implications for the status quo of the types of targeting we do,” said Justin Scarborough, director of programmatic media at PMG.
The major ambiguity facing companies is how the CCPA’s broad definition of a “sale” of data applies to digital advertising. Under the law, a sale is not simply the exchange of California residents’ personal information for money but for any business value. A publisher passing a device ID to an ad tech firm to fill a programmatic ad impression or an advertiser sharing a list of IP addresses to an agency to plan a targeted ad buy could be considered a sale of data under the law. Or they could not be.
“Digital advertisers use a variety of types of information that may be personal and is exchanged with other companies in order to fulfill their purpose or their services. Whether that meets the definition of sale under CCPA is questionable in some cases,” said Aaron Tantleff, a partner at law firm Foley & Lardner.
The CCPA’s definition of sale has been “heavily discussed” among agencies and their clients, said Laura Aldridge, vp of consumer and market intelligence at Rapp. “I think the definition of sale is something that’s still being interpreted legally because that is a difficult one.”
Agencies often tout their abilities to take people’s information collected by clients and create models for planning and buying purposes. The CCPA has put a question mark over whether the sharing of data from clients to agencies to perform that work constitutes a sale. “The moment you model data and extract the top decile for targeting, is that adding value? Or is that just analyzing your data?” said Aldridge.
The ad tech industry is similarly grappling with the question of whether the information passed along the programmatic supply chain constitutes a sale under the CCPA. The proverbial ad tech tax that companies charge to facilitate a programmatic ad sale would seem to meet the law’s definition of sale. But some aren’t so sure.
“There are still some in the ecosystem that want to take the approach that passing personal information with respect to advertising is not a sale, but I think the statute as drafted almost covers every use case that the ad tech ecosystem has to deal with,” said Thomas Chow, general counsel and secretary at PubMatic.
Consider GumGum, an ad tech company that specializes in contextual advertising. The company does not sell data under the traditional definition of exchanging information for money, but because it operates a programmatic advertising business, it is taking the position that it does sell data under the CCPA’s definition, said T’Juana Albert, director of global compliance and legal affairs at GumGum. By Jan. 1, GumGum’s website will carry a notice to inform California residents that it sells people’s personal information and provide them with tools for individuals to submit requests to access that information and to ask the company to stop selling that information. “We’re not going to play around,” Albert said.
The uncertainty surrounding the CCPA’s application to targeted advertising combines with a broader assault on online tracking by browser makers like Apple and Mozilla and is leading some advertisers to explore moving away from targeted advertising, according to agency execs. Retail advertisers typically rely heavily on retargeting. However, PMG has some retail clients that are testing “extreme scenarios where our ability to retarget at scale is severely deprecated” as a way to “pressure-test some of the options in the future,” Scarborough said.
Given the questions companies have and the answers they lack, companies, such as GumGum and PubMatic, that deal with personal information collected by other companies are gravitating toward the CCPA’s service provider designation. The designation enables a company to process the data collected by another company, even if a person has requested their data not be sold, so long as the service provider only uses the data for the purposes specified in a written contract with the company that collected and shared the data.
The service provider designation comes with trade-offs. An ad tech company serving as a service provider cannot use the personal information it receives from a publisher to target ads to the individual on another publisher’s site, for example. That can curtail the revenue that ad tech companies generate from being able to track people across the internet for targeting and measurement purposes. But the fines and other penalties companies could face if those practices are found to be non-compliant with the law can be a bigger concern.
“The approach we’ve taken is we want to be good actors in the space. If it costs us a little bit of revenue, so be it. It’s not worth it to our brand to be caught up in things where we’re processing data without consent. It’s just not worth it for us,” said Albert.
While some companies solidify their preparations for the CCPA before it takes effect on Jan. 1, others may not feel such urgency because of the law’s delayed enforcement window. The California attorney general’s office will be responsible for enforcing the law, but that enforcement cannot begin until six months after the AG’s office releases its finalized regulations or July 1, 2020, whichever happens first. As of press time, those finalized regulations have yet to be released.
However, anyone believing they have another six months before they’ll be on the hook is misguided, according to Tantleff. “Any noncompliance that dates back to Jan. 1, there’s a look-back, and they will be responsible,” he said.
“At the end of the day, the best thing a company like PubMatic or anyone in the industry can do is take a relatively conservative approach to CCPA,” said Chow.
‘We still see value in live’: Inside Verizon’s Oscars advertising strategy
The brand is rolling out seven new spots this weekend including five during the awards ceremony and one set to air throughout the weekend as part of its Oscars campaign.
‘There are no more excuses’: Advertisers try to overcome the fallacy of ethical media buying
Companies are being asked, pressured and regulated to take a stand — or at least not stand back — on everything from data privacy to voting rights, diversity to sustainability. That has made responsible spending more important than ever.
How start-up Kindred is pushing companies to improve on workplace equity and social justice
The motivation for companies to respond to social change is strong, but many fall short. Kindred is among those pushing business leaders to drive deeper DE&I change.
SponsoredCompanies are following these principles to improve DEI initiatives
It has been nearly a year since the tragic killing of George Floyd sent the United States into a racial reckoning that forced companies to be held accountable for their low diversity rates. Conversations about systemic racism and lack of access were being discussed head on and with transparency. With the advertising industry already employing […]
Clubhouse starts monetization, but startups and influencers may beat them to it
In the rush to monetize Clubhouse, third party app developers are hoping to get a slice of the pie. That includes a new app, called Clubmarket.
Cheat Sheet: Why advertisers need to know about the ‘Fourth Amendment Is Not For Sale Act’
The bill aims to close legal loopholes in federal law permitting data brokers and other forms to sell people's personal information to the government and law enforcement.