WTF is CCPA’s service provider designation?
An open-ended definition of “selling data” in the California Consumer Privacy Act has put programmatic advertising in a precarious position ahead of the CCPA going into effect on Jan. 1.
The law provides people with the option to request that companies not sell their personal information and delete the information they have sold. This provision has the potential to eradicate the information that the programmatic advertising ecosystem relies on to target ads — at least to the 40 million people in California. The law’s definition for selling data is broad enough that some industry experts believe it may cover how companies across the programmatic supply chain use data to facilitate targeted advertising.
The ad tech industry is gravitating toward a stipulation in the law that would appear to enable programmatic advertising practices to continue, albeit with some limitations and at least as a stopgap measure until the enforcement picture becomes clearer. Similar to the GDPR’s “data processor” label, the California law provides a “service provider” designation that companies can adopt in order to process people’s personal information collected by another company without the sharing of that data being considered a sale under the law. “I think the industry is going to coalesce around it,” said Thomas Chow, general counsel and secretary at PubMatic.
WTF is a service provider?
The CCPA defines a service provider as a company that processes personal information collected by another company, but only for the purposes specified in a written contract between the companies. If a person requests that a company not sell their personal information — as the CCPA gives them the right to do — the company can still share that personal information with service providers for those specified business purposes.
How is this different from how companies already handle data collected by other companies?
The difference is that a service provider is limited in what it can do with the information it receives. For example, if an ad tech company receives device IDs collected by a publisher in order to serve targeted ads on the publisher’s site, the ad tech company cannot also use those device IDs to build a device graph in order to track people across the internet.
Will that prevent ad tech companies from sharing data with other ad tech companies to complete a programmatic ad sale?
Not necessarily. However, the various ad tech companies involved in a programmatic ad transaction would need to serve as service providers.
That sounds really complicated.
Definitely. To simplify matters, the Interactive Advertising Bureau and IAB Tech Lab have developed a CCPA compliance framework that is meant to facilitate this daisy chain of service providers. “Under our framework, what happens is companies downstream [in the programmatic supply chain] will be required to operate as service providers on the behalf of publishers,” said Michael Hahn, svp and general counsel at the IAB.
In early December, the IAB plans to release a Limited Service Provider contract that will detail the terms for ad tech companies serving as service providers under its framework. Chow has seen a version of the contract and said it lays out what service providers can and cannot do with the personal information collected by publishers “in a way that’s logical and reasonable to me.” Boiled down, the contract requires that ad tech companies have a way to isolate the personal information they receive from publishers so that the information is not used to enrich an ad tech company’s own data set.
Are ad tech companies okay with these restrictions?
They’re not wild about it. However, until Congress passes a federal privacy law that would preempt states’ privacy laws, ad tech companies have little choice but to figure out how to comply with the California law. Given the ambiguities that remain in the law, like what does and does not count as a sale of data, the service provider provision gives them some cover to continue to conduct their basic programmatic advertising businesses while they wait for more clarity regarding how the attorney general plans to enforce the law.
So programmatic advertising is saved?
No. For starters, the IAB framework only works for companies that adopt the framework. Apart from the framework, companies would need to sign service provider agreements with each company for which they process data for business purposes. Then there’s the trust required that service providers will abide the contracts and comply with the restrictions placed on their use of data. The attorney general’s office has yet to confirm whether ad tech companies operating as service providers to process data for targeted advertising would be compliant with the law.
Health app makers are on notice amid FTC data rule refresh, but some privacy experts say the regulator has gone too far
The Federal Trade Commission will begin applying an old rule governing health data privacy and security. Some privacy experts say it's a convoluted approach that already is causing confusion.
‘I’m ambitious for us’: How Peloton CMO Dara Treseder made community her selling point
A year into her role as Peloton's svp and head of global marketing, Dara Treseder discusses spinning storytelling in service of community.
How Salesforce is gathering its own customer data through its new streaming video play
Salesforce is combining data from Salesforce+ with data gathered from sales and customer service channels viewers inside its customer data platform.
SponsoredHow legacy publishers are transforming into profitable streaming channels
Navdeep Saini, co-founder and CEO, DistroScale, parent company of DistroTV Connected TV (CTV) has become one of the fastest developing channels in advertisers’ marketing mix today. The pandemic led to an increase in CTV consumption, with 75% of consumers watching more streaming content than before quarantines set in. With streaming viewership continuing to gain momentum, […]
‘We’re all figuring out what our new reality is’: How DTC underwear brand Thinx is diversifying its media mix with more OOH
As a cookieless future and Apple's data privacy updates loom over advertisers, at least one DTC brand is diversifying its ad spend by doubling down on OOH efforts.
Pay On Demand: Immediate payment for work growing in popularity as tech companies fight for talent
On-demand pay could be just the ticket for industries like the restaurant business struggling to find and keep workers in key roles.