WTF is CCPA’s service provider designation?

california privacy law

This article is a WTF explainer, in which we break down media and marketing’s most confusing terms. More from the series →

An open-ended definition of “selling data” in the California Consumer Privacy Act has put programmatic advertising in a precarious position ahead of the CCPA going into effect on Jan. 1.

The law provides people with the option to request that companies not sell their personal information and delete the information they have sold. This provision has the potential to eradicate the information that the programmatic advertising ecosystem relies on to target ads — at least to the 40 million people in California. The law’s definition for selling data is broad enough that some industry experts believe it may cover how companies across the programmatic supply chain use data to facilitate targeted advertising.

The ad tech industry is gravitating toward a stipulation in the law that would appear to enable programmatic advertising practices to continue, albeit with some limitations and at least as a stopgap measure until the enforcement picture becomes clearer. Similar to the GDPR’s “data processor” label, the California law provides a “service provider” designation that companies can adopt in order to process people’s personal information collected by another company without the sharing of that data being considered a sale under the law. “I think the industry is going to coalesce around it,” said Thomas Chow, general counsel and secretary at PubMatic.

WTF is a service provider?
The CCPA defines a service provider as a company that processes personal information collected by another company, but only for the purposes specified in a written contract between the companies. If a person requests that a company not sell their personal information — as the CCPA gives them the right to do — the company can still share that personal information with service providers for those specified business purposes.

How is this different from how companies already handle data collected by other companies?
The difference is that a service provider is limited in what it can do with the information it receives. For example, if an ad tech company receives device IDs collected by a publisher in order to serve targeted ads on the publisher’s site, the ad tech company cannot also use those device IDs to build a device graph in order to track people across the internet.

Will that prevent ad tech companies from sharing data with other ad tech companies to complete a programmatic ad sale?
Not necessarily. However, the various ad tech companies involved in a programmatic ad transaction would need to serve as service providers.

That sounds really complicated.
Definitely. To simplify matters, the Interactive Advertising Bureau and IAB Tech Lab have developed a CCPA compliance framework that is meant to facilitate this daisy chain of service providers. “Under our framework, what happens is companies downstream [in the programmatic supply chain] will be required to operate as service providers on the behalf of publishers,” said Michael Hahn, svp and general counsel at the IAB.

In early December, the IAB plans to release a Limited Service Provider contract that will detail the terms for ad tech companies serving as service providers under its framework. Chow has seen a version of the contract and said it lays out what service providers can and cannot do with the personal information collected by publishers “in a way that’s logical and reasonable to me.” Boiled down, the contract requires that ad tech companies have a way to isolate the personal information they receive from publishers so that the information is not used to enrich an ad tech company’s own data set.

Are ad tech companies okay with these restrictions?
They’re not wild about it. However, until Congress passes a federal privacy law that would preempt states’ privacy laws, ad tech companies have little choice but to figure out how to comply with the California law. Given the ambiguities that remain in the law, like what does and does not count as a sale of data, the service provider provision gives them some cover to continue to conduct their basic programmatic advertising businesses while they wait for more clarity regarding how the attorney general plans to enforce the law.

So programmatic advertising is saved?
No. For starters, the IAB framework only works for companies that adopt the framework. Apart from the framework, companies would need to sign service provider agreements with each company for which they process data for business purposes. Then there’s the trust required that service providers will abide the contracts and comply with the restrictions placed on their use of data. The attorney general’s office has yet to confirm whether ad tech companies operating as service providers to process data for targeted advertising would be compliant with the law.

More in Marketing

Q1 ad rundown: there’s cautious optimism amid impending changes

The outlook for the rest of the year is a tale of two realities.

WTF is the American Privacy Rights Act

Who knows if or when it’ll actually happen, but the proposed American Privacy Rights Act (APRA) is as close as the U.S. has ever come to a federal law that manages to straddle the line between politics and policy.

Here’s how some esports orgs are positioning themselves to withstand esports winter

Here’s a look into how four leading esports orgs are positioning themselves for long-term stability and sustainability, independent of the whims of brand marketers.