California Attorney General says popular, digital ad opt-outs from trade groups don’t comply with CCPA

Four people sitting at tables speaking into microphones. An illustrated depiction of a congressional meeting.

For more than a year advertisers and publishers had few clues for detecting how California regulators would enforce the state’s privacy law. Now, subtle and not-so-subtle indicators are emerging in enforcement letters and case examples from the state’s Office of the Attorney General.

Another fresh revelation: companies cannot rely on blanket digital ad opt-out tools from trade groups to satisfy compliance with the California Consumer Privacy Act. In other words, popular opt-out tools from the Network Advertising Initiative and Digital Advertising Alliance won’t cut it.

When a media and entertainment conglomerate directed people to a third-party trade association’s digital ad opt-out tool, it wasn’t an appropriate opt-out, said the state’s OAG, which said it amounted to a failure to allow people to opt-out from the sale of their personal information. And, when a pet industry site forced people to use a trade group’s digital ad opt-out tool, the OAG alleged the company was not in compliance with the law.

‘What you see on many companies’ sites’

The CCPA requires that companies notify people of data sales and give them a choice to opt out from it. Some companies have responded to that demand by simply directing them to tools from the ad trade groups the NAI and DAA, both of which provide methods for opting-out from digital advertising tracking and targeting, said Alysa Hutnik, partner and chair of the privacy and security practice at law firm Kelley Drye and Warren. “That is what you see on many companies’ sites as a way to operationalize do-not-sell, and that’s still prevalent,” she said.

California Attorney General Rob Bonta’s office unveiled in mid-July several examples of CCPA enforcement cases, allaying some lamentations about a lack of rules and guidance associated with the law, which went into effect in January 2020. “As a law enforcement agency, the OAG does not generally release information to the public about its investigations,” wrote the AG’s office when it released nearly 30 industry-specific case examples scrubbed of actual company names and other revealing details. “The OAG provides the information below as illustrative examples of situations in which it sent a notice of alleged noncompliance and steps taken by each company in response,” the OAG continued. 

The case examples make it clear that merely employing existing methods for opt-out from data collection for California residents via an industry group process is not enough, said Odia Kagan, chair of the GDPR compliance and international privacy practice group at Fox Rothschild, adding that the case examples bring welcome clarity to companies navigating how to comply with the law. “That’s more instruction that we can take in and align compliance practices around,” she said.

But questions remain as to whether the OAG accepts tools developed by industry groups specifically to comply with CCPA as compliant. For instance, the DAA — a consortium of large ad industry groups — offers a CCPA Opt-Out Tool built in conjunction with its pre-existing WebChoices platform that is intended to stop the sale of personal information, including in relation to online behavioral advertising. The Interactive Advertising Bureau also developed a framework for compliance with the California law; however, it is not clear from the case examples what specific tools were determined to be out of compliance. The DAA, NAI and California Attorney General’s Office did not respond in time to comment for this story.

Because the DAA’s CCPA opt-out sends people to a third-party site to opt out of interest-based ads, said Hutnik, it addresses only the companies participating in that program, rather than providing a direct way to address someone’s request to opt out from data sales occurring on a publisher’s site itself. “Put another way, there is nothing in the CCPA enforcement summaries or regulations that supports this approach as a compliant way to operationalize do not sell opt-outs,” she said.

It is possible that even when using CCPA-specific opt-out tools from trade groups, businesses must also include a “Do Not Sell My Personal Information” link on their sites. In the case examples involving trade group opt-out tools, the OAG said the media company rectified the situation by updating its opt-out process, privacy policy and notices, and by adding a “Do Not Sell My Personal Information” link to all of its digital properties; no details on what was included on the landing page for that do-not-sell link were provided. As for the pet industry site, the company added a “Do Not Sell My Personal Information Link” and updated its opt-out form allowing people to fully opt-out of the sale of personal information, including personal information that was exchanged for targeted ads.

Put simply, said Hutnik, companies have to provide people with options that are “more specific to a CCPA opt-out.”

https://digiday.com/?p=421933

More in Media

BuzzFeed’s sale of First We Feast seen as a ‘good sign’ for the M&A media market

Investor analysts are describing BuzzFeed’s sale of First We Feast for $82.5 million as a good sign for the media M&A market — which itself is an indication of how ugly that market had become.

Media Briefing: Efforts to diversify workforces stall for some publishers

A third of the nine publishers that have released workforce demographic reports in the past year haven’t moved the needle on the overall diversity of their companies, according to the annual reports that are tracked by Digiday.

Creators are left wanting more from Spotify’s push to video

The streaming service will have to step up certain features in order to shift people toward video podcasts on its app.