Publishers’ CCPA compliance varies with ambiguous definition of ‘sale’

california privacy law

Publishers’ efforts to comply with the California Consumer Privacy Act have diverged as they parse one of its biggest ambiguities: whether selling targeted ads qualifies as selling California residents’ personal information. The conundrum has prompted some advertisers to redirect their dollars while waiting for the situation to clear.

The CCPA, which took effect on Jan. 1, defines a sale as the exchange of California residents’ personal information for any business value. Without explicit guidance in the law or from the California attorney general’s office, which is charged with its enforcement on July 1, publishers are unclear whether the sharing of data to enable targeted advertising constitutes a sale.

Some publishers have asserted that they do not sell people’s information under the CCPA and have seen little to no impact from the law. Others have taken the strict interpretation that they are selling personal information. These publishers have prominently placed the requisite links on their homepages for people to request a publisher not sell their personal information and, in some cases, seen their ad prices cut in half. And then there are those publishers that have sought to split the difference, adopting the strict interpretation but attempting to obscure the opt-out links’ appearance.

Given the ambiguity about the CCPA’s application to targeted advertising and publishers’ varied responses, some advertisers have redirected their ad dollars from publishers that do not appear as compliant. These advertisers have shifted their spending to publishers that meet their compliance expectations, according to ad agency executives. “Better safe than sorry,” said one ad agency executive.

Opt-out rates impinge on ad prices
Advertisers’ flight to safety while the CCPA’s ambiguities are sorted out may be making some publishers sorry that they have not appeared to have fully complied with the law. But other publishers may be sorry that they have taken ultraconservative approaches to complying with the law, such as by highlighting the opt-out links on their sites.

When a California resident has opted out of the sale of their personal information, ad prices, on average, have shrunk by 44% as of Jan. 31, according to ad tech firm Infolinks, which sells ads across a network of 25,000 primarily small- and mid-sized publishers.

According to Sourcepoint, a technology provider that offers a consent management tool for publishers, consumer opt-out rates for the sale of their information have ranged from 0% to 30%. The rates correlate to the prominence of the opt-out notification link, said Sourcepoint COO Brian Kane.

Some publishers have put the opt-out notices at the top of the homepage. Others have placed the notices within their sites’ footers so that people must scroll to the bottom to find them. One publisher that deposited the opt-out notice in the footer said that that less than 1% of site visitors click on the notice and, of those visitors, only 10% opt out of the sale of their personal information.

Publishers opt out of opt-out links
Some publishers, such as Dotdash and Ziff Davis, have not put the opt-out links on their websites.

In the case of Ziff Davis, the publisher’s privacy policy states that it “may and may have disclosed or sold” people’s personal information for business purposes. However, while Ziff Davis offers an opt-out request tool, a link to it is absent from its sites’ homepages. That could become an issue if, when the California AG’s office begins to enforce the CCPA, the regulator opts to take advantage of the law’s lookback window to penalize companies that were not fully compliant anytime after Jan. 1.

If a company has stated that it may sell California residents’ personal information but has not placed an opt-out link on its homepage, that “is going to be problematic because they’re supposed to have it,” said Aaron Tantleff, a partner at law firm Foley & Lardner.

“Any Ziff Davis sites that may share California consumers’ personal information with third parties within the definition of ‘sale’ under CCPA are actively working on implementation of the ‘Do Not Sell’ link,” said a Ziff Davis spokesperson in an emailed statement.

The absence of an opt-out link on Dotdash’s sites does not appear to be problematic since the publisher has taken the position that it does not sell people’s personal information as defined by the CCPA. The publisher complies with the law in other respects, such as by letting users request that Dotdash inform them about the information it collects about them and ask the company to delete that information.

Dotdash’s advertising business has not been affected by the CCPA, said Sara Badler, Dotdash’s svp of programmatic revenue and strategy. “I have not seen any changes or dips at all,” she said.

The service provider safety net
Dotdash has given its advertising business further cover by designating its ad tech partners as service providers, a stipulation within the CCPA that the ad tech industry has rallied around. Under the CCPA, companies can share personal information from California residents, including those who opt out of their information’s sale, for specified business purposes with other companies designated as service providers.

Some advertisers have found it difficult to ascertain whether a publisher and the ad tech firms that mediate an ad’s programmatic are using that designation, according to ad agency executives. That is especially true of publishers with which advertisers do not have direct relationships and may further contribute to the ad price declines that Infolinks has observed.

To help publishers and ad tech firms communicate whether a transaction is covered by the service provider designation, the Interactive Advertising Bureau has developed the Limited Service Providers Agreement.

About 200 companies, including publishers and ad tech firms, have signed the IAB’s Limited Service Providers Agreement, said Michael Hahn, svp and general counsel at the IAB. Hahn said that it is “a fairly sizable number” given that the law only took effect on Jan. 1.

More in Media

Publishers’ Privacy Sandbox pauses settle into a deep freeze following reports of poor performance

Publishers aren’t ready to press play yet on dedicated Privacy Sandbox tests.

AI Briefing: Senators propose new regulations for privacy, transparency and copyright protections

A new bill called the COPIED Act aims to pass new transparency standards to protect IP and guard against AI-generated misinformation.