More than a year after the California Consumer Privacy Act took effect, publishers and programmatic ad sellers are still split on how they are required to comply with California’s privacy law.
Some like The New York Times have taken a strict interpretation, adopting a conservative approach in complying with the law. Others like ad management firm CafeMedia have taken a looser interpretation of the CCPA’s notoriously ambiguous definition of sale and may eventually find themselves running afoul of regulators.
When California residents request that website publishers stop selling their personal information in accordance with the state’s privacy law, many publishers still use that information to sell targeted ads by passing the data into programmatic ad marketplaces where they have little control over how other companies use that information. Although the publishers are using the Interactive Advertising Bureau’s CCPA compliance framework, the rickety custody of the data they share may put them at risk of non-compliance, making them vulnerable to lawsuits or legal enforcement, according to privacy lawyers.
“I would not say it’s illegal. I would not say it’s not compliant,” Jessica Lee, partner and co-chair of the privacy, security and data innovation practice group at law firm Loeb and Loeb, said of the IAB’s CCPA framework. In fact, for companies that want to continue participating in the programmatic ad marketplace, she said, “the IAB’s framework is the best option that we have.”
Still, said Lee, the IAB approach “definitely creates some risk” because the companies with whom data is shared may use the data in violation of their contractual agreements. She and other ad tech and privacy lawyers say there are risks to assuming every entity along the complex ad supply chain is clean. “There are parties in your supply chain that are taking an aggressive approach,” speculated Alysa Hutnik, partner and chair of the privacy and security practice at law firm Kelley Drye and Warren.
The New York Times’ conservative approach
For more risk-averse publishers like The New York Times, a loose interpretation of the CCPA is not an option. “We’ve really been trying to demonstrate and open the path toward a more privacy-friendly ecosystem, and so we’re trying to push the envelope,” said Robin Berjon, executive director of data governance at The New York Times.
When a California resident has opted out of their data being sold — or enabled the Global Privacy Control tool, which California’s attorney general has implied qualifies as an opt-out request — the Times prevents the ad space created by that person’s page visit from being sold in real-time programmatic ad marketplaces. Instead, the publisher relies on contextual signals and its first-party data to target ads to these site visitors.
“We basically shut down open programmatic when people are in a Do Not Sell state,” Berjon said. However, when a California resident requests that the Times not sell their personal information, the publisher’s opt-out tool states that it “will continue to share your personal information with our service providers, which process it on our behalf,” which could create exposure risks for the Times.
Berjon told Digiday those service providers perform tasks related to analytics and ad serving. He pointed Digiday to a blog post he wrote in July 2020, which noted that the company shares data about readers with tracking companies or “data controllers” to attract new subscribers. The post states that as of April 2019, the firm limited those data controllers to “marketing-related parts of the site, such as subscription offer pages,” adding, “This reduced the amount of data we shared with third-party data controllers by over 90 percent.”
The New York Times’s approach is just one of many, and a relatively conservative one when it comes to data use, said Hutnik. “There’s no common approach right now. It’s all over the map,” she said.
CafeMedia’s looser interpretation
On another side of that map is CafeMedia, which uses the IAB’s CCPA compliance framework. The company manages ad operations and sales for 3,000 digital publishers, all of which now feature Do Not Sell buttons, according to Don Marti, vp of ecosystem innovation at CafeMedia.
When people use those buttons to opt-out from sales of their data, the firm continues to use open programmatic systems to fill ad inventory, passing the same data along to third-party firms operating in those ad marketplaces as they would if someone had not enabled Do Not Sell, according to Marti. He said CafeMedia does not monitor what actually happens to the data downstream and that the company leaves it up to its third-party partners to decide how certain data might be used. “That is where it goes back to how vendors define sale under CCPA,” he said.
Given the CCPA’s vague definition, “‘sale’ is a highly-contested term,” said Lee. Because firms like CafeMedia and others employing the IAB framework leave the definition of Do Not Sell up to the interpretations of third-parties, companies intercepting that data could have various interpretations regarding what they can and cannot do with the data, she said.
Lawyers interviewed for this story lamented the lack of clarity from California’s Attorney General Xavier Becerra around how the CCPA applies to technical aspects of programmatic advertising. They said the ambiguity has created confusion in how the law is interpreted.
CafeMedia is far from the only company in the programmatic advertising market relying on the IAB’s framework. “The vast majority of our publisher partners have adopted the IAB framework,” said Eric Shih, global svp business development for Teads, which helps manage advertising for publishers including ESPN, Washington Post, BuzzFeed and others. He did not say specifically which of its publisher clients use the IAB approach. Shih said Teads requires contractually that DSPs and ad buyers abide by CCPA regulations if applicable by preventing tracking across sites through third-party cookies.
In one example Marti gave, one external company with which CafeMedia shares data has an internal firewall set up that prevents commingling of some data from other sources, therefore restricting the information used to decide how the ad is targeted.
Enforcement on the horizon
While companies using the IAB’s framework appear to be compliant under the CCPA, that status could change if the law’s definition of sale and application to targeted advertising is cleared up. And if that happens, a company would be on the hook for having shared data with another company if the latter company had continued to use it. “You could be subject to an enforcement action by the attorney general,” said Lee. Alleged violations could also trigger lawsuits under CCPA or other California privacy laws, she added.
Further clarity and a greater likelihood for enforcement is on the horizon. The revised version of the CCPA, the California Privacy Rights and Enforcement Act, which will cover data use beginning in 2022, removes confusion around the meaning of “sell,” by explicitly giving consumers the right to opt out of the “sharing” of their data. It places the burden on companies to monitor whether other entities with which they share data comply with the terms of contracts through yearly audits.
Plus, the CPRA creates a new agency intended to strengthen enforcement capabilities. That state agency, said Lee, will be watching to ensure that companies actually conduct audits. Simply relying on contractual agreements to ensure compliance of third-party partners, she said, “I don’t think that’s going to be good enough.”