CCPA Update: Sadly, Not Every Vendor can be a Service Provider
Looking Ahead to CCPA Implementation
It’s the final moments leading up to the CCPA’s January 1, 2020 effective date. We won’t bore you with all the background on CCPA (for that, you can see our blog post from a few months ago), but we do want to provide an overview of what it will mean for customers using our services.
Now is the time to face the reality that, more likely than not, at least a few of your vendors are not actually service providers given how they process personal information – they are third parties and you need to provide the “Do Not Sell My Personal Information” opt-out link and accompanying “explicit notice.”
These categories of third parties most likely include the adtech companies you work with, including ownerIQ. In the world of CCPA, the adtech ecosystem will be a complex mixture of third party and service provider transactions. (Note: adtech/targeted advertising/digital advertising/online behavioral advertising/interest-based advertising are typically used interchangeably in our industry.)
We acknowledge that this article is very long and full of details. To help you get an overview, below is a quick summary of our main points:
- The adtech pixel(s) on your website mean you are very likely “selling” personal information to ownerIQ (and likely others).
- You need to a) place the “Do Not Sell My Personal Information” link on your website and mobile app (as applicable) so consumers can opt out of “sales” and b) provide “explicit notice” of this opt-out right.
- Unless you are highly technical, you need to use a commercial provider to handle your “Do Not Sell My Personal Information” obligations above, e.g., OneTrust, LiveRamp, or TrustArc, which will integrate with the IAB CCPA Framework or DAA CCPA Opt Out Tool.
Business’ CCPA Obligations
For sales of personal information to third parties, businesses have the following immediate CCPA obligations:
- Use and disclose personal information pursuant to (i) an enumerated “business purpose” or (ii) a “sale.” Considering the data flows in adtech, these “business purposes” are likely to be construed narrowly; that is, most adtech transactions involving personal information are likely “sales.” An example list of “business purposes” is below.
  - Detecting security incidents
  - Short-term, transient use
  - Performing services on behalf of the business or service provider
  - Internal research
  - Activities to verify or maintain quality or safety
- Update your privacy notice with information on disclosures for a “business purpose” or “sales” (among other disclosures!).
- Provide an opt-out for sales through the “Do Not Sell My Personal Information” link.
ownerIQ CCPA Classification
ownerIQ’s classification depends on the service provided to a customer. Below, we include an analysis of our current position as January 1 looms (with the understanding that the law is not exactly a model of clarity at this point). However, at the end of the day, we believe the less risky classification, and the one most in line with the intent of the law, is to be a “third party” to all of our customers.
At a high level, we have the following categories of customers:
- Advertisers – Possibly a service provider but most likely a third party. It is possible for us to be a service provider IF the advertiser is solely using its own data for its own retargeting purposes. However, we believe the optics of performing retargeting without the ability to opt out will strike consumers as odd, at best. Retargeting is the most obvious form of targeted advertising to consumers and would likely go against their expectations if the ability to opt out of such retargeting is absent.
- Advertising Agencies – Possibly a service provider but most likely a third party. This is because our technology is built to use new information we may receive in the context of providing the ad campaign (e.g., bid stream data) to increase efficiency in bidding. Under the Draft Regulations, this may qualify as use of personal information collected on behalf of one client for use across all other clients, which, in this case, would not be allowed as a “service provider.” We recognize this may change later in 2020 but, for now, the less risky classification is “third party.”
- Monetization Customers (revenue share/ad credit for use of first party data) – Clearly, we would be a third party here by nature of receiving compensation for use of their first party data for other businesses’ ad campaigns. The relationship with our monetization customers cannot reasonably be that of business-to-service provider.
Providing the “Do Not Sell My Personal Information” Link and “Explicit Notice”
We need you, as the business/digital property owner, to provide (a) the “Do Not Sell My Personal Information” link so consumers can opt-out of “sales” and (b) “explicit notice” of this opt-out right. We cannot collect and use our pixel data for digital advertising without these two items. This is known as the “115(d) Requirement” in the CCPA.
There are two options to provide the “Do Not Sell My Personal Information” opt-out link and accompanying notice: a) IAB CCPA Compliance Framework for Publishers and Technology Companies (“IAB Framework”) and b) DAA CCPA Opt Out Tool (“DAA Opt Out”).
It is up to you which one you use but we do need you to use at least one for digital advertising/adtech. Without one of these options, we will not know whether you provided the explicit notice of sale nor will we be able to provide a user-friendly opt out which propagates through the digital advertising ecosystem.
Our preference is at least the IAB Framework, due to our ability to:
- Know whether the explicit notice and opt-out right were provided via technical signals from you to us;
- Switch into a “service provider” role through an industry-wide contract when a consumer opts out; and
- Facilitate a right to delete in a subsequent version (based on the IAB working group).
(Don’t be confused by the “publisher” terminology in either the IAB Framework or DAA Opt Out. All websites, including advertisers, which embed our pixel are considered the “business”/“digital property owner”/“publisher”, regardless of whether the ads show up on or off their website. It’s the collection of personal information from your website which determines the need to provide explicit notice and a link to opt out of sales of personal information for digital advertising.)
Though there is currently no charge or membership requirement for either, you still need to sign on to participate in each.
A. IAB CCPA Framework
An easily readable summary of the IAB CCPA Framework is here (now in final form). According to the IAB Framework’s Executive Summary, “the Framework is intended to be used by those [businesses] who ‘sell’ personal information and those technology companies that they sell it to. It also is intended to create ‘service provider’ relationships between [businesses] and technology companies so that limitations on the use of data and mechanisms for accountability can be imposed when the consumer opts-out of a ‘sale’.” The IAB Framework is in v1.0.
There are two components to the IAB Framework: a) technical specifications and b) a “Limited Service Provider Agreement” that binds adtech companies and publishers to conduct that aims to fulfill CCPA requirements.
a) IAB CCPA Technical Specifications
There are three technical specifications for the IAB Framework (listed below). When a consumer clicks to opt out of the sale of their personal information (via the “Do Not Sell My Personal Information” link), a privacy string is generated. All three tech specifications are used together to generate, read, and propagate the privacy string throughout the adtech ecosystem. Digital properties (that’s you, our customer) that embed adtech pixels will need to implement #2 below. ownerIQ will implement #1 below to read #2. ownerIQ will also implement/respond to #3, which is the communication of the “Do Not Sell” opt-out privacy string through the OpenRTB protocol (i.e., the process of placing a targeted ad on a website or mobile app).
1. IAB Tech Lab U.S. Privacy String: The “signal” to communicate the disclosures by the digital property, and choices selected by a consumer (e.g., whether opted-out or not), under the IAB Framework.
2. IAB Tech Lab U.S. Privacy User Signal API: Specifies a lightweight API that may be implemented by digital properties for web and mobile in-app to represent U.S. privacy signals.
3. IAB Tech Lab U.S. Privacy OpenRTB Extension: Outlines a mechanism to support communication of U.S. privacy signals via the OpenRTB protocol.
If you built your own explicit notice and choice for your website (i.e., the “Do Not Sell My Personal Information” link and accompanying notice), you can use the technical specifications in #2 to generate the privacy string.
If you are using a commercial provider of an explicit notice and choice user interface, e.g., OneTrust, LiveRamp, or TrustArc, they can integrate with the IAB Framework and generate #2 for you. When you implement the commercial options, please select IAB CCPA Framework to propagate and communicate the privacy string to us. For now, there is no charge for participation in the IAB Framework, though the commercial provider typically has a charge for their notice/choice product.
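How a vendor on the receiving side might read, act on and forward the privacy string described above, as an added example (not ownerIQ's or the IAB's code). The four-character layout, the `__uspapi` call and the `regs.ext.us_privacy` field come from the IAB Tech Lab v1 specifications this article names but does not reproduce; the function names and sample strings are made up for illustration.

```javascript
// Added example. Layout per the IAB Tech Lab U.S. Privacy String v1 spec:
// char 0 = version, 1 = explicit notice given, 2 = consumer opted out of sale,
// 3 = publisher is an LSPA signatory. Each flag is 'Y', 'N' or '-'.
// Function names are hypothetical; lower-case input is normalised by choice.
function parseUsPrivacy(str) {
  if (typeof str !== 'string' || !/^1[YN-]{3}$/i.test(str)) return null;
  const [, notice, optOutSale, lspa] = str.toUpperCase();
  return { version: 1, notice, optOutSale, lspa };
}

// How a receiving vendor may treat one pixel hit. Fails closed: a missing or
// malformed string is handled as restricted, never as a permitted "sale".
function saleDecision(str) {
  const p = parseUsPrivacy(str);
  if (!p) return { restricted: true, reason: 'missing-or-malformed' };
  if (p.notice + p.optOutSale + p.lspa === '---') {
    return { restricted: false, reason: 'ccpa-not-applicable' };
  }
  if (p.optOutSale === 'Y') {
    return { restricted: true, reason: p.lspa === 'Y' ? 'opted-out-lspa' : 'opted-out' };
  }
  if (p.notice !== 'Y') return { restricted: true, reason: 'no-explicit-notice' };
  if (p.optOutSale !== 'N') return { restricted: true, reason: 'opt-out-unknown' };
  return { restricted: false, reason: 'notice-given-no-opt-out' };
}

// Read the string from a page that implements the User Signal API (spec #2).
function readFromPage(win, cb) {
  if (typeof win.__uspapi !== 'function') return cb(null);
  win.__uspapi('getUSPData', 1, (data, ok) => cb(ok && data ? data.uspString : null));
}

// Forward a valid string downstream in the OpenRTB extension field (spec #3).
function attachToBidRequest(bidRequest, str) {
  if (!parseUsPrivacy(str)) return bidRequest; // nothing valid to forward
  const regs = bidRequest.regs || {};
  return { ...bidRequest, regs: { ...regs, ext: { ...regs.ext, us_privacy: str.toUpperCase() } } };
}

// Constructed sample strings, not captured from any real site.
const SAMPLES = ['1YNY', '1YYY', '1---', '1NNN', 'garbage'];
for (const s of SAMPLES) console.log(s, saleDecision(s));
```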
b) Limited Service Provider Agreement
Once a consumer opts out via the IAB CCPA Framework, signatories (including ownerIQ) will act as limited service providers, pursuant to the IAB agreement, and have restrictions related to how personal information can be processed. You will also need to be a signatory (click here to sign).
B. DAA CCPA Opt Out Tool
The Digital Advertising Alliance (“DAA”) is also providing a CCPA Opt Out Tool. Under the DAA CCPA policy, website owners must post a text link (“CA Do Not Sell My Info” or other CCPA-compliant language) and green icon in one, clickable format. Consumers who click on the link will be taken to the website owner’s privacy notice that will provide CCPA-required disclosures and CCPA-required user choice controls, including:
- If the website owner itself is collecting and selling personal information, a choice mechanism for users to opt out of your sale of data (e.g., sales other than adtech); AND/OR
- If third parties (e.g., ownerIQ) collect information on your website and onward sell it, a link to the cross-industry CCPA opt-out tool provided and hosted by the DAA. This is where ownerIQ’s data collection and use will be classified.
Once the consumer goes to your privacy notice, you need to link to the DAA CCPA opt-out tool, which will reside at optout.PrivacyRights.info (more information can be found at www.privacyrights.info). The DAA CCPA opt-out tool will enable consumers to opt out of the sale of their personal information by participating third party companies (e.g., ownerIQ). Any consumer’s request not to sell personal information expressed through the DAA tool will apply across all properties on which a third party collects information, rather than just the originating publisher site or app. The new opt-out tool will use a different database from the existing industry tool.
Update 12/18: More information from DAA is below:
- FAQs for Publishers, Brands, Agencies, AdTech regarding the use of the CCPA Opt Out Tool and PrivacyRights Icon
- PrivacyRights Icon Creative Spec (How do Publishers and Brands (and their partners) leverage the new PrivacyRights Icon on Web and in App) (New)
- DAA Webinar on CCPA Tools (from Dec. 12) (New)
CCPA compliance is a work in progress at this point. These Frameworks will likely change as the Attorney General finalizes its CCPA Regulations. We also know there are additional compliance obligations to CCPA, which we are all working on past January 1, 2020. We will continue to provide updates like these and, hopefully, a full ownerIQ CCPA manual, as we gain more clarity in how the CCPA is applied and interpreted.
Note: In no way should this article be construed as legal advice. You should consult with legal counsel about your CCPA compliance strategy.