“Data-Driven Thinking” is written by members of the media community and contains fresh ideas on the digital revolution in media.
Today’s column is written by Richard Eisert, partner and co-chair of advertising, and Zachary Klein, associate, both at Davis+Gilbert.
As the effective date for the California Privacy Rights Act (CPRA) approaches on January 1, 2023, players in the advertising industry are trying to figure out how this reworking of the California Consumer Privacy Act (CCPA) may impact them.
Currently, the CCPA offers a form of safe harbor for companies that qualify as “service providers,” making them exempt from many requirements. For example, while the CCPA requires businesses to provide consumers with a notice of their rights, a “Do Not Sell My Personal Information” link and other legal disclosures, “service providers” are not subject to the same rules.
But as the CPRA tightens the CCPA’s restrictions, are companies that process data for online behavioral advertising still considered “service providers” based on the CPRA’s new definition and parameters?
What constitutes a “business purpose”?
The CPRA defines a service provider as an entity that processes personal information on behalf of a business “for a business purpose.”
To underscore the importance of the term “business purpose,” the CPRA states that service providers are restricted from “retaining, using, or disclosing the personal information for any purpose other than for the business purposes specified in the contract.”
The takeaway is that if a company isn’t processing data for a “business purpose,” it isn’t a service provider.
Although this seems innocuous, the CPRA has also changed the definition of “business purpose” to exclude “cross-context behavioral advertising.” This is a new term defined as:
“… the targeting of advertising to a consumer based on the consumer’s personal information obtained from the consumer’s activity across businesses, distinctly-branded websites, applications, or services, other than the business, distinctly-branded website, application, or service with which the consumer intentionally interacts.”
These changes raise important questions. If a business intends to use personal information for “cross-context behavioral advertising” and relies on a vendor to process the data, does this fall outside the scope of a permitted “business purpose”? And does that vendor then no longer qualify as a “service provider”?
These revisions also highlight a major break between the CPRA and other frameworks that distinguish between “data controllers” and “data processors.” Europe’s GDPR, for example, is agnostic about what the controller’s processing purposes are and evaluates processors based on whether they are acting within the scope of the controller’s instructions or for their own independent purposes.
By contrast, the CPRA lists specific activities that can be considered a “business purpose.” These include auditing, data security, debugging, internal research and maintaining quality and safety, as well as “advertising and marketing services” that do not constitute “cross-context behavioral advertising.”
A gray area for ad tech
By explicitly excluding “cross-context behavioral advertising” as a business purpose, the CPRA creates ambiguity for vendors and subcontractors that assist businesses with behavioral advertising.
Consider this example: If a vendor is given data to analyze and put into segments that will be used for behavioral advertising, would that constitute “cross-context behavioral advertising” – or is the CPRA’s restriction limited to the entity that is targeting and delivering the ad?
And would the answer be any different if the vendor actually delivers the segments to the entity that is targeting and delivering the ad? As noted above, the CPRA’s definition of business purpose still includes “advertising and marketing services,” other than for cross-context behavioral advertising.
Additional regulations or interpretive guidance from the California Privacy Protection Agency may offer some much-needed clarification in this area.
Until then, vendors that currently are acting within the CCPA’s service provider “safe harbor” – and companies looking to engage them – should pay close attention to these changes and forthcoming regulations.