“Data-Driven Thinking” is written by members of the media community and contains fresh ideas on the digital revolution in media.
Today’s column is written by Richard Eisert, partner and co-chair of advertising, and Zachary Klein, associate, both at Davis+Gilbert.
As the effective date for the California Privacy Rights Act (CPRA) approaches on January 1, 2023, players in the advertising industry are trying to figure out how this reworking of the California Consumer Privacy Act (CCPA) may impact them.
Currently, the CCPA offers a form of safe harbor for companies that qualify as “service providers,” making them exempt from many requirements. For example, while the CCPA requires businesses to provide consumers with a notice of their rights, a “Do Not Sell My Personal Information” link and other legal disclosures, “service providers” are not subject to the same rules.
But as the CPRA tightens CCPA’s restrictions, are companies that process data for online behavioral advertising still considered “service providers” based on the CPRA’s new definition and parameters?
What constitutes a “business purpose”?
The CPRA defines a service provider as an entity that processes personal information on behalf of a business “for a business purpose.”
To underscore the importance of the term “business purpose,” the CPRA states that service providers are restricted from “retaining, using, or disclosing the personal information for any purpose other than for the business purposes specified in the contract.”
The takeaway is that if a company isn’t processing data for a “business purpose,” it isn’t a service provider.
Although this seems innocuous, the CPRA has also changed the definition of “business purpose” to exclude “cross-context behavioral advertising.” This is a new term defined as:
“… the targeting of advertising to a consumer based on the consumer’s personal information obtained from the consumer’s activity across businesses, distinctly-branded websites, applications, or services, other than the business, distinctly-branded website, application, or service with which the consumer intentionally interacts.”
These changes raise important questions. If a business intends to use personal information for “cross-context behavioral advertising” and relies on a vendor to process the data, does this fall outside the scope of a permitted “business purpose”? And does that vendor then no longer qualify as a “service provider”?
These revisions also highlight a major break between the CPRA and other frameworks that distinguish between “data controllers” and “data processors.” Europe’s GDPR, for example, is agnostic about what the controller’s processing purposes are and evaluates processors based on whether they are acting within the scope of the controller’s instructions or for their own independent purposes.
By contrast, the CPRA lists specific activities that can be considered a “business purpose.” These include auditing, data security, debugging, internal research and maintaining quality and safety, as well as “advertising and marketing services” that do not constitute “cross-context behavioral advertising.”
A gray area for ad tech
By explicitly excluding “cross-context behavioral advertising” as a business purpose, the CPRA creates ambiguity for vendors and subcontractors that assist businesses with behavioral advertising.
Consider this example: If a vendor is given data to analyze and put into segments that will be used for behavioral advertising, would that constitute “cross-context behavioral advertising” – or is the CPRA’s restriction limited to the entity that is targeting and delivering the ad?
And would the answer be any different if the vendor actually delivers the segments to the entity that is targeting and delivering the ad? As noted above, the CPRA’s definition of business purpose still includes “advertising and marketing services,” other than for cross-context behavioral advertising.
Additional regulations or interpretive guidance from the California Privacy Protection Agency may offer some much-needed clarification in this area.
Until then, vendors that currently are acting within the CCPA’s service provider “safe harbor” – and companies looking to engage them – should pay close attention to these changes and forthcoming regulations.
Follow Davis+Gilbert (@dglaw) and AdExchanger (@adexchanger) on Twitter.
