Owners of websites and mobile applications that utilize cookies and other tracking technologies, e.g., pixels, app SDKs (tracking technologies), for interest-based advertising and other activities inherently share data across the digital ecosystem and will have to address these activities as part of their greater California Consumer Privacy Act (CCPA) compliance approach. In particular, the CCPA’s novel “do not sell” right and broad definition of “personal information” (PI) (which includes but is not limited to IP addresses, device IDs, cookie IDs and other unique identifiers) is directly implicated in these types of data transfers. With respect to tracking technologies under the CCPA, various approaches are emerging to take certain PI transfers outside the scope of a “sale” by the publisher and for complying with a consumer’s do-not-sell opt-out request if necessary, although there remains no industry consensus and the California attorney general (AG) has provided no direct guidance on the issue. This post discusses the emerging approaches to CCPA compliance for tracking technologies, and in particular the CCPA frameworks developed by the Internet Advertising Bureau (IAB), the Digital Advertising Alliance (DAA) and Google. Whether you adopt one or more of these framework approaches, integrate a do-not-sell tool to shut down all cookies that are not strictly acting as service providers or take the position that third-party tracking technologies’ data activities are simply not a sale by you, it is recommended that your privacy notice and consumer rights request messaging clearly explain the approach(es) you are taking and the scope and limitation of consumer choice offered thereby. Until there is further guidance from the AG, the biggest risk would seem to be a claim that you are being deceptive with regard to how you are treating tracking technologies under the CCPA.
A sale under the CCPA includes any “making available” of PI, which would include association of usage activity with a device identifier, to another business or a third party for valuable consideration (which need not be monetary and arguably not direct), unless a statutory exception to a sale is present. The two most likely exceptions are disclosures to service providers that are contractually limited to only retain, use and disclose PI to perform the services for the business and to certain internal business purposes of the vendor. The regulations originally only provided service providers the ability to use a business’s PI in a manner that benefits other parties for fraud prevention or security, but the recent revisions expanded this scope to also include the ability for service providers to use PI to build or improve the quality of their services, so long as the use does not include building or modifying household or consumer profiles, or for supplementing data acquired from another source. Many tracking technologies’ PI usage, such as for interest-based advertising, exceeds the CCPA’s qualified service provider usage limitations. Another exception is a disclosure at the express direction of the consumer, but only if the recipient does not engage in downstream sales, unless otherwise permitted by the CCPA. Downstream disclosures for the downstream recipient’s commercial purposes are inherent in interest-based advertising and as such are likely sales. Arguably, a consumer could expressly consent to both the initial and further downstream sales, but it is not clear whether that would be “otherwise permitted by the CCPA.” This makes an opt-in to interest-based advertising tracking technologies as an exemption from a sale transaction questionable, and the U.S. ad industry has, at any event, sought to avoid an opt-in regime. An alternative approach to trying to find an exception from a sale is to argue that the publisher is not a business making its users’ PI available to tracking technologies, but rather tracking technologies are themselves independent businesses that are independently collecting PI from the publisher’s users. Support for this theory can potentially be found in version two of the regulations’ new Section 302(a)’s use of the word “maintains.” Section 302(a) provides that whether info is PI “depends on whether the business maintains information in a manner that [is linkable or associated with a consumer or household].” The argument would be that in the case of tracking technologies, the technology operator, not the publisher, maintains the PI associated with the technology. Of course, the contract between the technology company and the publisher may provide that this is done for the publisher, which would put responsibility back on the publisher. Even if the technology company is contractually the controller of the PI, it has no direct connection with the user and thus will be unable to meet its own CCPA precollection notice, opt-out and other obligations unless the publisher assists it in doing so. As a result, a tracking technologies operator is unlikely to accept responsibility as a business unless the publisher facilitates its ability to meet its obligations as a business.
In the face of these regulatory challenges, various compliance approaches are being adopted that would allow certain participating tech vendors to commercialize the PI of their clients in a manner that arguably can be CCPA compliant. One approach assumes that the publisher is responsible for the data collection by tracking technologies interacting with its service and uses a signal system to indicate whether tracking technologies must restrict data processing to what is permitted of a CCPA-qualified service provider or whether it is free to accept the data without restriction as a sale. This requires a publisher to either treat all users as having opted out by attaching a signal to all users’ tracking technologies indicating that only restricted data processing is permitted or tying the signal program to a do-not-sell opt-out program to have the restricted data processing signal apply only to specific users who have exercised do-not-sell rights with the publisher. Alternatively, another approach is emerging that theorizes that technology operated by a party other than the publisher can be independently collecting PI notwithstanding that its technology is integrated into the publisher’s app or site. However, to enable the tracking technologies operator to meet its obligations under the CCPA, the publisher would have to push through that other business’s precollection notice and provide an opportunity for that technology operator to opt out of downstream sales, which would require the publisher to push that operator’s notice down through the site or app to the user.
Both approaches have digital advertising trade association sponsors. The IAB, which takes the former approach, and the DAA, which is promoting the latter approach, have developed CCPA opt-out notice and signal tools and related program frameworks, which are discussed in further detail below. The IAB reports having more than 200 participants that have signed on to its program (the IAB treats the list of its agreement signatories as confidential and does not publish a list of its participants) and Google has announced its own program, which is very similar to the IAB’s program. Fifty-four companies are currently listed on the DAA’s consumer-facing CCPA opt-out tool. Given the lack of guidance to date by the AG, and that the proposed regulations are silent on these issues, there is confusion in the marketplace and a lack of industry consensus as to how publishers and tracking technologies operators should address tracking technologies that are not strictly service providers. This, in part, has led to all the major ad industry trade groups petitioning the AG to further delay enforcement for an additional six months from the finalization of the regulations to allow time to address implementation of whatever schemes will ultimately be necessary to reflect the final rules. (See here.) However, the AG ignored this request in the second version of the regulations, which continued to be largely silent on issues relating to tracking technologies. It seems that the regulations will become final without clarifying the issues and that publishers and tracking technologies operators will have to attempt to sort out compliance approaches on their own. As more tracking technologies operators choose to participate in one or both frameworks, they are likely to require corresponding framework participation by the publishers with which they work. This is exactly what Google did at the beginning of 2020, corresponding with the CCPA effective date. As the July 1 CCPA enforcement date nears, and once the final regulations are published, it can be expected that more and more tracking technologies operators will join frameworks or develop their own compliance programs, as Google has done.
Currently, many publishers have simply taken the position that the collection of PI by tracking technologies associated with their sites and apps is not a sale by the publisher to these technologies operators, many have given consumers information on how to control cookies, and some have implemented cookie management tools to let users opt out of some or all cookies unrelated to a do-not-sell exercise. Yet others have integrated their do-not-sell opt-out into a cookie management tool, applying a do-not-sell request as an opt out to all cookies that are either not strictly necessary or have not been qualified as service providers. Of these approaches, simply taking the position that data collection by tracking technologies that are not service providers is not a sale is likely to be an inadequate approach in the long term, if for no other reason than that these tracking technologies, if acting as independent collectors of PI, can meet their own CCPA obligations only with publishers’ assistance, such as through the DAA framework, or a similar pass-through notice and choice program. Whether a publisher should participate in the IAB or DAA program, or both, will depend in large part on which programs its ad tech partners pick. And like Google, some tech companies may launch their own proprietary programs. Accordingly, it is recommended that publishers reach out to all their digital vendors and partners to find out how they believe that they can maintain their services in compliance with the CCPA and what the publishers need to do in that regard.
Notably, these CCPA notice and choice opt-out programs will exist alongside the well-known interest-based advertising opt-outs offered by the DAA and Network Advertising Initiative, which are not intended to facilitate the opt out of sale as defined in the CCPA, but rather the opt out from interest-based advertising, which uses profiles built by tracking usage behavior across time and services to better target consumers with relevant ads. A do-not-sell opt-out will stop the particular party that receives the request from further downstream sales, for interest-based advertising or otherwise, but will not stop interest-based advertising based on existing profile information or profile information obtained elsewhere. Accordingly, publishers will have to explain to consumers the scope and limitations of both sets of opt-out programs, and explaining the distinctions between and the scope and limitations of each will be a challenge. If a publisher adopts both the IAB and DAA CCPA compliance frameworks, it will also have the challenge of explaining the differences and that consumers will need to go through both processes. And then, what to do about tracking technologies that are neither service providers nor participants in a CCPA compliance framework? Thus, we have what can best be described as a cookie conundrum.