The California Consumer Privacy Act (“CCPA”) was enacted in early 2018 as a political compromise to stave off a poorly drafted, and plaintiff’s friendly ballot initiative. Although the CCPA is scheduled to go into force in early 2020, there is a great deal of confusion regarding the requirements of the CCPA, including the degree to which it aligns with other privacy regulations such as the European General Data Protection Regulation (“GDPR”).

To help address that confusion, BCLP published the California Consumer Privacy Act Practical Guide, and is publishing here a multi-part series that discusses the questions most frequently asked by retailers concerning the CCPA

Q. If a website participates in behavioral advertising, does the CCPA require that it disclose that it is “selling” consumers’ information?

The California CCPA requires that a business that “sells” personal information disclose within its privacy policy a “list of the categories of personal information it has sold about consumers in the preceding 12 months.” CCPA, § 1798.130(A)(5)(C)(i). The CCPA broadly defines the term “sell” as including the act of “disclosing” or “making available” personal information “for monetary or other valuable consideration.” CCPA Section 1798.140(t)(1). “Personal information” is also defined broadly as including any information that “could reasonably be linked, directly or indirectly, with a particular consumer or household” such as, in certain instances, IP addresses, unique online identifiers, browsing history, search history and “information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.” CCPA, Section 1798.140(o)(1)(A), (F).

Many companies – particularly online retailers – participate in behavioral advertising networks. In order to participate in a network, a company places code on its website that permits a third party (the behavioral advertising network) to either (1) place tracking technology (e.g., a cookie) on the computer of people who visit the website, or (2) receive information that the visitor’s computer transmits to the website that the visitor intends to visit. This might include, for example, a GET request whereby the consumer’s computer asks the website to load a webpage, or a POST submission whereby the consumer transmits information about themselves (e.g., email address, search query, etc.) to the website. The third party behavioral advertising network collects and aggregates the information in order to monitor a consumer (or at least the consumer’s computer) across all of the websites that participate in the network and to build a profile from which the behavioral advertising provider can discern characteristics about the consumer to help deliver targeted advertising.

Unrelated to the CCPA, courts that have evaluated the relationship between a consumer, the website that they intend to visit, and behavioral advertising networks that receive information about that visit have held that the data transmitted from the consumer to the website is “intended for” the website itself, and the website is, in turn, “consent[ing]” for the behavioral advertising network to “access” the consumer’s “communications to them.” In re Doubleclick Inc. Privacy Litigation, 154 F.Supp.2d 497, 511 (S.D.N.Y. 2001). In other words, they view the website as “authoriz[ing]” a behavioral advertising network to access information transmitted by a consumer to the website. Id. at 514. Given these holdings, plaintiffs’ attorneys are likely to argue that the act of authorizing a third party behavioral network to access information transmitted by a consumer is synonymous with “making available” the information and, thus, constitutes a “sale” pursuant to the CCPA.

While the definition of “sale” under the CCPA contains an exception for situations in which information is shared with a service provider, the exception may not apply to behavioral advertising networks. Specifically, the service provider exception requires that three conditions be present. While some of those conditions exist in the context of a behavioral advertiser, others do not.

First, the transfer of information to the service provider must be “necessary” for the website’s business purpose. CCPA, Section 1798.140(t)(2)(C). While the facilitation of targeted advertising may be desirable, it is questionable whether a court would view targeted advertising as a necessity.

Second, the transfer of the information to the service provider must be disclosed to consumers. CCPA, Section 1798.t)(2)(C). Many websites arguably meet this requirement by disclosing their participation in behavioral advertising networks within their privacy policies.

Third, the agreement with a service provider must “prohibit” the service provider “from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract with the business.” CCPA, Section 1798.140(t)(2)(C)(ii), (v). As behavioral advertising networks typically retain the information that they obtain from websites within their network, and use that information for the benefit of themselves (and the other members of their network) a plaintiff’s attorney is likely to argue that the contracts in-place between websites and advertising networks are insufficient to convert the advertising network into a “service provider.”

In order to mitigate the risk that permitting behavioral advertising networks to deploy cookies on a website will be interpreted as a “sale” of information, a website has two main options:

  • Ask for consent. The CCPA excepts from the definition of “sale” the situation where a “consumer uses or directs the business to intentionally disclose personal information.” CCPA, Section 1798.140(t)(2)(A). As a result, if a website deploys a cookie banner, and a consumer agrees or “opts-in” to the use of tracking cookies, the website arguably has not “sold” information to behavioral advertisers.
  • Disclose the sale of information and offer opt-out. If opt-in consent is not obtained, a website could disclose within its privacy policy that it is “selling” information (as that term is defined within the CCPA) to behavioral advertising networks. Note, however, that if a company sells personal information, the CCPA requires that the company provide a “Do Not Sell My Personal Information” link on its homepage, and honor requests to opt-out from such sales CCPA. Section 1798.135(a)(1). Assuming that a business provides such a link, it is not clear that a mechanism currently exists for the business to communicate to the behavioral advertising networks that a particular consumers’ information cannot be collected