The California Consumer Privacy Act (CCPA) requires businesses who engage in sales of personal information, to offer consumers the right to opt out of such sales through a “Do Not Sell My Personal Information” link or button on their websites. These “Do Not Sell” obligations present a particularly thorny question for businesses that participate in a digital ad exchange or otherwise use advertising tracking technologies on their websites. Because data elements such as IP address, cookie ID, device identifier and browsing history are considered “personal information” for purposes of the CCPA, the question is: does sharing that information with third-party ad tech providers constitute a “sale” of data?
The answer, so far, is a resounding “maybe.” In what follows, we expand on the issue and survey different approaches to this hotly contested question.
Why the Debate?
The CCPA defines a “sale” as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.” The Network Advertising Initiative (NAI) broke this definition down into three main elements that, when satisfied, might make the case that digital advertising involves a “sale.”
The digital advertising must involve “personal information.” We know that it does because serving digital ads requires, at the very least, access to IP address and browsing history.
The digital advertising must involve the movement of personal information from a business to another business or third party. This is often true for digital advertising relationships, as ad tech intermediaries and other participants in the ad exchange often use the personal information they have received from businesses for their own purposes, thus taking many ad tech entities outside of CCPA’s “service provider” safe harbor.
The digital advertising must involve the exchange of monetary or other valuable consideration for the personal information. This is a fact-specific inquiry that will vary across contractual arrangements. For that reason, the NAI analysis states it would be difficult to broadly categorize all digital advertising activities as “sales.” However, the NAI cautions that if the recipients of personal information can retain the information “for profiling or segmenting purposes” (e.g., the ability to monetize the data independently), that could be evidence of a “sale” of data.
Approaches to “Do Not Sell” Vary Widely
Several of the largest players in the digital advertising industry have taken conflicting positions on whether digital advertising is a “sale” under the CCPA. The lack of a consensus combined with the fact-specific nature of the “sale” analysis leaves most businesses with a risk-based choice between competing considerations. Approaches we have seen to date include the following:
1. Affirmatively Stating No Sale. Some businesses, including major ad tech players, have announced that they believe their receipt of consumer personal information falls within the “service provider” safe harbor. Therefore, these activities do not constitute a “sale” under the CCPA. These businesses affirmatively state in their privacy policies that they do not sell personal information and do not offer an opt-out link or button.
2. Changing the Service Offerings. Other businesses have implicitly acknowledged that their digital advertising activities constitute a sale of personal information by changing their practices to avoid activities that would constitute a “sale” under the CCPA.
3. Acknowledging a Sale and Adhering to Ad Industry Frameworks. For those businesses that have chosen to treat digital advertising as a sale, some have chosen to comply with one or more of the following ad industry compliance frameworks:
The Interactive Advertising Bureau (IAB) issued its CCPA framework to help digital publishers and their supply chain partners comply with the CCPA. To participate, businesses must agree to a contractual arrangement that purports to trigger the CCPA “service provider” safe harbor when a consumer exercises their right to opt out. This allows data transfers to continue even when a consumer has opted out, as long as data practices fall within the limited “service provider” use cases.
The Digital Advertising Alliance (DAA) recently unveiled its own solution, a new icon aimed at helping ad companies comply with the law. When a consumer clicks on the icon, they will be directed to a page where they can access a tool to opt out of the sale or transfer of their information. The DAA recommended in recent guidance that businesses accompany the icons with text links and language like “CA Do Not Sell My Info.”
The NAI updated its Code of Conduct to cover a broader range of products and technologies and align with the CCPA’s requirements for targeting audiences from 13 to 16 years old.
In lieu of providing a “Do Not Sell My Personal Information” opt-out link or button, some businesses provide links to or explanations about the ad industry framework(s) in which they participate. While this certainly reflects reasoned compliance with the framework(s), this approach may have limits under the CCPA. The opt-outs expressed by consumers through the various ad industry tools and frameworks may only be disseminated among those organizations that participate in the framework. Businesses and/or advertisers outside of the framework, including those with whom a business may engage for digital advertising services, may not receive notice of the request to opt-out and not be held accountable for honoring that request under the framework.
4. Acknowledging a Sale and Giving an Ultimatum. In limited cases where sharing personal information is an integral part of the business’s products or services, some businesses explain to consumers that by directing the business to not “sell” personal information, they will no longer be able to use their accounts with the business and may be asked to delete their accounts.
5. Acknowledging a Sale and Using Cookie Management Tools. Some businesses have acknowledged that their digital advertising activities constitute sales of data and rely on existing “cookie management” products to simply disable advertising trackers for website visitors who opt out. This approach is used by many businesses for GDPR compliance.
6. Combining Approaches. Finally, some businesses have adopted a variation on the above approaches by providing opt-out functionality but objecting to the characterization of their practices as “sales.” These businesses’ privacy policies explain that while they do not believe that their digital advertising activities constitute “sales” of data as colloquially understood, they nonetheless admit that such activities may fall under the CCPA’s expansive definition of “sale,” and offer appropriate choices under one of the above approaches.
The decision to take any of these approaches, or to participate in an industry compliance framework, depends on a variety of factors, including industry, exposure and risk tolerance. It remains to be seen whether any of these approaches will be interpreted to satisfy the CCPA’s requirements.
What About Analytics?
Not all online tracking is related to advertising, and many businesses may be wondering if their use of other online tracking vendors, such as website analytics tools or customer relation management trackers, trigger the CCPA’s “sale” obligations. This is a fact-specific question that depends on the vendor and data practices in question. Analytics vendors are generally more likely to qualify for the “service provider” safe harbor and be exempt from the “sale” obligations, provided their use of personal information is contractually limited to the purposes specified by their business customers.
Finding Common Ground
More guidance is clearly needed for businesses to determine whether digital advertising always or sometimes amounts to a sale. California’s Attorney General Xavier Becerra has recently said that he intends to help businesses understand how he plans to interpret the law. We hope that clarification of the applicability of CCPA’s “Do Not Sell” rights to the digital advertising industry is among the Attorney General’s highest priorities. In the meantime, with the CCPA now in effect, businesses should carefully consider their practices concerning online advertising and web tracking and determine the approach best suited for their business.
Austin Mooney Austin Mooney focuses his practice on global privacy, cybersecurity, and emerging technologies. A Certified Information Privacy Professional/Europe, he is experienced in helping clients navigate US and international data protection law, including the GDPR. Click here to learn more about Austin's practice. Amy C. Pimentel Amy C. Pimentel focuses her practice on privacy and data security and general health law. Her clients operate in a variety of industries, including health care, consumer products, retail, food and beverage, technology, banking and other financial services. Read Amy Pimentel's full bio.