California passed the California Consumer Privacy Act (CCPA) in September 2018, and the CCPA enters into force on January 1, 2020. One of the CCPA’s core elements is a right for consumers to know when a company is selling their data, and to opt-out of data sales at any time. This was the primary focus of early CCPA drafts. Enabling consumers to exercise control over data sharing represents a key area where the CCPA went beyond previous privacy legislation, such as the GDPR.
Observers expected CCPA “Opt-Out” compliance to play a significant role in online advertising. The CCPA defines data sales broadly; any sharing of data for some form of value presumptively qualifies as a “sale” of the data. Online advertising often involves data sharing among a complex network of parties for commercial purposes. Publishers on whose website or app an ad is to be displayed may share data about the individuals currently using their website, so that ad opportunities can be auctioned. Advertisers who wish to place ads on websites or apps may share data about the audience they wish to target, so that they can optimize bidding for ad opportunities. In between publishers and advertisers sits a complex network of supply-side platforms, ad networks and exchanges, demand-side platforms, data management platforms, and other participants – each of which receive and share data as part of auctioning and displaying online ads. Data passed between these participants is generally not in identifiable form; it is usually tied to a cookie ID, device ID, or the like. But since the CCPA includes “online identifier[s]” and the online-activity data often associated with them as personal information, expectations arose that data sharing for online advertising would need to be evaluated as to whether it is a “sale” – and if so, consumers would need to be able to opt-out of it.
This raised the question of how publishers would stop sharing data about a particular individual on command, since cookie- or SDK-based data sharing is often automatic and instantaneous. Conversely, advertisers faced challenges of, e.g., identifying individuals within audiences keyed only to cookie IDs, so that their data could be removed from campaign lists shared with other parties.
Now, the California Senate has introduced a bill that – if passed – may exempt a significant portion of data sharing related to online advertising from CCPA “do not sell” compliance requirements. Senate Bill 753 states that its purpose is to “provide that, for purposes of the [CCPA], a business does not sell personal information if the business … shares, discloses, or otherwise communicates to another business or third party a unique identifier only to the extent necessary to serve or audit a specific advertisement to the consumer.”
To accomplish this purpose, SB 753 adds a new exemption to the CCPA’s definition of a data sale. Under SB 753, data sharing would not qualify as a “sale” when:
- Pursuant to a written contract,
- The business shares, discloses, or otherwise communicates to another business or third party an online identifier, an Internet Protocol address, a cookie identifier, a device identifier, or any unique identifier
- Only to the extent necessary to deliver, show, measure, or otherwise serve or audit a specific advertisement to the consumer.
SB 753 would require the written contract to “prohibit the other business or third party from sharing, selling, or otherwise communicating the information except as necessary to deliver, show, measure, or otherwise serve or audit an advertisement from the business.”
On the whole, SB 753 appears to attempt to offer some relief from “do not sell” compliance obligations in the online-advertising context. It was introduced by California State Sen. Henry Stern, a Democrat representing California’s 27th Senate district. Some industry associations have announced support for the bill, but it is unclear what level of support SB 753 has within committee or within the California Senate. Until recently, the Judiciary Committee of the California Senate was concentrating on another proposed CCPA amendment we summarized earlier, which would markedly expand the scope of permissible CCPA lawsuits.
Even if there is support for SB 753, its current language raises questions as to whether it would have a significant impact on existing CCPA obligations to opt-out individuals from data sharing connected to online advertising:
• SB 753 only exempts data sharing “to the extent necessary to deliver, show, measure, or otherwise serve … a specific advertisement to the consumer.” This raises the question of whether data sharing for the purpose of displaying targeted behavioral advertising to an individual is “necessary” for purposes of the CCPA, when – for example – the same individual could be shown contextual advertising without the same sharing of data.
• SB 753 only exempts the sharing of “online identifier[s], [IP] address[es], cookie identifier[s], [or] device identifier[s]” from the CCPA’s data-sale rules. But displaying targeted advertising often requires more information than just a cookie or device ID to be shared between parties in the online advertising ecosystem. For example, demographic and/or segmentation data about an ad opportunity may be shared to permit advertisers to bid. SB 753 does not appear to exempt this additional data sharing from CCPA’s “do not sell” rules.
We are following SB 753 closely and will report updates on this blog. The text of SB 753 can be viewed in its entirety here.
* * * * *
Alston & Bird’s Privacy & Data Security Practice is closely following the CCPA enactment, amendment, and rulemaking process. For more information contact Jim Harvey, David Keating, or Daniel Felz.