Impact of Final CCPA Regs on AdTech with Ben Isaacson

CCPA Regs and Adtech – Thanks to for sharing his insights on the key provisions of the final CCPA Regs as they relate to the Adtech industry. He discusses the benefits and pitfalls of using cookie consent banners, the importance of carefully reviewing your contractual language, changes to record-keeping requirements, and much more. Watch this mini recording to learn more.

Transcription for CCPA Regs and Adtech below:

Teresa Troester-Falk

Hello everyone, and welcome to today’s PrivacySnapshot, where we’re going to be talking about the finally published CCPA regulations, but specifically with a look at its impact on the ad tech industry. And I’m really excited that Ben Isaacson is with us today. Ben is an expert in the field of adtech and digital privacy. He’s been working at this for over a couple of decades as a privacy consultant and does work with us at BlueSky Privacy and among many other privacy engagements, including a secondment at Uber.

Ben, we were not surprised, of course, to see the Regs finally in a position to be enforceable. But we were surprised that at the 25th hour, as you say, there were some little changes that nobody expected, and one of them that many listeners have noticed is that, for example, the option to include a smaller or shorter version of “do not sell my personal information” to “do not sell my info” was just deleted from the final version of the Regulations. It seems like a small thing but will impact a lot of companies’ operational procedures because they included the shorter version. But, there were some very specific things that the adtech industry should pay attention to. And that’s what you’re here to talk about. So I’ll pass it over to you now to highlight those issues.

Ben Isaacson

Thanks, Teresa. It’s great to be with you. So the last-minute changes to the Attorney General Regulations included a couple of pieces, in particular to the opt-out, which is what a lot of digital companies care most about. The simple ones that they changed at the last minute were if you’re an online company, you don’t need to offer an offline opt-out. But when a lot of online companies were worried about it, they also changed some of the text around, just what that opt-out mechanism needs to be. It doesn’t need to be easy to execute with minimal steps (that was a language in the earlier draft that they got rid of). So not to say you should make your job harder. But it just needs to be easy to read and understand. And then the last change, but a really important one is that it also has a recently posted comment.

Some constitutionality questions are, if you’re a large digital company, especially a digital advertising company, you might collect 5 million data points a year and not necessarily know whether they’re Californians or not. There was this note; there’s this provision in the law that said you need to have record keeping for anything over 4 million records and provide around all the Access and opt-out and deletion requests that were made in the course of a year, that threshold, they changed at the last minute, from 4 million records to 10 million records. So it’s going to be rare for any smaller ad tech companies to get that kind of data. But for certainly, most large adtech companies, most large online publishers, they’re still compelled to track the number of disclosures and requests that they’ve made in the course of the year.

So it’s a record-keeping requirement. So those are the brand new changes that just came in last week. They’re there are a couple of recap issues I just want to throw out there around the core issue for ad tech and digital advertisers as well. And the big one that, working with my advertiser clients and prospective clients, particularly talks about is, “Is ad tech a sale of data under the CCPA and pretty generally done Say this explicitly, saying it’s very fact-specific. And so there might be scenarios where there are certain ad tech, you know, measurement companies, auditing companies, anything that might be helping you do analytics and performance measurement could still be certainly service providers even if they are doing some things to help improve their products. But if it’s an identifier that’s being used for retargeting if it’s being used, real-time bidding ecosystem, really anything that results in targeting on another website or app is going to be considered a sale as far as the Attorney General goes, and that includes any identifiers including fingerprints and mobile ad IDs and other aspects.

So the big question then becomes, okay, well, what am I supposed to do about that as an advertiser — should I have a cookie consent banner as we have in Europe, to acquire opt-in consent, similarly to what the GDPR and the privacy directive require in Europe? And so you’ve seen a lot of these banners pop up since January. But the law is actually much less clear on this. And so there’s really no requirement under the law, or in the Attorney General’s regulations that say, you should have a cookie consent banner on your website. And there are different interpretations of the law. In fact, the Attorney General does not address this at all; they say if you have a cookie consent and opt-in request for cookies, it may still not satisfy the do not sell requirements under the law because there are very different provisions under the text. So the most conservative approach would be to have a notice that has a button that says do not sell my personal information.

And that’s all it says — it doesn’t say opt-in, opt-out. Except rejected just says, click here to satisfy your rights under the CCPA to do not sell my personal information with the full words spelled out. So that’s probably the most tricky issue. It will be kind of digested over the next few months.

Teresa Troester-Falk

So just thinking ahead. Do you think that the the CPRA, which will be on the November ballot, given the new definition of sharing, adds any insight to that question, and puts it to rest in some way, and introduces a new element?

Ben Isaacson 

I mean, I think it’s left to be determined whether the CPRA even passes with the ACLU and EFF opposing. So this question objected to it, but I think, in general, what we’re looking at is adequacy with the GDPR in a way that puts to bed, you know, whether a sale is really sharing because the two are essentially synonymous between the CPRA now CCPA. So we’re kind of it does raise the specter of Canada’s onward transfer, and the need for an opt-out, really eventually an opt-in, you know, to make sure that if an entity is going to be using your data for another purpose, other than, you know, just to service you in any way, then it’s clearly going to need consent.

Teresa Troester-Falk

So let’s leave our viewers with a final word. If you think about our client base — these last-minute changes, the ongoing questions about the ambiguities, is there one, you know, a nugget of insight or suggestion, a best practice that you could pass on? You know, if you haven’t thought about this, you really should be thinking about it. If you’re not doing this, you really should be doing it. I know that’s a very broad question, but is there something that comes to mind?

Ben Isaacson

Oh, I mean, the lawyer in me has to point out that there are some discrepancies between the text of the CCPA and the regulations when it comes to whether a vendor is a service provider and, or whether they’re doing things with your data that they could get away with. That may not even be in the text of the ccpa. And guess what the nugget I would say is that, you know, not all contracts, especially data protection, language, and contracts, are equal. And the first thing is that you know if you’re in West  — California data, you must specify crystal clear that the vendor is a service provider.

And then, you know, again go, what I would recommend is going back to the text of the law rather than the regulations, and pointing out that the text, the business purpose, under the definition of service provider, is very limited to only servicing that, that customer and not to build profiles or build products. And really, you know, in essence, like copy and pasting, what that exclusive business purposes, and that, you know, there’s no other purpose beyond that. And what this does is simply narrow down so that, you know, if you’re working with a vendor that may, especially in ads that may have, other interests in your data, that it’s crystal clear exactly what they’re limited to.

Teresa Troester-Falk

Great, great suggestion. So thank you. That is our privacy snapshot for today. As always, if you are looking for support with your CCPA privacy compliance or otherwise, we at BlueSky Privacy are here to help you figure out those operational pieces. So Ben, thank you again, and we’ll look forward to having you back for a discussion on cookie governance.

Let’s talk about Privacy, the CCPA and AdTech

Are you ready to demonstrate compliance with the CCPA, the GDPR, or other privacy laws? The key is operational know-how, a practical plan, and privacy expertise.

Ask us how we can help you feel confident and at ease with your privacy compliance efforts.

Follow us on LinkedIn: https://www.linkedin.com/company/blueskyprivacy/mycompany/