Thanks to Ben Isaacson for sharing his insights on the key provisions of the final CCPA Regs as it relates to the Adtech industry. He discusses the benefits and pitfalls of using cookie consent banners, the importance of carefully reviewing your contractual language, changes to record-keeping requirements and much more. Watch this mini recording to learn more.
Transcription below:
Teresa Troester-Falk
Hello everyone and welcome to today’s PrivacySnapshot where we’re going to be talking about the finally published CCPA regulations, but specifically with a look to its impact on the ad tech industry. And I’m really excited that Ben Isaacson is with us today. Ben is an expert in the field of adtech and digital privacy. And he’s been working at this for over a couple of decades as a privacy consultant, does work with us at BlueSky Privacy and among many other privacy engagements, including a secondment at Uber.
Ben we were not surprised, of course, to see the Regs finally, in a position to be enforceable. But we were surprised that at the 25th hour as you say, there were some little changes that nobody expected and one of them that many listeners have noticed is that, for example, the option to include a smaller or shorter version of “do not sell my personal information” to “do not sell my info” was just deleted from the final version of the Regulations. It seems like a small thing but will impact a lot of companies’ operational procedures, because they included the shorter version. But, there were some very specific things that the adtech industry should pay attention to. And that’s what you’re here to talk about. So I’ll pass it over to you now to highlight those issues.
Ben Isaacson
Thanks, Teresa It’s great to be with you. So the last minute changes to the Attorney General Regulations included a couple of pieces in particular to the opt out, which is what a lot of digital companies care most about. The simple ones that they changed at the last minute where if you’re an online company, you don’t need to offer an offline opt out. But when a lot of online companies were worried about, they also changed some of the text around, just what that opt out mechanism needs to be. It doesn’t need to be easy to execute with minimal steps (that was a language in the earlier draft that they got rid of). So not to say you should make your job harder. But it just needs to be easy to read and understand. And then the last change but really important one is that it also has a recently posted comment some constitutionality questions is, if you’re a large digital company, especially digital advertising company, that you might collect, 5 million data points a year and not necessarily know whether they’re Californians or not. There was this note, there’s this provision in the law that said, you need to have record keeping for anything over 4 million records and provide around all the Access and opt out and deletion requests that were made in the course of a year, that threshold, they changed at the last minute, from 4 million records to 10 million records. So it’s going to be rare for any smaller ad tech companies to get that kind of data. But for certainly, most large adtech companies, most large online publishers, they’re still compelled to track the number of disclosures and requests that they’ve made in the course of the year. So it’s a record keeping requirement. So those are the brand new changes that just came in last week. They’re there there’s a couple of recap issues I just want to throw out there around the core issue for ad tech and digital advertisers as well. And the big one that, working with my advertiser clients and prospective clients particularly talks about is, “is ad tech a sale of data under the CCPA and pretty general done Say this explicitly saying it’s very fact specific. And so there might be scenarios where there are certain ad tech, you know, measurement companies, auditing companies, anything that might be helping you do analytics and performance measurement could still be certainly service providers even if they are doing some things to help improve their products. But if it’s an identifier that’s being used for retargeting if it’s being used, real time bidding ecosystem, really anything that results in targeting on another website or app is going to be considered a sale as far as the Attorney General goes, and that includes any identifiers including fingerprints and mobile ad IDs and other aspects. So the big question then becomes, okay, well, what am I supposed to do about that as an advertiser — should I have a cookie consent banner like we have in Europe, to acquire opt in consent, similarly to the what the GDPR and the privacy directive require in Europe. And so you’ve seen a lot of these banners pop up since January. But the law is actually much less clear on this. And so there’s really no requirement under the law, or in the Attorney General’s regulations that say, you should have a cookie consent banner on your website. And there are different interpretations of the law. In fact, the Attorney General does not address this at all, they say, if you have a cookie consent and opt in request for cookies, it may still not satisfy the do not sell requirements under the law, because they’re very different provisions under the text. So the most conservative approach would be to have a notice that has a button that says do not sell my personal information. And that’s all it says — it doesn’t say opt in, opt out. Except rejected just says, click here to satisfy your rights under the CCPA to do not sell my personal information with the full words spelled out. So that’s probably the most tricky issue. It will be kind of digested over the next few months.
Teresa Troester-Falk
So just thinking ahead. Do you think that the the CPRA, which will be on the November ballot, given the new definition of sharing adds any insight to that question, puts it to rest in some way introduces a new element.
Ben Isaacson
I mean, I think it’s left to be determined whether the CPRA even passes with the ACLU and EFF opposing. So this question, objected to it, but, , I think in general What we’re looking at is, an adequacy with the GDPR in a way that puts to bed, you know, whether a sale is really sharing because the two are essentially synonymous, between the cpra now ccpa. So we’re kind of it does raise the specter of Canada’s onward transfer, and the need for an opt out, really eventually an opt in, you know, to make sure that if an entity is going to be using your data for another purpose, other than, you know, just to service you in any way, then it’s clearly going to need consent.
Teresa Troester-Falk
So let’s leave our viewers with a final word. If you think about think about our client base — these last minute changes, the ongoing questions about the ambiguities is there one, you know, nugget of insight or suggestion, best practice that you could pass on? You know, if you haven’t thought about this, you really should be thinking about it? If you’re not doing this, you really should be doing it. I know, that’s a very broad question, but is there something that comes to mind?
Ben Isaacson
Oh, I mean, the lawyer in me has to point out that there is some discrepancies between the text of the CCPA and the regulations, when it comes to whether a vendor is a service provider, and, or whether they’re doing things with your data that they could get away with. That may not even be in the text of the ccpa. And guess what the nugget I would say is that, you know, not all contracts, especially data protection, language and contracts are equal. And the first thing is that, you know, if you’re in West — California data, you must specify crystal clear that the vendor is a service provider. And then, you know, again go, what I would recommend is going back to the text of the law rather than the regulations, and pointing out that the text, the business purpose, under the definition of service provider, is very limited to only servicing that, that customer and not to build profiles or build products. And really, you know, in essence, like copy and pasting, what that exclusive business purposes, and that, you know, there’s no other purpose beyond that. And what this does is simply narrow down so that, you know, if you’re working with a vendor that may, especially in ads that may have, other interests in your data, that it’s crystal clear exactly what they’re limited to.
Teresa Troester-Falk
Great, great suggestion. So thank you. That is our privacy snapshot for today. And as always, if you are looking for support with your CCPA privacy compliance or otherwise we at BlueSky Privacy are here to help you figure out those operational pieces. So Ben thank you again, and we’ll look forward to having you back for a discussion on cookie governance.
Let’s talk about Privacy, the CCPA and AdTech
Are you ready to demonstrate compliance with the CCPA, the GDPR, or other privacy laws? The key is operational know-how, a practical plan, and privacy expertise.
Ask us how we can help you feel confident and at ease with your privacy compliance efforts.
