It seems like at the start of every year there are new privacy laws. The 2020 new year brought us the California Consumer Privacy Act. The 2023 new year will bring us the California Privacy Rights Act and the Virginia Consumer Data Protection Act, with new legislation from Colorado, Connecticut and Utah arriving a bit later in the year.
So yet again, cross-functional privacy teams from across the digital advertising industry are trying to decipher what companies can and can’t do under new state privacy laws in an environment with little precise guidance about how exactly these laws apply to digital advertising and with little time left for interpretation, no less implementation.
And yet again, just as in 2019 and 2020, certain market participants feel uncomfortable saying they “sell” personal information, outside of entering into valid service provider agreements, under the CPRA’s amendment of the CCPA. The everyday consumer understanding of “sale” conjures images of brands selling their secrets to all comers in some shadowy market. This, of course, is not what’s happening at all when publishers and advertisers exchange information with trusted partners to deliver and measure relevant ads. But chief marketing officers, understandably, worry consumers will not grasp the nuance between the common understanding of the term “sale” and its legal meaning under California privacy law.
And so, yet again, a new legal theory is beginning to take root to blunt the impact of state privacy regulation. Specifically, some are suggesting the CPRA’s amendment of the CCPA provides, except for disclosures of personal information made pursuant to valid service provider agreements, personal information disclosures are either a “share” for cross-context behavioral advertising purposes or a “sale” of personal information — not both. Under this myopic view, publishers and advertisers can tell consumers they engage in CCBA by “sharing” personal information, but do not “sell” their personal information.
If we don’t want to be here yet again next year with another amendment or enforcement action, those pursuing such an approach must stop searching for loopholes to avoid the conclusion that a “sale” is occurring and take CCPA and CPRA’s amendment as intended — broadly.
CCBA is 'sale.' It is time to get over it.
The notion the CPRA amended the CCPA to make “sales” and “shares” mutually exclusive categories of personal information disclosures is fundamentally at odds with the structure of the law, which provides for those concepts to overlap. Indeed, a better reading of the CPRA is that all “shares” are “sales,” but not all “sales” are “shares.” For example, if an industry participant engages in CCBA, it is both a “share” and a “sale.” But there are certain measurement and reporting functions that can support CCBA, or other forms of advertising such as contextual, that are likely “sales” but not “shares.”
The CPRA intends “sale” and “share” to overlap, evidenced in the history of the ballot initiative. Certain industry participants unwisely took a narrow view of “sale” upon CCPA’s effective date in January 2020. Those advocating the position stated there were certain exchanges of personal information in the delivery of digital ads that were not supported by valuable consideration, an element of the statutory definition of “sale,” and thus the consumer did not have the right to opt-out of such disclosures. Under that view, participants in the multi-billion-dollar digital ad market were seen as providing gifts of personal information to one another without receiving any benefit.
However, Alastair Mactaggart, privacy advocate and now California Privacy Protection Agency board member who drove the effort towards the CCPA’s legislative enactment and the CPRA ballot initiative amendment to the CCPA, expressed the view that CCPA’s definition of “sale” encompassed all sharing of personal information for CCBA purposes:
I think that the language in the CCPA is clear, and I think the intent is clear. I was really surprised to see a thread developing among some attorneys saying, “don’t worry about ‘sell,’ because that means exchange for valuable consideration,” and essentially, “we can ‘share,’ and it’ll all be OK.” Even though I don’t think the CCPA is ambiguous, if some people are saying it is ambiguous, let’s make sure we close that out. It is now crystal-clear, when it comes to sharing consumer information for cross context behavioral advertising, that the law gives consumers the right to opt out.
In legal parlance Mactaggart’s view was: CCBA disclosures are “sales” of personal information supported by valuable consideration, but for the avoidance of doubt the CPRA amendment made CCBA disclosures “shares” of personal information that do not require any valuable consideration.
The notion that CPRA somehow pulled CCBA out of the “sale” bucket and placed it solely into the “share” bucket is belied by the ballot initiative history.
Moreover, the California attorney general’s complaint and settlement for $1.2 million with Sephora stated, “companies make consumer personal information available to third parties and receive a benefit from the arrangement — such as in the form of ads targeting specific consumers — they are deemed to be ‘selling’ consumer personal information under the law.” Given the position of the California attorney general’s office that CCBA — i.e., “ads targeting specific consumers” — is a “sale” of personal information, it might not be wise to tempt fate and say the CPRA somehow changes that, especially in light of the unchanged definition of “sale” and the attorney general’s enforcement authority.
Unless you have perfected a proper service provider or contractor relationship, and are willing to live with the substantial limitations the law imposes on those relationships, market participants should explain to consumers when they engage in targeted advertising, they’re “selling” and “sharing” personal information for CCBA purposes and provide corresponding opt-outs. Anything less will create incredible friction when negotiating contracts between participants in the digital advertising industry, foster consumer confusion and create unnecessary legal risk. Going into 2023, it is untenable to have half of market participants disclosing to consumers they only “share” personal information and the other half disclosing they both “sell” and “share” personal information, to describe exactly the same activity. Consumers are likely to be confused by what opt-out choices they are being offered, and regulators are unlikely to demonstrate patience with this approach after sending clear signals through statements about the intent of the CPRA’s changes as well as the Sephora enforcement action.
Many may ask: How does this relate to the IAB's new Multi-State Privacy Agreement? The MSPA does not take a legal position on what exactly is encompassed by the definitions of “sale” or “share,” just as the IAB did not define the scope of “sale” in the Limited Service Provider Agreement. We wait for regulators to do that. Instead, the MSPA only defines the activities a service provider or contractor may engage in after a consumer has opted out of “sales” or “sharing,” or in circumstances where an advertiser or publishers determines it does not “sell” or “share” personal information.
In order to support continued growth in an increasingly fraught regulatory environment, we as an industry must coalesce around a common understanding of the CPRA that accepts the broad scope of the law. Our job is to comply. And that begins by accepting the term “sale,” which is here to stay, includes the CCBA.
This is a 10-part series intended to help privacy professionals understand the operational impacts of the California Privacy Rights Act, including how it amends the current rights and obligations established by the California Consumer Privacy Act.
California Privacy Law, now in its newly updated fourth edition, provides businesses, attorneys, privacy officers and other professionals with practical guidance and in-depth information to navigate the state’s strict policies.
If you want to comment on this post, you need to login.