Comprehensive data privacy laws and new advertising technology standards limit companies’ ability to combine their first-party audience information with third-party data. It all started with California passing the nation’s first comprehensive data privacy law, the California Consumer Privacy Act, which allows consumers to opt out of the sale of personal information. This had a significant impact on the adtech ecosystem as many businesses stopped sharing data with third parties to avoid being sellers of personal information under the CCPA. Following the passage of the California Privacy Rights Act, which goes into effect Jan. 1, 2023, less data will flow into the adtech environment because consumers can now restrict businesses from sharing their personal information specifically for cross-context behavioral advertising.
Increasingly, other states may follow California’s lead and restrict the sharing of personal information for cross-context behavioral advertising. Indeed, Virginia recently passed the Consumer Data Protection Act, allowing consumers to opt out of targeted advertising. At least eight other states are also proposing legislation that could provide similar rights to consumers.
Not only are data privacy laws limiting the sharing of personal information for targeted advertising, but so are tech companies. For example, Apple is trying to position itself as an industry leader to protect users’ privacy and will require app developers to obtain opt-in consent before tracking users when it launches iOS 14.5 this spring. Additionally, Google recently announced that in 2022 it would eliminate third-party cookies from its Chrome browser and stop selling ads based on individuals’ browsing activity across multiple websites.
Simply put, these developments will restrict the use of third-party data for retargeting as more consumers exercise their opt-out rights and tech companies require businesses to no longer rely on third-party data for targeted advertising.
Data privacy laws restricting the sharing of data for advertising
In 2018, California made history by passing the CCPA, the nation’s first comprehensive data privacy law. Under the CCPA, businesses that sell personal information are required to disclose in their privacy policies that they sell personal information and give consumers the right to opt out of the sale through a “Do Not Sell My Personal Information” link on their homepage. The term “sale” is broadly defined under the CCPA to include all transfers of personal information to third parties for monetary or other valuable consideration. Businesses tried to avoid being sellers of personal information by treating the entities receiving their consumers’ personal information as service providers, in which capacity they must agree to certain restrictions regarding what they can do with the personal information. If properly treated as service providers, these entities may receive personal information from businesses without the transfer constituting a sale under the CCPA. Some companies also took the approach that permitting third-party cookies on their websites is not a sale of personal information under the CCPA because there is technically no transfer of personal information in that context. When the CCPA went into effect in 2020, however, that position became uncertain, as the California attorney general appears to take the position that allowing third-party cookies on a business’s website constitutes a sale of personal information.
The uncertainty of this position intensified when the final CCPA regulations included a provision requiring businesses to treat browser plug-ins, privacy settings, device settings or other mechanisms that communicate or signal a consumer’s choice to opt out as valid requests under the CCPA. Soon after the CCPA regulations became final in 2020, a coalition of organizations developed a browser extension called the Global Privacy Control, which communicates opt-out signals every time a consumer visits a website. Ambiguity regarding whether GPC signals constitute valid opt-out-of-sale requests may have been dispelled Jan. 28, 2021, when then-California Attorney General Xavier Becerra tweeted businesses must treat GPC signals as valid opt-out-of-sale requests under the CCPA. Critically, should more consumers choose to use the GPC browser extension, consumers will restrict businesses from sharing their personal information whenever they visit a website as a default setting.
In November 2020, Californians also voted the CPRA into law, which further restricts businesses from sharing personal information for cross-context behavioral advertising. Cross-context behavior advertising is defined as the targeting of advertising to a consumer based on the personal information obtained from their activity across businesses, distinctly branded websites, applications or services, other than which the consumer intentionally interacts. Under the CPRA, businesses may not be able to avoid being sharers of personal information by entering into service provider agreements with their vendors because transferring personal information to a vendor for cross-context behavioral advertising is no longer considered a business purpose — a requirement to treat the entity receiving personal information as a service provider under the CPRA. This leaves businesses with limited options to avoid being sharers of personal information under the CPRA. The only option available for businesses is to implement a mechanism, such as a pop-up box or tick box, to capture consumers’ consent for businesses to disclose their personal information to other entities.
Virginia also passed a data privacy law March 2, 2021. The Consumer Data Protection Act permits consumers to opt out of the processing of their personal data for targeted advertising (defined as displaying advertisements to a consumer where the advertisement is selected based on personal data obtained from that consumer’s activities over time and across nonaffiliated websites or online applications to predict such consumer’s preferences or interests). California and Virginia are not alone, as other states, including Arizona, Connecticut, Illinois, Maryland, Minnesota, New York, Oklahoma and Washington, are proposing similar comprehensive data privacy laws to further restrict combining first-party and third-party data for targeted advertising.
Changing adtech landscape
Along with the limits placed on the use of third-party data by new data privacy laws, new standards are being set by tech companies, as well, with Apple and Google among the companies leading the way to protect consumers’ privacy. For example, Apple announced that with the launch of its iOS 14.5 in early spring, it will require app developers to obtain opt-in consent from users before tracking them. Under Apple’s App Tracking Transparency framework, “tracking” is defined in a similar way as in the laws discussed above — that is, as the act of linking user or device data collected from an app with user or device data collected from other companies’ apps, websites or offline properties for targeted advertising or advertising measurement purposes. This also includes sharing user or device data with data brokers. Apple has provided some examples regarding what does and does not constitute tracking, which essentially involves linking app developers’ first-party data with third-party data.
Examples of tracking include the following:
- Displaying targeted advertisements in a company’s app based on user data collected from apps and websites owned by other companies.
- Sharing device location data or email lists with a data broker.
- Sharing a list of emails, advertising IDs or other IDs with a third-party advertising network, which uses that information to retarget those users in other developers’ apps or find similar users.
- Placing a third-party software development kit in an app that combines user data from the company’s app with user data from other developers’ apps to target advertising or measure advertising efficiency, even if the SDK is not used for those purposes. One example is the use of an analytics SDK that repurposes the data it collects from a company’s app to enable targeted advertising in other developers’ apps.
Apple also provides examples of what does not constitute tracking, which includes the following limited scenarios:
- When the user or device data from a company’s app is linked to third-party data solely on the user’s device and is not sent off the device in a way that can identify the user or device.
- When the data broker with whom a company shares data uses that data solely for fraud detection, fraud prevention or security purposes and solely on the company’s behalf. One example is the use of a data broker solely to prevent credit card fraud.
Similarly, Google announced that in 2022 it would eliminate third-party cookies from its Chrome browser and stop selling ads based on individuals’ browsing activity across multiple websites.
With all these changes by major tech companies, businesses are left with limited options for gathering user profiles based on their interactions across multiple owned and operated properties.
What should businesses do?
With this change in landscape, first-party data is king. Major companies are well-positioned to adapt to these developments, as they likely still have a treasure trove of first-party data that they can rely on for retargeting and measuring marketing performance on their owned and operated properties. Businesses can also increase their volume of first-party data through, among other mechanisms, loyalty and rewards programs. Further, businesses can gain a greater granular understanding of their first-party data through synthetic data, which uses machine learning algorithms to provide an in-depth understanding of trends and analytics without revealing the identity of a data subject. By all accounts, synthetic data is considered as effective as using actual data sets for purposes of analytics. Lastly, businesses have the option of utilizing Apple’s closed-box SKAdNetwork to measure the success of ad campaigns and Google’s Privacy Sandbox technology, the Federated Learning of Cohorts, which is considered an effective alternative to third-party cookies for generating interest-based audiences.
The IAPP created an infographic outlining the 10 most-impactful provisions of the California Privacy Rights Act ballot initiative. The infographic gives a snapshot of the potential implications stemming from the CPRA being passed and entering into force January 2023.
“California Privacy Law,” now in its newly updated fourth edition, provides businesses, attorneys, privacy officers and other professionals with practical guidance and in-depth information to navigate the state’s strict policies.
The Westin Research Center released this interactive tool to help IAPP members navigate the California Consumer Privacy Act and the California Privacy Rights Act. The “CCPA and CPRA Genius” maps CCPA and CPRA legal requirements and provides ready access to critical resources, expert analysis, compliance guidance and more.
If you want to comment on this post, you need to login.