The CCPA Backfire: Online Data Is Now A Commodity

The California Consumer Privacy Act (CCPA) provides significant new privacy rights to Californians (with many companies now offering these rights globally), including the right for (CA) consumers to opt out of the ‘sale’ of their personal information. While the CCPA authors’ intent may have been to reduce or eliminate many of these ‘sales’ techniques, the irony is that they’ve commoditized website and app visitor data used for advertising.

Disclaimer: The opinions in this article are my own, and do not reflect those of any of my clients or the organizations I represent.

Under the CCPA, personal information now includes cookie IDs, mobile advertising IDs, IP addresses and anything that can uniquely identify an individual or household. In other words — all website or app unique visitor data is now considered personal information.

A ‘commodity’ is commonly defined as an ‘economic good’ or ‘something useful or valued’. In the past, companies would rarely ‘value’ their website or app data shared with online advertising services, other than those with ad-supported ‘monetization’ efforts. Now, the CCPA requires companies to determine if there is any ‘value exchange’ when sharing website or app data with a company that does not strictly meet the definition of being a ‘service provider’ or fall into one of the seven ‘business purpose’ exceptions found in 1798.140.d. (For an excellent analysis of this issue, read this post by Lydia de la Torre.)

Over the past few months, there have been many differing interpretations of whether anything other than monetization constitutes a ‘sale’. For website or app visitor data, it’s well-established that ad-supported publishers enabling use of their visitor data in the open market is a ‘sale’, which prompted the IAB to create their CCPA Framework. This same conclusion extends to any websites that share data with services that create ‘audiences’ for other advertisers to target, which prompted the DAA to create their new CCPA Icon and associated tools. (As I see it — the IAB approach is a ‘scalpel’, while the DAA approach is a ‘hammer’.)

However, most of the largest advertising platforms and services fall somewhere in between ‘monetization’ and ‘service providers’. Some of these services may be both, where they act as ‘service providers’ when you use their self-service platform to target your own audiences that are matched to theirs, but then they may act as a ‘third party’ when they place a pixel on your website or integrate an app SDK for broader ad retargeting and lookalike audience creation. The reason for this is that with the latter category, the advertising service compliance rationale may be that they are the ‘business’ collecting visitor personal information from your website or app, or more likely they have language in their agreement terms that grants them various rights to use your website or app data beyond the scope of the seven CCPA ‘business purposes’ (or even some who are creating new ‘business purposes’ that aren’t in the CCPA).

It’s this latter analysis of pixel and SDK partner uses that has caused many companies to determine that these uses are ‘sales’ and offer an opt-out. (Or with some approaches, using language such as ‘we don’t think ad data sharing is really a sale, but the CCPA seems to say it is, so here’s an opt-out anyway’.) Part of the rationale for this ‘sale’ conclusion is that every website with an EU presence is already offering a cookie-related opt-out for EU visitors, and it’s relatively trivial to extend a similar cookie opt-out to CA (or US) visitors.

However, the commoditization of online data is not just established through partner analysis or offering an opt-out, but with the prominent “Do Not Sell My Personal Information” (DNSMPI) home page disclosure.

When the CCPA was first passed, I thought there was no way brand advertisers would post a home page link disclosing that they ‘sell’ consumer data. I could not have been more wrong.

Here is a small sample of the largest brands that now disclose on their home pages that they (may) ‘sell’ personal information: Disney, GM, Adidas, McDonald's, eBay, Budweiser, Colgate, Sony, Target, and Uber.
(Full disclosure — I worked on that last one.)

Now that the ‘DNSMPI’ disclosure is ubiquitous, what risk is there for a brand to expand data sharing beyond just with ‘service providers’? Please don’t misunderstand me; I’m a privacy professional who cares deeply about data protection and am not advocating for more data sharing. That said, it’s hard to avoid the following trends in the marketplace of new tools that couple privacy choices with the ability to increase data sharing, such as:

  • The IAB’s ‘Limited Service Provider Agreement’ that creates a legal framework to share opt-out ‘signals’ across all participants in the Real-Time-Bidding ecosystem.

  • Tag Management or Consent Management Platforms (CMPs) that enable cross-site/app opt-outs and integrate directly with the advertising industry.

  • Customer Data Platforms (CDPs) that help manage access, deletion and opt-outs in a centralized method across digital data sharing partners, such as this offering by Segment. (Full disclosure: a former client.)

There is also a (likely unintentional) consequence of the CCPA maintaining, or even improving, the status for data resellers and brokers. In 2005, the CA legislature passed the ‘Shine the Light Act’, which requires companies who (actually) sell lists of consumers for direct marketing purposes to either offer consumers a list of the business recipients of these lists, or opt-out. Strangely, the authors of the CCPA made no effort to amend or expand upon this law and require that consumers get access to a list of the ‘buyers’. Even more notably missing from the CCPA is any requirement for data resellers or brokers who purchase data to honor a consumer ‘sale’ opt-out beyond the scope of the source-publisher who shared the opt-out. In other words, there is no restriction on a data reseller reselling information about an opted-out user if they receive that same user information from another source-publisher without an opt-out. The CCPA’s opt-out approach is in direct contrast with interest-based (or ‘tailored’ as the NAI now calls it) advertising industry self-regulation, where the DAA/NAI offer consumers a business-specific (or ‘select-all’ industry-wide) opt-out solution. Finally, while there was a last-minute amendment to the CCPA adding a ‘data broker registry’, there is no requirement for a centralized opt-out mechanism or even inclusion of an opt-out link on the registry webpage.

As a result, the vast majority of consumers will never know who the business entities are that purchase their data from ‘sellers’, and consumers will need to exercise their opt-out rights across every publisher as well as their respective resellers.

So between the ubiquitous ‘DNSMPI’ disclosures on most brand websites and virtually no new restrictions on data resellers, do we think that the CCPA is creating data sharing friction, or empowering brands to further ‘sell’ online data across the advertising ecosystem?
