Given the vast challenges California’s sweeping new privacy law, the California Consumer Privacy Act (CCPA), poses for digital marketing, the Interactive Advertising Bureau (IAB) released for public comment a draft of its proposed Compliance Framework for Publishers & Technology Companies (the Framework) on October 22.
“Selling” and CCPA challenges for digital. Those who have been actively preparing for CCPA’s implementation on January 1 know by now that pursuant to section 1798.115(d) of the CCPA, a company that has personal information about a consumer may not onward “sell” (as defined in the CCPA) such information to another party without the consumer (1) having received explicit notice of the sale of the personal information and (2) being given the right to opt out pursuant to section 1798.120. Under the CCPA, even if consumers opt out of having their personal information sold, the information may be shared with third parties acting as “service providers” for limited purposes, but the party disclosing the personal information (that is, the “business”) is very specifically limited in its ability to use any data it received that is deemed “personal information.”
Current information sharing practices. Currently, in the programmatic advertising ecosystem, publishers may pass personal information about visitors to their website to downstream participants (the Downstream Participants) who then may pass such information on to others in the supply chain. These Downstream Participants include providers such as:
- supply-side platforms (SSPs)
- demand-side platforms (DSPs)
- ad exchanges
- ad networks
- ad tech platforms
- data management platforms (DMPs)
Downstream Participants also include the advertiser who ultimately purchases the ad, funds the ecosystem, and, in many cases, expects to have ready and trusted access to information associated with its advertising activity and consumer behavior in response to such advertising.
Current barriers to CCPA risk management. Unfortunately, the publisher does not currently have the ability to communicate with Downstream Participants as to whether a consumer visiting the publisher’s website is a California resident (thereby implicating CCPA), whether the consumer was provided with explicit notice about the potential sale of his or her personal information, and whether the consumer was given an option to opt out. Moreover, the Downstream Participants (other than advertisers) often do not have a direct relationship with the consumer. Consequently, providing their own notice and opt-out rights to consumers and otherwise complying with CCPA presents special challenges to these participants.
IAB’s stated goals. The IAB’s Framework is designed to be used by publishers and Downstream Participants (including advertisers) when engaged in programmatic advertising transactions by providing
(i) a technology solution (the Signal) to allow publishers to electronically share whether the consumer has been provided with the notice and opt-out options required by the CCPA, and
(ii) a standard “Limited Service Provider Agreement” agreement (the Agreement) that governs the sharing of the consumer data in the event the consumer opts out and that imposes on those receiving the consumer information the CCPA statutory limitations of a service provider.
Proposed enforcement. Although the IAB has not provided a draft of the Agreement terms, the Framework notes that the terms would require that the participants in the Framework submit to an audit to ensure the representations and warranties of the Agreement are complied with. The protocol and nature of the audit rights are still to be determined.
Risk allocation and responsibility. The draft Framework begins from the position and assumption that compliance with legal requirements is the goal and that, other than data breaches, enforcement actions would be through the California attorney general. Some experts have suggested that the failure to include any indemnification obligations among and between participants and default limitations of liability could significantly undermine genuine efforts to reform and create an environment of accountability and transparency, as sought by the CCPA and many consumer groups. Right now, recourse for breach of the Agreement by any participant will be limited to non-monetary remedies, such as injunctive relief and being barred from participating in the Framework.
Practical effect of silence on suggested remedies. The Framework notes that it does not prohibit any parties from negotiating their own separate contracts with agreed-upon remedies, limitations of liability, and indemnification obligations. As a practical matter, given that advertisers often to do not have direct relationships with many of the Downstream Participants, this may place a heavy burden on advertisers to insist upon flow-down provisions through their agencies, who are more likely to have direct relationships with these suppliers. It may also leave smaller or less sophisticated brands at risk when they are told the Agreement is “standard.”
“Service provider” safe harbor and CCPA. Under the CCPA, parties that are “businesses” are not liable for the violations of “service providers” unless they have actual knowledge or reason to believe that the service provider intends to commit a violation (section 1798.145(k)). Also, “service providers” do not have liability for “businesses” for which they provide services (1798.145(k)). Thus, the Framework does not address, for example, reputational concerns of publishers and brands whose reputation could potentially be harmed by a breach by Framework participants. In particular, remedies with teeth to help ensure repeatable, sustainable, and demonstrable information accountability may be available solely to those who have market-power to negotiate them or otherwise persuade others to agree.
The Framework effort is notable in that it makes two significant immediate contributions. First, it contemplates a technical framework that will help enable information interoperability subject to real constraints focused on compliance. Second, given the timing urgency, it reflects considerable effort to engage many participants to express their points of view and embrace a partial solution to some key emerging challenges. The net effect of the Framework seems intended to develop a technological system to permit existing programmatic advertising activity to operate as it does currently by pushing responsibility to those with direct relationships with consumers who are being tracked and about whom personal information is being shared.
It is important for publishers, advertisers, and their privacy and data protection officers to know and understand how the Framework works and what the Framework is not intended to do. Notably, the Framework is not designed to make the overall programmatic or digital ecosystem better or more trustworthy through enforcement mechanisms. It is instead designed to facilitate the information flow within the ecosystem similar to the way business is done now. Furthermore, the Framework does not attempt to interpret the CCPA’s definition of “sale” or define whether a participant is acting as a “business” or a “service provider” or a “third party.” In this respect, significant interpretative ambiguity on these roles is left to individual parties to resolve on their own. Consequently, parties could comply strictly with the requirements imposed on them by a particular role, but if the role was determined inaccurately or improperly, counterparties to such relationships could have considerable exposure, especially absent aggressive remedies. Additionally, the Framework contemplates potential continued participation in the ecosystem by non-adherents to the Framework and interaction between and among adherents and non-adherents, thereby leaving an open question as to whether the Framework can contribute to addressing continued criticism of digital advertising in general. Furthermore, the Framework focuses on digital advertising and CCPA compliance. It is too early to tell whether and how companies may apply and use the Framework outside of personal information of California residents and how, if it is widely adopted, it might impact other marketing and data usage by brands.
The comment period for the Framework document is open until November 5, 2019. We are collecting feedback on behalf of our clients and will share with the IAB on your behalf. Please feel free to reach out to Keri Bruce at firstname.lastname@example.org or Gerry Stegmaier at email@example.com. Alternatively, you can send your feedback directly to the IAB at firstname.lastname@example.org.