“Data-Driven Thinking” is written by members of the media community and contains fresh ideas on the digital revolution in media.
Today’s column is written by Richard Eisert, partner at Davis & Gilbert.
While enforcement of the California Consumer Privacy Act (CCPA) is still slated to begin on July 1, the accompanying regulations still have not yet been finalized. The only guidance provided by the attorney general on how the CCPA will be enforced are its twice-revised draft regulations.
Although it has received surprisingly little attention, one of the most impactful changes in the draft regulations for the ad tech ecosystem relates to how companies can “sell” personal information that they did not collect from consumers directly. The answer to this question will have major implications for the digital advertising landscape since it will determine how downstream participants who receive personal information from others can carry out media buys involving targeted ads.
As currently drafted, businesses that indirectly collect personal information from consumers may only “sell” onward that personal information without providing a pre-collection notice to consumers if they are registered as “data brokers” under California’s new data broker law. This highlights the rising importance of the data broker registry but creates new challenges for companies that have not yet registered as data brokers.
Pre-collection notice exemption
The CCPA requires businesses that collect a consumer’s personal information to provide a notice to the consumer at or before the point of collection. Since “collection” is broadly defined, some interpreted this requirement to apply even if the personal information is not collected directly from the consumer.
The initial draft regulations exempted businesses that did not collect personal information directly from consumers (who we will refer to as “intermediaries”) from providing pre-collection notices. But before selling the consumer’s information, they were required to either contact the consumers directly with a chance to opt out of the sale or obtain a signed written proof from the source of information describing how the pre-collection notice was given.
Who is a data broker?
Under California law, businesses that knowingly collect and sell to third parties the personal information of consumers with whom the business does not have a direct relationship are data brokers that must register with the attorney general.
Although what constitutes a “direct relationship” is never defined, the data broker law provides examples of forging direct relationships, such as “by visiting a business’ premises or internet website, or by affirmatively and intentionally interacting with a business’ online advertisements,” with the key being the consumer’s knowledge about and control over the business’ data collection practices.
As defined, data brokers arguably could include many ad tech vendors and other participants in the targeted-ad buying process, since they do not have direct relationships with consumers yet may receive consumer personal information.
Certain intermediaries that never receive or have access to personal information may argue that they do not sell personal information or need to register. These entities still must be mindful of the requirements of the current draft regulations and perform due diligence to ensure that any organizations they work with that play a more direct role in collecting and selling personal information are registered as “data brokers.”
No clear answers
If the language in the draft regulations about intermediaries remains unchanged, the attorney general will need to clarify which downstream participants in the online advertising industry need to register as data brokers. While businesses engaging in targeted advertising may choose to register despite the lack of clarity, there are downsides to doing so, including the increased exposure of being listed on the registry. As a result, many businesses seem to be taking a wait-and-see approach.
As with other unclear CCPA requirements, businesses will need to assess their role in processing personal information – while simultaneously assessing the role of everyone they work with – and determine their appetite for risk and available means to mitigate that risk.
Follow Davis & Gilbert (@dglaw) and AdExchanger (@adexchanger) on Twitter.