Last Monday, Google released its answer to the CCPA: a new “service provider” contract. Given Google’s widely used advertising and analytics technologies, Google’s new contract has the potential to influence how website publishers, advertisers, the Ad Tech industry, and software as a service (SaaS) providers approach compliance with California’s new privacy law.
No “Sales” if Sharing with a Service Provider
To explain Google’s move, it’s helpful to understand that the CCPA incentivizes a business-service provider relationship. A business can provide a service provider personal information without calling the disclosure a “sale” or offering an opt-out option. When a business provides personal information to a service provider, the business receives liability protections so long as the business does not have actual knowledge or reason to believe that the service provider is violating the CCPA.
In turn, the service provider is restricted from keeping, using, or disclosing personal information for purposes other than “business purposes” spelled out in the service provider contract.
How to Determine if an AdTech Partner is a Service Provider?
But many in the Ad Tech industry have not yet publicly addressed their practices within the context of the CCPA, which has left companies to scrutinize existing contracts, the partner’s publicly-posted terms, statements, privacy policies, and to evaluate the partner’s actual tracking activity, to help determine if there is support for a service provider classification. Other Ad Tech players have asserted that CCPA does not change their practices, but that no “sales” are occurring, leaving many publishers and advertisers to determine if their business can withstand taking on the risk that this assertion will be rejected once the Attorney General evaluates the practice.
At bottom, there is not yet consensus in the AdTech industry on how to assess CCPA within the context of digital advertising. Enter Google. Google offers an array of advertising and analytics services. But is Google an eligible service provider?
In favor of this classification is the definition of a “business purpose,” which includes “performing services on behalf of the business…, including … providing advertising or marketing services, [or] providing analytic services…” Under this interpretation, Google obtains personal information to provide services to the business, but is using the personal information only as allowed under the CCPA.
But in the absence of clear contract or terms of service, there is ambiguity on whether this explanation would be enough to support a CCPA service provider classification. For example, it’s possible, absent clear restrictions, that Google or another Ad Tech service provider might use third party cookies for ad tracking or bid requests sent to third party programmatic buyers involving pooled personal information of customers. That practice would involve broader sharing and usage of personal information than what clearly fits within a service provide construct. Further, it’s also possible that some Ad Tech partners might use that personal information for their own purposes, such as their own marketing efforts or other commercial purposes.
Google’s response to these compliance concerns is to offer businesses covered by the CCPA both clarity as to which of its solutions, by default, only use personal information for purposes on behalf of the customer, such as Google Analytics, Google Ad Words Customer Match, among others. And, for other solutions, customers have to enable “restricted data processing” for Ad Manager, Ad Manager 360, AdMob, AdSense, and Google Ads services. When companies enable restricted data processing, they essentially “turn off” any interest-based advertising and other broader usage of the data that is not on behalf of a customer. Google explains, “When a publisher [using Ad Manager] enables restricted data processing, Google will limit how it uses data and begin serving non-personalized ads only. Non-personalized ads are not based on a user’s past behavior. They are targeted using contextual information, including coarse (such as city-level, but not ZIP/postal code) geo-targeting based on current location, and content on the current site or app or current query terms.” To further support a “service provider” classification and remove any ambiguity, Google’s service provider contract expressly affirms that, “with respect to customer personal information processed while restricted data processing is enabled … Google will act as Customer’s service provider…”
For solutions that are not enabled to restrict data processing, Google will let individual consumers opt out in accordance with the rights offered in the CCPA.
This development will have ripple effects on the industry given that Google, as a major player, provides core turnkey Ad Tech solutions where it is the only provider linking the publisher, advertiser, and end consumer. This gives Google latitude to implement contract language and new tools to restrict data processing, and to then apply those restrictions across Google’s services. By comparison, a solution being discussed by the Interactive Advertising Bureau would require disparate Ad Tech players to all enter into a common contract that governs sharing of personal information and restricts “commercial purpose” uses of personal information.
But both concepts recognize that online programmatic interest-based advertising often involves a broader sharing and use of personal information, as defined by the CCPA, that includes a “sale,” and there’s a need to distinguish which relationships and practices involve a “service provider” (where there is not a “sale”), and which entities in that exchange facilitate a sale of personal information.
Google will not require customers complying with its online terms to opt in to the new contract. The contract takes effect as of January 1, 2020 to the extent that the CCPA applies.
CCPA’s compressed timeline for compliance has resulted in late-breaking developments by major players in the industry on how they are interpreting and responding to CCPA requirements, whether in the role of a business, service provider, or third party. This necessitates a responsive compliance framework that tracks these developments and makes appropriate modifications, as needed. This is particularly the case with digital advertising. If you have further questions about how these developments apply to your business, please feel free to contact any of our Privacy team members at Kelley Drye.