Photo of Alex Schneider

 

 

Email
(202) 342-8634
Bio

 

 

 

The California Attorney General unveiled its data broker registry on Monday.  On or before January 31st, companies qualifying as a “data broker” based on the prior year’s activities are required to register their name and contact information with the Attorney General and may provide a statement concerning their data collection practices.  A

The January 1, 2020 effective date of the California Consumer Privacy Act (CCPA) has come and gone, but questions about how to comply with the law show no hint of disappearing.  As companies move past their efforts to comply with the law’s most visible requirement – providing notice at the point of collection and explaining data practices in a full privacy policy – the focus is sharpening on a broad array of operational and implementation questions.

While Attorney General Xavier Becerra has indicated his office will prioritize enforcement relating to the sale of minors’ personal information, will direct enforcement efforts at companies that are not showing a willingness to comply, and will not make major changes before finalizing the proposed regulations, the Attorney General has not fielded specific questions about how to implement the law.  This state of affairs has left companies scrambling to benchmark their compliance practices against competitors and the industry at large.

In this post, we provide some insights on common questions we are hearing about how to comply with the CCPA in the absence of clear guidance or precedent.  Of course, every company is different and companies should always consult with a privacy attorney before deciding on the best way to comply with the CCPA.

Why are so many companies posting a “Do Not Sell My Info” (DNSMI) button on their website if they do not sell personal information in exchange for money?

Companies that post a DNSMI button but do not sell personal information for money likely have determined that their provision of personal information to ad tech companies in connection with interest-based advertising is a “sale.”  Accordingly, they post the DNSMI button to enable consumers to opt out of these “sales.”

The question of whether, and under what circumstances, the use of third-party cookies, pixels, tags, etc. constitutes a “sale” and how to provide DNSMI choices is a flashpoint in the debate over how to interpret the CCPA (as discussed here, here, and here).  There is a growing consensus that only a lawsuit or a government enforcement action will resolve this matter.

For now, two ways of analyzing this question are emerging.  One position concludes that data collected via a third-party cookie, tag, or pixel may be a potential “sale” because the company adding that cookie, tag, or pixel to its website sends, makes available, or otherwise shares personal information to an ad tech provider in exchange for services, and, critically, where that provider does not restrict its use or sharing of that personal information for the provider’s or other entities’ commercial benefit (other than for a limited number of exempted purposes).

The other position is that the third party directly collects personal information via the cookie, tag, or pixel placed on a publisher’s website, and the publisher is not selling that personal information to the third party responsible for the tracker.

Each business, however, will need to evaluate, on a case-by-case basis, whether its interest-based advertising, analytics, and other forms of tracking may constitute a sale under the CCPA.  Often this starts with categorizing  the types of vendors and partners (i.e. ad tech, analytics, or other services); identifying each specific vendor or partner responsible for the tracker on the business’s site(s); and reviewing the vendor or provider’s publicly posted terms, privacy policy, and contract with the business, if there is one, to determine if the transfer of personal information to the vendor could reasonably qualify as a transfer for a business purpose to a service provider, or other exemption, or whether the transfer is likely a “sale.”

When can a business claim that its ad tech partner and purchased ad tech services are exempt from the “sale” provisions of the CCPA?

The CCPA provides an exemption from the definition of a “sale” when a business uses or shares with a “service provider” personal information of a consumer that is necessary and proportionate to perform a “business purpose.”  As a result, companies may want to determine (1) whether an ad tech vendor is a “service provider” and (2) whether that vendor performs its ad tech service for a “business purpose.”  Examining specific arrangements with each advertising partner is the best way to address this question and for each of the relevant services provided by the vendor.

Some of the major players in online advertising have laid down public markers that can be helpful in classifying interest-based advertising activities.  Examples include:
Continue Reading

Last Monday, Google released its answer to the CCPA: a new “service provider” contract.  Given Google’s widely used advertising and analytics technologies, Google’s new contract has the potential to influence how website publishers, advertisers, the Ad Tech industry, and software as a service (SaaS) providers approach compliance with California’s new privacy law.

No “Sales”

In exactly two months, the California Consumer Privacy Act (CCPA) takes effect. Many businesses are devoting resources to timely comply, but between the late rollout of the Attorney General’s draft regulations, recent amendments to the law, and a lack of consensus in the industry on interpretation of key CCPA terms, tackling compliance can be

On Friday, California Governor Gavin Newsom signed seven legislative proposals to amend the California Consumer Privacy Act (CCPA), marking the end of a nearly-yearlong process to make changes to the new privacy law before it goes into effect on January 1st.  The next opportunity to amend the CCPA will be in the 2020

On Thursday, California Attorney General Xavier Becerra released draft regulations implementing the California Consumer Privacy Act (CCPA). The regulations provide the first glimpse into how the Attorney General interprets the sprawling law, which is slated to go into effect on January 1.

The new regulations cover seven topics:

  1. Notices to Consumers: The draft regulations clarify

On a new episode of the Ad Law Access PodcastAlex Schneider discusses the amendments to the California Consumer Privacy Act (CCPA) the California legislature voted to send to the California governor’s desk.

For additional information see the Ad Law Access blog posts:

Last week, the California legislature voted to send five amendments to the CCPA to the California governor’s desk.  The amendments include a one-year exemption for access and deletion rights to employee data and B2B communications; a provision exempting online-only businesses from operating a toll-free number to accept consumer requests; and a new mandate for data

This week marks the final opportunity for California lawmakers to amend the CCPA before the legislative session closes on Friday, September 13th.  The legislative posture of the amendments changed last Friday, when the Senate made changes to all of the active amendments.  These bills still require an affirmative vote of both houses this week before

Amendments to the California Consumer Privacy Act (CCPA) continued to advance on Monday, as the California legislature returned from its summer recess.  With just five weeks to go until the September 13th deadline for the legislature to pass bills, and fewer than five months until the CCPA is set to take effect, the Senate Appropriations