The Expanding Scope of “Sale”: California Data Privacy
When companies discovered that the use of a pixel that shares data directly between your website and a social media platform is a sale of data from a regulatory perspective in California, it caught our attention. The increasingly complicated state of privacy compliance understanding and implementation is challenging to say the least.
Among the sea of change we have worked through in the last several years, one very small but very important part is the expanding scope of what defines a “sale” of data, which is of vital importance to marketing teams.
WireWheel CEO Justin Antonipillai was joined by IAB Tech Lab EVP and General Counsel Michael Hahn and Davis+Gilbert LLP Partner Gary Kibel to discuss the ramifications of California Privacy and the Expanding Scope of What is a “Sale” of Data, and the marketing challenges it portends.
The Sephora takeaways
If companies make consumer personal information available to third-parties and receive a benefit from the arrangement—such as in the form of ads targeting specific consumers—they are deemed to be “selling” consumer personal information under the law.
—California AG – Sephora complaint
“Everyone is talking about the Sephora action. It is an important action, not just on its merits, but also as it is the first publicly announced enforcement action out of California,” says Davis+Gilbert’s Kibel.
He notes that the complaint, among other concerns (including the use of not legally defined buzzwords like ‘surveillance’), focused on two major issues:
1. Pixels from a third-party provider are on a publisher’s site: Is that a sale of personal information under the CCPA? Or are you in a service provider relationship?
Firstly, opines Kibel, “they were talking about the fact that there could be sensitive data that’s being collected. And if companies make consumer personal information available to third-parties and receive a benefit from the arrangement – such as in the form of ads targeting specific consumers – they are deemed to be selling consumer personal information under the law.”
That said, “if you have a pixel from a third-party provider on your website, and for free, you get great analytics, and in exchange, the provider can use the data generated on the publisher’s site for their own benefit, that may be a sale of personal information.” This then requires providing the consumer the ability to opt-out.
If you are deemed to be selling personal information, you must have a link on the homepage of the website with these six exact words: “Do not sell my personal information.”
—Gary Kibel, Davis+Gilbert LLP
“There are two avenues here,” Kibel explains: “You can either deem to be selling personal information to a third-party, or you could be in a service provider relationship with that pixel provider. However, if you want a service provider relationship, there needs to be a written contract with that provider restricting the way that they’re going to use the personal information.”
2. Compliance with global privacy control (GPC) signals that are automatically sent by a user’s browser to a publisher’s site.
“As many of us know, there is not a single mention of opt-out preference signals or global privacy controls in the CCPA law but was introduced in the CCPA regulations.” The CPRA (effective January 1, 2023) directly addresses opt-out preference signals at length in the regulations (in draft form) “and makes very clear that you have to honor global privacy controls and opt-out preference signals.
“However, the Sephora action made it clear that the California AG said, no, you need to be honoring GPC signals now.”
This makes it really challenging, because the CCPA regulations really don’t tell you anything about how to comply with GPC signals. So, what are businesses supposed to do right now?
Perhaps you could look at the CPRA draft regulations to see what it says and use that as guidance.
—Gary Kibel, Davis+Gilbert LLP
Devising GPC signals and third-party contracts
“One of the important things that you need to do under any privacy law is you need to communicate the consumer’s privacy elections to the other participants who receive the personal information in a manner that complies with state law,” says IAB’s Hahn.
As a function of technology, the IAB is designing the schematic for this communication ‘plumbing’. “The IAB Legal Affairs Council asked, ‘What do we need to communicate to lawfully process a digital advertising transaction?’ and gave these requirements to the engineers in the Tech Lab and their working groups to translate them into technical specifications. IAB Tech Lab recently released the Global Privacy Platform, which is encoded to handle State-level signals,” alerts Hahn.
“The second component concerns what rules need to exist for companies when they send – and receive – the signals. To do this we created an industry contract called the IAB Multi-State Provider Agreement which creates a set of obligations that applies to all the signatories. They spring into place and in the manner that follows the personal information.
“There are a number of requirements for your specific contracts alone, but at a high level, we are creating a common baseline set of privacy terms that could flow through the digital ad chain, and also fill in gaps where you need contracts, but you don’t have them.”
If you spent the next 100 years trying to write contracts, you will not be able to scale with enough of them given the broad definition of sale that exists today as the regulators applied in the digital advertising context, which for all practical matters, seems to apply to nearly every disclosure of personal information.
—Michael Hahn, IAB Tech Lab
The IAB has also created, as an alternative to state-specific rules-based contracting, a “national consumer” program, notes Hahn, for those that opt to treat all consumers the same regardless of where they reside.
The technology implementation
There are three critical support elements to achieving an effective and compliant technology implementation, says WireWheel’s Antonipillai.
- If you have automated scripts, tags, or pixels that are going directly to a third-party platform, you have to be able to know that it’s not going to go automatically. You have to have a way to control them.
- In the context of marketing, you need a place that a human being can come and easily opt-out. You have to make it super simple and easy to find. It has to interact with the automated marketing, it can’t just be the stuff that goes on in your back-end systems. And it has to happen automatically.
- You have to strongly consider – some view it as mandatory – setting up the infrastructure to accommodate choice in a touchless way, including via the global privacy control concept.
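One way to wire these three elements together, shown as an added example that is not code from the article, WireWheel or the IAB. The tag names, the `recipient`/`writtenContract` fields and the rule used to classify a tag as a sale are hypothetical; the `Sec-GPC: 1` request header and `navigator.globalPrivacyControl` are the signals defined by the Global Privacy Control specification.

```javascript
// Constructed tag inventory; names and classifications are hypothetical.
const TAG_INVENTORY = [
  { name: "social-ads-pixel", recipient: "third_party", writtenContract: false },
  { name: "site-analytics", recipient: "service_provider", writtenContract: true },
  { name: "frequency-cap", recipient: "service_provider", writtenContract: false },
];

// Assumption for this sketch: a tag counts as a "sale" unless the recipient is
// a service provider bound by a written contract restricting its use of the data.
function isSale(tag) {
  return !(tag.recipient === "service_provider" && tag.writtenContract === true);
}

// GPC reaches the server as the request header `Sec-GPC: 1` and is exposed to
// page scripts as navigator.globalPrivacyControl === true.
function hasGpcSignal(headers = {}, nav = {}) {
  const entry = Object.entries(headers).find(([k]) => k.toLowerCase() === "sec-gpc");
  const headerSet = entry !== undefined && String(entry[1]).trim() === "1";
  return headerSet || nav.globalPrivacyControl === true;
}

// Combine the human opt-out (the "Do not sell" link) with the touchless signal.
function resolveOptOut({ headers = {}, nav = {}, storedOptOut = false } = {}) {
  if (storedOptOut === true) return { optedOut: true, source: "opt-out-link" };
  if (hasGpcSignal(headers, nav)) return { optedOut: true, source: "gpc" };
  return { optedOut: false, source: "none" };
}

// Sale tags never fire for an opted-out visitor; tags covered by a written
// service provider contract still load.
function tagsToLoad(inventory, decision) {
  return inventory
    .filter((tag) => !(decision.optedOut && isSale(tag)))
    .map((tag) => tag.name);
}

// Constructed request: a browser with GPC enabled and no stored choice.
const decision = resolveOptOut({ headers: { "Sec-GPC": "1" } });
console.log(decision.source, tagsToLoad(TAG_INVENTORY, decision));
```

Recording `source` alongside the decision lets the same opt-out be passed on to back-end marketing systems with a note of how it was expressed.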
“This is not a cookie tool,” warns Antonipillai. “Here we are talking about a different kind of exercise. It’s not only about governing what happens in that browser area where your cookie tool used to live, but on the automated marketing side and what the marketing team does outside of automated marketing (think Adobe, Marketo, Eloqua, Dynamics, HubSpot). The front and back-end have to be communicating.
“You have to have the infrastructure to not only understand it and govern it internally,” says Antonipillai. “You have to start thinking about how you’re going to signal through your networks.”
The marketing community is going to have to own this issue. If you go to almost any other jurisdiction, certainly in Europe, when a marketing team is about to run a marketing campaign, privacy and GDPR compliance is typically number one or two on the list. It’s just part of the culture.
—Justin Antonipillai, WireWheel
“My experience from the privacy side,” continues Antonipillai, “is that when you’re talking to a marketing professional, if you just ask the question, ‘Are you selling personal data?’ most marketers are going to say, ‘No,’ (unless it’s part of the business plan).
Three critical, more specific, questions need to be asked –
- Are we using any scripts, tags, or pixels, to improve our social media ads?
- Are we using any technologies or platforms to measure the performance of our ads?
- Are we using any technology to cap the frequency that people see our ads?
– to gain a more complete understanding of how data is interacting with social media ads.”
“Marketing techniques like measuring performance and frequency capping often use personal data, so when engaging with your marketing team, it is important to move away from simply asking the more charged question, ‘Are you selling data?’
“These activities are what some regulators are starting to call a sale and we need to start putting the right technology and notices in place, so you can do this the way you want.”
Fortunately, he notes that there are really good technical solutions that allow you to do these things while providing the necessary consumer choice in a touchless way.
The historical model in the United States is for large marketers to say ‘from pillow to my agency this is your responsibility. Make sure everything complies with the law and identify to me if something goes wrong.’ Changes in the rules have become stressors on that approach.
Requirements around auditing service providers needed in your contracts is one indicator of that. Suddenly there could be sales of personal information that marketers are engaging in or causing others to engage in.
Marketers need to get their arms around this.
—Michael Hahn, IAB Tech Lab