Advertising Industry Trade Group Opines on the Use of Service Provider Contracts for Ad-Tech Vendors

Months after the California Consumer Privacy Act came into effect and its regulations have been finalized, there remain many unanswered questions about how the CCPA applies to the digital advertising ecosystem.  Particularly, it is still unclear how certain ad-tech-related transactions should be classified and relationships between key players be characterized under the Act.

Network Advertising Initiative (NAI), an industry trade group that develops self-regulatory standards for online advertising, published a white paper which outlines potential issues arising from publishers classifying their ad-tech vendors as “service providers” under the CCPA.

In theory, a business’s use of a service provider contract in connection with its transfer of “personal information” to an ad-tech vendor would prevent that transfer from being classified as a “sale” of personal information under the CCPA.  If a transfer is not classified as a “sale,” then the transfer would generally not require a business to provide an opt-out of sale functionality to its consumers and would not require the business to post a “do not sell my personal information” link on its website.

NAI, however, notes several drawbacks in relying on the service provider contract with the ad tech vendors.  First, NAI notes that service provider restrictions may be inconsistent with how data is used by the ad tech vendors.  Thus, such contracts are likely to curtail the activities an ad-tech vendor can undertake for a business.   Second, NAI argues that overly-restrictive service provider terms put some ad tech vendors at a competitive disadvantage while benefiting first-party platforms that can use their own data to improve and enhance their systems.  Third, NAI argues that designating ad tech vendors as service providers might end up being inconsistent with the CCPA requirements, as interpreted by the Office of the Attorney General, thus potentially creating compliance risks for both publishers and advertisers.

NAI argues that publishers should explore alternatives to service provider agreements, including classifying ad-tech companies as either businesses that collect personal information on the publisher page or as “third parties” to whom personal information is transferred or sold.

Until the California Attorney General issues further clarifying regulations or brings enforcement actions, there will remain a degree of uncertainty as to how ad-tech data transfers and relationships should be handled under the CCPA.  These issues will only get more complicated if and when the California voters approve major changes to the CCPA, including restrictions on data transfers for cross-context advertising purposes, on the November 3 referendum.

Ask Clarip today how we can solve your biggest privacy compliance pain points, Call Clarip at 1-888-252-5653