Publishers and Brands Beware: Service Provider Approach to CCPA is Risky
Preparations for compliance with the California Consumer Privacy Act (CCPA) have been checkered with uncertainty ever since the law passed in 2018, with many questions still unanswered about how the CCPA and its implementing regulations will apply to the digital advertising ecosystem.
One strategy for CCPA compliance that many businesses are exploring (or are already relying on) is the use of contracts to designate their ad-tech vendors as “service providers.” In theory, a business’ use of a service provider contract in connection with its transfer of “personal information” to an ad-tech vendor would prevent that transfer from being classified as a “sale” of personal information, and therefore potentially help many publishers and advertisers avoid the “do not sell” link and opt out otherwise required by the law.
However, brands and publishers should think twice before pursuing this approach, because while the initial appeal of using service provider contracts for programmatic advertising is clear, the potential adverse impacts of doing so may not be, at least initially. Amid understandable confusion around the application of “service provider” contracts for complex digital advertising transactions, some businesses have come to the over-simplified conclusion that designating their ad-tech partners as service providers is a silver bullet that can solve their toughest CCPA compliance burdens without sacrificing business results.
This is most likely false. Experience is beginning to show that the use of service provider contracts by digital media publishers and brand advertisers to govern their relationships with ad-tech vendors has serious drawbacks. The over-use of service providers can lead to multiple bad effects, including the degradation of individual business results, creation of unhealthy and anti-competitive market dynamics, and, ironically, increased compliance risks.
Individual business results are likely to suffer under a service provider regime because the CCPA’s strict requirements on how service providers are permitted to use personal information may prevent vendors from engaging in the data processing necessary to provide their services, or limit their operations to the point where the service is rendered ineffective. Two of the biggest players in digital advertising — Google and Facebook — have not been shy about this fact. While both of those companies have indicated they will act as CCPA service providers for publishers and advertisers in limited circumstances, Facebook has warned advertisers that doing so may have “an impact to campaign performance and effectiveness, and retargeting and measurement capabilities will be limited”; and Google has indicated that it will not “create or update profiles for ads personalization or use existing profiles to serve personalized ads” relating to data to which restricted data processing — which Google requires in order to act as a service provider — applies. Limitations on the use of consumer profiles to personalize ads will likely impact a publisher’s ability to monetize its ad inventory. Publishers and advertisers shouldn’t expect anything different from their other ad-tech vendors, even if they have not released public guidance to that effect.
Beyond individual business results, brands and publishers should also consider the broader market dynamics they are influencing by limiting the availability and use of third-party data through service provider contracts. The CCPA only limits the transfer of personal information from one company to another, either by allowing consumers to opt out of “sales” of personal information, or by tightly restricting how service providers can handle non-sale transfers of personal information. Large first-party platforms with their own proprietary data stand to benefit from those restrictions because they don’t need to rely on anyone else for data assets. On the other hand, third-party ad-tech vendors use collective information to enhance the quality of the services they provide to each of their clients individually, putting them at a competitive disadvantage under the CCPA. These effects are exacerbated by the overuse of service provider terms, which allows walled gardens to continue to enhance their products and services using their own first-party data, while preventing other ad-tech companies from doing the same using third-party data, to the detriment of both ad-tech companies and the businesses they serve.
If walled gardens continue to grow more dominant as a result, publishers may see their ability to monetize ad inventory suffer, and advertisers are likely to see reduced value in the measurement and conversion services they rely on their ad-tech vendors to provide, as well as an overall reduction in the value of interest-based advertising for reaching their audiences. This free-rider problem will at first harm the digital advertising ecosystem as a whole by hampering the ability of third-party ad-tech companies to compete with large, first-party platforms. Over time, however, it’s publishers and brands who will suffer from a less competitive marketplace, but only after it’s too late and the competitive harms have set in.
Finally, and perhaps counterintuitively, publishers and brands that see service provider contracts as the way to go are likely to see greater compliance risks compared to those that are willing to classify their ad-tech vendors as “third parties.” For example, because it is still unclear under the law and implementing regulations, and therefore unknown, how the California Attorney General will interpret the service provider provisions in the CCPA as they apply to specific digital advertising use cases, it’s possible that the contracts being used to designate ad-tech vendors as service providers may be determined to be inconsistent with the requirements of the law. In that case, there may be a risk that the brand or publisher could be accused of having sold personal information to an ad-tech vendor without posting a required “Do Not Sell My Personal Information” link, or in contravention of a consumer’s request to opt out of sales of personal information. Further, businesses relying on service providers must contend with the added complexity of responding to consumer requests for access to or deletion of personal information in concert with their service providers. There is no corresponding requirement to coordinate with vendors designated as “third parties” for those requests.
Service providers are not solely responsible for managing these compliance risks. Depending on the circumstances, both a service provider and the business that engaged the service provider may be liable for uses of personal information that do not satisfy the CCPA’s requirements. And while we may not know for certain what service providers can and cannot do before the Attorney General begins taking enforcement actions on that issue, it is an area to watch closely for compliance risk. Brands and publishers should bear in mind that the costs of violations can add up quickly – $2,500 for each violation or $7,500 for each intentional violation.
Taking all of these drawbacks together, brands and publishers should be thinking twice, maybe three times, about whether “service provider” contracts really are a silver bullet for CCPA compliance, and should be actively exploring alternatives to service provider arrangements with their ad-tech vendors to avoid negative side effects. Given the very low rate of opt outs businesses are seeing, designating ad-tech vendors as third parties and posting a “do not sell my personal information” link in a webpage footer may be a small price to pay to keep the full range of products and services ad-tech companies can offer while keeping compliance risks low.
For brands and publishers seeking to think these issues through in more detail, we encourage you to read the NAI’s white paper on the use of ad-tech companies as CCPA service providers.