California data privacy law, Prop 24, set to have major impact on ad targeting
Goodbye CCPA, hello CPRA. California’s new privacy rights act, on the ballot as Proposition 24, is expected to pass Tuesday. It adds more specifics to the original bill and takes direct aim at data sharing and behavioral advertising.
CCPA, we hardly knew you.
Data regulation in California is about change again. The California Privacy Rights Act (CPRA), also known as Prop 24, is on the ballot for Tuesday and is expected to pass. Experts say it will have a big impact on common ways advertisers reach audiences across media.
The new law would, specifically, make it harder for advertisers to target consumers based on data shared about them. It is currently common practice for marketers to leverage ad tech services to target audiences built from third-party data and then reach them with ads based on their online behaviors. CPRA calls this “cross-context behavioral advertising.” Under CPRA, consumers will be able to opt-out from receiving such ads.
Still, the language gets broader than that of California Consumer Privacy Act of 2018 (CCPA) which went into effect in January of this year. If passed, the CPRA would require the countless third parties operating in the complex digital ad ecosystem to give consumers explicit notice of – and allow them to opt-out from – the selling or sharing of personal consumer data. Its definition of personal data includes purchase information, geolocation data, online identifiers, IP addresses and even inferences drawn from such information to create consumer profiles.
This means businesses that suck up consumer data from the programmatic advertising bidstream to package together and target audiences, such as people who buy pet food to those in-market for an electric car, would be affected. Already, Congress and the Federal Communications Commission are inspecting bidstream data collection practices which some consider to be a form of surveillance.
Also, it’s important to note that CPRA reaches beyond just data “sales.” The law covers businesses that share, disclose, transfer or disseminate data. Data sharing and sales “is everything that goes on in the ad tech ecosystem,” says Gary Kibel, a partner in the digital media technology and privacy group at law firm Davis and Gilbert.
To enforce the regulations, the act calls for the establishment and funding of a California Privacy Protection Agency which would be dedicated to enforcing the new law.
Penalizing ad tech players who grab data from the bidstream without giving consumers the chance to opt-out “seems like low hanging fruit for that new regulator,” says Chris Pedigo, svp for government affairs at publisher trade group Digital Content Next, who is confident it will pass.
Good news for Google and Facebook?
Some publishers welcome the crackdown on common practice of grabbing bidstream data to build audiences who can then be reached across the web and mobile environments; they argue it dilutes the value publishers create by producing content that attracts those audiences.
“Any regulation in this regard is helpful to the consumer and the industry,” says Glenn Hansen, CEO of BPA Worldwide, which represents B2B publishers. He argues the CPRA would curtail bad actors operating in the ad tech ecosystem. The trade group has fought bidstream data leakage and plans to hold a webinar after election day on the impact of the CPRA.
“If a publisher did not consent to bidstream data capture and use for derivative products, it is highly unlikely the necessary permission is in place with the consumer,” says Hansen.
Some suggest the new enforcement agency created by CPRA would be more likely to go after big fish like Facebook and Google as opposed to lesser-known ad tech industry minnows. However, others say it will help the ad tech giants. “They are such large first parties and have a direct relationship with the consumer,” says Kibel. “They’re not in the business of selling [data] off to other publishers or ad tech companies.”
And, unlike small media sellers and ad tech firms with fewer resources to respond to the new law, Facebook and Google have large legal and compliance teams. “These types of laws benefit them for a number of reasons,” Kibel says. “They have more resources to build around these laws for compliance.”
What marketers need to know about compliance
While marketers and their agencies won’t necessarily be held liable if the law passes, they will need to do more due diligence when it comes to the data they use to reach consumers.
Even if they mainly use their own first-party data, says Pedigo, if advertisers use third parties to enhance data for audience building and targeting, “they’ll have to be super diligent about where that data is coming from.”
If the law passes, businesses such as ad tech firms or publishers like newspaper sites or mobile app providers will be required to prominently and conspicuously notify consumers about their data collection, sharing and sales practices on the homepage of their websites or download page.
The law would also require companies to disclose personal information they have collected about a consumer, directly or indirectly, including through or by a service provider or contractor. With all the data sharing and transfers that happen in the audience building and targeting process, that will be challenging.
Violators of the law would be subject to a maximum civil penalty of $2,500 for each violation or $7,500 involving personal information of a minor. Still, some argue the law does not go far enough. For one thing, they say it should have established a private right of action, giving consumers themselves permission to sue directly over privacy violations.
Lawyers say it’s not clear exactly which types of businesses will be held liable. But in a practical sense, Kibel and others say they expect the law to play out in contract negotiations between ad tech vendors and publishers. Right now, the way in which contracts address bidstream data siphoning or data sharing and re-purposing vary widely.
If passed, the CPRA will go into effect 1 January, 2023, but it would apply to personal information collected by a business on or after 1 January, 2022.