Introduction & Acknowledgments
The California Consumer Privacy Act (the “CCPA”) is a complicated law, prompting multiple interpretations that have evolved over time. This holds especially true for the digital advertising industry, where the combination of complex data flows and numerous participants has understandably resulted in differing legal views and approaches to CCPA compliance since the law’s effective date.
Throughout Spring 2020, the IAB Legal Affairs Council convened approximately 80 senior privacy lawyers from publishers, ad tech companies, agencies, and brands for small group bi-weekly meetings to discuss CCPA friction points as well as best practices (the “CCPA Roundtables” or “Roundtables”). We discussed critical questions, some of which have vexed the industry, such as:
- What activities are within the scope of “sale” in the context of delivering a digital ad impression
- Who is the “business,” “service provider,” or “third party” in a digital advertising transaction?
- What constitutes a “sale” of personal information?
- How frequently are consumers opting out of “sales” of their personal information?
- How are companies handling access and deletion rights?
The Roundtables involved a robust dialogue on these and other topics, and many Roundtable participants asked if we could quantitatively measure industry practice, rather than simply rely on qualitative observations. That impetus drove the Roundtable participants to draft the IAB CCPA Benchmark Survey, the high-level results of which we are making available here with greater detail available to those who completed the survey.
While much work still needs to be done to achieve convergence on CCPA viewpoints, there is relatively broad agreement on a number of issues, including those for which industry participants originally shared little common ground after the law’s enactment. Such agreement includes, for example, that:
- 100% of publisher and brand respondents state that they serve as a “business” in some capacity. A portion of these respondents also state that they acted as “service providers” and “third parties” in other capacities.
- Buy and sell-side intermediaries, along with ad servers and DMPs (Data Management Platforms), generally agree that they play multiple roles. Most view themselves as “service providers” but also act, at times, as “businesses” and “third parties,” with responses depending on the entity type.
- Over two-thirds of respondents believe that a “sale” takes place when disclosing personal information in a “bid request,” in a “direct” deal, in a private marketplace deal, and when carrying out data matching/identity resolution – in each case, absent a “service provider” relationship.
- Approximately 90% of respondents take the position that, when a publisher puts an ad tech company’s pixel, SDK (Software Development Kit), or similar technology on the publisher’s digital property, the publisher is the “business” and the ad tech company is the “third party.” Under these circumstances, 72% of respondents believe that the publisher is “selling” personal information to the ad tech company by “making available” personal information to the ad tech company through the publisher’s digital property.
- Respondents view passing IAB Tech Lab’s U.S. Privacy String as a Limited Service Provider Agreement (“LSPA”) signatory, as well as blocking all “sale”-related pixels, SDKs, or similar technologies, as the top two ways to operationalize an opt-out.
- Approximately 60% “businesses” make CCPA rights (e.g., access, deletion, opt-out of “sales”) available to consumers regardless of jurisdiction.
- Few consumers are acting upon their CCPA rights, with many respondents seeing “sale” opt-out rates at 1-5% regardless of channel (e.g., website, mobile, OTT/CTV) and receiving at or under 100 access/deletion requests to date.
With these survey results, which are explained in further detail below, companies can benchmark their positions against others to determine whether they have taken a “market” approach in their compliance efforts, to the extent one has emerged, and draw upon others’ approaches when thinking about their own. IAB will also continue to foster a dialogue around these legal issues, as well as their business and operational impact, in the coming months.
We are grateful for the support of our sponsors, Paul Hastings LLP and Kelley Drye & Warren LLP, for not only underwriting this survey but also leading with others the work of our CCPA Roundtables. We are also indebted to the approximately 80 industry privacy lawyers who participated in the Roundtables and the law firms that helped support us in that work. I would like to acknowledge the law firm attorneys that brought their acumen, leadership, and organizational skills to the CCPA Roundtables: Alan Friel, Daniel Goldberg, Alysa Hutnik, Sundeep Kapur, Gary Kibel, Natasha Kohne, and Jessica Lee.
“Business, “Service Provider,” or “Third Party”?
The question of whether a company is a “business, “service provider,” or “third party” (or some combination of the three) in the context of a digital advertising transaction was a challenging issue for the industry after the CCPA’s passage. Despite those initial challenges, the CCPA Benchmark Survey shows relatively broad convergence on this topic.
All publisher and brand respondents state that they serve as a “business” in some contexts. A portion of these respondents also state that they act as “service providers” and “third parties” in other contexts, though this was less common. Notably, 40% of publishers state that they act as a “service provider,” in contrast to only 15% of brands. This “service provider” statistic is surprising given that the general market signals and discussions in the CCPA Roundtables did not suggest this position was common.
Other digital advertising participants view themselves as serving multiple roles under the CCPA. A majority of sell-side intermediaries (e.g., Supply Side Platforms or SSPs, exchanges), buy-side intermediaries (e.g., Demand Side Platforms or DSPs), publisher/advertiser ad servers, and DMPs take the position they act as “service providers” in some contexts. However, with the exception of buy-side intermediaries, a portion of these same respondents also state they may function as “businesses” or “third parties”; for buy-side intermediaries, the “third party” classification is more common than “service provider.”
In other words, ad tech companies are wearing different hats depending on the context in which they operate (e.g., receiving personal information as a “service provider” in some instances and as a “third party” in another), rather than only operating in one capacity. Most ad tech respondents state they act as “service providers” in some manner, which is likely due to businesses requiring ad tech companies to enter into “service provider” agreements prohibiting “sales” or otherwise restricting their use of personal information (such as those found in the IAB LSPA) in connection with their digital advertising operations.
The CCPA provides California residents with the right to request access to, and deletion of, their personal information in a business’s control, as well as to opt-out of the “sale” of their personal information. These rights – particularly access and opt-out – have been difficult for many companies to operationalize because their scope is often unclear in practice.
Broadly speaking, the CCPA Benchmark Survey shows that “businesses” are making CCPA rights available broadly, and not just for California consumers. At the same time, the results show that there is a very low level of consumer utilization of these rights.
Applying CCPA Rights Regardless of Jurisdiction
Approximately 60% of “businesses” make CCPA rights (e.g., access, deletion, sale opt-outs) available regardless of jurisdiction (i.e., whether in U.S., EU, LATAM, etc.). This trend may reflect that it can be easier to administer consumer rights uniformly, regardless of consumer location. It may also relieve “businesses” of any concern about differential treatment of their consumers.
Such “ease of administration” holds especially true with the CCPA’s access and deletion rights, which were already required under the GDPR and other laws. From a technical perspective, it also may be less burdensome to provide the “sale” opt-out right regardless of where the user is located. “Businesses” that do restrict the opt-out right to certain jurisdictions typically rely on “geofencing” (such as via IP lookup to detect whether a consumer is located in California).
How to Provide a Compliant “Opt-Out of Sale” Mechanism
When asked which mechanisms allow consumers to opt-out of “sales” in a compliant manner, respondents most frequently chose to pass the IAB Tech Lab’s U.S. Privacy String as an IAB LSPA signatory. We are glad to see the popularity of the IAB CCPA compliance program.
As a close runner-up to passing the IAB Tech Lab’s U.S. Privacy String as an LSPA signatory, many respondents honored “sale” opt outs by blocking any pixels, SDKs, or similar technologies that result in a “sale.” While this approach can be operationally difficult for companies with many digital properties, it provides a useful mechanism for “businesses” to block certain ad calls from being sent at all upon opt-out.
CCPA Consumer Rights Are Vastly Underutilized
The CCPA Benchmark Survey shows that consumers, by and large, are not using their new privacy rights. Most notably, most respondents saw “sale” opt-out rates of 1-5% (where such statistics were available). The low level of consumer usage is noteworthy and should be monitored to see if usage increases over time.
This opt-out statistic is especially noteworthy given that, prior to the CCPA’s January 1, 2020 effective date, many organizations were concerned about the optics of a “Do Not Sell My Personal Information” link and, based on that concern, decided that they would not engage in “sales.” This led to a scramble to implement operational and contractual changes, particularly through “service provider” agreements between advertisers and each of their ad tech partners to steer clear of “selling” personal information. According to some ad tech companies, these service provider agreements have severely limited their ability to provide or optimize their services to reach audiences. The low opt-out rate observed in the CCPA Benchmark Survey may warrant re-examining the presumption that the “Do Not Sell My Personal Information” link harms brand perceptions.
Access and Deletion Rights
Most respondents have received at or under 100 access and deletion requests, respectively, to date. Where access requests were fulfilled, respondents typically provided both the specific pieces of personal information (in PDF, Excel, or CSV format), and the category-based information (e.g., categories of personal information, sources of personal information).
For the provision of specific pieces of personal information, approximately 42-45% of respondents provided personal information that they internally generated about the consumers (e.g., analytics, digital IDs, segment information) or received from third parties (e.g., identifiers received by identity resolution providers). However, half of all respondents stated that they do not request any personal information that is held by “service providers” as part of fulfilling access requests. This could be due to duplication of data maintained by service providers with that held by the business, not wanting to re-identify pseudonymous data in the service provider’s control with personal information in the business’s control, or a narrow interpretation of a business’s obligations.
Where deletion requests were fulfilled, most “businesses” pass these deletion requests to service providers either via API or email, though a minority of respondents stated that they do not currently send deletion requests to service providers.
Authorized Agent Requests
Most survey respondents either received no privacy rights requests from authorized agents, or less than 100. About two thirds of those that did receive such requests did not have difficulty verifying the authorized agent. The most frequent form of verifying the authorized agent was to contact the consumer independently, with the remainder of responses spread between checking the Secretary of State website to confirm such agent is registered, obtaining a copy of the agency agreement, requesting power of attorney proof, or not conducting verification. It’s also possible that the type of verification utilized may vary depending on the type of privacy right at issue (e.g., access/deletion vs. opt out).
What is a “Sale”?
Perhaps the most intensely debated question under the CCPA is what constitutes a “sale” of personal information, especially in the context of digital advertising. The CCPA Benchmark Survey responses on this question are illuminating, particularly given the lack of regulatory guidance on the topic.
We found that publishers have a clear view that they “sell” personal information. Moreover, across all parts of the industry, respondents overwhelmingly agree that, when a publisher integrates an ad tech company’s pixel or similar technology on a publisher digital property, the publisher is the “business,” the ad tech company is a “third party,” and the publisher is “selling” personal information to the ad tech company by “making available” the personal information via the digital property.
Who “Sells” Personal Information?
Approximately 80% of publisher respondents believe they engage in “sales” of personal information.
However, other respondents are slightly less aligned on whether they “sell” personal information. 60% of publishers’ sell-side ad tech partners believe that they engage in “sales.” On the buy-side, 55% of brands believe they engage in “sales.” However, 47% of buy-side intermediaries, 42% of data management platforms (DMPs), and no media-buying agencies believe they engage in “sales.” These latter statistics are lower than expected given the tenor of Roundtable discussions, particularly with respect to DMPs.
When Does a “Sale” Take Place?
Almost 90% of respondents take the position that when a publisher puts an ad tech company’s pixel, SDK, or similar technology on the publisher’s digital property, the publisher is the “business” and the ad tech company is the “third party” (absent a service provider relationship).
Further, 72% of respondents believe that the publisher is “selling” personal information to the ad tech companies in this instance by “making available” personal information to the ad tech company via the publisher’s digital property.
Approximately the same percentage of respondents believe that, in this context, the ad tech companies are “third-party businesses,” which is consistent with the view set forth in the California Attorney General’s Final Statement of Reasons on the CCPA regulations. That is, these ad tech companies are a “third party” to whom publishers “sell” personal information, and have the obligations of a “business” with respect to such “personal information” once it is in their control (provided they otherwise fit the “business” definition).
More generally, respondents take an expansive view of “sales” in typical digital advertising contexts. About two-thirds of respondents believe that a “sale” takes place when personal information is disclosed in a bid request, in a private marketplace transaction, in a “direct” deal, and during data matching/identity resolution – in each case, absent a “service provider” relationship.
A relatively large majority of respondents also believe that “sales” take place when personal information is disclosed in a programmatic bid request, in a “direct” deal, in a private marketplace deal, or when data matching or engaging in identity resolution services, such as with a DMP or similar service. These statistics are drawn from questions that did not presume that a “service provider” relationship exists. This broad view of “sales” may explain why we have seen many organizations enter into “service provider” agreements with their partners. In other words, the divergence between views of when a “sale” takes place in the abstract and a company’s own activities may reflect broad reliance on service provider agreements to avoid engaging in “sales.”
Finally, most organizations take the position that measurement and frequency capping activities do not involve a “sale” of personal information, even without a “service provider” agreement.
If you participated in the IAB CCPA Benchmark Survey earlier, you can request the complete results to [email protected].