Join us on Thursday for a webinar discussing how to operationalize adtech privacy compliance, and learn about other ways you can stay informed.

Operationalizing Adtech Privacy Compliance: Understanding the IAB Multi-State Privacy Agreement

Responding to the industry’s need for a solution, the Interactive Advertising Bureau (IAB), working with various stakeholders, has prepared the Multi-State Privacy Agreement (MSPA). The MSPA is designed to help publishers, advertisers, agencies, and adtech intermediaries address some of these privacy contract and choice obligations throughout the supply chain, while also providing publishers and advertisers with flexibility in operationalizing on a national basis or apply state-specific approaches.

Please join us for a discussion on Thursday, September 29, at 1:00 pm Eastern with IAB’s Michael Hahn and Tony Ficarrotta to discuss the structure of the MSPA and how the MSPA solves significant digital advertising industry compliance challenges. The discussion will also cover the changing regulatory landscape, such as the California Privacy Protection Agency’s rulemaking process, and how the MSPA is positioned to respond to those changes.

Please register here to attend this event.

Ad Law News and Views Back to School Issue

Ad Law Access App

Find All Our Information

Privacy/Competition Focus on Tech

First, Khan’s statement reiterates her commitment to address privacy through a “cross-disciplinary” approach that uses the tools of competition law, not just consumer protection law, to address privacy harms. She states that “concentrated control over data has enabled dominant firms to capture markets and erect entry barriers while commercial surveillance has allowed firms to identify and thwart emerging competitive threats,” resulting in reduced privacy.

To address these concerns, as outlined further in the report, the agency intends to focus “most” of its limited resources against the “data practices of dominant digital platforms,” including through additional compliance reviews and order modifications and enforcement, “as necessary,” against, for example, Facebook, Google, Microsoft, Twitter, and Uber.

The Report adds that (with more resources from Congress), the FTC also will prioritize:

• Adtech and “Walled Garden” Advertising Practices, including:
  • “[B]usiness models that depend on expansive and potentially illegal data collection to fuel targeted advertising and user engagement,” and
  • “Exclusionary or predatory conduct by dominant digital platforms to defend their data troves, resulting in lower levels of privacy and data protections and more intrusive ads.”
• Children’s Tech: “Platforms and other online services that are potentially violating COPPA, an area of particular importance given that many children may be increasingly relying on online services for both educational, entertainment, and social purposes during the pandemic.”
• Other Privacy Considerations, such as data uses involving health, biometric, or other sensitive data, discriminatory algorithmic practices, or other deceptive or unfair data practices.
• Even More Competition Focus on Tech:
  • Dominant digital platforms’ data practices that present both privacy and competition concerns due to their scope and size, and
  • “Acquisitions that allow dominant digital platforms to collect and control ever expanding data from consumers or block the development of more secure data protection policies.”

Privacy Rulemaking

Second, recognizing that competition may not always align with and fully address privacy concerns, Khan emphasizes the need for the FTC to use its rulemaking authority to codify baseline protections. In support of such rules, she cites a variety of factors that may mask how much consumers value their privacy and undermine their ability to make choices to protect it. These include the lack of competition among technology providers, “dark patterns” that manipulate and “nudge” users, and the inadequacies of the notice-and-consent framework. The report elaborates on this topic, stating that the FTC intends to develop new privacy rules (presumably under its inherent “Magnuson Moss” rulemaking authority) and strengthen existing ones, such as COPPA, Health Breach Notification (already expanded via policy statement as we discuss here), Red Flags, and GLB Safeguards. In other words, expect more rulemaking concerning privacy practices affecting children’s data, health, identity theft, and financial services (but likely with a much broader view of what these encompass based on the FTC’s recent activity).

New Data Use Restrictions

Third, Khan states that the FTC should consider “substantive limits,” rather than procedural protections and process requirements, in its privacy work. Here, she also discusses how behavioral ad-based business models can “incentivize constant surveillance, resulting in further mass aggregation of data, potentially heightening the risk of data privacy and security abuses—and further inviting us to consider a market-wide approach.” Her provocative discussion of behavioral advertising here (and multiple references to unlawful or intrusive surveillance on this topic) is significant, as it suggests that she intends to issue rules limiting or banning this practice, as urged in a recent petition to the FTC. Relatedly, the report states that the FTC will obtain stronger remedies in enforcement actions, including notifications to consumers when their data has been disclosed; provisions requiring companies to monitor and prevent identity theft and other privacy harms; deletion of algorithms, models, and data created or used illegally; and redress obtained in coordination with other federal and state agencies.

More Money

Finally, Khan cites the need for a substantial increase in resources to bring the FTC in line with international counterparts and enable the agency to recruit additional talent. The report elaborates on this goal, comparing the FTC’s privacy FTEs (40-45) to the UK’s (768) and stating the FTC needs about 100 more. (This point was also discussed in the Congressional hearing last week). According to the report, the FTC would use these resources for all of the activities discussed above, as well as a host of others, including conducting additional industry studies under Section 6(b) of the FTC Act; studying algorithms and bringing enforcement actions against algorithmic discrimination; hiring more technologists and subject matter experts; and addressing privacy and safety issues involving connected cars, health devices, stalking apps, and pornography platforms.

The report also reiterates the FTC’s call for federal privacy legislation, legislative clarification of the FTC’s authority to obtain consumer redress under Section 13(b), and removal of the common carrier and non-profit exceptions.

Is This News? Yes, and Here’s Why.

Many of the goals in Khan’s statement and the report are consistent with the FTC’s current authority and longstanding support for stronger federal laws and remedies. Robust injunctive and monetary relief, section 6(b) studies, vigorous order enforcement, and enhanced legislative authority and resources are all worthy goals that protect consumers and honest businesses and increase the agency’s effectiveness. However, as discussed in Commissioner Phillips’ dissent and Commissioner Wilson’s concurrence in part, dissent in part, some of them likely exceed the FTC’s statutory mandate and will run into serious obstacles when they are tested in court.

For example, as the Phillips and Wilson statements note, competition and privacy are governed by different laws with different remedies. To the extent that Khan seeks to conflate these laws and remedies, it could exceed the FTC’s authority. In addition, Phillips emphasizes that many of the goals and remedies cited by Khan and the report – including the references to “tackling [privacy] issues on a structural level” and potentially banning industry-wide practices through rulemaking – could “bar companies from engaging in legal conduct,” “let a majority of Commissioners run companies by regulatory fiat,” and usurp the role of Congress in weighing the “judgements and tradeoffs that will be required of privacy legislation...”

As mentioned in our blogpost last week, there are also many legal and practical obstacles to engaging in rulemaking of the type and number that Khan and the report appear to contemplate. Under Magnuson Moss rulemaking, the FTC must prove that any practice it seeks to regulate is unfair or deceptive, as well as prevalent. Magnuson Moss rulemaking also contains a slew of procedural steps that the agency must take (hearings, analyses, publications, etc.) and establishes a standard of judicial review that gives very little deference to the agency. These hurdles were imposed by Congress precisely because Congress was concerned about regulatory overreach in the 1970s. (For a little history tour, see “Stoning the National Nanny: Congress and the FTC in the late 1970s,” by former FTC Chairman Michael Pertschuk).

For all of these reasons, the FTC’s privacy (competition, and tech) agenda is certainly likely to face challenges. Congress could block or delay many of the bold regulatory moves being discussed now, especially as they relate to broad federal mandates banning conduct that, to date, has never been found to be illegal. Will Congress be willing to allocate additional resources to an agency that is reconceiving of itself and its privacy mandate? Will additional resources be enough to empower a new bureau of privacy without additional legal authority? How will the courts respond to the FTC’s ambitious efforts? If the Supreme Court’s AMG decision is any indication, the agency is likely to face judicial skepticism over some of these positions.

In the meantime, the road ahead appears to be filled with new rulemaking and investigations, potentially novel legal theories, and more litigation. Companies may need to make difficult decisions as they navigate these developments and consider whether to expend the resources necessary to challenge them in court. We will continue to monitor and report on developments as they occur.

With AdTech (tracking individuals and their online or in app behaviors to build a profile of them to better serve and more effectively target them) and MarTech (strategies and technologies to generate demand, attention, and sales for a product) now the most celebrated or perhaps infamous areas in privacy today, being a privacy lawyer has changed dramatically in just a few years. Privacy lawyers are not only counseling and guiding companies along the lines of what they need to do from a legal perspective but there's an element of what should be done from an ethical or social perspective as well. Finding a coherent thread through all of the requirements and keeping track of all the technological changes in what is now a very tech heavy business is difficult.

Kelley Drye Partner Alysa Hutnik discusses the state of privacy, tracking, compliance technology and tools, and strategies privacy lawyers and others can use to help do their jobs. As you would expect, there are some practical tips to take away.

Find the episode on Apple Podcasts, Google Podcasts, Amazon Podcasts, SoundCloud, or wherever you get your podcasts.

Contact:

Alysa Z. Hutnik [email protected] (202) 342-8603

For additional information, please visit:

• Key Developments in CCPA Litigation for Q1 2021- As we move deeper into the second year of CCPA litigation, the substantive issues continue to develop and we remain focused on the patterns and implications of recent filings and rulings. In this post, we highlight notable developments in three cases that occurred in the first quarter of 2021. These cases raise significant issues regarding judicial interpretation of the private right of action in the CCPA, the definition of a “data breach,” and CCPA plaintiffs’ ability to access pre-complaint discovery.
• Advertising and Privacy Law Resource Center - Kelley Drye has organized this Advertising and Privacy Law Resource Center to help your company navigate the legal landscape. While this site is not exhaustive, it addresses key legal topics relevant to advertising and marketing, privacy, data security, and consumer product safety and labeling. Feel free to contact us to discuss any specific claims, privacy or data security practices, or for any other questions.
• Ad Law Access Blog - Updates on consumer protection trends and developments from the Advertising Law and Privacy Law practices
• Privacy and Information Security Practice Group Page

No “Sales” if Sharing with a Service Provider

To explain Google’s move, it’s helpful to understand that the CCPA incentivizes a business-service provider relationship. A business can provide a service provider personal information without calling the disclosure a “sale” or offering an opt-out option. When a business provides personal information to a service provider, the business receives liability protections so long as the business does not have actual knowledge or reason to believe that the service provider is violating the CCPA.

In turn, the service provider is restricted from keeping, using, or disclosing personal information for purposes other than “business purposes” spelled out in the service provider contract.

How to Determine if an AdTech Partner is a Service Provider?

But many in the Ad Tech industry have not yet publicly addressed their practices within the context of the CCPA, which has left companies to scrutinize existing contracts, the partner’s publicly-posted terms, statements, privacy policies, and to evaluate the partner’s actual tracking activity, to help determine if there is support for a service provider classification. Other Ad Tech players have asserted that CCPA does not change their practices, but that no “sales” are occurring, leaving many publishers and advertisers to determine if their business can withstand taking on the risk that this assertion will be rejected once the Attorney General evaluates the practice.

At bottom, there is not yet consensus in the AdTech industry on how to assess CCPA within the context of digital advertising. Enter Google. Google offers an array of advertising and analytics services. But is Google an eligible service provider?

In favor of this classification is the definition of a “business purpose,” which includes “performing services on behalf of the business…, including … providing advertising or marketing services, [or] providing analytic services…” Under this interpretation, Google obtains personal information to provide services to the business, but is using the personal information only as allowed under the CCPA.

But in the absence of clear contract or terms of service, there is ambiguity on whether this explanation would be enough to support a CCPA service provider classification. For example, it’s possible, absent clear restrictions, that Google or another Ad Tech service provider might use third party cookies for ad tracking or bid requests sent to third party programmatic buyers involving pooled personal information of customers. That practice would involve broader sharing and usage of personal information than what clearly fits within a service provide construct. Further, it’s also possible that some Ad Tech partners might use that personal information for their own purposes, such as their own marketing efforts or other commercial purposes.

Google’s response to these compliance concerns is to offer businesses covered by the CCPA both clarity as to which of its solutions, by default, only use personal information for purposes on behalf of the customer, such as Google Analytics, Google Ad Words Customer Match, among others. And, for other solutions, customers have to enable “restricted data processing” for Ad Manager, Ad Manager 360, AdMob, AdSense, and Google Ads services. When companies enable restricted data processing, they essentially “turn off” any interest-based advertising and other broader usage of the data that is not on behalf of a customer. Google explains, “When a publisher [using Ad Manager] enables restricted data processing, Google will limit how it uses data and begin serving non-personalized ads only. Non-personalized ads are not based on a user’s past behavior. They are targeted using contextual information, including coarse (such as city-level, but not ZIP/postal code) geo-targeting based on current location, and content on the current site or app or current query terms.” To further support a “service provider” classification and remove any ambiguity, Google’s service provider contract expressly affirms that, “with respect to customer personal information processed while restricted data processing is enabled … Google will act as Customer’s service provider…”

For solutions that are not enabled to restrict data processing, Google will let individual consumers opt out in accordance with the rights offered in the CCPA.

This development will have ripple effects on the industry given that Google, as a major player, provides core turnkey Ad Tech solutions where it is the only provider linking the publisher, advertiser, and end consumer. This gives Google latitude to implement contract language and new tools to restrict data processing, and to then apply those restrictions across Google’s services. By comparison, a solution being discussed by the Interactive Advertising Bureau would require disparate Ad Tech players to all enter into a common contract that governs sharing of personal information and restricts “commercial purpose” uses of personal information.

But both concepts recognize that online programmatic interest-based advertising often involves a broader sharing and use of personal information, as defined by the CCPA, that includes a “sale,” and there’s a need to distinguish which relationships and practices involve a “service provider” (where there is not a “sale”), and which entities in that exchange facilitate a sale of personal information.

Google will not require customers complying with its online terms to opt in to the new contract. The contract takes effect as of January 1, 2020 to the extent that the CCPA applies.

Next Steps

CCPA’s compressed timeline for compliance has resulted in late-breaking developments by major players in the industry on how they are interpreting and responding to CCPA requirements, whether in the role of a business, service provider, or third party. This necessitates a responsive compliance framework that tracks these developments and makes appropriate modifications, as needed. This is particularly the case with digital advertising. If you have further questions about how these developments apply to your business, please feel free to contact any of our Privacy team members at Kelley Drye.

This workshop will be open to the public but registration is required. Register here.

Agenda Highlights

Marketing with influencers and celebrities can help companies capture consumer attention, but there are enough legal headaches to make you dizzy. Not only do companies need to worry about complying with the law, they need to worry about whether the talent will do anything to harm their brands. Although there isn’t a one-size-fits-all solution to these issues, we will discuss the key legal requirements and provide practical tips for your campaigns.

FTC Update

Now that the FTC has a full slate of new commissioners, and is nearing conclusion of hearings examining the agency’s past and future policy and enforcement approach, what can businesses expect to see from the FTC in terms of policy and enforcement changes? This session will discuss these updates and the practical ramifications for industry.

Privacy Strategy: Planning for California’s CCPA and Beyond

The California Consumer Privacy Act (CCPA) takes effect January 1, 2020. A number of states are following with efforts to enact their own comprehensive privacy laws. Federal legislation that preempts such state laws also remains a possibility. This session will focus on practical steps that companies can take now to address their privacy compliance obligations in the United States, along with best practices for data risk management.

Class Action Update

The plaintiffs' bar is more active than ever. This session will discuss current issues and trends in consumer protection litigation, with a particular focus on Telephone Consumer Protection Act (TCPA) class actions.

Advertising Technology: Key Legal and Self-Regulatory Developments

Recently-enacted laws with global impact and high-profile privacy and data security events with associated industry scrutiny have major implications for companies that create and support targeted advertising and those that leverage the resulting insights. This session will provide strategies to carefully navigate the increasingly complex legal, regulatory, and self-regulatory AdTech landscape.

Consumer Protection and Privacy Panel

Update on some of the other significant developments that companies should have on their radar.

Questions, please contact [email protected]

The “sale” definition in the CCPA, as it stands today, is broadly worded and includes essentially any distribution of data in return for value. As a result, there has been legitimate concern in the online advertising space—which involves data sharing among multiple parties—that the sharing of personal information for purposes of delivering targeted advertising would be viewed as a “sale” under the statute and trigger the CCPA’s compliance requirements.

SB-753, if adopted, would respond to these concerns by adding a new exemption to the CCPA’s definition of a sale. Specifically, a business would not be deemed to have sold personal information if:

Pursuant to a written contract, the business shares, discloses, or otherwise communicates to another business or third party an online identifier, an Internet Protocol address, a cookie identifier, a device identifier, or any unique identifier only to the extent necessary to deliver, show, measure, or otherwise serve or audit a specific advertisement to the consumer.

Overall, the proposed amendment would have potentially positive implications for the AdTech industry by allowing businesses to share information to the extent necessary to show specific advertisements to the consumer. That said, the full parameters of the exemption remain unclear, including what exactly qualifies as “necessary,” and how the contract obligations might apply across the highly-distributed AdTech ecosystem. We anticipate these questions and others like it to be discussed at the upcoming hearing.

We will continue to closely track SB-753 and provide updates as they come.

While expressing “strong support” for the CCPA’s intent, and noting the online ad industry’s longstanding consumer privacy efforts like the DAA’s YourAdChoices Program, the group proposed the following three clarifications relating to CCPA provisions that, unless modified, the group believes could reduce consumer choice and privacy:

• Notice relating to a sale of consumer data: A company’s written assurance of CCPA compliance should satisfy the requirement to provide a consumer with “explicit notice” (under 1798.115(d)) when a company sells a consumer’s personal data that the company did not receive directly from such consumer;
• Partial opt-out from the sale of consumer data: When responding to a consumer’s request to opt out of the sale of personal data, companies can present consumers with choices on the types of “sales” from which to opt-out, the types of data to be deleted, or whether to opt out completely, rather than simply offering an all or nothing opt-out.
• No individualized privacy policies: Businesses should not be required to create individualized privacy policies for each consumer to satisfy the requirement that a privacy policy disclose to consumers the specific pieces of personal data the business has collected about them.

The comments coincide with a series of public forums that the California AG is hosting to provide interested parties with an initial opportunity to comment on CCPA requirements and the corresponding regulations that the Attorney General must adopt on or before July 1, 2020.