The use of data by marketers and advertisers has fueled the modern digital economy, and powers many of the businesses that have become staples in the American marketplace. At the same time, across the nation and the globe, lawmakers have been looking for ways to force companies to tighten up their data privacy and data security practices.
Late last year, California lawmakers enacted the California Consumer Privacy Act of 2018 (CCPA) to provide for more stringent requirements and practices on the part of companies handling California consumers’ electronic information and data. While all businesses that fall under the scope of the CCPA can expect the compliance process to be complex, complying with the law may be an especially thorny undertaking for data-driven marketing and advertising businesses, as the CCPA encompasses much of the information relied on by, and disclosed among, those entities that operate in the online advertising ecosystem.
Notice and Disclosure Obligations
For covered businesses that have direct contact with consumers, such as publishers, this means updating their online privacy policies with the information that is required to be affirmatively disclosed. The notice requirements present more of a dilemma for participants in the digital advertising space that do not have direct contact with consumers, which will need to determine how to deliver the required information to consumers.
The Right to Opt-Out
The CCPA requires covered businesses to allow consumers to “opt-out” and stop a business from selling their personal information to third parties. This restriction on the ability to sell consumers’ personal information will have a sizable impact on the digital advertising industry as a result of the expansive definition of “sale,” which extends to any data transaction that involves a value exchange.
As a result of these new opt-out rights, it is likely that many consumers will choose to opt out of data collection from third-party websites. A consumer reaction in this fashion could significantly curtail the effectiveness of digital advertising channels that rely on consumer information, forcing businesses to rely more heavily on search engine optimization and contextual advertising, as opposed to direct-to-consumer behavioral advertising. As such, marketers and advertisers are well advised to develop contingency plans for when the CCPA goes into effect in order to effectively handle how consumers will react to the right to opt-out.
In addition, the CCPA also bars businesses from engaging in the resale of personal information—selling data that was sold to it, as compared to selling data the business originally collected directly from a consumer—absent providing consumers express notice and an opportunity to exercise the right to opt out of the resale. This limitation may trigger significant challenges for data brokers and other intermediaries, whose business models focus on selling data that is collected from a range of sources other than consumers, due to the requirement that those entities must offer consumers the ability to opt out a second time prior to the resale of any personal information.
The Right to Deletion
As part of the CCPA’s right to deletion, companies must inform consumers of this right and, upon request, must delete the consumer’s personal information from its records, and direct any vendors or service providers to do the same. Applied to the digital advertising context, this right creates significant challenges to the accuracy and reach of certain types of audiences that can be accessed on web and social media platforms, as well as additional challenges to companies that collect consumer data and sell it to third parties.
With that said, there are several exceptions to the right to deletion, including where the business requires such information to complete a consumer transaction, for research or free speech purposes, for security purposes, for legal compliance, and otherwise where information is necessary to use “internally, in a lawful manner that is compatible with the context in which the consumer provided the information.” Thus, it is potentially feasible that businesses with first-party relationships may have valid grounds to refuse a deletion request, even if information is used for marketing or advertising purposes.
Private Right of Action Provision
In today’s highly technological age, while data is an asset, it is also increasingly becoming a significant potential liability. This is especially so with the CCPA’s inclusion of a private right of action provision, which at the present time allows individuals whose data has been compromised to pursue litigation against businesses that experience a data breach (but which may be amended to extend beyond the data breach context to any violation of a consumer’s CCPA rights).
Thus, while marketers and advertisers may be driven to collect and acquire as much information as possible, they should closely evaluate the risk that such collection entails, and whether the benefits outweigh the potential downsides of collecting certain types of data. Companies can limit their liability under the CCPA by being selective as to what data is collected and stored, especially as it relates to personally identifiable information.
The Final Word
Although the CCPA is not set to go into effect until 2020, because many of the CCPA’s provisions require the disclosure of data collected and/or sold over the preceding 12-month period, full compliance with the CCPA will require significant lead-time and resources, making now the time for businesses to begin the process of preparing for compliance with the CCPA.
Getting an early start on compliance is also especially important due to the breadth and scope of the new law, which may require marketing and advertising firms to invest significant time in order to determine all organizational systems that require updates, and to implement changes to come in compliance with the new law.
Ana Tagvoryan is a partner at Blank Rome LLP and serves as chair of the Firm’s Privacy Class Action Defense group and vice chair of the Corporate Litigation group. Jennifer J. Daniels is a partner at Blank Rome LLP and serves as co-chair of the Firm’s Cybersecurity & Data Privacy group. David J. Oberly is an associate at Blank Rome LLP and is also a member of the Firm’s Cybersecurity & Data Privacy group.