Can retargeted advertising campaigns be done under service provider agreements?


The definition of “sale” under the CCPA contains an exception for situations in which information is shared with a service provider.  In order for an adtech company to meet the definition of a “service provider,” at least two conditions must be met.

First, the transfer of information to the service provider must be “necessary” for the website’s business purpose.1

Second, the agreement with a service provider must “prohibit” the service provider “from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract with the business.”2

One common use of third party behavioral advertising cookies is to allow businesses to contact consumers that have left the business’s website in order to serve those consumers with targeted advertising.  Similarly, businesses may serve targeted advertising not through the use of behavioral advertising cookies, but  by providing adtech partners lists (e.g., names, email addresses, or telephone numbers) of customers or potential customers.  These practices are commonly referred to as retargeting campaigns, as they often attempt to “retarget” consumers that expressed interest in a product or service, but failed to complete a transaction.

Questions have been raised about whether third parties that provide retargeting services can be classified as “service providers” under the Act.  Specifically, some commenters have asserted that such a use might not be “necessary” for a business purpose under the CCPA, or that by performing a retargeting campaign an adtech partner may be using data for its own purposes.  In response to these concerns, the California Attorney General clarified that “[t]he CCPA allows a service provider to furnish advertising services to the business that collected personal information from the consumer, and such ads may be shown to the same consumer on behalf of the same business on any website.”3  The Attorney General further cautioned, however, that to be considered a service provider the adtech partner must not use the personal information that it collects from one business to “provide advertising services to other businesses.4   Furthermore, under the regulations implementing the CCPA the adtech partner must be prohibited from “building or modifying household or consumer profiles” from the data that it receives.5