- 1798.100 – Consumers’ right to receive information on privacy practices and access information
- 1798.105 – Consumers’ right to deletion
- 1798.110 – Information required to be provided as part of an access request
- 1798.115 – Consumers’ right to receive information about onward disclosures
- 1798.120 – Consumers’ right to prohibit the sale of their information
- 1798.125 – Price discrimination based upon the exercise of the opt-out right
Are consumers in Europe more likely than consumers in the United States to “opt-in” to cookies?
Yes.
Most cookie banners can be classified into one of three general categories: (1) notice only banners, (2) notice + opt-out banners, and (3) notice + opt-in banners. If a company chooses to adopt a cookie banner that provides notice and solicits the opt-in consent (e.g., “I agree”) of website users, the company would have a strong argument that it does not need to disclose that it has sold information, does not need to forward deletion requests to the providers of its third party cookies, and does not need to include an “opt out of sale” link on its website.1
Companies often struggle with anticipating the percentage of users that are likely to accept the deployment of cookies when prompted. There is relatively little empirical data publicly available concerning website visitors’ interactions with cookie banners. The little data that exists, however, indicates that acceptance rates differ depending upon the location of the website visitor. Specifically, users in some European countries (e.g., Sweden and the Netherlands) appear to “accept” cookies when presented with a cookie notice that solicits opt-in at rates that may be more than double the acceptance rate in the United States.2
Can retargeted advertising campaigns be done under service provider agreements?
Yes.
The definition of “sale” under the CCPA contains an exception for situations in which information is shared with a service provider. In order for an adtech company to meet the definition of a “service provider,” at least two conditions must be met.
First, the transfer of information to the service provider must be “necessary” for the website’s business purpose.1
Second, the agreement with a service provider must “prohibit” the service provider “from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract with the business.”2
One common use of third party behavioral advertising cookies is to allow businesses to contact consumers that have left the business’s website in order to serve those consumers with targeted advertising. Similarly, businesses may serve targeted advertising not through the use of behavioral advertising cookies, but by providing adtech partners lists (e.g., names, email addresses, or telephone numbers) of customers or potential customers. These practices are commonly referred to as retargeting campaigns, as they often attempt to “retarget” consumers that expressed interest in a product or service, but failed to complete a transaction.
Questions have been raised about whether third parties that provide retargeting services can be classified as “service providers” under the Act. Specifically, some commenters have asserted that such a use might not be “necessary” for a business purpose under the CCPA, or that by performing a retargeting campaign an adtech partner may be using data for its own purposes. In response to these concerns, the California Attorney General clarified that “[t]he CCPA allows a service provider to furnish advertising services to the business that collected personal information from the consumer, and such ads may be shown to the same consumer on behalf of the same business on any website.”3 The Attorney General further cautioned, however, that to be considered a service provider the adtech partner must not use the personal information that it collects from one business to “provide advertising services to other businesses.”4 Furthermore, under the regulations implementing the CCPA, the adtech partner must be prohibited from “building or modifying household or consumer profiles” from the data that it receives.5
Under the CCPA, can a conference organizer transfer personal information of attendees to sponsors?
Yes.
Conference and event organizers often provide lists of conference attendees to third parties that sponsor (or exhibit at) the conference. While nothing within the CCPA prohibits such information from being shared, the transfer of information may, or may not, be considered a “sale” depending upon the following factors:
- Did the sponsor or exhibitor provide consideration for the data? The CCPA defines “sale” to include the disclosure of personal information by one business to another “for monetary or other valuable consideration.”1 To the extent that the motivation of a business to sponsor a conference is not related to the receipt of personal information (e.g., brand recognition, speaking opportunities, etc.) they may be able to argue that the receipt of personal information was ancillary to their sponsorship and because such information was not the object of the consideration provided, consideration was not tendered for it.
- Did the sponsor or exhibitor obtain the consent of the attendees to have their information shared? The CCPA exempts from the definition of “sale” situations in which a consumer “directs the business to intentionally disclose personal information or uses the business to intentionally interact with a third party . . . .”2 As a result, if a conference organizer asks for, and obtains the consent or authorization of conference attendees to share their information with sponsors or exhibitors there would be a strong argument that the information was not sold.
If an App asks users to consent to a privacy notice, and the privacy notice discloses that the App shares user information with AdTech partners, would that sharing be considered a “sale?”
Arguably not.
Some privacy advocates and plaintiffs’ attorneys have argued that the CCPA’s broad definition of the term “sell” might encompass the transmission of user information from an App to an AdTech partner. Specifically, they claim that the CCPA considers any “disclos[ure]” of personal information to be a “sale” when a company receives “monetary or other valuable consideration.” As the definition of “personal information” includes “unique identifiers” – a term which includes “mobile ad identifiers, or similar technology” – they argue that the act of transmitting information about a user’s device to an AdTech partner that then leads to ad revenue should be considered a “sale” for the purposes of the Act.
While the definition of “sale” under the CCPA contains an exception for situations in which information is shared with a service provider, that exception may not apply to all AdTech partners.1 Specifically, to invoke the service provider exception the contract between an App publisher and an AdTech partner must “prohibit” the partner “from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract with the business.”2 Behavioral advertising networks that retain the information that they obtain from Apps and use that information for the benefit of themselves (or the benefit of other members of a behavioral advertising network) may not satisfy the definition of a “service provider.”
The definition of “sale” under the CCPA contains a second exception for situations in which a “consumer uses or directs the business to intentionally disclose personal information or uses the business to intentionally interact with a third party.”3 In order to mitigate the risk that sending user information to AdTech partners might be interpreted as a “sale” of information, some App publishers disclose that they transmit information to AdTech partners in their privacy notices, and then ask users to consent to those notices (and, hence, consent to the sharing of their information). If the App publisher obtains consent to its privacy notice, it could argue that the consumer has “direct[ed] the business to intentionally disclose” information and, therefore, the transfer of information is not a sale. The strength of such an argument may depend, in part, on the prevalence of the privacy notice, and the manner in which consent is solicited and obtained.
If an App asks users to consent to the sharing of their information with AdTech partners, would that sharing be considered a “sale?”
No.
Many Apps transmit information about their users to third party advertising technology companies to facilitate the placement of targeted advertising within the App which, in turn, generates advertising revenue for the App publisher.
Some privacy advocates, and plaintiffs’ attorneys, have argued that the CCPA’s broad definition of the term “sell” might encompass such activities. Specifically, they claim that the CCPA considers any “disclos[ure]” of personal information to be a “sale” when a company receives “monetary or other valuable consideration.” As the definition of “personal information” includes “unique identifiers” – a term which includes “mobile ad identifiers, or similar technology” – they have argued that the act of transmitting information about a user’s device to an AdTech partner should be considered a “sale” for the purposes of the Act.
While the definition of “sale” under the CCPA contains an exception for situations in which information is shared with a service provider, that exception may not apply to all AdTech partners.1 Specifically, to invoke the service provider exception the contract between an App publisher and an AdTech partner must “prohibit” the partner “from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract with the business.”2 Behavioral advertising networks that retain the information that they obtain from Apps and use that information for the benefit of themselves (or the benefit of other members of a behavioral advertising network) may not satisfy the definition of a “service provider.”
The definition of “sale” under the CCPA contains a second exception for situations in which a “consumer uses or directs the business to intentionally disclose personal information or uses the business to intentionally interact with a third party.”3 In order to mitigate the risk that sending user information to AdTech partners might be interpreted as a “sale” of information, some App publishers ask users to consent to the sharing of their information. If the App publisher obtains consent, it would have a strong argument that the consumer has “direct[ed] the business to intentionally disclose” their information and, therefore, the transfer of information is not a sale.
Are companies required to get opt-in consent under the CCPA before using personal data?
No.
The CCPA does not require that a company obtain the consent (or the “opt-in”) of a person before collecting or using their personal information. The concept of consent only arises within the CCPA if a company intends to sell information. In that context, consent applies in three situations:
- Exemption from the definition of “sale.” The CCPA’s broad definition of “sale” could encompass a number of ordinary information transfers that consumers would hardly consider to be a “sale” as the term is generally understood. The CCPA exempts from the definition of “sale” any transfer that takes place because the “consumer uses or directs the business” to “intentionally disclose personal information” to a third party.1 In other words, if a consumer consents, or opts-in, to an information transfer it is not considered a “sale” under the CCPA.2
- Sale of information about minors. The CCPA prohibits a business from knowingly selling the personal information of a consumer that is “less than 16 years of age” unless the consumer (in the case of individuals between 13 and 16) or the guardian (in the case of individuals under the age of 13) has “affirmatively authorized the sale” of personal information.3 In other words, opt-in consent is needed to sell the information of a minor. Interestingly, if a business obtained the affirmative consent to transfer personal information, as discussed in the previous paragraph, technically the information transfer might not be a “sale” at all.
- Re-soliciting the ability to sell. The CCPA states that if a person opts out of the sale of information (e.g., by clicking a “Do Not Sell My Personal Information” link), a business is not permitted to solicit their consent (or opt-in) to a future sale for “at least 12 months.”4
Is the disclosure of personal information for purposes of creating a look-alike audience a “sale” under the CCPA?
Sometimes.
Many companies today use “look-alike audiences” (a.k.a. “mirror audiences” or “similar audiences”) to reach potential consumers through online advertising. A look-alike audience is created when a business sends information, typically in hashed form, about a group of its current customers (the “seed audience”) to an advertising platform that matches the seed audience to an entirely new audience (the “look-alike audience”). The matching process uses the aggregated seed audience information to identify new individuals who have similar purchase habits, preferences, search histories, or other relevant traits. After the match is complete and the look-alike audience is created, the advertising platform then serves the business’s ads directly to the look-alike audience.1 While the use of a look-alike audience can offer significant advantages to a company, it can also raise concerns that a company is “selling” personal information as defined by the CCPA.
Depending on the underlying contractual terms, the business’s initial transfer of customers’ personal data to the advertising platform could be considered a “sale” under the CCPA. The CCPA broadly defines “sale” to include “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating…a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.”2 As such, the very act of transferring the data arguably falls within this broad definition, since the business almost certainly gets valuable consideration in return.
However, a “sale” does not include sharing information with a “service provider.” A “service provider” includes an entity who “process[es] information on behalf of a business and to which a business discloses a consumer’s personal information for a business purpose pursuant to a written contract.”4 Importantly, the contract must prohibit the entity from “retaining, using, or disclosing” the personal information for any purpose other than to perform the services specified in the contract.5 The contractual terms between the business and the advertising company governing the creation of the look-alike audience, such as the advertising platform’s terms of service, may exclude the initial data transfer from the definition of “sale” by qualifying the advertising platform as a “service provider.” Each advertising platform has different contractual terms, so in order to determine whether the creation of a look-alike audience is a “sale” under the CCPA, a business must determine the following:
- Does the contract prohibit the advertising platform from “using” the data for any purpose other than to create the look-alike audience?
- Does the contract prohibit the advertising platform from “disclosing” the data to another third party except for the purposes of creating the look-alike audience?
- Does the contract prohibit the advertising platform from “retaining” the data longer than as necessary to create the look-alike audience?
If the contract fails to do any of those three things, or the contract does not govern all of the personal information subject to the transfer, the transfer of data to the advertising platform is likely a “sale” under the CCPA.
If a company acquires another company, can it transfer the target’s data to its new affiliates for their marketing purpose?
Federal and state privacy laws do not expressly prohibit most acquirers (e.g., acquirers of a retail brand) from internally transferring the target’s data for use by affiliated companies. That said, in 2000, the Federal Trade Commission took the position that a company which had included a broad statement within its privacy notice that it would not share personal information with third parties could not transfer personal information as part of the sale and/or acquisition of the company unless the acquirer met certain threshold qualifications (e.g., hailed from the same industry).1 Forty-six states, the District of Columbia, and two federal territories took an even more restrictive position that the information could never be transferred to an acquirer.2 As a result of the positions taken by the FTC and state regulators, as a best practice, most organizations now include a clause within their privacy notices that affirmatively states that personal information may be shared as part of a merger or acquisition. For example, many companies include a provision along the following lines:
“If another company acquires, or plans to acquire, our company, business, or our assets, we will also share information with that company, including at the negotiation stage.”
If the target has a disclosure similar to the above, the acquirer arguably can take and disseminate to corporate affiliates the personal information collected by the target consistent with federal and (most) state laws.
This result is largely consistent with the approach taken by the California Consumer Privacy Act. The CCPA broadly defines the term “sale” as including the act of “disclosing” or “making available” personal information “for monetary or other valuable consideration” from one business to another.3 The CCPA includes an exception to the sale of information, however, in situations in which information is transferred as part of an acquisition in which the acquirer “assumes control of all or part of” the target.4 In those situations, the Act permits internal transfers to occur without classifying those transfers as “sales” so long as the information is “shared” consistently with the target’s privacy notice.5 On a going forward basis (i.e., post acquisition) the CCPA’s rules concerning affiliate sharing likely apply. Under those rules, an entity that is owned by another entity is considered a separate business unless the two companies “share[] common branding.”6 For the purposes of the statute “common branding” is defined as a “shared name, servicemark, or trademark.”7
The net result is that if a privacy notice states that information can be shared between and among acquirers and affiliates, such sharing is arguably permitted at the time of acquisition. On a go-forward basis, at least in California, the target would need to share common-branding with the acquirer in order to continue the sharing of information without raising the possibility that such continued use constitutes the “sale” of information for which an opt-out right would need to be given. That said, an amendment to the CCPA deferred the full impact of the Act upon employee data until January 1, 2021.8
Do cookie banners receive different acceptance rates on desktops and on smartphones?
Yes.
Most cookie banners can be classified into one of three general categories: (1) notice only banners, (2) notice + opt-out banners, and (3) notice + opt-in banners. If a company chooses to adopt a cookie banner that provides notice and solicits the opt-in consent (e.g., “I agree”) of website users, the company would have a strong argument that it does not need to disclose that it has sold information, does not need to forward deletion requests to the providers of its third party cookies, and does not need to include an “opt out of sale” link on its website.1
Companies often struggle with anticipating the percentage of users that are likely to accept the deployment of cookies when prompted. There is relatively little empirical data publicly available concerning website visitors’ interactions with cookie banners. The little data that does exist, however, indicates that user acceptance rates are significantly greater when a user visits a website on their smartphone. For example, in one study researchers placed the same cookie banner on the bottom-left of a website and on the bottom-left of a smartphone.2 They found that desktop visitors accepted the banner 18.4% of the time, whereas smartphone visitors accepted the same banner 26.4% of the time. When other variables were controlled the difference increased. So, for example, when the banner was adjusted to present only two options – accept or decline – the acceptance rate increased to 45.6% for smartphones while it remained around 20% for desktop users.3 The increase was likely caused by presenting options that were, from a user-experience perspective, easy to select on a smartphone.
Does the placement of a cookie banner impact user acceptance rate?
Yes.
Most cookie banners can be classified into one of three general categories: (1) notice only banners, (2) notice + opt-out banners, and (3) notice + opt-in banners. If a company chooses to adopt a cookie banner that provides notice and solicits the opt-in consent (e.g., “I agree”) of website users, the company would have a strong argument that it does not need to disclose that it has sold information, does not need to forward deletion requests to the providers of its third party cookies, and does not need to include an “opt out of sale” link on its website.1
Companies often struggle with how to display a cookie banner given the complexities of conveying information to individuals that may lack technical expertise, and “banner fatigue” – i.e., the fact that website visitors are presented with so many pop-ups and banners that they often do not spend the time to read banners that appear before closing them.
There is relatively little empirical data publicly available concerning website visitors’ interactions with cookie banners. The little data that does exist, however, indicates that user acceptance rates are significantly impacted by where a cookie banner is placed on a screen. For example, in one study researchers randomly placed the same cookie banner at the top, the top-left, the top-right, the bottom, the bottom-left, and the bottom-right of a website and then observed how 14,135 website visitors interacted with the banner.2 They found that when the banner was placed in a “bar” at the top of the page approximately 1.8% of visitors accepted cookies. When the same banner was placed on the bottom-left of the screen the acceptance rate jumped to 18.4%. While the researchers did not probe the cause of the difference, they suspected that the bottom-left placement was more likely to cover the main content of a website (in comparison, notices shown at the top often hide only design elements), and that website visitors were accustomed to the left-to-right directionality of Latin script. Both factors may cause viewers to interact with a cookie banner at the bottom-left.