- 1798.100 – Consumers' right to receive information on privacy practices and to access information
- 1798.105 – Consumers' right to deletion
- 1798.110 – Information required to be provided as part of an access request
- 1798.115 – Consumers' right to receive information about onward disclosures
- 1798.120 – Consumers' right to prohibit the sale of their information
- 1798.125 – Price discrimination based upon the exercise of the opt-out right
What concerns do website owners have with the IAB’s final CCPA Do Not Sell Framework?
The Interactive Advertising Bureau (“IAB”) is a trade association comprised of companies that participate in digital marketing. Its members include both media companies and advertising technology (“adTech”) companies.
In October of 2019, the IAB published a draft IAB CCPA Compliance Framework for Publishers & Technology Companies (the “Draft IAB Do Not Sell Framework”).[1] The draft proposed that website owners would provide consumers with a “do not sell” link and transmit a do not sell signal to IAB framework participants if a consumer opted out, and that the framework participants would agree to abide by a “Limited Service Provider Agreement” in their treatment of such data. The proposal was presented as a means of complying with the CCPA’s requirement that companies disclose whether they sell personal information and, if a sale is occurring, include a “Do Not Sell My Personal Information” link on their website.[2]
Privacy advocates and the business community raised numerous questions and concerns about the draft. In December, the IAB released a final version of the framework (the “IAB Do Not Sell Framework”), which addressed some (but not all) of those concerns. The following are some of website owners’ concerns with the viability of the framework as it was finalized:
- Website owners would be contractually limited to dealing with adTech companies that participate in the framework. The IAB Do Not Sell Framework effectuates a do not sell request by attempting to convert adTech companies that have joined the framework, and that have executed a “Limited Service Provider Agreement” provided by the IAB, into “service providers” when such companies receive a do not sell signal from a website owner. From a website owner’s perspective, however, participating in the IAB Do Not Sell Framework effectively self-restricts the adTech companies with whom they can partner to those that have joined the framework. Specifically, the Limited Service Provider Agreement that website owners are required to accept requires that they represent and warrant that, if a consumer clicks their do not sell link, the website owner will “only” transmit “bid requests . . . to Downstream Participants that are Signatories” of the IAB Do Not Sell Framework.[3] Given uncertainty concerning how many companies in the behavioral advertising ecosystem will join the framework, many website owners are concerned about the cost, and the potential disruption, that could be involved in (1) identifying which of their behavioral advertising partners have joined the framework, (2) terminating relationships with behavioral advertising companies that choose not to participate in the framework, and (3) conducting ongoing monitoring of behavioral advertising partners to ensure that they continue their framework participation.
- Website owners that continue to transmit data to non-IAB participants could be alleged to have engaged in deceptive practices. The IAB Do Not Sell Framework requires that website owners post a “do not sell my personal information” link on their website and disclose in their privacy notice that, by clicking the link, a consumer’s information will no longer be sold. To the extent that the website owner continues to transmit data to non-IAB participants (i.e., companies that have neither entered the IAB Do Not Sell Framework nor agreed via a separate contract to refrain from using, sharing, or disclosing information that they receive from the website owner for their own purposes if the website owner broadcasts the IAB do not sell signal), it is possible that a regulator or a privacy advocate may allege that the website owner has misrepresented the effect of clicking on the Do Not Sell link.
- The effectiveness of the Limited Service Provider Agreement is unknown. In order for a company to be considered a “service provider” under the CCPA, the Act states that there must be a “written contract” and implies that the contract must be “with the business.”[4] Although the “Limited Service Provider Agreement” published by the IAB purports to be a contract between and among “all other Signatories to this Agreement,” there is ambiguity about whether a court will interpret such an arrangement as a sufficient “contract” between a website owner and downstream adTech companies.[5] Furthermore, although the Limited Service Provider Agreement purports to take precedence over pre-existing contracts entered into between a website owner and its adTech partners, the order of precedence identified in the Limited Service Provider Agreement may itself conflict with priority designations within those existing contracts.[6] Existing contracts may also prohibit, or nullify, contractual arrangements, like the Limited Service Provider Agreement, that are created without bilateral signatures from both parties.
- IAB, and the adTech participants, refuse to accept any liability for the effectiveness of the framework. The “Limited Service Provider Agreement” disclaims any representation that the IAB Do Not Sell Framework complies with the CCPA. To the contrary, it states that “changes in the interpretation of the CCPA by an enforcement authority or court of competent jurisdiction . . . may hold that this Agreement, in whole or in part, is not permissible.”[7] The IAB reiterates its reluctance to warrant that its framework complies with the CCPA in the IAB CCPA Compliance Framework for Publishers & Technology Companies document itself, where it states that the “IAB make[s] no representations or warranties, express or implied, as to the completeness, correctness, or utility of the information contained in this Framework and the accompanying Agreement and assume no liability of any kind whatsoever resulting from the use or reliance upon its contents.”[8] The reluctance to assume any monetary liability if a CCPA penalty is assessed as a result of the use of the framework is reiterated in the Limited Service Provider Agreement, where it states in all CAPS that “IN NO EVENT WILL A SIGNATORY BE LIABLE TO ANY OTHER SIGNATORY . . . FOR ANY DAMAGES OF ANY KIND . . . ARISING FROM OR RELATING TO THIS AGREEMENT, REGARDLESS OF WHETHER SUCH SIGNATORY WAS ADVISED, HAD OTHER REASON TO KNOW, OR IN FACT KNEW OF THE POSSIBILITY THEREOF.”[9] It is unclear to what extent website owners, who may be directly liable for a violation of the CCPA, will be comfortable relying upon a compliance framework that ascribes no liability to their adTech partners.
- The Limited Service Provider Agreement may erode existing liability protections. To the extent that a website owner has entered into a separate contract with an adTech partner that provides contractual remedies (e.g., damages) if the adTech partner fails to comply with data privacy laws, the Limited Service Provider Agreement may erode those protections. Specifically, the Limited Service Provider Agreement states that, in the face of a conflict with pre-existing contract terms, the Limited Service Provider Agreement will take precedence in connection with the “Sale and/or use of Personal Information.”[10] As the Limited Service Provider Agreement states that “IN NO EVENT WILL A SIGNATORY BE LIABLE TO ANY OTHER SIGNATORY . . . FOR ANY DAMAGES OF ANY KIND,” an adTech company may attempt to argue that any monetary recovery permitted by an underlying agreement is eroded by the Limited Service Provider Agreement.[11]
- Device/Browser level opt-out may not comply with the CCPA. The IAB Do Not Sell Framework appears to contemplate that when a user clicks on a website owner’s Do Not Sell My Personal Information link it would typically trigger a “Device/Browser Level Opt Out.”[12] A “Device/Browser Level Opt Out” means that the consumer’s instruction for their information not to be sold would only apply “to the particular device (e.g., mobile or desktop hardware unit) or browser on which the applicable Consumer has Opted Out.”[13] It is unclear whether a device-level opt-out fully complies with the CCPA’s requirement that businesses “refrain from selling personal information collected by the business about the consumer” after receiving an initial opt-out request and the requirement that businesses wait “at least 12 months before requesting that the consumer authorize the sale of the consumer’s personal information.”[14] Put differently, while the CCPA prohibits a business from selling a consumer’s personal information after they click a Do Not Sell link, under the IAB Do Not Sell Framework it would appear that a consumer’s personal information would continue to be sold each time they visit a website owner’s site from a different device or a different browser.
- Failure to adequately disclose device/browser level opt-out could result in allegations of deception. The draft IAB Do Not Sell Framework suggested that websites notify consumers who opted out under the framework that, if they visited the website from a different device (e.g., a work computer instead of a smartphone, or a smartphone instead of a personal computer), their information would again be sold until, or unless, the consumer submitted a new opt-out request on the new device.[15] Specifically, it required website owners to state in their privacy notices that “opt out is at a device level and how to opt out across different devices.”[16] Interestingly, the final IAB Do Not Sell Framework does not contain such an explicit requirement and instead requires the website owner to generally explain “the effective scope of the opt out.”[17] If a website owner does not accurately describe to consumers that the IAB Do Not Sell Framework’s opt-out mechanism appears to be limited to the device/platform used by the consumer to submit an opt-out request, privacy advocates may attempt to allege that the website owner has misrepresented the consumers’ ability to opt out.[18]
- Non-persistent opt-outs may not comply with the CCPA. When a user clicks on a website’s Do Not Sell My Personal Information link, it appears that the framework contemplates that the user’s preference would be recorded in a cookie placed on the user’s machine.[19] If a user clears their browser’s cookies, that preference selection would, presumably, be erased and, as a result, the user’s personal information would again start to be sold by a business. Put differently, by suggesting that website owners utilize cookies to store user Do Not Sell requests, the framework appears to be endorsing a non-persistent system for recording consumer preferences. It is unclear whether a non-persistent opt-out mechanism fully complies with the CCPA’s requirement that a business “refrain from selling personal information collected . . . about the consumer” after receiving an initial opt-out request and wait “at least 12 months before requesting that the consumer authorize the sale of the consumer’s personal information.”[20]
- Offline to online sales. The CCPA arguably requires a company that receives a do not sell request to cease the selling of information that is collected by the business both online and offline. The IAB framework’s focus on the online collection, and transmission, of do not sell requests does not appear to anticipate that many organizations may not collect sufficient information about a consumer to effectuate the request in the offline environment.
- Admission that most website visitors are “consumers.” The CCPA applies to “consumers,” a term defined under the Act as including only residents of the state of California. Many website owners have struggled with how to identify whether a website visitor is, in fact, a California resident. While data points that are sometimes collected by website owners (e.g., IP address, shipping information, or billing information) might bear some correlation to residency, such data points are far from conclusive. For example, a resident of Colorado who works for a company that is headquartered in Los Angeles might ship items to a California office address, present a California billing address, and even have a California IP address (e.g., via a corporate VPN), but would not be a California resident. The Limited Service Provider Agreement requires that website owners represent and warrant that they have “undertaken commercially reasonable efforts to determine that the User [that clicks on a Do Not Sell My Personal Information Link] is a Consumer” for the purposes of the CCPA, or that the website owner “has assumed that all Users on the Digital Property are Consumers.”[21] Both representations may be problematic. The former may state or imply that some effort has been undertaken to verify the residency of website visitors, when most websites neither collect residency nor take efforts to verify it. The latter would require that the website confer upon all visitors the rights of Californians. It also raises the specter that the California attorney general might use the contractual representation in an enforcement action to prevent a company from arguing that a particular visitor was not a Californian.