Back to top


Submitted by Tony Ficarrotta on October 13, 2020

Preparations for compliance with the California Consumer Privacy Act (CCPA) have been checkered with uncertainty ever since the law passed in 2018, with many questions still unanswered about how the CCPA and its implementing regulations will apply to the digital advertising ecosystem.  

One strategy for CCPA compliance that many businesses are exploring (or are already relying on) is the use of contracts to designate their ad-tech vendors as “service providers.” In theory, a business’ use of a service provider contract in connection with its transfer of “personal information” to an ad-tech vendor would prevent that transfer from being classified as a “sale” of personal information, and therefore potentially help many publishers and advertisers avoid the “do not sell” link and opt out otherwise required by the law.

However, brands and publishers should think twice before pursuing this approach, because while the initial appeal of using service provider contracts for programmatic advertising  is clear, the potential adverse impacts of doing so may not be, at least initially. Amid understandable confusion around the application of “service provider” contracts for complex digital advertising transactions, some businesses have come to the over-simplified conclusion that designating their ad-tech partners as service providers is a silver bullet that can solve their toughest CCPA compliance burdens without sacrificing business results.

This is most likely false. Experience is beginning to show that the use of service provider contracts by digital media publishers and brand advertisers to govern their relationships with ad-tech vendors has serious drawbacks.  The over-use of service providers can lead to multiple bad effects, including the degradation of individual business results, creation of unhealthy and anti-competitive market dynamics, and, ironically, increased compliance risks.

Individual business results are likely to suffer under a service provider regime because the CCPA’s strict requirements on how service providers are permitted to use personal information may prevent vendors from engaging in the data processing necessary to provide their services, or limit their operations to the point where the service is rendered ineffective.  Two of the biggest players in digital advertising -- Google and Facebook -- have not been shy about this fact.  While both of those companies have indicated they will act as CCPA service providers for publishers and advertisers in limited circumstances, Facebook has warned advertisers that doing so may have “an impact to campaign performance and effectiveness, and retargeting and measurement capabilities will be limited”; and Google has indicated that it will not “create or update profiles for ads personalization or use existing profiles to serve personalized ads'' relating to data to which restricted data processing -- which Google requires in order to act as as service provider -- applies.  Limitations on the use of consumer profiles to personalize ads will likely impact a publisher’s ability to monetize its ad inventory.  Publishers and advertisers shouldn’t expect anything different from their other ad-tech vendors, even if they have not released public guidance to that effect.

Beyond individual business results, brands and publishers should also consider the broader market dynamics they are influencing by limiting the availability and use of third-party data through service provider contracts.  The CCPA only limits the transfer of personal information from one company to another, either by allowing consumers to opt out of “sales” of personal information, or by tightly restricting how service providers can handle non-sale transfers of personal information. Large first-party platforms with their own proprietary data stand to benefit from those restrictions because they don’t need to rely on anyone else for data assets. On the other hand, third-party ad-tech vendors use collective information to enhance the quality of the services they provide to each of their clients individually, putting them at a competitive disadvantage under the CCPA.  These effects are exacerbated by the overuse of service provider terms, which allows walled gardens to continue to enhance their products and services using their own first-party data, while preventing other ad-tech companies from doing the same using third-party data, to the detriment of both ad-tech companies and the businesses they serve.

If walled gardens continue to grow more dominant as a result, publishers may see their ability to monetize ad inventory suffer, and advertisers are likely to see reduced value in the measurement and conversion services they rely on their ad-tech vendors to provide, as well as an overall reduction in the value of interest-based advertising for reaching their audiences.This free-rider problem will at first harm the digital advertising ecosystem as a whole by hampering the ability of third-party ad-tech companies to compete with large, first-party platforms. Over time, however, it’s publishers and brands who will suffer from a less competitive marketplace, but only after it’s too late and the competitive harms have set in.

Finally, and perhaps counterintuitively, publishers and brands that see service provider contracts as the way to go are likely to see greater compliance risks compared to those that are willing to classify their ad-tech vendors as “third parties.”  For example, because it is still unclear under the law and implementing regulations, and therefore unknown, how the California Attorney General will interpret the service provider provisions in the CCPA as they apply to specific digital advertising use cases, it’s possible that the contracts being used to designate ad-tech vendors as service providers may be determined to be inconsistent with the requirements of the law.  In that case, there may be a risk that the brand or publisher could be accused of having sold personal information to an ad-tech vendor without posting a required “Do Not Sell My Personal Information” link, or in contravention of a consumer’s request to opt out of sales of personal information.  Further, businesses relying on service providers must contend with the added complexity of responding to consumer requests for access to or deletion of personal information in concert with their service providers.  There is no corresponding requirement to coordinate with vendors designated as “third parties” for those requests.

Service providers are not solely responsible for managing these compliance risks. Depending on the circumstances, both a service provider and the business that engaged the service provider may be liable for uses of personal information that do not satisfy the CCPA’s requirements.  And while we may not know for certain what service providers can and cannot do for before the Attorney General begins taking enforcement actions on that issue, it is an area to watch closely for compliance risk.  Brands and publishers should bear in mind that the costs of violations can add up quickly – $2,500 for each violation or $7,500 for each intentional violation.

Taking all of these drawbacks together, brands and publishers should be thinking twice, maybe three times, about whether “service provider” contracts really are a silver bullet for CCPA compliance, and should be actively exploring alternatives to service provider arrangements with their ad-tech vendors to avoid negative side effects.  Given the very low rate of opt outs businesses are seeing, designating ad-tech vendors as third parties and posting a “do not sell my personal information” link in a webpage footer may be a small price to pay to keep the full range of products and services ad-tech companies can offer while keeping compliance risks low.

For brands and publishers seeking to think these issues through in more detail, we encourage you to read the NAI’s white paper on the use of ad-tech companies as CCPA service providers.

Submitted by Leigh Freund on September 30, 2020

The NAI welcomes GroupM’s Tamera Reynolds and Audrey Trainor of MediaMath to the NAI Board of Directors. They join Dan Hegwood, Markus Ruhl, and Matthias Mattiesen as new board members in 2020.

Tamera Reynolds is a Senior Partner and Associate General Counsel for the international media investment company, GroupM. Reynolds is responsible for strategic tech and data partnerships and data privacy compliance, across GroupM and its agencies. 

Reynolds previously was VP of Global Legal Counsel for Xaxis, the advanced programmatic arm of GroupM. While at Xaxis, she led (and continues to lead) legal and privacy support across a broad range of business functions including technology partnerships, intellectual property, privacy, and new business and policy initiatives.  

Prior to joining Xaxis, she worked at Sahara Media, Inc. and was instrumental in successfully executing an IPO during the 2008-09 financial crisis. The company subsequently was acquired by Youblast Global Inc.

“Tamera’s fifteen years implementating lawful and ethical procedures across multiple countries in the media industry makes her an exciting addition to the board,” said NAI President and CEO Leigh Freund. 

Audrey Trainor, Data Policy & Governance Manager at MediaMath, develops strategy on policy and process implementation around privacy, data use, and compliance. Her work helps ensure data is used ethically while ensuring continued growth at MediaMath. 

In addition to her leadership role with MediaMath’s Data Policy & Governance team, Trainor has led the NAI Precise Location Data and Opt-In Consent Guidance Working Group and served on the board of the Better Business Bureau of Metropolitan New York. 

“Audrey is an expert data policy strategist,” said Freund. “She works every day to make sure responsible data policies are part of an accountable and addressable supply chain for digital advertsing,” 

Tamera and Audrey join three board members appointed earlier in 2020, bringing the total membership on the board to twelve. Board members appointed in 2020 include:

  • Dan Hegwood – Xandr, Vice President, Legal

Dan Hegwood is Group VP for Xandr, and is responsible for Xandr’s global public policy program spanning privacy and other regulatory matters.  Hegwood also leads a team of attorneys covering Xandr’s international sales and operations.

  • Markus Ruhl – Global Data Privacy Officer, Publicis Groupe

Markus is a qualified attorney in Germany with over 20+ years of experience in various industries. He has worked for many years on emerging technologies, policy and global privacy issues, and spoken at privacy and security conferences.

  • Matthias Matthiesen – Quantcast, Senior Privacy Counsel

In his role as Quantcast’s Senior Privacy Counsel, Matthiesen works to manage the company's global privacy and data protection program and drive positive privacy and data protection changes at an industry level. Prior to joining Quantcast, he served as director of privacy and public policy at the Interactive Advertising Bureau Europe where led the industry’s strategy and approach to privacy and data protection in response to the GDPR and ePrivacy Regulation. 

The Network Advertising Initative’s other board members are Chairman Douglas Miller – Vice President and Global Privacy Leader, Verizon Media; Vice Chairman Ted Lazarus – Director of Legal, Google; Alan Chapell – President, Chapell & Associates (representing Eyeota); Dana Edwards, Senior Vice President, Engine Group; Duncan McCall, CEO & Co-Founder, PlaceIQ; Ken Dreifach, share holder, ZwillGen (representing Adroll), and Paul Harrison, Co-Founder & Chief Technology Officer, 

Submitted by Anthony Matyjas... on August 25, 2020

The NAI has been pleased with the positive response to its Guidance for NAI Members: Health Audience Segments (Guidance), and we continue to receive questions from member companies about the applicability of this document to various digital advertising products and scenarios.

One of the questions the NAI has fielded on several occasions relates to how the Guidance applies to non-member companies, typically in the form of advertisers. Together with the 2020 Code of Conduct (Code), the Guidance document establishes steps NAI members may take when creating audience segments for medications and treatments for various health conditions. 

The central premise of the Guidance is tied to the creation of audiences that rely only on demographic information, such as age or gender, and that are large enough to encompass at least ten percent of the total population, thus helping to preserve consumer privacy, and reducing the likelihood of singling out specific users who may actually suffer from a given condition.

However, the Code and Guidance apply only to NAI member companies, and NAI members often make audience segments available to advertisers who then choose to display advertising campaigns to the consumers in those audience segments. Can NAI members permit advertisers or other non-members to modify audiences created based on the Guidance with non-demographic data and/or by refining the audience size so that it becomes smaller than the ten percent threshold discussed in the Guidance? The answer is “no,” unless the non-member has received Opt-In Consent from consumers.

The NAI recognizes that it may not always be possible for member companies to police the uses of data that has been licensed to third-parties, and the NAI does not typically hold members accountable for what others may do with data that has been licensed to them. Nonetheless, the NAI expects member companies to place contractual and (when possible) technical restrictions on the use of data by clients and partners, to help ensure that such uses are consistent with the NAI Code and Guidance documents. These practices help spread the NAI’s high standards for consumer privacy beyond NAI membership, to the broader digital advertising ecosystem, including publishers, advertisers, and others.

Submitted by Tony Ficarrotta on July 1, 2020

Today is the first day that the California Attorney General (AG) is authorized to bring enforcement actions under the California Consumer Privacy Act (CCPA). It marks the start of what is likely to be an evolving process of privacy enforcement in California as the AG and the courts interpret the law for the first time, and while the status of the law itself remains in flux over the next few years.

How did we get here?

  • In 2018, Californians for Consumer Privacy were set to have their original version of the CCPA appear on the November 2018 ballot, but after negotiations with the California legislature, a compromise version of the CCPA was quickly passed into law.
  • In 2019, the AG solicited initial input on CCPA regulations, both in writing and through hearings around California, and published the first of four versions of the regulations. At the same time, the legislature passed amendments to the CCPA, and Californians for Consumer Privacy introduced a new ballot initiative, the California Privacy Rights and Enforcement Act of 2020 (CPREA).
  • So far this year, the CCPA went into effect on January 1st, and the AG has produced three different versions of the regulations – two modified drafts and final proposed regulations. Californians for Consumer Privacy succeeded in qualifying their new initiative for the November 2020 ballot, now updated and re-named the California Privacy Rights Act of 2020 (CPRA).

Where does that flurry of activity leave us today?

  • The CCPA itself has technically been in effect since January 1, 2020. Private litigants have been taking advantage of the CCPA’s limited private right of action for alleged data breaches since then, but those lawsuits have not affected ad-tech companies to date because the kinds of pseudonymous information ad-techs generally use are not subject to the private right of action.
  • Not until today, however, is the AG authorized by the CCPA to start bringing enforcement actions. That means, for example, that the AG may now bring a civil enforcement action for a business’s alleged failure to respect a California consumer’s request to opt out of the sales of personal information, or a service provider’s alleged failure to adhere to the strictures of their contracts. Such enforcement actions could result in fines of $2,500 for each violation or $7,500 for each intentional violation. AG Becerra has indicated that his office may bring enforcement actions for violations alleged to have occurred since the CCPA’s January 1 effective date.
  • After a business has been notified of alleged violation(s), that business has up to 30 days from the time of notice to cure the violation before being subject to an enforcement action and/or fines.
  • Although the AG proposed final regulations on June 1, those regulations are not yet directly enforceable because they have not yet been approved by the California Office of Administrative Law (OAL). For example, it’s possible that controversial language governing conflicts between local and global “do not sell” signals that appear in section 999.315(d)(2) of the final proposed regulations, but not the CCPA, may not be enforceable until the OAL approves the regulations.

What are the next steps in this evolving process?

  • As of June 1, the OAL had 30 working days, plus an additional 60 calendar days under Executive Order N-40-20 related to the COVID-19 pandemic, to review, approve, and file the AG’s final proposed CCPA regulations to make them effective. By my count, that means the OAL could make the regulations effective and enforceable any time between today and September 12, 2020. Or, the OAL could reject the proposed regulations for non-compliance with California’s Administrative Procedure’s Act.
  • California voters appear likely to approve the new CPRA ballot initiative this November. The CPRA, if approved, will significantly overhaul the CCPA and shift enforcement and rulemaking from the AG to a new California Privacy Protection Agency. The CPRA would take effect on January 1, 2023.

It has been difficult to track, much less plan compliance with CCPA developments over the last 18 months in the midst of legislative amendments, evolving proposed regulations, and Californians for Consumer Privacy’s second foray into direct democracy to alter the longer-term outlook. Regardless, businesses should expect to see the AG bringing enforcement actions under the statute in the near future, while remaining flexible in planning for new requirements under the final proposed regulations later this year, and under the CPRA in 2023.