September 17, 2019

California Consumer Privacy Act and AdTech

*This presentation is offered for informational purposes only, and the content should not be construed as legal advice on any matter.

www.dlapiper.com

Agenda

Attorney-Client Privileged and Confidential 2

Introduction

AdTech ecosystem

CCPA – key components

Key digital advertising activities

Applying CCPA to advertising and marketing activities

Operationalizing CCPA: responding to consumer requests

www.dlapiper.com 3

Presenters

Kate LucentePartnerkate.lucente@dlapiper.com

Rena MearsPrincipalrena.mears@dlapiper.com

Tracy ShapiroPartnertracy.shapiro@dlapiper.com

www.dlapiper.com

AdTech ecosystem

4

AdTech ecosystem – CCPA impact analysis

5

www.dlapiper.com 6

Marketing and advertising – enterprise view

Attorney-Client Privileged and Confidential 6

Email marketing

Organizational groups

Direct mail

Channels Activities (impacted by CCPA)

Telemarketing Experiential marketing

Regional, geography-based

marketingMobile marketing

Video marketing Search engine marketing

Website marketing Social media marketing

Website Mobile

Phone Email

Social Media Search

In-person events Direct mail

Out of band Video

Customer experience

Profiling and enrichment

Display advertising Direct mail/print marketing

Email marketing Paid social advertising

Analytics Search engine

advertising (paid search, PPC, CPC)

Campaign management CRM management

Loyalty and referral programs

Cookie, pixel, and tag management

Affiliates

Social listening Retargeting

Inbound marketing Surveys

www.dlapiper.com

CCPA – key components

7

Access / copy Introduces broad rights for consumers, including the right to obtain a copy of personal information in a portable form, and the right to know how the business has handled the specific individual’s personal information in the preceding 12 months

Deletion Upon request, a business must delete a consumer’s personal information, unless an exemption applies

Do not sell Introduces mandatory right to opt out of sales of personal information. Businesses must provide a “do not sell” link on website to a page that explains how to opt out

Enhanced notice Businesses must disclose collection and use of personal information prior or at point of collection. Privacy policies require updates and specific disclosures

Discrimination Businesses are prohibited from discriminating against consumers for exercising their rights, eg, by offering a different class of service or charging a higher rate

Incentives Businesses may only offer incentives that are fair and fully disclosed; incentives must be reasonably related to the value of the consumer’s personal information

Contract terms Introduces mandatory contract terms for service providers

Enforcement risks Private right of action and statutory damages of $100-750 per violation in the event of data breach of unencrypted or “un-redacted” personal information, if company did not have “reasonable” securityEnforcement of privacy provisions by California Attorney General with penalties of up to $2,500 ($7,500 if intentional) per violation

Key components of the CCPA

Business vs. service provider vs. third party

9

BusinessAn entity “that collects consumers’ personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information, that does business in the state of California” Section 1798.140 (c)

Third party An entity that is not a business or a service provider. Section 1798.140(w)

Service provider An entity “that processes information on behalf of a business and to which the business discloses a consumer’s personal information for a business purpose pursuant to a written contract, provided that the contract prohibits the [service provider] from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract for the business or as otherwise permitted by [CCPA] including retaining, using, or disclosing the personal information for a commercial purpose other than providing the services specified in the contract with the Business.” Section 1798.140 (v)

• Personal Information: “information that directly or indirectly identifies, relates to, describes or is reasonably capable of being associated with or reasonably linked to a California resident or household” (eg, contact information, government IDs, biometrics, location data, account numbers, purchase history, behavior, tendencies, online and device IDs, cookie IDs, search and browsing history or activities from connected devices)

• Four buckets: an approach to addressing the breadth of the definition• Data elements – traditional concept of personal information • Contextual – attributes, profiles, queries, ordinary course of business• Potential – may be PI given significant effort, not done in ordinary business• Not Personal Information - financial information, not related to a personBuckets 1, 2 and 4 operational response; Bucket 3 requires analysis and decision

Key definitions under CCPA

• Collection: Includes buying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means, including active and passive collection and observing individual behavior

• Sale: Broadly includes selling, providing, making available or disclosing personal information in exchange for any consideration or thing of value

• The following is NOT a sale: The business uses or shares with a service provider personal information of a consumer that is necessary to perform a business purpose (if notice provided and service provider provisions are in place)

Key definitions under CCPA

Business purpose means the use of personal information for the business’s or a service provider’s operational purposes, or other notified purposes, provided that the use of personal information shall be reasonably necessary and proportionate to achieve the operational purpose for which the personal information was collected or processed or for another operational purpose that is compatible with the context in which the personal information was collected, including:

• Auditing related to a current interaction with the consumer and concurrent transactions, including, but not limited to, counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with specification and other standards

• Short-term, transient use such as the contextual customization of ads shown as part of the same interaction, provided the personal information that is not disclosed to another third party and is not used to build a profile about a consumer or otherwise alter an individual consumer’s experience outside the current interaction

• Performing services on behalf of the business or service provider, including … providing advertising or marketing services, providing analytic services, or providing similar services on behalf of the business or service provider

Key definitions under the CCPA

www.dlapiper.com

• Contextual and ad reporting

• Behavioral advertising • Retargeting

• Advertising analytics

• SSPs, DSPs, DMPs• Ad exchanges

• Direct ad sales and buys

• Ad agencies

13

How will the CCPA apply?

Specific digital advertising activities

• Providing user segments to data provider

• Obtaining third-party user segments• Intermediaries that connect two entities data

sets so that one entity can supplement its data set

• Using existing user data to target ads (to the user, lookalikes) on social media platform

www.dlapiper.com

Applying CCPA to advertising and marketing

14

www.dlapiper.com

An effective and efficient method for determining the impact and the operational requirements necessary to comply with CCPA is through the analysis of the following five CCPA use cases:

Three use cases are based on the consumer requests made by consumer:• Access• Deletion • Do not sell

Two use cases involve the enterprise requirements with respect to consumers and third parties:• Transparency/notice• Third parties vs. service provider

It is important apply the use cases to both individual functions, such as marketing, as well as to the enterprise as a whole to manage CCPA compliance effectively

15

CCPA use cases

www.dlapiper.com

• Privacy policy updates • Categories of information collected, sold, disclosed for a business purpose

• Notice of collection and use at or before collection• Are cookie banners now required?

Opt out• Managing opt out

• After opt out, can’t request consumer opt back in for 12 months• Applying opt outs to stop personal information disclosure• Distinguishing between sales and non-sales involving third-party tags

• Reseller provisions• AdTech providers may begin to seek a rep from publishers that they have provided the notice

and opt out required by CCPA

Transparency and notice

16

Applying CCPA obligations in AdTech

www.dlapiper.com

• Challenges in responding to access and deletion requests in the AdTech space

• What is a “verifiable consumer request”? • A request that is made by a consumer … that the business can reasonably verify, pursuant to regulations

adopted by the Attorney General to be the consumer about whom the business has collected personal information. A business is not obligated to provide information to the consumer if the business cannot verify that the consumer making the request is the consumer about whom the business has collected information or is a person authorized by the consumer to act on such consumer’s behalf.

• Determining who is a California resident

Access and deletion

17

Applying CCPA obligations in AdTech

www.dlapiper.com

Third-party management• Ensure appropriate contractual terms are included in contracts with service providers• Consider role of agency, including in contracting with third parties

• Data enhancement and acquisition

Non-discrimination vs. fair and reasonable incentives• Consumer can’t be required to waive rights under CCPA or be penalized for exercising rights

• Nothing in this subdivision prohibits a business from charging a consumer a different price or rate, or from providing a different level or quality of goods or services to the consumer, if that difference is reasonably related to the value provided to the business by the consumer’s data

CCPA vs. GDPR• Consent versus opt-out (but no opt in request for 12 months)

• Use of cookie banners, tag managers and consent portals for GDPR + CCPA

18

Applying CCPA obligations in AdTech

www.dlapiper.com

Operationalizing CCPA: responding to consumer requests

19

www.dlapiper.com 20

Process requirements – CCPA consumer request

1. Consumer request 7. Communication

2. Point of contact 8. Production action

3. Audit record 9. Response aggregation

4. Validation of request 10. Response package review

5. Response analysis 11. Consumer response

Central Orchestration Point

6. Required actions 12. Record action and close

• Data governance committee• Privacy office• Privacy software / workflow

Management tool• Audit tool• Functional POCs• Legal/compliance

www.dlapiper.com 21

CCPA: “The Law of Lists”• List of covered population

• List of categories of personal information collected, sold and disclosed during the preceding 12 months

• List of categories of sources from which the business collects Personal Information

• List of categories of third parties who purchased or received Personal Information

• List of business processes that collect Personal Information

• Inventory of systems and data stores and corresponding owners

• Inventory of data maps

• Inventory of websites, mobile applications, marketing and digital marketing activities

• Inventory of cookies, cookie providers and pixels

• List of use cases (interaction, sources, channels, relationships, consumer types)

www.dlapiper.com

Questions?

22

www.dlapiper.com

Thank you

23