California: IAB white paper offers insight into CCPA compliance in the CTV/OTT environment
The Interactive Advertising Bureau ('IAB') released, on 16 November 2021, a white paper addressing companies' compliance with the California Consumer Privacy Act of 2018 ('CCPA') within the connected TV ('CTV') and over-the-top ('OTT') marketplace. In this respect, the white paper provides an overview of the CTV/OTT landscape while examining various issues, and aims to provide solutions to ensure that CTV and OTT companies are compliant when the California Privacy Rights Act of 2020 ('CPRA') takes effect.
Following the enactment of California's CCPA, which made California the first US State to enact comprehensive privacy legislation, companies were faced with the need to improve their privacy standards in various areas in order to ensure compliance, including with respect to digital advertising. The IAB facilitates these compliance efforts with the CCPA, and now the CPRA, through resources on various themes, including on CTV and OTT.
With this in mind, the IAB highlighted in its white paper that, 'digital advertising in the CTV/OTT space has unique privacy compliance considerations. The diverse participants and their varied roles, responsibilities, and relationships to the personal information processed, as well as applicable technical standards and limitations, do not line up neatly with comparable processes for programmatic advertising for desktop and mobile. In particular, the CCPA's classifications of business entities and how to treat data flows among them raise added complexities in the CTV/OTT environment.'
As a response to this need to facilitate compliance in the CTV/OTT environment, a working group was created specifically for CCPA compliance considerations for CTV/OTT, and to focus on:
- identifying current CCPA practices;
- identifying data flows relevant to CCPA analysis;
- developing a common framework for addressing CCPA classifications; and
- determining next steps in order to prepare CCPA compliance solutions which would address data sales and service provider disclosures.
Following discussions on this and a field survey to explore these matters further, the white paper was developed with a focus on the CTV/OTT marketplace stakeholders, how participants disclose and process personal information, how they view themselves when applying CCPA definitions and compliance obligations, whether and which friction points exist with respect to CCPA compliance, and potential solutions. As such, this article breaks down some of the key points within these discussion categories of the white paper.
Sharing personal data in the CTV/OTT environment
One important point of consideration with respect to compliance with the CCPA in the CTV/OTT environment is that there are various stakeholders involved, all of which differ in certain ways. These include, among others, platforms and devices, content providers, broadcast enablers, data management platforms, and advertisers. However, and as the white paper notes, most, if not all, of these types of entities will either process or have a relationship to personal information that is transmitted within the CTV/OTT ecosystem in some way. This could be because the information is necessary to perform a function, is a company asset, or is a targeted audience.
As such, it is important to consider how the CCPA defines 'personal information' and then apply this definition to the CTV/OTT environment. Specifically, the CCPA defines 'personal information' as 'information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. […]'. Therefore, and as the white paper indicates, this definition encompasses both direct identifiers, such as name, email address, or physical address, and digital identifiers, including those used in the CTV or OTT context. Within the CTV/OTT environment, such personal information is collected and then used in three key parts, namely from the sell-side of the industry, the buy-side of the industry, and third parties.
On the sell-side of the industry, personal information is collected, combined, and analysed to understand user and household viewing habits, which advertisers can then use to target advertising. On the buy-side of the industry, the white paper highlights relationships such as advertisers relying on publishers' data to target advertising based on the advertiser's criteria, or advertisers using their own first-party data to target users on CTV/OTT publisher properties. Finally, the white paper also discusses the possibility of third-party data being leveraged by advertisers, for example when expanding to a wider customer base or marketplace.
Stakeholder views on CCPA categorisation
With the above in mind, another important categorisation per the CCPA is whether such entities view themselves as a 'business', 'service provider', or 'third party', where they may function as any of these depending on the data at issue and function being performed. In this respect, the white paper highlights some interesting results deriving from the field survey:
- Most platforms, devices, advertisers, and content providers: These entities primarily viewed themselves as a 'business', although a few acknowledged they could also be a 'third party' purchasing personal information, or act as a 'third party' processing personal information on behalf of another 'business'.
- Demand side platforms, supply side platforms, and other intermediaries: Responses to the field survey were fairly evenly divided in describing their roles, although the white paper indicates that it is less clear from the survey whether these responses reflect different interpretations of the different terms, or whether the responses turned on particular functions and data flows.
- Measurement and attribution companies: Such entities mainly viewed themselves as a 'service provider' but a few indicated they viewed themselves as a 'business' or 'third party' as well. However, the white paper indicates that these responses do not necessarily account for all types of measurement and attribution services.
The white paper also highlights classifications and survey results with respect to data sharing arrangements, noting, for example, that the majority of participants in the field survey stated that platforms, devices, and identity resolution providers were the main sources of personal information disclosed to them. The white paper also indicates various results with respect to entities and their CCPA obligation to provide a 'Do Not Sell My Personal Information' option on their website.
Friction points for CCPA compliance
One of the main so-called 'friction points' that the white paper indicates with respect to CCPA compliance concerns the obligation for opt-out mechanisms through the 'Do Not Sell My Personal Information' option, detailing that the application of such mechanisms is inconsistent. Specifically, the white paper indicates that there is a lack of consensus on which data sharing arrangements for ad purposes prompted a company to offer a 'Do Not Sell My Personal Information' option, as well as where and how to offer such an option. One noted possible solution that the white paper highlights for these inconsistencies is additional guidance from the California Attorney General's ('AG') Office, though the white paper also states that the AG's Office has made it clear that 'the use of personal information for ad targeting purposes is likely a 'sale' under CCPA, and 'businesses' that direct users to opt-out via industry opt-out pages for general interest-based advertising is insufficient for purposes of providing a lawful 'Do Not Sell My Personal Information' right under the CCPA'.
To this effect, the white paper clarifies that, 'when participants act as 'businesses', their disclosures of 'personal information' to other participants, in nearly all cases, should be considered 'sales', except when disclosing such 'personal information' to their 'service providers'. As such, each participant must provide a 'Do Not Sell My Personal Information' mechanism in relation to such disclosures to non-'service providers'. Furthermore, the 'Do Not Sell My Personal Information' mechanism cannot direct users to opt-out on a generic industry page. Instead, users must be able to make requests directly to the 'business' 'selling' its personal information and that 'business' must effectuate that opt-out (without further user action).'
Although the white paper does discuss some other friction points which were considered, the matter around 'Do Not Sell My Personal Information' opt-out mechanisms and the inconsistency of offering this within the CTV/OTT environment remained as one of the main points. This inconsistency is then exacerbated by the lack of consensus on the role of parties with respect to various data flows. As such, the white paper discusses the benefits of having a clear industry standard and mechanisms to support such an opt-out option designed specifically for the CTV/OTT environment and CCPA compliance.
In this regard, the white paper offers no clear solutions, stating that it will be left for the working group to explore whether the IAB's CCPA Compliance Framework and Limited Service Provider Agreement could be a workable solution where adjustments may be made, as necessary, in order to adapt it to the CTV/OTT environment. To this end, the white paper also highlights that, in doing so, the working group will explore whether any best practices or technical innovations may be used to provide additional solutions in assisting parties' operationalisation of the CCPA in order to ensure compliance, including harmonising privacy rights options across the CTV/OTT, desktop, and mobile environments.
Iana Gaytandjieva, Lead Privacy Analyst