New material issued by the Interactive Advertising Bureau Tuesday suggests that some ad companies plan to aggressively interpret loopholes in California's sweeping privacy law.
The law, slated to take effect next January, includes a provision giving consumers the right to opt out of the sale or disclosure of their personal information -- including data used for ad targeting, such as persistent identifiers, browsing history and IP addresses.
The opt-out provisions require web companies to place a “do not sell my information” link or button on their sites.
But the measure has an ambiguously worded exception for situations where one company transfers data to another for “business purposes,” including advertising and marketing.
That exception could arguably apply when businesses sell data for ad targeting. (The law's definition of “sale” appears broad enough to cover the types of data disclosures and exchanges that occur in the online ad ecosystem.)
The IAB and IAB Tech Lab suggest in a compliance framework draft issued Tuesday that some advertisers plan to contend they aren't “selling” customers' data when they contract with ad-tech companies to disclose customers' information for business purposes.
“Advertisers often disclose the personal information of consumers ... to DSPs, DMPs, agencies, and others for targeting purposes,” the draft document states. “Some advertisers are choosing not to 'sell' (as defined by CCPA) such personal information by entering into service provider agreements where personal information is disclosed pursuant to business purposes.”
The IAB and IAB Tech Lab add that there are two consequences of this approach: Those advertisers “would not be required to put a 'Do Not Sell My Personal Information' link on their properties,” and “will be limited in the benefits that ad tech companies can provide in reaching their intended audience.”
The industry groups say the compliance framework “does not interfere with an advertiser’s right to pursue such a path.”
The organizations add that they're not taking a position on legal conclusions.
“The CCPA is not yet effective nor enforced, and there are provisions of the law that are ambiguous and leave room for interpretation,” the organizations write. “We recognize that there is no single, agreed upon compliance interpretation of the CCPA.”
California's attorney general is still crafting regulations to implement the bill.
But the notion that advertisers will be able to avoid the mandate for a “do not sell my information” link reflects a “very aggressive interpretation” of the statute, according to Justin Brookman, director for consumer privacy and technology policy for Consumer Reports.
“I think that interpretation is contrary to the spirit of the CCPA,” he says in an email to MediaPost.
Earlier this year, California Senator Henry Stern proposed an amendment (SB 753) to the privacy law that would have explicitly exempted targeted advertising from the law's mandates. He withdrew the proposal before it came up for a vote.
The IAB and IAB Tech Lab's compliance framework also addresses other aspects of the new law, including a provision giving consumers the right to learn what personal information is held about them.
The document was developed with input from more than 350 legal, public policy, and technical experts from online companies. The IAB is accepting comments on the draft until November 5.