The CCPA, similar to the GDPR in the EU, has established requirements on companies that collect, use, and share data related to California residents (or “consumers” as such are defined in the CCPA). Under the CCPA, personal information is defined very broadly to mean information that can identify, relate to, describe, be associated with, or be reasonably capable of being associated with a particular consumer. IAS does not collect or process information that is directly identifiable information concerning natural persons (for example individuals’ names). However, in the course of providing services to its Customers, IAS does collect IP addresses and other electronic information. This is generally considered to be personal information under the CCPA, and we treat it in line with our obligations under the CCPA
1. How does the CCPA apply to IAS in the context of working with its Clients?
The CCPA applies to IAS when we are providing our core service offerings to Clients and processing personal information collected from Clients in connection with performing our services on their behalf, in which case we act as a “service provider” as that term is defined under the CCPA and the California Attorney General’s Proposed Regulations. These core services include Brand Safety, Ad Fraud, and Viewability.
As a service provider, we commit to retain, use and disclose personal information only to perform services for our Clients and our CCPA-qualified business purposes. In addition, we will reasonably assist our Clients’ efforts to comply with requests from consumers as appropriate.
We will continue to closely monitor the regulatory process and the Attorney General’s Proposed Regulations. The Attorney General released his Proposed Regulations on October 11, 2019, which were the subject of public hearings in early December and hundreds of comments were submitted on December 6, 2019. As of the date of these FAQ’s, the Attorney General has not yet issued final regulations, and it is possible and anticipated that the regulatory picture will not be finalized until late winter or early spring. We are committed to working with our Clients to address their and our obligations under the CCPA, and any other future privacy laws, with regard to our current and future service offerings.
2. Can you provide more detail on how IAS is a “Service Provider” under the CCPA?
The CCPA allows for service providers to retain, use and disclose personal information for the CCPA business purposes and other operational purposes, such as for detection of security incidents and protecting against fraudulent or illegal activity, debugging, appointing subcontractors, internal R&D, and improving the quality or safety of its service. This is precisely what IAS does for its Clients when performing its core services on their behalf. This position is further supported by the Proposed Regulations. While Section 314(c) of the Proposed Regulations generally purport to limit the activities of service providers, it is IAS’s belief that the Proposed Regulations explicitly do not limit IAS’s processing of personal information that it carries out with respect to its core services. Section 314(c) of the Proposed Regulations includes a specific provision that allows service providers to “combine personal information received from one or more entities to which it is a service provider, on behalf of such businesses, to the extent necessary to detect data security incidents, or protect against fraudulent or illegal activity.” To the extent that IAS combines personal information received from one or more of its Clients in order to provide its services, it does so pursuant to allowances under the CCPA, including Section 314(c) of the Proposed Regulations. This is particularly true as to IAS’s Ad Fraud service, in which IAS collects and compiles a database of both legitimate and fraudulent or bot IP addresses from each of its Clients in order to provide this service to all its Clients. Moreover, IAS also uses deidentified and aggregate consumer information to deliver its core services and the recent amendments to the CCPA clarify that this data does not constitute personal information under the Act.
On a related note, IAS was actively involved in the IAB CCPA Taskforce that was instrumental in the recently released IAB CCPA Compliance Framework for Publishers and Technology Companies, a CCPA technical solution for the Ad Tech industry for situations where a publisher or technology company may not qualify as a “service provider.” Although we believe that IAS’s core services do not involve a “sale” of personal information that would lead IAS to lose its status as a service provider under the CCPA, IAS has nevertheless become a signatory to the IAB CCPA Compliance Framework to ensure that IAS can transact with all IAB CCPA Compliance Framework participants and process all participant transaction related data.
For more information on the IAB CCPA Compliance Framework and the accompanying Limited Service Provider Agreement see: https://www.iab.com/blog/ccpa-compliance-framework/.
3. As a tech/data/measurement/media partner, how are you addressing the CCPA?
While the outcome for third-party Interest-based Advertising (“IBA”) remains unknown, we are continuing to monitor the rule making process and hope to see to see clarity that the service offerings we provide would not be considered a sale. While we are confident in our role as a service provider when offering our core services, as discussed above, nonetheless, we remain actively involved in the IAB opt-out solution process and are working with outside privacy compliance counsel to help us maintain comfort that our characterization of our services and service provider status is appropriate.
Note that when we are providing core Brand Safety, Ad Fraud, and Viewability services we are not engaging in IBA and we believe we are a service provider under the CCPA.
4. What should ad agencies be telling their Clients?
IAS operates as a CCPA service provider committed to assisting our customers to operate in compliance with the Act and the Proposed Regulations. If we conclude that any of our current or future services do not qualify under the service provider, or any other, exception to sale, we will inform our customers of those services and work with them to address their and our appropriate CCPA compliance obligations.
5. Given the consumer rights provided by the CCPA, what are you doing to address consumer rights?
As explained above, we believe that our core services do not involve the sale of personal information. Furthermore, IAS does not knowingly process the personal information of any persons under the age of 16 thus negating the opt-in requirement for minors even were the disclosures to be deemed a sale. As a service provider, we are not obligated to honor requests to know information or requests to delete by consumers regarding personal information we process as a service provider, and accordingly we do not plan to do so. To the extent we conclude that any of our current or future services do not qualify under the service provider, or any other exception to sale, we will inform our Clients of those services and work with them to address theirs and our appropriate CCPA compliance obligations.
As for our Clients’ obligations as a business to respond to consumer requests, we will reasonably cooperate with our Clients to assist them in complying with regard to the personal information we are processing for them where feasible, and to the extent required by applicable law. As for deletion requests, to the extent we do not have a CCPA-qualified retention right, in which case our retention will be limited to that CCPA-qualified purpose and for only so long as that purpose exists, we will comply with a Client’s instruction to delete personal information we are processing for that Client.
For further information on how we will comply with consumer rights requests as a service provider, depending in whether your services are governed by a MSA, SOW or our Standard Terms and Conditions, we refer you to CCPA Addendum (MSA & SOW Clients) found here or CCPA Addendum (T&Cs Client) here found here.
6. Since most agency/ad tech partners DO NOT collect what we traditionally think of as PII (some may given their purpose) only online cookie data, how does this actually tie back to the user making a request for their data (to view/delete) since we can’t tie the cookie to the user 1 to 1?
Online cookie data and other pseudonymous data is personal information under CCPA. This is a big change from how U.S. law has historically worked. We have already dealt with this issue in Europe regarding the GDPR and we are doing so in the U.S. now as part of CCPA compliance. The fact that the CCPA definition is so broad does not change our compliance analysis as set forth above – we still conclude that for our core services we are a CCPA service provider and that the disclosure of consumer personal information from our Clients for our performance of services for them is not a sale of personal information under the CCPA. To the extent we conclude that any of our current or future services do not qualify under the service provider, or any other, exception to sale, we will inform our Clients of those services and work with them to address their and our appropriate CCPA compliance obligations.
7. Considering GDPR is somewhat similar, for those Clients that are global, can you provide perspective on how CCPA might impact Clients in the US (given how GDPR impacted EU)?
While the two regimes differ, there are overlaps. We have already dealt with GDPR compliance for our existing core services, and we are prepared to address the new requirements of CCPA. We are finding that our global Clients are having a similar experience with respect to their own CCPA compliance. For Clients that are U.S.-centric, the CCPA can seem overwhelming. We are happy to work with Clients to understand how our services work, how we come to the compliance conclusions we do, and what that means for each of us and our Clients.
Notably, one important distinction between the GDPR and CCPA for IAS compliance purposes is that IAS has taken the position that is both a controller and processor under the GDPR when providing services to its clients, but that it is only a service provider under the CCPA. Unlike the GDPR, which substantially limits processors’ processing activities to the documented instructions of the controller, the CCPAallows for service providers to retain, use and disclose personal information for the CCPA business purposes and other operational purposes.
8. How do I learn more?
We have prepared CCPA data flow charts for IAS’s core services that can be provided upon request. Please contact our Global Compliance Officer, at firstname.lastname@example.org, for a copy or to further discuss any questions or concerns you may have about our CCPA and other privacy and data protection compliance programs.