Google recently announced that starting July 1, 2023, it will no longer act as a service provider in California under the California Privacy Rights Act of 2020, which amended the California Consumer Privacy Act of 2018 (CCPA), for cross-context behavioral advertising.
We know you may be wondering what this means and how it impacts marketers, so we developed an FAQ to help. Take a look, but keep in mind, we aren't lawyers, so please check with your own counsel about these issues.
What did Google announce? How does the announcement affect our agreement with Adswerve?
Starting July 1, 2023, Google will no longer be able to act as a CCPA “service provider” for the following services:
While these features and services will still be available, Google will now be considered a “third party” under the CCPA when providing those services and has updated the Google Data Processing Terms that apply to those services. In addition, these services and features will no longer be able to operate under Google’s “Restricted Data Processing” setting.
By extension, Adswerve will also no longer act as your service provider to the extent that you access the affected Google services via an agreement with Adswerve.
Why is Google making this change?
On January 1, 2023, the CCPA was amended by the California Privacy Rights Act, which introduced the concept of cross-context behavioral advertising under California law. The amended CCPA and the recently finalized CCPA regulations state that when a company’s services include cross-context behavioral advertising, that company can’t act as a “service provider” under the CCPA and must act as a “third party.”
What’s cross-context behavioral advertising?
“Cross-context behavioral advertising” is the targeting of advertising to a California resident based on the individual’s personal information obtained from their activity across businesses, distinctly-branded websites, applications or services (other than the business, distinctly-branded website, application, or service with which the consumer intentionally interacts).
The Google services listed above (Customer Match, Audience Partner API and certain DV360 features) involve these activities.
What’s the difference between a “service provider” and a “third party” under the CCPA?
A “service provider” under the CCPA is a vendor that processes personal information on behalf of a CCPA-covered business. In order to qualify as a service provider, the contract with the vendor must include specific restrictions on how they may process personal information, including (among other things) that the vendor won’t “sell” or “share” personal information, won’t use personal information outside of the direct business relationship with the business and won’t combine personal information that the vendor receives from the business with personal information collected from other sources except for specifically-approved business purposes set out in the CCPA and its regulations.
The CCPA also references “contractors,” which play essentially the same role as a “service provider” under the law and have the same contract requirements.
A ”third party” is any organization that receives personal information and isn’t the covered business, a service provider or a contractor. In other words, under the CCPA, if a business provides personal information to a vendor, partner, supplier or other entity and does not include the contract restrictions for service providers required by the CCPA, then that entity will be considered a “third party.” The contract between the business and the third party must still include certain required language under the CCPA in order for the third party to process personal information received from the business.
What does my business need to do in response to this change?
Among other rights, the CCPA grants California residents the right to opt-out of “sales” and the “sharing” of their personal information.
While every business should conduct an independent legal review of the Google services listed above and the business’s specific obligations under the CCPA and other privacy laws, beginning July 1, 2023, many businesses are now classifying their use of the revised Google services as “selling” or “sharing” personal information under the CCPA. As a result, those businesses are now planning to offer California residents the ability to opt-out from their personal information being used or transferred to Google for these particular services.
So, for example, when those businesses receive an opt-out from a California resident, they’ll no longer include that individual’s name on any customer list data files transmitted to Google for the services listed above. Please note, every business is different, and the approach taken by some businesses may not be relevant to or appropriate for other companies. It’s imperative that you seek legal counsel when determining your opt-out and other compliance obligations under privacy laws.
Whose responsibility is it to make sure that advertisers’ use of the services listed above complies with the CCPA and other privacy laws?
It’s important for all advertisers to conduct an independent legal review of the Google services they wish to use. For example, advertisers that are subject to the CCPA as a covered “business” should be aware of the privacy notice and opt-out requirements related to using services that involve cross-context behavioral advertising under the CCPA, as those advertisers will be responsible for ensuring their own compliance needs are met. The same is true for other US privacy laws, which include similar opt-out rights to those provided under the CCPA.
Will there be any service impact on July 1? Will the affected services continue to work? What if I’m using the services to target audiences in California? Will I still be able to do that?
Google will continue to offer the impacted services like normal after July 1, 2023, and we don’t expect to see any service interruption. The key change is that CCPA-covered businesses may no longer treat Google as a CCPA “service provider” for those services and will need to ensure that they’re collecting and implementing appropriate consumer “sale” and “sharing” opt-outs from consumers related to those services. You should reach out to your legal team to determine the specific steps your business may need to take to address these issues.
Will Adswerve also be updating the Adswerve Data Processing Terms (DPT)?
Yes. When Adswerve provides access to Google services, we’re required to flow down the same terms to our customers that Google includes in the Google Data Processing Terms. Adswerve will soon be publishing an updated version of the Adswerve DPT that will apply after July 1, 2023.
Please note that the above answers shouldn’t be treated as legal advice. Please obtain independent legal advice regarding recent developments under privacy laws and compliance questions specific to your business in connection with your use of Google services.
If you have questions we didn't address, please feel free to reach out.