Opt-out Options: how consumers and publishers are navigating the CCPA post-enforcement
By now most if not all US marketers are all too familiar with the wide scale changes the CCPA imposes on the digital ad ecosystem. Since coming into effect January 1st of this year, brands, publishers, and technology providers alike have been working tirelessly to get their proverbial houses in order - updating privacy languages and establishing opt-out mechanisms in accordance with the law, auditing (and in some cases limiting) the data collected and shared via site pixels and app SDKs, and reworking backend data systems that enable data on opted-out users to be scrubbed from CRM databases and the like. Yet, until relatively recently, most of this work has been done behind the scenes - going largely undetected by most consumers.
Since moving from enactment to enforcement of the CCPA in July, however, these implementations are starting to manifest in new and in some cases bizarre ways. And while the CCPA (and the European predecessor, GDPR) created a flurry of newcomers and M&A deals in the “consent tech” space (and, of course, a new acronym, the “CMP” for consent management platform, to go along with it), the varying interpretation of the law and subsequent lack of industry-wide standardization create potentially confusing consumer-facing solutions. As a result, “accepting cookies” or electing “do not sell” options are just small examples of ambiguity around what it means to opt-out of data collection and ultimately our rights as consumers to protect our data - which is the purported intent of the law in the first place.
Interpretation is 9/10ths of the Law
So, what does the CCPA explicitly state about providing opt-outs for consumers? To put it simply the CCPA states businesses that “sell” data are required to provide two or more methods for California residents to request to opt out. In the digital space, common methods include clear and easily accessible links to request forms titled “Do Not Sell My Personal Information” or “Do Not Sell my Info” on the organization’s site or app. While that seems simple enough, the definition of the sale of data is, of course, not nearly as simple. And herein lies just one of the challenges the industry has raised with the legislation from day one.
While far beyond the intended scope of this writing, suffice it to say the same brands, publishers, and tech companies tasked with CCPA compliance also have different interpretations of the “sale” of data and subsequently their resulting responsibilities under the law. In addition to trying to decipher the meaning of a four-letter word, organizations are undoubtedly considering their risk exposure in the event of non-compliance. While internal debates about being data controllers / businesses vs service providers (the former have more to uphold under the CCPA than the latter) are months old and should hopefully be ironed out at this point, the lack of a consistent industry-wide approach has left many implementing a wide spectrum of options to be compliant with the CCPA according to their interpretation.
(Web)sites to be Seen
Similar to what our European counterparts saw in the wake of the GDPR two plus years ago, we are seeing different interpretations manifest in different opt-out and consent rollouts - some of which are quite contradictory or limited by technology frictions while others are relatively forward-thinking, but could also hamper day-to-day business outside California. Just a few examples of what we’ve seen going about our daily digital lives include:
The Pretty Good. The Huh? And the WTF?!
The above examples are just a few of the many choices now facing consumers nearly every time they visit a site or download an app. To go deeper, we’ve taken a closer look at three more options facing consumers - obfuscating the originating sources to protect the innocent.
The Pretty Good
This example comes from an organization that operates in the mobile space, and thus is largely reliant on mobile ad ids. The below screenshot is an excerpt of their data request page recently viewed on a desktop browser. We appreciate that this organization has chosen to interpret the spirit of the law by allowing users to opt-out of mobile data collection despite being on their desktop. However, as one of the authors sheepishly admits, it's unlikely the average consumer knows where to locate their mobile ad id. What’s more, the mobile ad id is technically resettable, so it's quite possible to opt out with one yet be back in the mix the next time it's reset. Remembering to repeat this process seems like a tedious cycle though we understand that this is a technical limitation rather than a miss on the part of the organization providing the opt-out mechanism.
Bonus - The Has Potential
As a bonus, we’d be remiss not to share a relatively new Google Chrome extension called Ads Transparency Spotlight we’ve recently come across that we think is interesting albeit a little tough to fully appreciate if you’re not self-professed adtech geeks like us. The screenshot below demonstrates one of the extension’s main features - listing all the technology vendor pixels that fire on a particular page and providing links to their privacy policies. We think it’s quite interesting to explore all the vendor pixels on any one page (again, self-professed adtech geeks), and while the links to privacy pages are helpful where available (we found missing links about 10% of the time when visiting the homepages of a few Comscore top 100 websites), we’re really not sure what a typical user is supposed to do with this information. Still, given Google’s widely known move towards third party cookie deprecation, we suspect extensions like this could evolve into something more usable for the average consumer over time.
Much like the onset of the GDPR in Europe, the move from enactment to enforcement of the CCPA has been swift, and as a result, we are not surprised to see industry players (and newcomers) responding in different ways. Yet, as brands, publishers, and tech providers institute necessary changes to be compliant, consumers are left with a mixed bag of options that don’t always make sense. What’s more, the CPRA (the California Privacy Rights Act) is on the November ballot and is quite likely to be approved by voters. With it, comes a hyper-focus on the “sale” and now “sharing” of personal information explicitly for the purposes of “cross-context behavioral advertising” that will undoubtedly further complicate the compliance landscape for years to come.
In the interim, while the CCPA is still fresh in minds and the mechanisms used to comply still being ironed out, we offer a few key takeaways (but definitely not legal advice) for consumers:
Know what’s collected and why before opting out - some collected data, while potentially used for advertising, also helps improve your user experience. At this point, the CCPA does not differentiate much between the two.
Weigh the time/effort of opting out versus the utility derived from the site/app. This is particularly true of sites you use regularly that rely on advertising to drive revenue.
Be leery of class action lawsuit lawyers masquerading as new consumer technologies as these organizations collect just as much data about you and could be acting even more nefariously than the organization you’re aiming to sue.
And a few takeaways for publishers (and brands):
Make what data you collect and for what purpose(s) abundantly clear and available in plain-language to consumers.
Make it ridiculously easy to opt-out using easy to find (and working) “Do Not Sell” links.
Avoid just passing the buck downstream to technology partners as chances are you’re still liable for some degree of data privacy.
This article was co-authored by Pete Cook.
Note: The comments and opinions expressed in this document should not be taken as, or construed as giving, legal advice and we would recommend the reader take independent legal advice in relation to the interpretation of the requirements of data legislation. For more on this topic, see https://www.groupm.com/opting-out-of-the-opt-out-a-conversation-about-third-party-cookies/