Leading up to January 1st of this year my clients who met the thresholds for the CCPA had one question on their minds – will their status as an advertiser who merely purchases ad space from publishers like Facebook make them a seller of personal data under the CCPA’s broad definition of sale?
As a lawyer steeped in privacy, gray is a color I’ve become familiar with, but even this one had me (and every other privacy lawyer I know) spinning my wheels a bit.
Determining whether your business sells personal data sends you in a tautological circle of defined terms like “business,” “service provider,” “third party,” “sale,” and “business purpose,” each one like the next circle of Hell in Dante’s inferno. I read privacy laws on the regular and the devil is always in the details, but this is one where the deeper you go, the less those details make any sense.
Which leads me to the Facebook issue and the title of this post.
As mentioned, the definition of sale is broad. So while it would definitely include brazen data broker-ish activities like selling leads, it could also include more passive activities like purchasing targeted ad services from Facebook. That is, if Facebook uses the data that is shared by the corporate customer to Facebook for purposes other than for the “specific purpose of performing the services specified in the contract for the business,” which in this scenario would be to serve the corporate customer’s ads to Facebook users.
Facebook, like all companies, had about 18 months to figure out whether the way in which it used the data it received from its corporate customers made that exchange of data a “sale” under the CCPA. Still, it remained stubbornly silent until virtually the last moment, when it published this blog post pretty much stating that it viewed itself as fitting squarely in the “service provider” definition. Now call me naïve but fundamentally this made sense to me. Facebook shouldn’t be using that data for any other purposes. Their standard EU data processing agreement clearly stated that they were a “processor” under the General Data Protection Regulation, or GDPR, which while not a strict 1:1 match with “service provider” under the CCPA, is pretty darn close.
That Facebook believed it was a service provider was also music to advertisers’ ears because it meant that they could continue to purchase ad services from Facebook without posting the dreaded “Do Not Sell My PI” button.
And so we all plodded along, business as usual, until late June when Facebook so kindly posted this delightful blog post. It’s a quick read at less than 250 words but the gist is something like “Whoops! Business as usual was actually a sale. Starting July 1st, if y’all want to continue using Facebook’s ad services as a ‘service provider’ under the CCPA, you need to enable “Limited Data Use,” which will, as the name suggests, limit both the services we can provide and the benefits you will receive.” (Interestingly, there was no mention of whether they would offer a lower price to correspond with this limited service.)
In short, businesses can enable Limited Data Use, and continue the relationship with Facebook acting as a service provider. But if they continue to use Facebook’s services in the way they’ve been provided prior to July 1st, they will not be able to take shelter under the service provider exception and they will need to post a Do Not Sell button on their own websites (not on Facebook’s platform, mind you) that allows an individual consumer to apply Limited Data Use to his/her/their data.
If I was going to cut them some slack, I’d acknowledge that Facebook has some other issues to worry about right now. And even though I live and breathe privacy, right now combatting misinformation, racism, and systemic inequality is more important. But that doesn’t mean that privacy isn’t important too, which is why I’m not going to cut them said slack.
Instead, I’m going express utter disbelief at calling their blog post “Helping Businesses Comply With the California Consumer Privacy Act (CCPA)” when they’ve spent the past 2 years reassuring their corporate customers that business as usual was acceptable.
This is because while compliance under the CCPA is the responsibility of the “business” (in this case Facebook’s corporate customer), at the end of the day, those customers are not in the position to know what Facebook is actually doing with their data (and are any of us really?). They know they pay Facebook money and they know that ad conversions occur, but beyond that we all have had to take Facebook at its word that it was only using the data to facilitate the services being procured.
So how did we end up in this position where the ad services were a mere provision of services one day and a sale the next? Presumably the nature of the services themselves hasn’t changed overnight, so we can only speculate (though the timing of the change in relation to July 1st - the date that the California Attorney General will begin enforcing the CCPA - is certainly interesting).
The problem is where this leaves corporate customers and ultimately consumers. As a sole practitioner, most of my clients are startups who, while subject to the CCPA for one reason or another, don’t have the endless resources of established companies (like Facebook, for one!). They genuinely want to be compliant in this area and they’re struggling with the whiplash of Facebook’s turnabout, including the decreased value that will be realized from ad purchases that have already been made.
But the real losers here are consumers. By placing the burden of compliance in this area on the purchasers of Facebook’s ad services (instead of on Facebook itself) the promise of the CCPA to crack down on the big bad tech giants will never be fulfilled. In addition, the uneven thresholds for CCPA applicability mean that while a consumer can opt-out of the sale of their data by corporate customer A, who has an annual revenue of $25,000,0001, they cannot do so for corporate customer B, who has an annual revenue of $24,999,999. I suppose my next blog post should be about the revenue threshold. For now, we’ll let this one marinate a bit.