A "sale" is coming to a CTV near you: IAB on CPRA in CTV

IAB issues white paper on CTV compliance under CPRA.

Key points:

• “indirect” and digital identifiers, including those used in the CTV or OTT context, such as proprietary user IDs (e.g., TIFA from Samsung, RIDA from Roku), IP address, household IDs, mobile advertising IDs (e.g., IDFA, GAID), and precise geolocation - are personal information under CCPA
• CTV/OTT targeting at the household level via IP address is also personal information under CCPA (because of the inclusion of the "household" component)
• The sell-side of the industry collects and uses “personal information” (as defined by CCPA). First, device providers, content providers, vMVPDs, and other CTV/OTT publishers directly collect first party data from their own users. More specifically, publishers collect “ACR data” (the content that the user is watching), unique user ID (e.g., proprietary user ID assigned by a content provider or device manufacturer based on user log-in, such as Samsung’s TIFA), IP address of the user’s device, and, if available, any demographic information within the user’s profile (if logged in).
• The buy-side of the industry also collects and uses “personal information” (as defined by CCPA). Advertisers may rely solely on publishers’ first-party data (e.g., walled gardens) and work with those publishers to target advertising based on the advertiser’s criteria. Advertisers may also choose to use their own first-party data to target users on CTV/OTT publisher properties. For example, advertisers may maintain their own personal information about their consumers, such as a consumer’s name, purchase history, and physical address, which is stored in the advertiser’s CRM. Advertisers translate the names and physical addresses into their targetable IDs because CTV/OTT users are targeted via digital identifiers (e.g., proprietary user IDs, MAIDs, or IP addresses), typically through the use of an “identity resolution provider” -- advertisers upload their CRM data (an “input file”) and then receive the corresponding IP addresses or proprietary user IDs “keyed” to that CRM data (the “output file”).
• Many CTV/OTT participants, given the nature of their business, may function as a “business,” “service provider,” or a “third party” (as those terms are defined under the CCPA) depending on the data at issue and function performed
• When participants act as “businesses,” their disclosures of “personal information” to other participants, in nearly all cases, should be considered “sales,” except when disclosing such “personal information” to their “service providers"
• As such, each participant must provide a “Do Not Sell My Personal Information” mechanism in relation to such disclosures to non-“service providers.” Furthermore, the “Do Not Sell My Personal Information” mechanism cannot direct users to opt-out on a generic industry page. Instead, users must be able to make requests directly to the “business” “selling” its personal information and that “business” must effectuate that opt-out (without further user action).
• CA AG has not provided any examples of this concept as applied to a platform, such as CTV/OTT, and whether directing a consumer off-platform to a webpage to opt out of sales is sufficient
• It is not clear whether an option such as “Limit Ad Tracking” might satisfy “Do Not Sell” obligations, but only where (a) “Limit Ad Tracking” is accessible via a link expressly titled, “Do Not Sell My Personal Information,” and (b) activation of Limit Ad Tracking anonymizes information in the ad serving data flow (as opposed to allowing recipients to determine how to honor “Limit Ad Tracking”), so the business can show that the user’s personal information is not sold pursuant to the CCPA
• There are considerable industry and consumer benefits to having a clear industry standard and mechanisms to support “Do Not Sell My Personal Information” options designed specifically for the CTV/OTT environment and CCPA compliance. Such efforts can also provide much needed guidance to promote consensus on who and how parties can use these standards and compliance mechanisms to alleviate some of this friction.
• The CTV/OTT working group will explore whether the CCPA Framework and LSPA may be a workable solution with adjustments, as necessary, to adapt it to the CTV/OTT environment.