Unlock the definitive guide to managing your online tracking technology vendors effectively. This webinar delves into a comprehensive and actionable set of best practices that every organization needs. From meticulous website scans to in-depth contract reviews, from precise consent categorization to harmonizing diverse frameworks, our checklist ensures you cover all the crucial touchpoints. Equip yourself with this essential framework and confidently navigate the complex landscape of online tracking compliance, using our step-by-step roadmap as your trusted reference.
Join our panel of experts in the webinar as they equip you with the knowledge and strategies for navigating vendor relationships under CPRA.
Legal Disclaimer
The information provided during this webinar does not, and is not intended to, constitute legal advice. Instead, all information, content, and materials presented during this webinar are for general informational purposes only.
Agenda
• Levelsetting
○ Ad Tech Vendors
○ Tracking Technologies
○ The Scope of Personal Information
• Market Forces
○ CA & Other States
○ FTC and MHMD
○ EU
• Managing Your Ad Tech
• Putting It All Together
• Looking Ahead to 2024
• How TrustArc & BakerHostetler can help
Ad Tech Vendors
December 2022: OCR released controversial bulletin calling out vendors:
“Regulated entities are not permitted to use tracking technologies in a manner that
would result in impermissible disclosures of PHI to tracking technology vendors.”
August 2023: Interactive Advertising Bureau released its State Privacy Law
Survey Results. The survey highlighted the concern respondents had with
respect to their vendor compliance, implicating tracking technology vendors:
● A consensus that adequate contract controls are not in place
● Challenges remain for businesses entering into contracts with privacy-protective provisions with third parties in the Ad Tech ecosystem
● Nearly half of respondents do not feel prepared to comply with the vendor due diligence obligations required under the laws.
August 2022: The California AG alleged that Sephora did not have valid service provider contracts in place.
The Definition of Personal Information is Broad
CCPA’s Definition: “...information that identifies, relates to, describes, is reasonably
capable of being associated with, or could reasonably be linked, directly or indirectly,
with a particular consumer or household… a unique personal identifier, an online
identifier, an Internet Protocol Address, an email, other similar identifiers, internet or
other electronic network activity information, or geolocation.” CCPA § 1798.140(v).
● Unique Identifiers: Internet Protocol address; cookies, beacons, pixel tags, mobile ad identifiers, or similar
technology; customer number, unique pseudonym, or user alias; telephone numbers, or other forms of
persistent or probabilistic identifiers that can be used to identify a particular consumer or device that is
linked to a consumer or family. CCPA § 1798.140(aj).
● Precise Geolocation: Derived from a device that is used or intended to be used to locate a consumer
within a geographic area that is not equal to or less than the area of a circle with a radius of 1,850 feet.
CCPA § 1798.140(w).
● Internet or other electronic network activity information (e.g. browsing history, search history, and
information regarding a consumer’s interaction with an internet website application, or advertisement).
CCPA § 1798.140(f).
Technologies that Can Collect Personal Information
● Cookies
● Pixels
● SDKs
● Third Party Libraries
● Web Beacons
● Session Replay Tech
● Others
California’s Enforcement of the Sale/Share
What Happened?
In August 2022, the California Attorney General’s enforcement action against Sephora
construed the definition of “Sale” when online tracking technologies are involved:
“Sale Using Online Tracking Technology means Sale where [1] the business
[2] discloses or makes available consumers’ personal information to third
parties through the use of online tracking technologies such as [a] pixels,
[b] web beacons, [c] software development kits, [d] third party libraries,
and [e] cookies, [3] in exchange for monetary or other valuable
consideration, including, but not limited to: (a) personal information or other
information such as analytics; or (b) free or discounted services.” See Final
J. & Permanent Inj., California v. Sephora USA, Inc., No. CGC-22-601380
(S.F. Super. Ct. Aug. 24, 2022).
What you need to know
Incorporating this new understanding of Sale into your tracking technology vendor
management practice is critical. If an organization is engaging in a Sale/Share,
this triggers several different enforceable obligations under the law.
Assessing Your Ad Tech Vendor
1) Is your organization subject to the CCPA?
2) Does your organization use Online Tracking Technologies?
3) Is your organization disclosing or making available CA consumersʼ personal information to third
parties?
4) Is there a monetary or non-monetary benefit exchanged with the third party?
a) Monetary Benefit: Direct financial payment (traditional currency) or other financial benefits OR
b) Non-Monetary Benefit: a) analytics or b) free or discounted services
5) Are there any exceptions to Sale?
6) Classify your Vendor
● Service Provider or Third Party
● If itʼs a Third Party, you must provide an opt-out
Colorado, Connecticut, Virginia, and Utah
California Consumer Privacy Act (CCPA)
• Right to opt out of Sharing for Cross Context Behavioral Advertising
Virginia Consumer Data Protection Act (VCDPA)
• Right to opt out of Processing for purposes of Targeted Advertising
Colorado Privacy Act (CPA)
• Right to opt out of Processing for purposes of Targeted Advertising
Connecticut Data Protection Act (CTDPA)
• Right to opt out of Processing for purposes of Targeted Advertising
Utah Consumer Protection Act (UCPA)
• Right to opt out of Processing for purposes of Targeted Advertising
Health Privacy: What Happened and What You Need to Know
FTC Enforcement Actions:
○ Definition: Enforcement actions in 2023 indicate Sensitive Health Data is no
longer limited to Personal Health Information ("PHI") under HIPAA; the updated
definition is very broad, including anything that conveys information or enables
inferences about a consumer’s health.
○ Disclosure/Collection: The use of tracking technologies to collect or disclose
sensitive PI may be deemed an unauthorized disclosure (Health Breach Notification
Rule) or a breach of the promises in the company’s privacy policy absent affirmative
express consent.
○ Enforcement: Companies need to exercise extreme caution when using online
tracking technologies. The FTC will continue doing everything in its power to
protect consumers’ health information from potential misuse and exploitation.
Washington’s My Health My Data: Obligations on any-sized businesses that “process”
broadly defined “consumer health data.” There are dramatically increased compliance
burdens related to notice and consent. The Act goes into effect on March 31, 2024 (for
large businesses) and June 30, 2024 (for small & medium businesses). A Private Right of
Action is provided.
Litigation: What is Happening
Recent developments indicate an escalating risk from U.S. lawsuits concerning
consent, notice, and disclosure practices associated with online tracking technologies.
There is an increasing frequency among plaintiffs’ attorneys to employ creative and
unconventional legal theories to test the truth around publicly made statements
(notice), consent, and disclosure practices related to online tracking technologies.
Lawyers continue using non-traditional privacy laws to allege violations because these
laws make available powerful remedies, such as punitive, statutory, and treble
damages, in the form of a private right of action that isn’t available in comprehensive
privacy laws outside a data breach.
Legal theories we have seen used
● Wiretapping laws
● Video Privacy Protection Act
● The California Invasion Of Privacy Act
● RICO Conspiracy
● California Penal Code §§ 631 and 632
EU/UK
What to know. While the definition of personal information in the GDPR/UK GDPR does
not specifically mention tracking technologies, the scope is broad enough to treat
trackers (e.g., cookies) as personal information. Importantly, the ePrivacy Directive
(EU) and the PECR (UK) complement those regulations, specifically addressing cookies
and similar technologies.
“Cookie” enforcement is a priority of the EU’s data protection authorities.
The EDPB’s Cookie Banner Taskforce issued a report in January 2023,
focusing on consent, cookie walls, and other cookie banner compliance guidance.
DPAs (e.g., Belgium, France, Spain, and others) are issuing and harmonizing
cookie consent guidance documents.
What is happening. The EDPB is currently soliciting comments on recently issued
guidelines on the scope of personal information and tracking technologies.
What to expect. Cookie enforcement will continue to tick up. There is also a trend
toward more transparency about cookie purposes.
Explaining Differences Between CMP + TMS
● A Consent Management Provider (CMP) provides a notice and choice mechanism.
● A Tag Management System (TMS) provides the ability to centrally control execution of third party code, which is what allows collection based on trackers in the user’s browser. Controlling tags allows blocking of cookies/trackers and data collection.
Explaining Differences Between CMP + TMS
Tag Management
● Controlling which code fires based on the user’s consent choice in the CMP
Explaining Differences Between CMP + TMS
Alternatives to Tag Management
● Use a tag blocking solution from the CMP. This will attempt to automatically block requests to third party code.
● Use the CMP’s API to gate your own code so that it executes only when the relevant consent choice is opted in.
Auditing
Conduct scans of your website to validate compliance
● Are trackers dropping in the GDPR region before the user opts in?
● Are trackers still dropping after the user has opted out?
● For CCPA, if the user has opted out of advertising, are advertising trackers still dropping?
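The two slides above describe the same control from two sides: the TMS (or the CMP’s API) fires a vendor tag only when the matching consent category is allowed, and the audit scan checks whether cookies appeared on the page without that consent. The following is an added example, not code from the webinar, TrustArc, or BakerHostetler; it models a consent-gated tag registry with an opt-in default for the GDPR region and an opt-out default for CCPA, plus the cookie audit a scan performs. Tag ids, script URLs, and cookie names are constructed placeholders, and `inject` is a hypothetical callback (in a browser it would append a script element).

```javascript
// Added example (not from the webinar): consent-gated tag loading and a cookie audit.
// Each registered tag names the consent category it needs and the cookies it is
// expected to drop. Ids, URLs and cookie names are constructed placeholders.
const TAG_REGISTRY = [
  { id: 'session-tag',      category: 'necessary',   src: 'https://cdn.example/session.js',   cookies: ['sid'] },
  { id: 'analytics-vendor', category: 'analytics',   src: 'https://cdn.example/analytics.js', cookies: ['ex_an_id'] },
  { id: 'ad-pixel-vendor',  category: 'advertising', src: 'https://cdn.example/pixel.js',     cookies: ['ex_ad_id', 'ex_ad_sess'] },
];

// Consent state before the user interacts with the banner.
// GDPR/ePrivacy is opt-in: every non-necessary category starts denied.
// CCPA is opt-out: categories start allowed until the user opts out of sale/share.
function defaultConsent(region) {
  const optIn = region === 'gdpr';
  return { necessary: true, analytics: !optIn, advertising: !optIn };
}

// Record a user choice for one category; 'necessary' cannot be switched off.
function updateConsent(consent, category, allowed) {
  if (category === 'necessary') return { ...consent };
  return { ...consent, [category]: Boolean(allowed) };
}

// Tag management decision: which registered tags may fire under this consent state.
function tagsToFire(consent, registry = TAG_REGISTRY) {
  return registry.filter(t => consent[t.category] === true).map(t => t.id);
}

// Loader: inject only the permitted tags. `inject(tag)` is supplied by the caller
// (hypothetical callback); returns the ids that were actually injected.
function loadPermittedTags(consent, inject, registry = TAG_REGISTRY) {
  const fired = [];
  for (const tag of registry) {
    if (consent[tag.category] === true) {
      inject(tag);
      fired.push(tag.id);
    }
  }
  return fired;
}

// Browser injector for loadPermittedTags; only usable where `document` exists.
function browserInject(tag) {
  const s = document.createElement('script');
  s.src = tag.src;
  s.async = true;
  document.head.appendChild(s);
}

// Scan helper: turn a document.cookie / Cookie header string into cookie names.
function cookieNames(cookieString) {
  return cookieString.split(';').map(s => s.trim().split('=')[0]).filter(Boolean);
}

// Audit step mirroring the scan questions: given the cookie names observed on the
// page and the consent state in force when they were observed, report every cookie
// whose owning tag lacked consent, and every cookie no registered vendor accounts for.
function auditCookies(observedCookies, consent, registry = TAG_REGISTRY) {
  const owner = new Map();
  for (const tag of registry) for (const name of tag.cookies) owner.set(name, tag);
  const findings = [];
  for (const name of observedCookies) {
    const tag = owner.get(name);
    if (!tag) {
      findings.push({ cookie: name, tag: null, reason: 'cookie not in vendor inventory' });
    } else if (consent[tag.category] !== true) {
      findings.push({ cookie: name, tag: tag.id, reason: `dropped without ${tag.category} consent` });
    }
  }
  return findings;
}

// Stand-alone demo: a GDPR visitor who has not consented, with an ad cookie present.
function demo() {
  const consent = defaultConsent('gdpr');
  const observed = cookieNames('sid=abc; ex_ad_id=123; unknown_cookie=1'); // constructed
  return { fires: tagsToFire(consent), findings: auditCookies(observed, consent) };
}
console.log(JSON.stringify(demo(), null, 2));
```

The audit deliberately flags cookies that no registered vendor owns: a scan that only checks known trackers misses the vendor nobody onboarded, which is exactly the gap the due diligence step is meant to close.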
Onboarding an Ad Tech Vendor
1. Stakeholder submits a vendor request assessment
2. Privacy Office / outside counsel conducts due diligence
3. Privacy Office / outside counsel negotiate the agreement, including the DPA
4. Privacy Office records findings along the way
5. Configure the technology with a Consent Manager Platform and Tag Management Solution
6. Implement the technology on the website
7. Ensure notice practices reflect the tech on the site
8. Run an initial scan to ensure the opt-out is working
9. Develop a cadence for scanning
Looking Ahead to 2024
1. New solutions with Consent Management Platforms may be needed if Google
deprecates third party cookies.
2. The EDPB is looking to expand its scope on personal information and tracking
technologies.
3. Anticipate more Data Protection Authorities will continue to harmonize cookie
enforcement.
4. FTC enforcement will continue.
5. CPPA will focus more on what’s going on “behind the scenes.”
6. The My Health My Data Act will go into effect.
7. Litigation will continue.
How TrustArc and BakerHostetler Can Help
Manage Your Ad Tech Vendors
Taylor A. Bloom tbloom@bakerlaw.com
Andrew Scott ascott@trustarc.com
Ryan Ostendorf rostendorf@trustarc.com