The California Consumer Privacy Act (“CCPA”) was enacted in early 2018 as a political compromise to stave off a poorly drafted and plaintiff-friendly ballot initiative. Although the CCPA is scheduled to go into force in early 2020, there is a great deal of confusion regarding the requirements of the CCPA, including the degree to which it aligns with other privacy regulations such as the European General Data Protection Regulation (“GDPR”).
To help address that confusion, BCLP published the California Consumer Privacy Act Practical Guide, and is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the CCPA.
Q. Can a business share its marketing list with social media platforms in order to target advertising messages to specific social media users?
Sharing may be permitted under certain circumstances.
Under California’s CCPA, a business is permitted to share personal information with “service providers,” entities that process information on behalf of a business for a “business purpose.” The term “business purpose” is defined as being for “operational purposes.” It is questionable whether advertising relates to “operational purposes” as opposed to “commercial purposes.” The net result is that if a business shares information with a social media platform for the purpose of targeted advertising, the act of sharing could be classified as a “sale” of information under the CCPA. Consequently, such sharing would need to be disclosed within the business’s privacy notice, and the business would need to give consumers the ability to opt out of such sharing.
Under the European GDPR, a business must have one of six permissible purposes to transfer information to a third party. While one of those purposes could be the consent of the data subject, in theory transmission could also be based upon the legitimate interest of the controller to directly market their products or services. If a controller attempted to base their online banner advertisements upon legitimate interest, the Article 29 Working Party has stated that the activity must comply with all other European laws in order to be “legitimate.” The ePrivacy Directive states that a company cannot engage in direct marketing using “electronic mail” unless it has the consent of the data subject to do so. The phrase “electronic mail” is defined broadly to include any “image message sent over a public communication network which can be stored in the network or in the recipient’s terminal equipment until it is collected by the recipient.” An argument could be made that a banner advertisement falls within the definition of “electronic mail,” and as a result, consent would be needed prior to displaying the banner advertisement on a third-party social media platform. That said, at least one supervisory authority has interpreted their statute implementing the ePrivacy Directive as not applying to “direct marketing online.” The net result is that there is uncertainty in Europe whether the ePrivacy Directive requires consent prior to sharing a marketing list with a social media platform for the purpose of targeting advertisements.