Can retargeted advertising campaigns be carried out under agreements with service providers? | Bryan Cave Leighton Paisner


The definition of “sale” under the CCPA contains an exception for situations where information is shared with a service provider. For an adtech company to meet the definition of a “service provider”, at least two conditions must be met.

First, the transfer of information to the service provider must be “necessary” for the business purpose of the website.1

Second, the agreement with a service provider must “prohibit” the service provider “from retaining, using or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract with the company”.2

A common use of third-party behavioral advertising cookies is to allow companies to contact consumers who have left the company’s website in order to provide those consumers with targeted advertisements. Similarly, companies may deliver targeted advertisements not by using behavioral advertising cookies, but by providing adtech partner lists (e.g., names, email addresses, or phone numbers) of customers or potential customers. These practices are commonly referred to as retargeting campaigns because they often attempt to “retarget” consumers who have expressed interest in a product or service but have failed to complete a transaction.

Questions have been raised as to whether third parties who provide retargeting services can be classified as “service providers” under the Act. Specifically, some commenters have asserted that such use may not be “necessary” for a business purpose under the CCPA, or that by conducting a retargeting campaign, an adtech partner may be using data for its own purposes. In response to these concerns, the California Attorney General clarified that “

For more information and resources about the CCAC, visit

This article is part of a multi-part series published by BCLP to help businesses understand and implement the General Data Protection Regulation, the California Consumer Privacy Act, and other privacy laws. You can find more information about the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about GDPR in The EU GDPR: Answers to the Most Frequently Asked Questions from the American Bar Association.

1. CCPA, Section 1798.t)(2)(C).

2. CCPA, Section 1798.140

3. FSOR Appendix A at 167 (Answer #519).

4. FSOR Appendix A at 167 (Answer #519).

5. CCPA Reg. 999.314(c)(3).

[View source.]

Marilyn J. Hernandez