The California Consumer Privacy Act takes effect in less than a month, and companies across the industry are still coming to terms with what changes the law demands of their advertising practices.

While they wait for the California attorney’s general office to clarify the rules it will use to enforce the CCPA, many companies are taking conservative initial approaches to ensure they are compliant with the law. Some advertisers are pulling back on targeted advertising, and ad tech firms are adopting limits on what they can do with the data they receive from other companies. These measures may turn out to be overly cautious, but prudence can be necessary in the face of uncertainty.

“The ambiguity is on the advertising side of things, the implications for the status quo of the types of targeting we do,” said Justin Scarborough, director of programmatic media at PMG.

The major ambiguity facing companies is how the CCPA’s broad definition of a “sale” of data applies to digital advertising. Under the law, a sale is not simply the exchange of California residents’ personal information for money but for any business value. A publisher passing a device ID to an ad tech firm to fill a programmatic ad impression or an advertiser sharing a list of IP addresses to an agency to plan a targeted ad buy could be considered a sale of data under the law. Or they could not be.

“Digital advertisers use a variety of types of information that may be personal and is exchanged with other companies in order to fulfill their purpose or their services. Whether that meets the definition of sale under CCPA is questionable in some cases,” said Aaron Tantleff, a partner at law firm Foley & Lardner.

The CCPA’s definition of sale has been “heavily discussed” among agencies and their clients, said Laura Aldridge, vp of consumer and market intelligence at Rapp. “I think the definition of sale is something that’s still being interpreted legally because that is a difficult one.”

Agencies often tout their abilities to take people’s information collected by clients and create models for planning and buying purposes. The CCPA has put a question mark over whether the sharing of data from clients to agencies to perform that work constitutes a sale. “The moment you model data and extract the top decile for targeting, is that adding value? Or is that just analyzing your data?” said Aldridge.

The ad tech industry is similarly grappling with the question of whether the information passed along the programmatic supply chain constitutes a sale under the CCPA. The proverbial ad tech tax that companies charge to facilitate a programmatic ad sale would seem to meet the law’s definition of sale. But some aren’t so sure.

“There are still some in the ecosystem that want to take the approach that passing personal information with respect to advertising is not a sale, but I think the statute as drafted almost covers every use case that the ad tech ecosystem has to deal with,” said Thomas Chow, general counsel and secretary at PubMatic.

Consider GumGum, an ad tech company that specializes in contextual advertising. The company does not sell data under the traditional definition of exchanging information for money, but because it operates a programmatic advertising business, it is taking the position that it does sell data under the CCPA’s definition, said T’Juana Albert, director of global compliance and legal affairs at GumGum. By Jan. 1, GumGum’s website will carry a notice to inform California residents that it sells people’s personal information and provide them with tools for individuals to submit requests to access that information and to ask the company to stop selling that information. “We’re not going to play around,” Albert said.

The uncertainty surrounding the CCPA’s application to targeted advertising combines with a broader assault on online tracking by browser makers like Apple and Mozilla and is leading some advertisers to explore moving away from targeted advertising, according to agency execs. Retail advertisers typically rely heavily on retargeting. However, PMG has some retail clients that are testing “extreme scenarios where our ability to retarget at scale is severely deprecated” as a way to “pressure-test some of the options in the future,” Scarborough said.

Given the questions companies have and the answers they lack, companies, such as GumGum and PubMatic, that deal with personal information collected by other companies are gravitating toward the CCPA’s service provider designation. The designation enables a company to process the data collected by another company, even if a person has requested their data not be sold, so long as the service provider only uses the data for the purposes specified in a written contract with the company that collected and shared the data.

The service provider designation comes with trade-offs. An ad tech company serving as a service provider cannot use the personal information it receives from a publisher to target ads to the individual on another publisher’s site, for example. That can curtail the revenue that ad tech companies generate from being able to track people across the internet for targeting and measurement purposes. But the fines and other penalties companies could face if those practices are found to be non-compliant with the law can be a bigger concern.

“The approach we’ve taken is we want to be good actors in the space. If it costs us a little bit of revenue, so be it. It’s not worth it to our brand to be caught up in things where we’re processing data without consent. It’s just not worth it for us,” said Albert.

While some companies solidify their preparations for the CCPA before it takes effect on Jan. 1, others may not feel such urgency because of the law’s delayed enforcement window. The California attorney general’s office will be responsible for enforcing the law, but that enforcement cannot begin until six months after the AG’s office releases its finalized regulations or July 1, 2020, whichever happens first. As of press time, those finalized regulations have yet to be released.

However, anyone believing they have another six months before they’ll be on the hook is misguided, according to Tantleff. “Any noncompliance that dates back to Jan. 1, there’s a look-back, and they will be responsible,” he said.

“At the end of the day, the best thing a company like PubMatic or anyone in the industry can do is take a relatively conservative approach to CCPA,” said Chow.

By Tim Peterson, originally published in DIGIDAY