Privacy & Information Security Law Blog

On May 24, 2023 Google LLC (“Google”) announced its recently updated privacy terms providing that, for many of Google’s advertising services, it will no longer act as a service provider for the purposes of the California Privacy Rights Act of 2020 (“CPRA”). The change may affect businesses’ prior determinations of whether they “sell” personal information under the California Consumer Privacy Act of 2018 (“CCPA”). The updated terms take effect on July 1, 2023, the day CPRA enforcement begins.

Since 2019, Google has offered some of its services on a “restricted data processing” basis. If a customer opts for restricted data processing, Google limits its processing to qualify as a “service provider” for purposes of the CCPA, restricting its use of consumers’ personal information for business purposes associated with its service offerings. These business purposes include delivering advertising, reporting and measurement, security and fraud detection, debugging and improving and developing features for products.

Beginning July 1, 2023, Google will no longer offer restricted data processing for the following services:

• Any feature that entails uploading customer data for purposes of matching with Google or other data for personalized advertising (e.g., Customer Match);
• Any feature that entails targeting user lists obtained from a third party (e.g., Audience Partner API); and
• Any feature that entails creating, adding to, or updating user lists using first-party customer data (e.g., audience building with floodlight tags and audience-expansion features in DV360).