Google announces that it will no longer function as a "Service Provider" under the CPRA for some services.

Google's Changes

Google announced upcoming changes to the "restricted data processing" functionality so that it will no longer act as a "service provider" under the California Privacy Rights Act of 2020 (CPRA) for many of its advertising services. The updated privacy terms will take effect on July 1, 2023 - the first day that the new or changed provisions of the CPRA go into effect. In particular, as of July 1, 2023, the "restricted data processing" functionality will no longer apply to the following services:

• Any feature that entails uploading customer data for purposes of matching with Google or other data for personalized advertising (e.g., Customer Match)
• Any feature that entails targeting user lists obtained from a third party (e.g., Audience Partner API)
• Any feature that entails creating, adding to, or updating user lists using first-party customer data (e.g., audience building with floodlight tags and audience-expansion features in DV360).

The move effectively removes the advertising services from being subject to the "restricted data processing" functionality that Google put in place under the California Consumer Privacy Act of 2020 (CCPA) in order to be deemed a "service provider" and not be subject to the CCPA's right for consumers to opt-out of the sale of their personal information. However, under the CPRA, that right extends to the "sharing" of personal information for the purpose of cross-context behavioral advertising, which is the core functionality of the Google advertising services. When a Google analytics or advertising user enabled the "restricted data processing" it automatically entered the user into a service provider agreement consistent with the requirements of the CCPA. However, the CPRA regulation section 7050(b) make it clear that a service provider under the CPRA cannot provide cross-context behavioral advertising services, and therefore Google could not be a service provider for its cross context behavioral advertising services. 

Impact to Business

While the move will impact some businesses that are subject to the CPRA and relied on the restricted data processing setting to comply with the CCPA and not require an ability to opt-out of selling information, it will not affect businesses that used other analytics and advertising cookies that did not have an equivalent restricted data processing setting. Those businesses already required some other method to opt-out of the sale of personal information (such as through a cookie consent manager), and could not depend on the Google restricted data processing setting. Businesses that relied on the Google restricted data processing functionality will either need to disable the functionality or adopt some form of a cookie consent manager capability to disable the use of these cookies in order to comply with the opt-out of sale or sharing requirements of the CPRA.