Google Makes Changes Ahead of July 1 CPRA Enforcement Date, Gary A. Kibel, Emily Catron

Google’s Policy Change

Google recently announced that it will no longer act as a service provider to advertisers under California law for certain Google services starting July 1, 2023 (when California Privacy Rights Act enforcement begins), Google had offered restricted data processing (RDP) to help advertisers, publishers and partners manage compliance with the California Consumer Privacy Act (CCPA).

Google’s shift is an effort to address compliance with the CPRA’s prohibition on service providers conducting cross-context behavioral advertising. Accordingly, Google will no longer offer RDP where advertisers engage in cross-context behavioral advertising, including for its Customer Match service.

What is Restricted Data Processing?

RDP, introduced by Google in 2019, allowed businesses to limit Google's use of their California customers' personal data. It was an optional feature that gave organizations more control over how their data was handled within Google's ecosystem.

Specifically, with RDP, Google restricts the way certain identifiers and other data is processed in its provision of services to advertisers. When RDP is enabled by advertisers, Google acts as a service provider to those advertisers under California law instead of a third party. Under Google’s new policy, RDP will not apply to cross-context behavioral advertising activities but may still be applicable for other services.

Google is not a signatory to the Interactive Advertising Bureau’s (IAB) Multi-State Privacy Agreement (MSPA). The MSPA is a collaborative industry framework to help industry participants comply with various aspects of numerous state privacy laws, including the obligation to offer consumers the right to opt-out of targeted advertising. Google will, however, recognize and honor the U.S. privacy string currently being transmitted by signatories to the industry framework.

Other providers currently offer similar solutions, such as Meta’s limited data use feature.

Impact on Advertisers

Phasing out RDP may require businesses to adapt their data strategies since more transactions with Google will be deemed “sales” or “shares” under the CPRA, thereby obligating the business to offer consumers the right to opt-out of such sales or sharing. While RDP will remain in place for certain Google services, such as Google’s “store sales” and “offline conversion imports,” RDP will no longer be available for any activities that constitute cross-context behavioral advertising, including Google’s “Customer Match,” which currently supports the offering.

The Bottom Line

To comply with the California Privacy Rights Act (CPRA), Google is changing its restricted data processing (RDP) policy and will no longer offer the service to advertisers conducting cross-context behavioral advertising as of July 1, 2023.
In such cases, Google will no longer act as a service provider to advertisers under California law and will instead act as a third party.

https://www.dglaw.com/google-makes-changes-ahead-of-july-1-cpra-enforcement-date/