Connexity Merchant FAQs regarding CPPA/CPRA & US Privacy Laws
1. How is Connexity complying with the CPRA and other U.S. State privacy laws?
Connexity has a compliance program to comply with the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, the “CCPA”), as well as other U.S. States’ comprehensive privacy laws (15 U.S. States have such laws signed and/or in effect as of mid-April 2024). Our privacy team has worked closely with internal stakeholders to determine what changes to our program are needed to ensure compliance with these laws. For example, we continuously build on our existing controls, described below, so that consumers of U.S. States with new comprehensive privacy laws, as they come into effect, will be able to opt out of targeted advertising and the sale of their personal information.
2. What is Connexity’s position under the CCPA and other US state privacy laws?
In relation to Merchants, Connexity is a “Third Party Business” under the CCPA and a “Controller” under other U.S. States’ comprehensive privacy laws. This is because Connexity, through its affiliate company, Taboola, provides retargeting and personalization services to Merchants, involving using the data collected for “cross contextual behavioral advertising.” In light of CPRA amendments to the CCPA, both Connexity and Taboola position themselves as Third Party Businesses (and Controllers under other U.S. State laws) in order to use the data this way.
3. What is “cross-context behavioral advertising” and how does it affect Connexity?
“Cross-context behavioral advertising” is the targeting of advertisements to consumers based on unique identifiers collected through tracking technologies such as cookies or the like. Connexity’s service, as implemented through Pixel(s), now includes the Dynamic Product Ads (also references as “DCO” (Dynamic Creative Optimization)) feature, which involves cross-context behavioral advertising by Taboola. Please note that cross-context behavioral advertising is considered to be sharing, and may be considered to be a sale, of personal information under the CCPA, so any transfer of data collected from visitors of your online properties constitutes a sharing, and may constitute a sale, under the CPPA.
4. What does this mean for Merchants like me and how I work with Connexity?
Under the CCPA, California consumers have the right to opt out of cross-context behavioral advertising (and similarly, consumers of other U.S. states with privacy laws have the right to opt out of the targeted advertising, essentially the equivalent of cross-context behavioral advertising).
We offer many ways to opt-out of cross-context behavioral advertising, including:
i) Our unified pixel is equipped to read and honor:
-
- A user-enabled global privacy control (“GPC”) as required under the CCPA;
- Opt out signals transmitted through cookie banners and Consent Management Platforms provided by: (1) OneTrust, (2) Didomi, (3) Sourcepoint, (4) Usercentrics, and (5) Cookiebot.
ii) Connexity’s opt-out page at https://connexity.com/opt-out/, or by sending a verifiable consumer request by visiting connexity.com or via e-mail at dataprotection@connexity.com.
iii) Taboola also offers an opt-out mechanism via its privacy policy (https://www.taboola.com/policies/privacy-policy#optout), or through its Data Subject Access Request Portal (https://accessrequest.taboola.com/access (https://ccparequest.taboola.com/) (offering users the ability to exercise their other rights under the CPRA as well).
Merchants should implement a mechanism to read and send opt out signals as required under applicable data protection laws. Merchants may also direct their users to any of the other opt out mechanisms mentioned above.
You can find out more about implementing Pixel(s), including the unified pixel, for Dynamic Product Ads in the Merchant Resource Center here, in the “Getting Started” section, or by working with your Account Manager, as applicable.
5. How do you honor a user’s request to no longer sell or share data?
Connexity does not sell the personal information of California consumers, nor consumers of the other states with comprehensive privacy laws, to any downstream companies, and we enter into contractual “Service Provider Agreements” with downstream vendors to ensure they only use data for permissible purposes.
When a user click’s Connexity’s CCPA opt-out link (on our website), the user is directed to Connexity’s CCPA Opt-Out page, at https://connexity.com/opt-out/. Here, California users, as well as users from other U.S. States with privacy laws, can instruct Connexity to no longer share their data with any third parties, but this will not prevent Connexity from serving non-targeted ads on the user. Should the user wish to opt out of Connexity’s data collection and personalized content, the user may opt out via (1) Connexity’s global opt out tool (https://connexity.com/opt-out/), (2) by sending a verifiable consumer request by visiting connexity.com or via e-mail at dataprotection@connexity.com, or (3) the DAA’s industry-wide opt out tool that stops all interactive advertising, available via our opt out page mentioned above or at https://youradchoices.com/control).
For Taboola, when a user clicks Taboola's CCPA opt out link (in Taboola’s platform) the user is directed to Taboola's California Consumer Rights Portal, at https://ccparequest.taboola.com/. Here, California users can instruct Taboola to no longer share their data with any third parties, but this will not prevent Taboola's use of the user's data for its own purposes (to serve personalized content). Should the user wish to opt out of Taboola's data collection and our personalized content, the user may opt out via (1) Taboola's global opt out tool (https://www.taboola.com/privacy-policy#optout), (2) Taboola’s global Data Subject Access Request Portal (https://accessrequest.taboola.com) or (3) an industry-wide opt-out tool that stops all interactive advertising, provided either by the DAA (available at https://youradchoices.com/control) or the NAI (available at http://optout.networkadvertising.org).
6. Do you collect sensitive data from Merchant users and do consumers have the ability to restrict it?
Connexity does not collect any sensitive data about consumers under the CCPA.
7. Do we need to update our contracts with Connexity?
Our updated Connexity Merchant Terms incorporate the new Merchant Privacy Terms, available at https://connexity.com/merchant-privacy-terms/, which include updated disclosures about the personal data collection and processing activities involved in our service, and expectations of Connexity and Merchants. Merchants should review the Merchant Privacy Terms to ensure they understand their obligations, including the disclosures it will need to provide to visitors of their online properties where the Pixel(s) are implemented, as well as the requirement to pass opt out signals to Connexity/Taboola. You should receive a notification of the update to the Connexity Merchant Terms between you and Connexity, which will become effective as detailed in the notification. Otherwise, your Account Manager will be in touch to help ensure that the terms in place will now include the Merchant Privacy Terms.