Cross-context behavioral advertising: What you need to know

Cross-context behavioral advertising (CCBA) emerged in the early 2000s as data collection and tracking technologies like cookies evolved. Since then, CCBA has continued to grow, fueled by the rise of big data and multi-device ecosystems.

This type of digital advertising has revolutionized marketing by enabling businesses to target users that are already interested in products like theirs. However, it has also become a point of contention in the data privacy space. 

Today, concerns about how personal information is used to enable cross-context behavioral advertising has sparked stricter regulation of this practice. Businesses need to be cautious and pay attention to meet — and maintain compliance with — these regulatory requirements. 

This article explores what cross-context behavioral advertising is, what privacy laws like the CPRA and GDPR say about it, and what you can do to ensure your operations are compliant. 

Cross-context behavioral advertising explained

Think about the last time that you visited a news website. You likely saw a range of advertisements that weren’t necessarily related to the information featured on the page you landed on. For example, you may have spotted a promotional video for athletic gear embedded into a finance article regarding interest rate predictions.

This is a prime example of cross-context behavioural advertising. It’s a sophisticated digital marketing technique that uses data from a website visitor’s activity across multiple platforms to deliver tailored ads.

According to the California Privacy Rights Act (CPRA), cross-context behavioral advertising refers to when a website shares a consumer’s information with other, unrelated websites, apps, or services with the aim of delivering targeted ads to that individual. 

CPRA SEC. 14. Section 1798.140 (k) defines cross-context behavioral advertising as:

“the targeting of advertising to a consumer based on the consumer’s personal information obtained from the consumer’s activity across businesses, distinctly‐branded websites, applications, or services, other than the business, distinctly‐branded website, application, or service with which the consumer intentionally interacts.”

In other words, cross-context behavioral advertising happens when data is:

• gathered from a user’s activities on distinct websites, apps, or services
• collected from platforms other than the one where the user is currently engaged
• used to deliver targeted ads tailored to the user’s inferred interests and behaviors

Generally, businesses use digital advertising platforms like Google and Meta to push ads to their targets. These platforms aggregate user data, and businesses are able to retarget key customers based on their activity across the internet.

Behavioral advertising vs. contextual advertising

Highly targeted ads are the hallmark of online behavioral advertising. To achieve this, marketers gather information about a user based on their browsing habits. The two most common methods for doing so are by using website cookies and tracking pixels. 

Once marketers have this data on hand, they aggregate it to group users, draw certain inferences about them, and deliver ads that they believe a user in a certain segment is most likely to interact with. 

Browsing history is a good indicator of ongoing interests, hobbies, or product preferences, while search queries might show immediate needs or intentions. So, if you often watch yoga videos on YouTube, you may see ads for yoga mats on other websites. Alternatively, a recent Amazon search for office chairs could result in ads for ergonomic furniture on unrelated sites.

Contextual advertising, on the other hand, doesn’t rely on tracking user behavior. Instead, it delivers ads relevant to the content of the web page a user is currently viewing. For instance, someone reading a recipe blog might see ads for kitchen appliances or grocery delivery services. 

Behavioral advertising tracks personal information, therefore raising concerns related to data processing and sharing. Contextual advertising uses immediate, page-level relevance. This avoids the complexities of cross-context tracking and minimizes privacy risks.

Cross-context behavioral advertising and the CPRA 

Data privacy concerns target the core of behavioral advertising. Advertisers, publishers, and advertising network providers like Google and Meta exchange personal information about data subjects — ranging from location data to purchase histories — to segment users and deliver targeted ads.

Under previous data privacy regulations, there was at times debate about whether the concepts of “sale” and “sharing” could be used interchangeably. Some players in the marketing industry attempted to use this lack of clarity to sidestep compliance. 

For example, some businesses argued that they weren’t “selling” personal data, since no money actually changed hands. Instead, they were just “sharing” that data in exchange for targeted ad placements or insights.

To prevent this and similar ambiguous actions, California lawmakers provided a comprehensive definition of what constitutes “sharing” in terms of personal data when updating and expanding the earlier CCPA. CPRA SEC. 14. Section 1798.140 (ah)(1) states that:

“Share,” “shared,” or “sharing” means sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for cross‐context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for cross‐context behavioral advertising for the benefit of a business in which no money is exchanged.”

Put simply, the CPRA considers any transfer of personal information to third parties for the purpose of cross-context behavioral advertising as sharing. This comprehensive definition aims to hold businesses accountable for how they handle consumers’ sensitive information.

Another important factor to keep in mind here is automated decision-making. Businesses using AI systems or algorithms in cross-context behavioral advertising must also disclose how these systems process and share personal data and enable opt-out. 

CPRA requirements regarding cross-context behavioral advertising

The CPRA establishes several obligations for businesses engaged in cross-context behavioral advertising to promote consumer privacy and transparency. 

First, businesses that are involved in data sharing must have a prominent “Do Not Sell Or Share My Personal Information” link on their websites. This enables consumers to easily opt out of having their personal data shared with third parties for advertising purposes. 

When a user triggers the “Do Not Sell or Share” mechanism, businesses must promptly honor this privacy opt-out signal. This also applies to consent preference signals sent by Global Privacy Control (GPC) tools, which enable users to automatically communicate their preferences across multiple sites.

In addition to placing obligations on businesses, the CPRA also establishes requirements for service providers, contractors, and third parties. Service providers and contractors must agree to binding terms that limit their use of shared data to authorized purposes. Third parties must adhere to strict privacy rules and provide clear disclosures about their data practices.

Is cross-context behavioral advertising compatible with other data privacy laws?

Cross-context behavioral advertising isn’t just a concern for businesses that need to comply with the CPRA. A number of other privacy laws have also addressed this practice, either directly or indirectly. 

California Consumer Privacy Act (CCPA)

The CCPA and CPRA are complementary California laws, though the CPRA largely replaced the CCPA. The CCPA focused on consumer rights like data access, deletion, and opting out of the sale of personal information, and the CPRA expanded these rights to explicitly include cross-context behavioral advertising. 

The CCPA addressed the sale of personal information, but the CPRA added clarity by covering data sharing practices that do not involve monetary transactions but still facilitate targeted advertising.

Federal Trade Commission (FTC) Act

The FTC Act addresses cross-context behavioral advertising through its prohibition of unfair or deceptive practices in data collection, handling, and processing. 

Businesses engaging in behavioral advertising must: 

• Employ transparent data practices
• Avoid misleading claims
• Provide consumers with clear, accessible ways to opt out of data sharing for targeted advertising

The FTC is also watchful about automated decision-making, including AI-driven advertising systems. 

It advises businesses to use AI tools that are not discriminatory, deceptive, or harmful, and encourages transparency about AI’s role in decision-making. The Act also recommends providing mechanisms for consumers to opt out of, challenge, or understand automated outcomes.

General Data Protection Regulation (GDPR)

The GDPR addresses cross-context behavioral advertising through its rules on data collection, handling, and processing. 

Businesses must establish a lawful basis for processing personal data. This includes obtaining explicit user consent for tracking and profiling activities, while upholding users’ rights to access, rectify, or delete their data and object to profiling for advertising purposes.

The law also regulates automated decision-making, including AI systems used in behavioral advertising. Businesses must: 

• Disclose when such systems are used
• Provide transparency about the logic behind them
• Enable users to request human intervention if decisions significantly impact them 

ePrivacy Directive (ePD)

The ePrivacy Directive, sometimes called the “cookie law,” complements the GDPR by specifically addressing data collection and tracking technologies like cookies, which are fundamental to cross-context behavioral advertising. 

The ePD requires businesses to obtain users’ consent before storing or accessing data on their devices for advertising purposes. Transparency is vital for the ePrivacy Directive, as businesses must disclose to users how their data is collected and processed in order to obtain informed consent.

How to carry out behavioural advertising in a privacy-compliant way

Achieving and maintaining regulatory compliance won’t just help your business to avoid penalties; it helps demonstrate accountability and integrity to your audience. 

With increasingly strict requirements from data privacy laws like the CPRA, GDPR, and other laws, businesses must prioritize transparency, accountability, and respect for users’ rights when implementing targeted advertising strategies. 

Here are the compliance boxes you need to check for a privacy-led approach to marketing and to stay on the right side of the law:

• Provide clear notices: Prominently display plain language notices with clear explanations of how users’ data will be collected, shared, and processed for behavioral advertising.
• Obtain consent: Get consent from website visitors where legally required before collecting or processing their data for advertising. Your consent mechanisms must comply with applicable laws.
• Make opting out easy: Where prior consent is not required, provide users with simple, visible ways to opt out of data sharing. These may include a “Do Not Sell Or Share My Personal Information” link or privacy settings that honor opt-out signals like those from GPC.
• Work only with compliant partners: When partnering with advertisers, publishers, and ad network providers, check that they comply with data privacy laws and maintain proper safeguards for shared data. (Under many laws companies are liable for third-parties’ activities.)
• Minimize data collection: Collect only the data that’s necessary for you to meet your advertising goals, retain it only as long as it’s needed for stated purposes, and be sure to implement safeguards to protect it, such as encrypting data and performing regular audits.

Achieve regulatory compliance and protect customer data

Cross-context behavioral advertising is an effective tool for delivering personalized, targeted ads that engage leads and drive results. However, the complex data handling involved comes with regulatory compliance risks. 

To comply with privacy laws like the CPRA and build trust with customers: 

• Be transparent about your data handling practices
• Obtain valid user consent
• Enable users to opt out of behavioral advertising

Adherence can be challenging when you consider the volume of website visitors that your business tracks and the amount of data you collect. Fortunately, this becomes much easier with the right tools in place.

The Usercentrics CMP simplifies consent management so you can better navigate data privacy laws’ requirements and honor user consent choices across all your platforms. Usercentrics helps you achieve compliance with data privacy laws that are relevant to you while helping to turn your privacy-conscious website visitors into loyal customers.