When it comes to complying with the CCPA, ad tech vendors and their digital advertising partners need to be fully aware of what the law presently entails and what they need to do in order to comply with the new regulation.
Note: This blog post is just for informational purposes only, and is not designed to serve as a full legal guide. This must not be read or treated as legal advice. For more specifics, including your position and compliance requirements under the law, please be sure to obtain the services of a licensed law firm and/or consult lawyers fully knowledgeable on the law. The full InMobi guide on CCPA can be found here: https://www.inmobi.com/california-consumer-privacy-act.
What is the CCPA?
The California Consumer Privacy Act (CCPA) is a comprehensive data privacy regulation applicable to the users based in the State of California in the United States. CCPA becomes effective from January 2020 and at a high level imposes transparency with regard to the collection, processing and use of consumer’s personal information and provides consumers with certain rights regarding such usage. Under the law, consumers can ask for control of how their data is used: elaborated as Right to Access/Right to Forget/Right to Opt of Sale, etc .
According to the IAB, the law is designed to provide users with more control over how personal data about them is used and collected. Once the law is in effect, users in California will be able to opt out of the sale of their personal data.
Note that the law has a very specific definition of sale. “Sell,” “selling,” “sale,” or “sold,” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.
“In many ways, the CCPA is a first of its kind law in the United States: an omnibus statute that seeks to create broad privacy and data protection rules that apply to all industries doing business in one jurisdiction, California, rather than focusing on a single sector or specific data collection and use practices. The CCPA was created in response to changing public perceptions. Users, rightfully, want to understand and have the option to exercise control over their own data,” IAB noted.
In the context of CCPA, personal data or personal information includes without limitation online identifiers such as device identifiers, IP address, ad-ids, gpid etc. and any inferences drawn from the same used to create audience profile. De-identified/anonymized, aggregated consumer information is not deemed to be personal information under CCPA.
“The CCPA framework creates a new service provider relationship between publishers and tech companies that contractually establishes how consumer data can or cannot be used by the vendor. However, it applies primarily to publishers that sell data (data onboarding and identity-matching companies, for instance, that buy publisher audience data) or that use publishers’ first-party data in programmatic, like some ad tech vendors,” AdExchanger’s James Hercher wrote in December 2019.
The law doesn’t just cover consumer data collected in 2020 and beyond. Specifically, users in California can request information from the prior 12 months from relevant/affected technology companies.
“While the California Consumer Privacy Act takes effect on January 1, 2020, the 12-month look back in the law will require companies to have the ability to respond to individual California resident requests for specific information about what personal data has been collected about consumers and the various categories of third party vendors with which the company has shared consumer data,” the law firm Perkins Coie has noted.
Intentional violation of the CCPA can bring civil penalties of up to $7,500 for each violation in a lawsuit brought by the California Attorney General on behalf of the people of the State of California. The maximum fine for other violations is $2,500 per violation. Other impacts comprise of claims, action for damages, termination of the engagement, loss of reputation, business and revenue.
CCPA vs. GDPR
In many key ways, CCPA and GDPR cover similar territory. The European Union’s General Data Protection Regulation (GDPR) also covers data collection and usage, but it’s specifically an opt-in law, i.e. consumers have to specifically allow publishers and their partners to collect and use their data. CCPA, in contrast, is an opt-out law.
Further, both laws have different definitions of personal data and children’s data, and levy different fines. And, unlike CCPA, GDPR specifies a Data Protection Officer and data breach notifications.
CCPA Compliance and Ad Tech Companies
Who must comply with CCPA? Ultimately, in the programmatic space, all partners in the ad transaction will have certain liability in account of CCPA, so long as they have customers in California. This is true even if someone is defined as a Service Provider, Business or some other distinction under the law.
For starters, businesses that are impacted by the law will likely need to make it easy for consumers to specifically state that they want to opt out, with a button or similar call to action that allows users to say, “Do Not Sell My Personal Information,” AdExchanger has noted.
“The language implies that publishers and advertisers will have to show the opt-out button to California residents who haven’t yet opted out every time they visit a site and on nearly every page – because what web pages don’t include some form of data collection, from widgets to ads and third-party trackers?” AdExchanger’s Allison Schiff wrote. This holds true for mobile app publishers as well.
What does CCPA mean for the programmatic advertising landscape? Many predict that it will probably make first-party data more valuable, since it’s more likely to be in compliance with the law. And, it may force publishers and their partners to more clearly explain to consumers the business purposes of their data collection and what users can expect to get in return.
To help with compliance, the IAB Tech Lab has established V1.0 of its CCPA Compliance Framework. More information can be found at https://iabtechlab.com/standards/ccpa/.
If you have any additional questions or concerns, please contact us via email at firstname.lastname@example.org.