On January 1, 2020, the California Consumer Privacy Act (CCPA) takes effect. CCPA will regulate businesses that collect and/or sell personal information, and it is intended to give Californians more control over their data. Billed as the most comprehensive and far-reaching privacy legislation in the U.S., the act leaves a lot open to interpretation, with broad, sweeping, and sometimes vague definitions of key terms such as “personal information,” “sell,” and “collect.”
Companies that do business in California, regardless of where they are located, will have to comply with the law if they have annual gross revenues over $25 million; buy, sell, receive, or share for commercial purposes personal information gathered from 50,000 or more consumers, households, or devices; or derive at least 50% of their annual revenue from “selling” consumers’ personal information. The act doesn’t specify whether “annual gross revenue” includes global revenues or only revenues from California.
Despite its murkiness, CCPA has implications for every player in the digital ad ecosystem. Here’s a wrap-up of the law’s five major requirements.
1. Notice to Consumers
CCPA mandates that any business that collects a consumer’s personal information must, at or before the point of collection, inform the consumer which categories of personal information will be collected and for what purposes. Consumers must also be provided with (1) a description of their rights under the act, (2) a “clear and conspicuous” opportunity to opt out from the sale of their personal information, and (3) a method for submitting privacy inquiries and requests (a toll-free telephone number and website address, at minimum). The clear and conspicuous opt-out must be titled “Do Not Sell My Personal Information” and be included on the business’s homepage.
Complying with this notice requirement may be particularly challenging for third parties in the online ecosystem that don’t directly interact with consumers, such as ad networks and exchanges.
What’s more, the definition of “personal information” is broad. In addition to standard information such as names and email addresses, unique identifiers are considered personal information. This includes data such as IP addresses, browsing and search histories, and consumer profiles—information ad tech firms use to anonymously track people on the web. Under CCPA, ad tech firms will be required to delete, upon request, any consumer’s information collected through tracking cookies. However, the law does include a loophole for “de-identified or aggregate consumer information.” Industry analysts note that it isn’t clear whether the types of identifiers that run the online ad ecosystem are subject to the law.
2. Access to Disclosure
Businesses that collect consumers’ personal information must, upon receipt of a verifiable request from a consumer, disclose the specific personal information the business has collected about that consumer. Disclosure also includes the sources from which the personal information was collected, the business purpose for collecting the information, and the categories of third parties with whom the business shared the information.
3. Non-Discrimination
Under CCPA, businesses cannot discriminate against consumers who exercise any of their rights specified by the law. This stipulation prevents websites and publishers from denying consumers access to their services if they elect not to provide any personal information.
Non-discrimination also prohibits businesses from providing a different level of service or quality of goods to consumers who exercise their rights under CCPA. The act permits businesses to charge different prices, but only if the differential approximates the value of the data withheld. This is an exceedingly vague standard that will be difficult to apply.
4. Deletion of Data
Businesses that receive a verifiable request from a consumer to delete personal information must delete the information from their records. They must also direct any service providers to delete the information from their records as well. In the vast, widely dispersed digital ad ecosystem where dozens of companies can collect users’ information in connection with a single ad unit, enforcing this chain of deletion will be highly impractical.
5. Restrictions on Sale of Data
CCPA significantly restricts the sale of personal information, which has far-reaching implications, given that “sale” is broadly defined to cover any transaction in which personal data is part of the value exchange. Restrictions on the sale of data present particularly burdensome challenges to DSPs, SSPs, and exchanges that do not have direct relationships with consumers.
CCPA is sweeping in nature, with compliance requirements that aren’t entirely clear from the language of the statute. While the California legislature can still change details of the law before it’s enacted in 2020, businesses that use consumer data for analytics, advertising, and other monetization efforts need to take a good, careful look at CCPA now.