CCPA: America’s GDPR & What It Means For Digital Advertising
Digital marketing is a dynamic field by nature.
As marketers, and especially here at Conduit, we are continually looking for ways to incorporate new emerging technologies to catalyze our ability to think ahead and form effective, data-driven strategies around ever-changing consumer trends.
We also understand that sometimes, and increasingly more often, we find ourselves needing to tailor these strategies to conform to new laws and legislation that have profound effects on the ways in which we execute our digital marketing campaigns.
Laws like HIPAA, COPPA, and the more recent GDPR, to name a few, have resulted in a shift in how we are able to provide consumers with targeted digital marketing ads, and have set new guidelines on how to effectively run a digital marketing campaign.
The California Consumer Privacy Act, or CCPA, is the next groundbreaking legislation on this list and is being looked upon as the United States’ most comprehensive legislation on data privacy ever passed.
Its purpose, in short, is to give California residents greater control over the ways in which their online data is collected, sold, and stored while also affording these users with a greater sense of transparency into how this information is being utilized by for-profit institutions.
As digital marketers, we should all be aware of the effects this law will have on the ways in which we utilize data to build and execute targeted marketing campaigns. The purpose of this paper is to help shed more light on the CCPA.
What exactly is it? How does it compare to other privacy regulations recently passed, and how will it affect marketers not only in California, but throughout the United States beginning in January 2020?
It is also important to note that we are in no way, shape or form legal professionals and as such, this information should not be taken as professional legal advice.
THE LONG ROAD TO PRIVACY REGULATION
Throughout the last few years, user privacy has boiled up into a hot topic of debate following the famous Facebook – Cambridge Analytica scandal, in which Facebook was found guilty of collecting the personal information of millions of users’ profiles without their consent, and subsequently utilized this data for political advertising.
This event helped spark what is known as the “Great Privacy Awakening”.
This ‘awakening’ describes the period when a large majority of internet users started to become aware of the fact that they really had no knowledge of how their personal data was being collected and utilized by these large corporations.
This “awakening” was followed by a massive wave of support towards the push for greater privacy regulations aimed towards some of the world’s largest tech companies such as Facebook, Google, and Amazon.
This support wave crashed on the shorelines of California on June 28th, 2018 when the California Consumer Privacy Act was hastily signed into law, following in the footsteps of the European General Data Protection Regulation.
WHAT EXACTLY IS THE CALIFORNIA CONSUMER PRIVACY ACT?
The CCPA is a groundbreaking Bill passed by the Government of California to promote greater transparency towards how a consumer’s personal data is being utilized.
The policies outlined in the Bill are set to go into effect on January 1, 2020. These policies will afford citizens of California with four basic rights pertaining to their personal data:
The Right to Opt-Out:
All California citizens aged 17 and above will have the right to ‘opt-out’ of the sale of their personal data to third parties. As stated in the CCPA Bill,
“A consumer shall have the right, at any time, to direct a business that sells personal information about the consumer to third parties not to sell the consumer’s personal information.”
To ensure users are aware of their right to “opt-out”, businesses must provide a clear and conspicuous link on the business’s Internet homepage, titled “Do Not Sell My Personal Information”.
This link must direct users to an Internet Web page that enables a consumer, or a person authorized by the consumer, to opt-out of the sale of the consumer’s personal information.
This “opt-out” law shifts to an “opt-in” law for users who are under the age of 16. Users between the ages of 13 and 16 must provide authorization for the business to sell their data to a third party.
For users under the age of 13, this authorization must be given by a parent or guardian.
The Right to Be Forgotten
While the “Right to Opt-Out” allows users to unauthorize the sale of their data to third parties, they also have the right to request that any business delete all personal data that they have collected directly from that consumer.
The “Right to be Forgotten” must also be explicitly disclosed to all customers by the business in a “form that is reasonably accessible”.
However, this is not as far reaching as the Right to Opt-Out, as businesses will not be required to comply with a consumer’s request to delete personal information if the request infringes on one’s right to free speech, or if the data collected is necessary to carry out the following:
- A business transaction for which the personal information was originally gathered, such as providing a good or service, or to execute a contract agreement between consumer and business.
- Detect security incidents such as any malicious or illegal activity, or to help prosecute the responsible party.
- Comply with a legal obligation
- Or, to utilize the data internally in activity that is reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business.
The Right to Equal Service
The CCPA also ensures that regardless of a consumer’s preferences to exercise their rights established within the Bill, a business cannot discriminate against any consumer.
For example, a user who selects to opt-out of the sale of their personal data to a third-party, or who requests a business delete their personal information cannot be:
- Denied goods or services by that business
- Charged a different price or rate for goods or services, including through the use of discounts or other benefits or the imposition of penalties on said consumer.
- Provided a different level of quality of goods or services
- Given the suggestion that they will receive different prices for goods or services or a different quality of goods or services.
The only instance in which a business is not obligated to abide by this article is if the quality or price of the good or service provided is directly correlated with the collection of a consumer’s personal information.
The Right to Know
Finally, the CCPA offers all users the right to know what personal data is being collected and for what reason. The California Consumer Privacy Act states that,
“A consumer shall have the right to request that a business that sells the consumer’s personal information, or that discloses it for a business purpose, disclose to that consumer:”
- The categories of personal information that the business collected about the consumer.
- Categories of personal information that the business sold as well as the categories of third-parties who received the information.
- The category or categories of information that were sold to a third-party.
- The categories of information that were disclosed for a business purpose.
Furthermore, upon the receipt of a verifiable request for information by a consumer, the business must disclose and deliver, free of charge, all requested information within 45 days.
The information disclosure must include all personal information collected by the business throughout the 12-month period prior to the receipt of request.
These four basic rights create the framework for the legislation. But it’s important to distinguish that these rights do not apply to everyone, and the CCPA details exactly who is protected under these newly established rights.
WHO IS PROTECTED UNDER THE CCPA AND WILL MY BUSINESS BE AFFECTED?
The CCPA is a California Legislation that will protect the data privacy rights of all California consumers.
A “consumer” is defined in the Bill as any “natural person who is a California resident”.
An important distinction about the protections outlined in this Bill is that all residents of California are protected under the CCPA regardless of whether they are located within the state or not.
So the same regulations apply to all California consumers regardless of their location including instances such as traveling out of state for business or leisure.
This protection places a unique responsibility on businesses to refrain from the collection of personal data of any California resident at any place and time, which could lead to a strong reliance on unique identifiers such as user ID and IP addresses to ensure compliance with the legislations outlined in the Bill.
In regards to which businesses are required to comply with CCPA guidelines, the CCPA will affect any for-profit business regardless of their physical location.
Furthermore, any for-profit business that:
- Has annual gross revenues in excess of $25 million.
- Buys, sells, or receives the personal information of 50,000 or more California consumers, households, or devices.
- Collects fifty percent or more of annual revenue from the sale of consumers’ private information.
will be subject to the laws set by the CCPA.
This will also include any business or entity that controls, or is controlled by, another entity that meets the aforementioned criteria, or that shares common branding with said parent entity.
This far-reaching definition aims to cover a broad range of businesses that may fall within the consumer data industry.
Compliance has become a large area of focus throughout 2019 for businesses that will be held to the policies laid out by the CCPA.
The enforcement of this new law, despite the challenges, can actually become a competitive advantage for early adopters.
In an article by Mitratech, they mentioned that, “Research done after the imposition of the GDPR found 62% of UK consumers felt more comfortable sharing their personal information after it went into law.
By showing they’re compliant, companies can get out in front of what’s become a seismic shift in consumer attitudes, where transparency is what drives trust”.
Keeping along with this line of thinking, it is important that businesses get ahead of the curve when it comes to compliance to ensure that all t’s are crossed and i’s are dotted, as the law also has put in place stiff penalties for those who are found to be in violation of the California Consumer Privacy Act.
WHAT ARE THE PENALTIES FOR NON-COMPLIANCE WITH THE CCPA?
As with all laws, there have been severe monetary penalties put in place for those who neglect to become compliant with the regulations put in place by the CCPA.
These penalties include a $3,500 fine for non-intentional violations and a $7,500 fine for what are deemed to be intentional violations of the CCPA.
Any business that is found to be in violation will be given a 30-day grace window to rectify the violation upon receiving notification of their noncompliance.
Additionally, the CCPA grants the right to citizens to put forward a class action lawsuit against any corporation in the instance of a data breach.
These class-action lawsuits could result in the payment of between $100 and $750 per incident, or could be greater than $750 if the damages exceed that amount.
HOW DOES THE CALIFORNIA CONSUMER PRIVACY ACT COMPARE TO THE EUROPEAN GENERAL DATA PROTECTION REGULATION (GDPR)?
The CCPA mirrors the European GDPR in many ways, mainly, in its objective to provide consumers with greater control over their personal information.
The GDPR provides users with the same basic rights given by the CCPA which we previously touched upon. However, there are many distinct differences in how these laws are enforced, who is protected under these laws, as well as the penalties that are incurred by companies who are found to be non-compliant.
Unlike the CCPA which explicitly offers protection solely to “consumers” who are natural persons (individuals) and residents of California, the GDPR’s protection is much further reaching and inclusive of all ‘data subjects’ who are natural persons, but does not specifically mention any guidelines in regards to necessary citizenship or residency within Europe.
Another distinction between the two is that the GDPR protects information that can be linked to any specific ‘household’, while the CCPA concerns itself only with the data of specific ‘individuals’.
Lastly, the GDPR requires compliance from all businesses, public bodies, institutions, and not-for-profit organizations while the CCPA only pertains to ‘for-profit’ organizations.
As previously mentioned, the CCPA and the GDPR offer their constituents similar rights to greater data privacy.
For businesses that may need to be dual-compliant, there are a few main similarities and differences that you should be aware of, as it pertains to these four basic rights.
The Right to Opt-Out
Both the CCPA and GDPR afford individuals the right to request that an organization refrain from the selling of their private data.
However, the means by which these rights are exercised vary tremendously between the two legislations.
As we mentioned, the CCPA offers consumers the ability to “opt-out” of the sale of their personal data to a third party, available through a link on the homepage of the business website titled “Do Not Sell My Personal Information”.
All consumers must be made aware of the data that is being collected and the purpose of collecting that data.
As long as those requirements are met, a business has the right to collect that information until a consumer independently chooses to exercise their right and “opt-out”.
The GDPR on the other hand requires an “opt-in” to data collection from all users if the reason for the data collection does not fall under one of several legal categories for which the data would be necessary, including:
- To execute a contract with the individual, for example, to supply goods or services that the individual has requested, or to fulfill obligations under an employee contract
- When data collection is necessary for any type of legal compliance
- Vital interests, or when the data collected is utilized to preserve one’s physical integrity or life
Since the GDPR has gone into effect, we have seen examples of this opt-in policy enforced on business domains that utilize cookie tracking in the form of a “cookie banner”, which requires that a user accept or decline that specific website’s data collection policy before entering the site.
The Right to Be Forgotten
Again, the CCPA and GDPR each offer consumers the right to request the deletion of all personal information that has been collected and/or sold to a third party, which has been the focus of a lot of businesses that have previously not had a good handle on this data after it has been distributed or sold.
Unlike the CCPA which does not define the scope in which a consumer request may be made and does not require a consumer to justify his or her reasoning for a request to be forgotten, the GDPR only allows for the deletion of consumer data if and only if:
- Consent is withdrawn, and there is no other legal reasoning for the continuation of the collection of personal data, or,
- If the data is no longer needed for the original purpose for which it was collected
Several differences also lie in the time frames within which a business must respond to a request for private data deletion.
The GDPR requires a business to respond to the consumer within 1 month of receipt of a qualifying request for deletion.
This is considerably shorter than the CCPA which requires a business to respond within 45 days.
The Right to Equal Service
Consumers who fall under the protection of the GDPR and CCPA are provided protection against discrimination of services based on their decision to exercise their rights towards data privacy and protection.
However, the GDPR is less specific as it does not explicitly define the scope in which users are protected from discriminatory action based on these preferences.
The language within the Bill does state that regardless of their choice consumers should be processed ‘fairly’.
While there is no exact definition for what ‘fair’ processing entails under this Bill, the focus remains on ensuring that regardless of one’s choice to opt-in or not they cannot receive different treatment as it pertains to the receipt of goods and/or services.
The Right to Know
The final commonality between the four main rights provided in both the CCPA and GDPR is the consumer’s right to know what private data is being collected, and why.
This also includes a consumer’s right to request full disclosure of exactly what data is being collected, along with any third-parties who have received their data.
The main distinction between the two lies in the specific length of time that the disclosure report must cover.
The rights outlined by the GDPR apply to all personal data that has been collected from the consumer making the request, meaning that the specific consumer must be made aware of all personal data collected by the business.
Included in the response must also be information regarding the period of time in which that data was retained by the business, information relating to the consumer’s right to file a complaint, as well as any data transfers that occurred with that specific individual’s data.
WHAT IS CONSIDERED PRIVATE INFORMATION BY THE CCPA AND GDPR?
Now that the groundwork has been laid in regards to both the CCPA and the European GDPR, there has been a lot of emphasis put on ‘private information’, and ‘personal data’ but what exactly does that include?
Unfortunately, the answer is not as black and white as one would hope, and the definition is up for interpretation in both the Californian and European privacy regulation bills.
As has been written within the California Consumer Privacy Act, personal information is defined as,
“information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to, the following if it identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household”
This information includes identifiers such as real name, alias, postal address, unique personal identifiers such as IP address, email address, account names, social security numbers, driver’s license numbers, passport numbers, or other similar identifiers.
Similarly, the European Commission defines ‘personal data’ as any information that relates to an identified or identifiable living individual.
Different pieces of information which, collected together, can lead to the identification of a particular person also constitute personal data. The Commission follows this with examples similar to those listed in the CCPA.
These loose definitions of key pieces of information make it increasingly difficult for businesses to gain a firm grasp on the steps they need to take in order to ensure full compliance with the CCPA and GDPR.
WHAT’S NEXT FOR PRIVACY REGULATIONS IN THE UNITED STATES?
The California Consumer Privacy Act is slated to go into effect on January 1, 2020.
Since its approval, many other states have made a push to pass their own versions of online privacy law to help give more rights to consumers in regards to their private data.
Nevada has followed suit with the passing of the “Nevada Senate Bill 220 Online Privacy Law”, which requires businesses to offer consumers the right to opt out of the sale of their personal information to third-parties, much like the requirements listed in the CCPA.
Similarly, Maine and New York are two states that have also made efforts to pass stricter privacy laws for their citizens.
With the inevitable continuation of state-by-state legislation, hopefully soon will come a day where our Government can push for a federal law to help give equal privacy rights to all citizens of the United States, as it will start to become increasingly difficult for businesses to be compliant with all individual state laws as it pertains to the preservation of online privacy.
WHAT DOES THE CCPA MEAN FOR DIGITAL MARKETING?
As a marketer, the biggest question we can ask is how will the CCPA affect the industry and the way in which we are able to execute a targeted marketing campaign?
And the short answer is that there is no way to know right away.
Putting into perspective the guidelines laid forth by the CCPA, we can only speculate the number of users who may decide to exercise their right to opt-out of the sale of their personal data.
We can also only speculate as to what effect this would have on digital marketing, but as leaders in the space we will continue to be on top of the changes that are brought along with the enactment of the CCPA beginning in January of 2020.
But let’s think about this for a minute.
For years, companies have been heavily reliant on consumers granting access to location data from their personal devices, despite any skepticism in regard to what that information is being used for.
It is an important trade-off that a majority of consumers are willing to accept: we give information about ourselves to help provide businesses with the ability to give us a greater ‘user experience’.
It is no secret that data and technology help facilitate meaningful and mutually beneficial relationships between consumer and business, and we speculate that this view will not change based on the regulations passed in the California Consumer Privacy Act.
But what if a large majority of users begin to opt-out of the sale of their personal data?
From what has been outlined in this paper, it is easy to see that all forms of behavioral targeting will be greatly impacted by the CCPA, as access to third-party private data becomes severely limited as users begin to opt-out.
So where would this leave us?
We speculate that digital marketing will start to see a larger shift towards utilizing first-party data, as well as a shift in focus towards contextual targeting to reach one’s ideal audience. Along with this shift to contextual targeting will most likely be a transition from Open Exchanges to Private Marketplaces, or PMPs.
This transition will create high demand from marketers to secure inventory that is contextually relevant to the good or service that is being advertised without the utilization of behavioral data such as keyword searches, geo-fencing data, and other online site browsing activity for insight and access to their ideal user.
While these are just speculations, it is important to think about the various possibilities that await the industry on the other side of 2019.
The California Consumer Privacy Act is only the beginning of privacy regulation in the United States.
As we have seen, these regulations aim to help give greater control to consumers over their personal data, how it is shared, collected, stored, and sold.
Here at Conduit and as a leader in the Digital Marketing space, we will continue to analyze the impact that the CCPA has on the industry, and share how we are continuously staying ahead of the curve to ensure that we continue to provide high performing marketing campaigns for our industry partners in 2020 and beyond.