Last year we shared our Definitive Guide for the GDPR. Now it’s time to unpack the latest in privacy legislation - the CCPA. We’ll outline what the CCPA is, how it impacts ad tech, how to comply, and where you can learn more.
Written for publishers who want to understand how their ad monetization is affected, this article explains the California Consumer Privacy Act of 2018 (CCPA).
The CCPA, or California Consumer Privacy Act, is a state law that grants California residents greater control of their personal data - similar to the GDPR for European residents.
The CCPA applies only to larger companies doing business in California:
The CCPA was approved by former Governor Jerry Brown in June 2018 and became effective January 1, 2020. While it won’t be enforced until California’s Attorney General publishes the new law’s regulations - which it has until July 1, 2020 to do - the CCPA includes a lookback window covering any personal data collected on California consumers from January 1, 2019 onward.
Like the GDPR, the CCPA allows consumers to determine how their data will be used and requires companies (that meet its thresholds) to impose tighter restrictions on how they collect and process personal data.
While both the GDPR and CCPA offer consumers strong personal data protection, impact businesses regardless of HQ location, consider cookies personal data, and curtail programmatic advertising, the CCPA is not simply an American or “light” version of the European law:
Penalties - CCPA: $2,500 for unintentional breaches; up to $7,500 for intentional breaches. GDPR: capped at 20M Euros or 4% of global annual revenue, whichever is higher.
While opt-out may sound better to publishers than opt-in consent, according to a recent poll by BritePool and Annenberg Research, 87% of consumers would choose to opt-out of ad targeting.
That being said, as long as a user hasn’t opted out, you may continue to do cookie matching, interest targeting, frequency capping, programmatic ads, and so on.
Here’s where things get trickier, as the CCPA defines “personal information” broadly as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household”. This includes browsing and search history, mobile IDs, IP addresses, and geolocation data.
It also covers pseudonymised data if it can be linked back to an individual consumer.
The Attorney General defines a “household” as a person or group occupying a single dwelling, whether that group consists of family members - or the roommate you found on Craigslist.
Businesses must also consider the personal information collected on residents’ devices; if a user opts out on one device, you must honor that request on all of their devices - as well as all of the devices of everyone they live with!
The term “reasonably be linked” is also a sticking point; it will be up to California’s Attorney General to determine what is a reasonable thread.
The CCPA’s definition of PII also covers information used to identify consumers “to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes”. Essentially, this is any information that advertisers could use to build a personal preference profile.
Businesses must state whether or not they sell PII in their privacy policies. If they do, they’ll also need to determine whether data broker laws apply to their business model. This broad definition could impact how publishers share data with ad exchanges, ad networks, DMPs, DSPs, analytics platforms, and more.
Under the CCPA, you must allow California residents to opt-out of the sale (per the above definition) of their personal information. Once they opt-out, you must honor that request moving forward.
CCPA defines those “business purpose” use cases as:
Under the CCPA, you are not required to offer an opt-out for cookies required for site performance, such as remembering items in a shopping cart, shipping information, or website analytics (we have a separate article on CCPA and Google Analytics). The opt-out is specifically for preventing any future data selling.
So, how will the CCPA impact your monetization efforts?
Even if you do meet these requirements, there are two important points:
There are a few scenarios that would fit under ad tech here:
Scenario: You use 1st-party data (aka, email address given in a registration form) or device IDs (like browser cookie or IDFA) to optimize what content is promoted.
Considerations: This would likely fall under “business purpose” because it’s required for best user experience. In that case, users cannot opt-out of this data usage.

Scenario: You use the same data in your in-house ad server (such as behavioral targeting or for frequency capping), where advertisers are buying against those profiles, but no actual PII is shared with the advertisers.
Considerations: As no PII is being “sold”, users cannot opt-out of this data usage (but further clarifications may deem that not so).

Scenario: You show ads based on what a user searches for or based on the page’s context (aka category targeting).
Considerations: No PII is used here - totally fine, and the user can’t opt-out of these ads.

Scenario: You buy PII from a 3rd-party data provider and use that to personalize content.
Considerations: CCPA doesn’t explicitly penalize for PII purchases, so you could use that for on-site targeting.

Scenario: You have PII of your users and that data is shared with infrastructure partners like Kevel or AWS.
Considerations: These partners would be considered service providers and sharing data with them does not fall under CCPA’s definition for “selling”, especially since you’re probably using them for a “business purpose”. But if a user asks to be deleted, you should delete their PII if saved on these platforms.
If you collect PII and then re-sell it, you can keep doing so as long as the user hasn’t opted out. If they request data deletion, you need to delete it from your system and (likely) request deletion from partners.
When you send an ad call, you are likely populating it with what’s considered PII, like an IP address or mobile ID. Additionally, when you send an ad request, you’re sharing that data with many companies in the ad tech chain. If the user hasn’t opted out, this is allowed.
Now, what happens if the user opts out of data being sold? Well, it’s not 100% clear. As mentioned, the CCPA requires honoring opt-outs in situations where you are disclosing PII to a third-party for “monetary or other valuable consideration”.
Many will likely argue that with an ad call you aren’t selling the PII, and the money you make isn’t due to the ad network paying you for the information. Ergo, you aren’t sharing the info for money.
That said, this is a bit of a stretch. Programmatic advertising uses PII to increase the value of that impression. Adding in location and IDs can greatly heighten your eCPMs, so sending a user’s PII in exchange for a more valuable bid seems to certainly fall under the law.
If any of the following applies to you, you’ll need to comply:
Let’s break this into four steps:
(1) Conduct a data audit
We recommend a detailed audit and risk assessment of the data you have, how it’s used, and whom you share with (you likely did this for GDPR too). You’ll want to identify what partners you have shared data with, regardless of whether it was for a sale or a business purpose, since January 1, 2019.
For instance, if you’re doing programmatic advertising or data sales, be prepared to provide a list of everyone involved (such as ad servers, exchanges, DMPs, DSPs) to fulfill consumer requests. Group these into categories, noting that any new partner will require you to update your records.
(2) Update your privacy policy
Your privacy policy will need to:
(3) Update your website
Under the CCPA, you’ll need to display a “Do Not Sell My Personal Information” link for California residents:
If you’re not exclusively online and/or you don’t have direct relationships, your “do not sell” link must offer at least two opt-out options, including a web page and a toll-free number. You’ll also need to provide a link to that page in your privacy policy and on your homepage footer. The CCPA defines “homepage” as “any internet web page where personal information is collected”.
The IAB published its CCPA Compliance Framework in December 2019, shortly after compliance software companies such as Truyo started to create options for their customers.
(4) Make data rights actionable
You’ll want to develop an internal process to delete data upon consumer request or cease data sharing upon opt-out. Most likely this will be manual, such as creating a dedicated email address the user has to contact, which is then directed to the relevant party (a product manager, IT team, ad ops, etc). That person would then enact measures to honor the request, like deleting the data from internal or external databases. In addition, if you do sell PII, you’ll need to exclude that user’s data from future sales, either manually or through automated exclusion lists.
For publishers doing programmatic advertising or sending ad calls to a third-party, it gets a little trickier, as you’ll have to strip PII for that user in future ad requests, including IP, mobile IDs, cookie syncing IDs, etc. There are a couple of potential paths here:
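As an added illustration of step (4), here is a small Python sanitizer that keeps an automated opt-out exclusion list and strips the PII fields named above (IP, mobile IDs, cookie sync IDs, location) from later ad requests. This is example code written for this article, not anything from Kevel or the IAB; the request field names, the sample request and the use of the IAB US Privacy String to pass the opt-out downstream are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Fields in an outgoing ad request treated as PII (assumed field names).
PII_FIELDS = ("ip", "idfa", "gaid", "cookie_id", "sync_ids", "lat", "lon")
# Identifiers by which an opted-out consumer is recognised on later requests.
IDENTIFIER_FIELDS = ("idfa", "gaid", "cookie_id")


@dataclass
class OptOutRegistry:
    """Exclusion list of device/cookie IDs for consumers who opted out of sale.
    An opt-out must cover all of a consumer's devices, so record_opt_out()
    accepts every ID linked to that consumer at once."""
    excluded: set = field(default_factory=set)

    def record_opt_out(self, *identifiers: str) -> None:
        self.excluded.update(i.lower() for i in identifiers if i)

    def is_opted_out(self, request: dict) -> bool:
        ids = (str(request.get(f, "")).lower() for f in IDENTIFIER_FIELDS)
        return any(i and i in self.excluded for i in ids)


def sanitize_ad_request(request: dict, registry: OptOutRegistry) -> tuple[dict, list]:
    """Return a copy of the ad request that is safe to send, plus the fields removed.

    If the consumer is on the exclusion list, every PII field is dropped and the
    IAB US Privacy String is set to '1YYN' (version 1, notice given, opted out of
    sale, no LSPA) so downstream partners also see the opt-out. Other requests
    pass through unchanged apart from the string ('1YNN': notice given, no opt-out).
    """
    opted_out = registry.is_opted_out(request)
    out = {k: v for k, v in request.items() if not (opted_out and k in PII_FIELDS)}
    removed = [k for k in request if k not in out]
    out["us_privacy"] = "1YYN" if opted_out else "1YNN"
    return out, removed


if __name__ == "__main__":
    # Constructed sample: the consumer opted out on their phone (IDFA); their
    # laptop cookie is registered too, honouring the all-devices rule.
    registry = OptOutRegistry()
    registry.record_opt_out("AAAA-1111-IDFA", "cookie-laptop-42")
    req = {"page": "/news", "ip": "203.0.113.7", "cookie_id": "COOKIE-LAPTOP-42",
           "sync_ids": {"dsp1": "x9"}, "lat": 37.77, "lon": -122.42}
    clean, removed = sanitize_ad_request(req, registry)
    print(clean, removed)
```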
It will pay (or in this case, save) to be fully compliant to avoid penalties.
Unintentional violations of the CCPA may result in fines of $2,500. Intentional breaches of the CCPA can result in fines of up to $7,500.
Individual consumers can also sue for $100 to $750 per breach or actual damages, whichever is higher. We’ll likely see a spike in class action lawsuits this year.
California Governor Gavin Newsom signed seven related bills into law on October 11, 2019. After multiple public hearings and comment periods, California Attorney General Xavier Becerra issued the final, approved regulations on August 14, 2020.
Proponents of the CCPA also drafted a November 2020 ballot initiative - The California Privacy Rights and Enforcement Act of 2020. The CPRA has passed and will be enforced in January 2023. The CPRA will further expand CCPA consumer protections and redefine a “business” as having 100K or more consumers/households.
Great! We hope we’ve shed some light on the CCPA. It’s confusing, for sure, but there are plenty of resources to help you navigate this unique legislation.
We've also created some resources for other new privacy laws. Are you ready for Brazil's LGPD, Thailand's PDPA, and the EU's GDPR?
Here are a few additional sources that may prove helpful in your quest for compliance: