The California Consumer Privacy Act (CCPA) became law on Jan. 1, 2020, and ad tech companies are among those businesses that must inform consumers of any personal data being collected and then give those consumers the option to have it deleted.
Guaranteeing consumers greater control over their privacy is not an impossible ask, but it will take planning to ensure that the law is properly followed so that fines can be avoided and greater trust can be established with customers. Greater transparency is not only considered beneficial to consumers, but also to companies as customers will gravitate towards companies that provide them with greater privacy and control over their data.
While CCPA is a state law, in reality it’s considered a national law because companies are expected to institute any privacy changes company-wide, which often means nationwide. The law applies to any business in California that has at least $25 million annually in revenue or makes at least half of their revenue from buying, selling or gathering consumer data from at least 50,000 Californians.
The CCPA is seen as a reaction to the growing public demand for privacy protection laws, especially after revelations from companies like Facebook and Google that user data was not kept private. Eventually, Congress is expected to get involved and enact a federal privacy law.
Brian Midili, director, client strategy and analytics, who acts as a privacy ambassador at Nielsen, says he believes the CCPA is a step in the right direction.
“For consumers to be able to request access to or deletion of their data, for example, goes a long way towards allowing consumers to have more control over their personal data,” he says. “It also helps businesses to gain consumers’ trust and confidence.”
No business can afford to ignore CCPA or the predicted changes coming from the federal level. Here’s some things adtech companies need to know:
- Disclosure is required. Companies must disclose whatever data they are collecting on consumers through a website or a phone number. A “Do Not Sell My Personal Information” button must be included on company websites. This will apply to companies that do business in California – or even have a website that is displayed in California, which has the fifth largest economy in the world.
- Deletion is mandatory. If a consumer requests it, companies must delete that consumer’s personal data and not sell it to third parties.
- Discrimination is banned. If a consumer requests that information be deleted, a company will not be able to refuse to serve the customer or charge more to that person.
- Acknowledgment required of personal data. Among the “personal data” that a company must reveal and delete upon request: biometrics; internet browsing information; any products a consumer buys or considers buying; geolocation data; academic and employment information and inferences drawn to create a profile about the individual to reflect preferences, attitudes, etc. For each category of personal information identified, a company must reveal the source of the information, whether it’s directly from the individual, indirectly through a third party or from company observations.
- A detailed road map is necessary. Companies will be required to identify: all the entities that are given access to consumer information; if there is a contact with that entity; the purpose for such access; and whether the entity may use the information for its own commercial purposes. In addition, consumers are entitled to know where the information is stored, in what format it is stored and who is responsible for maintaining that information.
While the California attorney general is charged with enforcing the law and levying fines up to $7,500 for intentional violations, critics say that in reality the state attorney general really doesn’t have the resources to undertake such a huge task. In addition, there is a “cure” provision that allows companies to take action to fix the violation and avoid penalties. Consumers can sue for $100 to $750 if a company gets hacked, but class action law firms may be unwilling to take on the cause in such an event since companies can opt for the “cure” rule and avoid monetary punishment.
While that may be somewhat reassuring to adtech companies, CCPA causes plenty of other headaches. For one, at least 27 states are crafting some kind of privacy law, and since they aren’t copies of CCPA, it could lead to adtech companies complying with dozens of different privacy laws. For another, having a one-size-fits all federal law doesn’t look promising anytime soon with a fractious Congress that hasn’t been able to settle on a law for security breaches in nearly a decade of attempts.
Midili and Guru Gowrappan, group CEO of Verizon Media, say they would rather see one federal law rather than a mishmash of state laws.
Still, any law will bring challenges. Grant Whitmore, chief digital officer at Tribune Publishing, told AdAge that the publisher of the Chicago Tribune, Baltimore Sun and New York Daily News is facing some real challenges if consumers opt out of having their data collected and they use a Safari browser that retires a person’s cookie after 24 hours.
“What happens if we don’t see you again?” he wonders. “We don’t know who you are anymore without cookies.”
How and When to Seek Permission
Further, how and when will companies seek permission from consumers if they are using multiple devices? Coupled with the changes that browsers have made with cookies “has created a scenario where it feels like we’re walking in a minefield,” Whitmore says.
Gowrappan says that Verizon is trying to figure out a way to simplify the customer privacy process so that consumers aren’t constantly faced with pop-ups that ask them to read lots of fine print.
“It’s hard to go through that list and say do I agree with this, do I consent, do I share that data?” he says. “The biggest thing we are working on now is, how do you improve the user experience?”
Guy Flechter, chief information security officer at AppsFlyer, says that another issue for adtech companies is that if “implied consent was once acceptable, we know that is no longer the case.
“This has forced some companies to build consent management mechanisms into their products and others to look for other suitable solutions. As the regulators continue to demand compliance with basic principles such as transparency and lawfulness, we believe this will force additional changes in how the ad tech industry works.
Some may believe – erroneously – that as long as they’re following the European Union’s General Data Protection Regulation (GDPR) that took effect in 2018, then they’re OK under CCPA.
There are enough differences that if companies don’t update and customize their data policy, they could run afoul of CCPA rules and face legal action.
What exactly are the differences and similarities? Consider this information from PwC:
Of course, for some companies one of the first challenges may be determining what data they have on consumers – and then preparing for some public backlash once consumers determine the expanse of data that firms have collected on them.
The bottom line is that just like other regulation compliance issues, CCPA is going to cost companies money. For example, the Tribune has put a privacy expert on board to figure out who its website it working with, where the data is going and if the data will be in compliance with CCPA. It has also hired an outside vendor to help it deal with the new regulations.
CCPA Concerns and Costs
In a review released by California’s Department of Finance, it’s estimated that CCPA could cost companies a total of up to $55 billion in initial compliance costs. Companies with fewer than 20 employees can expect costs around $50,000 to become compliant in the beginning, while organizations with more than 500 workers could see an average of $2 million from the outset to become in line with the law. In the next 10 years, total compliance costs for all businesses could range from $467 million to more than $16 billion, the report says.
The report also notes that under GDPR, smaller companies took on a disproportionately bigger piece of compliance costs, and the same is likely to happen under CCPA.
Still, many of the concerns about GDPR “appear to have been overstated,” researchers say. While smaller companies may have struggled to meet compliance expenses, the largest technology companies “are often several steps ahead of both competitors and regulators,” they say.
Finally, on a promising note, the report states that CCPA may provide a “future competitive advantage” for affected companies because it will create “additional barriers to entry for future competitors considering entering into the California market. Moreover, if the CCPA is a precursor for future privacy regulations at the additional state or federal level, then firms already in compliance with the CCPA will have a competitive advantage over firms that are not.”