Everything Marketers Need to Know About the California Consumer Privacy Act

There's still confusion in the industry over CCPA, which goes into effect on Jan. 1

The California attorney general's guidance on how his office would enforce CCPA and interpret the law has done little to ease concerns. Illustration: Trent Joaquin; Source: Getty Images

For companies tasked with addressing issues of data compliance, the California Consumer Privacy Act has been a moving target.

The law, which California hastily passed in June 2018, will govern the way companies collect, use and share consumer data once it goes into effect on Jan. 1. While there was hope that a federal data privacy law would preempt CCPA, none has gained any traction on Capitol Hill. That leaves marketers and industry groups looking west to understand what they need to do to avoid being whacked with lawsuits in 2020.

After months of internal negotiations between its stakeholders, the IAB and its affiliated standards body opened its proposed CCPA Transparency Consent Framework to public comment through Nov. 5. The framework proposes a “master contract” that would bind publishers’ ad-tech suppliers to a code of conduct that complies with the law, and  it offers guidance on the correct conduct when consumers opt out of targeting. This comes weeks after California Attorney General Xavier Becerra issued guidance on how his office would enforce CCPA and interpret the law.

However, there is still confusion over how the law deems the activities of the online ad industry’s middlemen, and the latest guidance from Becerra has done little to put the industry at ease when it comes to understanding where the burden of liability lies.

As was the case with the EU’s General Data Protection Regulation, or GDPR, CCPA-compliance preparations are likely to run into the eleventh hour.

Here’s a look at the letter of the law and what it means for various stakeholders:

What does CCPA mean for consumers?

Under CCPA, consumers who reside in California will be able to opt out of having their data collected, shared or used. According to the current version of CCPA, the opt-out clause means websites will have to provide a clear “do not sell my personal information” button.  The law gives consumers the right to ask a business twice a year for a report outlining all the data it has collected on them, and it gives consumers the right to tell businesses not to sell that data and to delete it. Consumers will be able to find out which categories of data have been collected on them and with which parties their data has been shared along with the commercial purpose for acquiring the data.

CCPA extends to consumers new rights when there’s been a data breach, including the right to sue for up to $2,500 per violation and $7,500 for intentional violations.

What does CCPA mean for agencies and brands?

Agencies and brands that have their own data management platforms will have to have the infrastructure to track the data they have on each consumer, and they will need to invest in storing it securely. Neil Sweeney, founder and CEO of Freckle IoT, a data company specializing in measurement and identity, said agencies and brands that don’t have a way to get gain for using consumers’ data will have “serious problems.”

“There is a very high probability that they will have to drain those data lakes that they just paid $5 billion for,” Sweeney said. “For everyone else, they will be scrambling to find new, compliant sources of data and will have massive sticker shock at what that data will cost. Most brands will now have to vend in and create their own data stacks versus relying on third parties.”

Changes to compliance may also mean agencies and brands will have a harder time reaching all the consumers they want to reach.

“It’s in an agency’s best interest to have as many places to spend on the internet as possible,” said Danny Sepulveda, vice president of global government relations at MediaMath. “The degree to which the law encourages and hides folks from visibility to either agencies or advertisers will have a serious effect on [marketers’] ability to obviously reach people, or [reach them] on a basis that is personalized and relevant to them.”

What does CCPA mean for platforms and publishers?

Any for-profit publisher with more than $25 million in annual revenue doing business or with consumers in California, or any publisher that collects personal information from more than 50,000 people must comply with CCPA. Alan Friel, a partner at the law firm BakerHostetler, said major publishers and social media platforms won’t have to worry about the CCPA’s opt-out clause as much as smaller websites that rely on third-party ads.

“[Facebook and Google] do not need to share personal information with third parties to send targeted ads,” Friel said. “They can also supplement what they have with a brand’s data, and the brand can share that with the platform even if a consumer has opted out under the CCPA as long as the platform agrees as a service provider not to share the data with third parties other than its own service providers.”

However, as with GDPR, publishers will likely have to ensure their ad tech supply chain is in compliance with the law. The aim of the IAB’s compliance framework is to provide a template to achieve this.

Celine Guillou, counsel at Hopkins & Carley, said CCPA requires that data collection notices are articulated in “plain and clear English,” but the wording of the latest guidance points to a potential situation in which  users will be bombarded with consent-request notices. “People’s heads are going to be spinning, especially when companies are going to be collecting more information than just a name and an email,” Guillou said.

Guillou’s clients are asking questions about how best to categorize their service providers as they try to establish whether certain web pages need to have a “do not sell my information” button, she said.

What does CCPA mean for ad tech?

Ad tech will likely be hit hardest by the new law. People may be willing to give data to a brand or publisher they trust, but providing access to an unknown company within the vast ecosystem of ad tech is another matter. Turning off the data spigot may affect digital ad CPMs if there is less data available to make ads relevant.

There’s some concern about how the law will be interpreted, particularly as it pertains to the selling of data. Because of the “do not sell” option required by the law, it’s unclear whether selling data will be interpreted as only an exchange of money or whether the terminology could be broadly interpreted to consider other kinds of value exchanges a sale.

“The definition of what constitutes a sale will have a big impact on what that leads in the space for those consumers who choose to opt-out,” Sepulveda said. “We don’t really know how many consumers will choose to opt out—[recent data suggests opt-out rates could be as high as 87%]—or, at this point, what that will mean effectively for inventory or addressable inventory for advertisers and what it’ll mean for competition as well.”

Others think the definition is too narrow. Johnny Ryan, chief policy and industry relations officer for Brave, said the bill may not prevent companies from sharing data from consumers’ secret browsing history, which already happens with real-time bidding systems.

The regulations governing service providers—in this instance, ad- or mar-tech companies used by publishers—is also a cause for concern among some in the industry. The law allows service providers “to combine personal information received from one or more entities to the extent necessary to detect data security incidents or protect against fraudulent or illegal activity” but prohibits them from using “any personal information it received either from a person or entity it services or from the consumer’s direct interaction with the service provider for the purpose of providing services to another person or entity.”

But, that section does not contain any explicit reference to companies that operate in the advertising industry, Guillou said.

“It kind of leaves us hanging,” she said. “With ad tech in particular, one of the questions that has come up is whether or not the companies that collect cookies for real-time bidding [such as ad exchanges] will be able to define themselves as a service provider or not.”

What happens next?

Even as January draws closer, there are last-ditch efforts to amend the bill. Even if changes aren’t made to the actual legislation, the state’s justice department could still interpret various parts of the law in different ways that will only become clear once the law goes into effect.

Becerra is slated to hold hearings across the state in early December to gather feedback from consumers and businesses on how the legislation will affect them. Groups such as the Network Advertising Initiative and the Association of National Advertisers have provided the DOJ opinions on behalf of their members. In the meantime, industry groups are urging members to take the current version of the bill seriously.

“If you haven’t taken a real hard look to see if you’re covered or not, you’re almost already out of time,” said Dan Jaffe, group evp of government relations for the ANA. “You better do it now. Don’t be surprised when they come knocking on your door.”

NexTech, July 27-30, 2020 Don't miss Adweek NexTech, live this week, to explore privacy, data, attribution and the benchmarks that matter. Register for free and tune in.

@martyswant martin.swant@adweek.com Marty Swant is a former technology staff writer for Adweek.
@ronan_shields ronan.shields@adweek.com Ronan Shields is a programmatic reporter at Adweek, focusing on ad-tech.
Publish date: October 30, 2019 https://dev.adweek.com/digital/everything-you-need-to-know-about-the-california-consumer-privacy-act/ © 2020 Adweek, LLC. - All Rights Reserved and NOT FOR REPRINT