A CCPA Compliance Checklist for Publishers

The California Consumer Privacy Act (CCPA) was passed in 2018 and is under enforcement action until July 1, 2020. The rules in CCPA are designed to improve user privacy and data protection, much like the EU’s General Data Protection Regulation (GDPR).

CCPA has done a fine job of defining user data and allowing users to opt out of sharing it. The law is only applicable to businesses that target California residents/consumers. It covers a variety of businesses dealing in users’ data, directly or indirectly.

Non-compliance penalties can range from $2,500 for a non-intentional violation to $7,500 for an intentional violation. Here’s a CCPA compliance checklist for publishers to avoid these penalties.

Understand Why Publishers Are Impacted

CCPA is applicable to all for-profit companies conducting business in California that collect user data, directly or indirectly, in order to do business. Technically speaking, CCPA should impact you if you:

  • Deal in personal information of 50,000 or more California residents
  • Earn half of your revenue by selling or purchasing consumer information
  • And/Or your annual gross revenue is above $25 million

Here’s how publishers are impacted: You might not buy/sell user data directly. However, when you enable user targeting, you share a range of information with your advertisers so that they can show relevant ads. Beyond that, all the intermediary parties (SSP, DSP, ad exchange) in the supply and demand chains get to see and access the user data. If your primary source of income is advertising, then you are definitely impacted by the CCPA.

User Data Defined by the CCPA

Let’s understand the user data as defined by the CCPA.

  • User identifier: Name, email address, IP address, postal address, social security number, driver’s license number, passport number, and other details related to user’s identity
  • Internet activity: Browsing records, search history, preferred device (mobile, desktop, and tablet), engagement details with web, app and ad
  • Business records: Buying pattern, frequent purchases, item in consideration, purchased product
  • Other data: Profession-related data or employment details, biometric data, geolocation data, educational data
  • Pattern emerging from above data: Preferences, attributes, cognitive patterns, biases, outlooks, intelligence, abilities, and competencies

What’s in it for publishers: You use cookies to identify users over the internet. These cookies can be programmed to store username, IP address, geolocation data, and more.

What to Do and Where to Start

Publishers should understand that, with CCPA in action, users are allowed to choose not to share their personal information. This means publishers are required to build systems where users have the option to opt out of sharing their personal data. Here’s where to start:

1. Go Through Your Data Collection Process

Learn what kinds of platforms you are using for data collection, including Google Analytics, AdSense, Google Ad Manager, and other third-party services. Next, ensure these platforms provide options to make your data collection process CCPA compliant.

Figure: Google Analytics user data

2. Get Started With Consent Management

Once you understand what data you are collecting and how it is being used, the next step is to implement a consent management system.

Here, publishers can either design an in-house consent management system or partner up with Consent Management Platforms (CMP).

CMPs are companies that take responsibility for collecting, storing, and processing user data in line with users’ consent. Partnering up with a CMP should help publishers with CCPA, GDPR, and IAB’s Transparency and Consent Framework.

Publishers equipped with technical knowledge can try their hand at building in-house consent management systems. While this will take effort and time, managing consent in-house should save money and make the system more flexible.

3. Make Your System CCPA Compliant

As discussed, Google platforms, like Google Analytics, AdSense, and Ad Manager store user data and now provide options to turn on CCPA compliance.

Steps to make Google Analytics CCPA compliant:

  • Go to Admin >> CCPA settings.
  • Choose to Restrict data processing.

By restricting data processing, publishers stop user data from being sent to ad servers for further processing (cookie matching, audience segmentation).

Steps to Make Prebid CCPA Compliant:

In order to make Prebid CCPA compliant, publishers would require a CMP. The CMP provides a piece of consent management code to be placed in the Prebid header code. This code fires every time a Prebid auction runs, asking users for permission to store and use their data. The auction then proceeds on the basis of the user’s decision.

Here’s an example of Prebid consent management code:

    var pbjs = pbjs || {};
    pbjs.que = pbjs.que || [];
    // Queue the configuration so it is applied once Prebid.js has loaded
    pbjs.que.push(function() {
      pbjs.setConfig({
        consentManagement: {
          gdpr: {
            cmpApi: 'iab',
            allowAuctionWithoutConsent: false, // suppress auctions if there's no GDPR consent string
            timeout: 3000 // GDPR timeout 3000ms
          },
          usp: {
            timeout: 100 // US Privacy timeout 100ms
          }
        }
      });
    });

Similarly, demand partners and advertisers are required to update their systems, so that when this code runs, the demand-side system does not throw an error executing it.
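An added example (not from the original article, Prebid, or any CMP): a minimal in-house handler for the IAB US Privacy API that the usp block above waits on, answering synchronously so it stays inside the 100ms timeout, with a parser that fails closed on malformed strings. The function names, the sample visitor, and the allow/deny policy are assumptions of this example.

```javascript
// Added example; all function names here are hypothetical.

// Encode consent state as a version-1 US Privacy string:
// [version][notice given][opted out of sale][LSPA covered], each flag Y, N or -.
function buildUspString(state) {
  const flag = (v) => (v === true ? 'Y' : v === false ? 'N' : '-');
  return '1' + flag(state.noticeGiven) + flag(state.optedOut) + flag(state.lspaCovered);
}

// Parse a US Privacy string; return null when malformed so callers fail closed.
function parseUspString(value) {
  if (typeof value !== 'string') return null;
  const s = value.toUpperCase();
  if (!/^1[YN-]{3}$/.test(s)) return null;
  return { version: 1, notice: s[1], optOut: s[2], lspa: s[3] };
}

// Policy assumed for this example: share user data for targeting only when the
// string is valid and either CCPA does not apply ("1---") or notice was given
// and the user has not opted out. Anything else falls back to contextual ads.
function allowsPersonalisedAds(value) {
  const p = parseUspString(value);
  if (p === null) return false;
  if (p.notice === '-' && p.optOut === '-' && p.lspa === '-') return true;
  return p.notice === 'Y' && p.optOut === 'N';
}

// Build the handler a page would expose as window.__uspapi.
function makeUspApi(getState) {
  return function uspApi(command, version, callback) {
    if (command === 'getUSPData' && version === 1) {
      callback({ version: 1, uspString: buildUspString(getState()) }, true);
    } else {
      callback(null, false); // unknown command or unsupported version
    }
  };
}

// Constructed sample: a visitor who was shown the notice and has not opted out.
const visitor = { noticeGiven: true, optedOut: false, lspaCovered: false };
const uspApi = makeUspApi(() => visitor);
// In a browser, before Prebid loads: window.__uspapi = uspApi;

// Read the current string the same way a caller of the API would.
function currentUspString() {
  let out = null;
  uspApi('getUSPData', 1, (data, ok) => { out = ok ? data.uspString : null; });
  return out;
}
```

When the visitor uses the opt-out control, setting `visitor.optedOut = true` changes the string from `1YNN` to `1YYN` on the next auction.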

How Does User ‘Opting-out’ Affect Publishers?

A user opting out doesn’t mean publishers can’t show ads to them. It means that publishers can’t fill in the user’s details (cookie information) and share them with advertisers. This will restrict advertisers from showing targeted ads on the publisher’s website.

In such a case, publishers can use contextual targeting to show ads relevant to their website (niche). This targeting method does not use cookies or any other personal user data. Similarly, publishers can experiment with a mix of contextual and native advertising to serve user-friendly, non-intrusive ads.

What About Publishers Who Are Already GDPR Compliant?

Then things get easier for them.

Chances are, GDPR compliant publishers are already using a Consent Management Platform.

Here, it is important to understand the difference between GDPR and CCPA—GDPR asks publishers to tell users about their data usage, while CCPA wants them to ask for consent, whether users want their data to be used or not.

Integrating the existing CMP with CCPA rules won’t be much of a task.

In Closing

As reported by the Washington Post, companies are really confused: some disclosing too much data, some with too much, and others with incorrect information.

The California Attorney General’s office won’t begin enforcement for another six months. This doesn’t mean publishers should wait till the last minute to ensure compliance. The confusion will not go away until you get started. A last-minute approach risks a wrongful implementation, resulting in missing out on business from California.

Review your data collection practice keeping the worst-case scenario in mind. Remember, users (consumers) have the right to know about their data usage. Leverage this to build better relationships and then subtly bring ad monetization into practice.
