It’s known that user data is used for ad targeting online. When a user finds relevant ads while browsing, advertisers get quality leads and conversions, and publishers get better CTRs, making it a win-win situation.
It sounds simple enough but as soon as you hear news about data breaches, a dark side of digital advertising starts to appear. Recent studies have shown that 1 out of 5 Americans never check if their data has been compromised in a breach. And around 66% users don’t know what to do when they find out.
Given the state of things, there is a need to make stronger data security frameworks. One such framework that will soon be put into action is California Consumer Privacy Act or CCPA.
What is the California Consumer Privacy Act?
California Consumer Privacy Act is a bill introduced to enhance the online privacy of consumers residing in California. It was passed by the California State Legislature on June 28, 2018. However, it will be effective on January 1, 2020.
The intent of CCPA is to give the people of California the right to know about the usage of their personal information. Furthermore, CCPA also defines personal information for the companies using the user’s data for marketing, advertising, and reselling purpose.
According to CCPA, personal information is any data that identifies, relates to, describes, or can be linked to a consumer and household, directly or indirectly. According to this definition, tracking pixel, cookie ID, IP address, email address, web history, and other such data points fall under the umbrella of personal information.
What Does CCPA Has To Offer?
CCPA applies to any for-profit company doing business and collecting user information in California. Furthermore, the company should also satisfy at least one of these criteria:
- The company earns more than half of its revenue by selling user data.
- The company stores personal information of over 50,000 users, households, or devices.
- And/or, the gross annual revenue of the company is $25 million or more.
California Consumer Privacy Act gives people located in California the right to:
- Know what personal information is being collected
- Ask where and who is using their personal information
- Opt out of sharing their personal data
- Delete and update their data
- Ask whether their personal information is being sold. If yes then further ask to stop it
- Finally, to have equal services even when they choose not to share personal information.
What are the Exceptions and Fines?
CCPA doesn’t stop any company from doing business or collecting user data. However, if a user requests a personal data report, then the company must provide it. There are strict statutes against non-compliance. Hence, any company doing business in California must comply with CCPA rules and update its business accordingly.
California Consumer Privacy Act enforces a fine of $7,500 for each intentional violation. And for each non-intentional violation, the fine is set to $2,500. Furthermore, CCPA empowers the users to file a lawsuit against a company in case of non-compliance. If the violation is proven, the company can face damage between $100 to $750 or more to be paid to user.
Why Should Publishers Care?
As discussed, CCPA gives users the right to decide what kind of data they wish to share. Also, users can opt out of having their data stored. Now, publishers who track users for ad tech purposes should make themselves well aware of the CCPA, because these users can ask for their data to be deleted at any point. Furthermore, the publisher should, at all times, be ready to reveal the data they are storing related to each user.
CCPA also talks about fines. Meaning, in case a publisher is found not complying with CCPA, he/she will be subjected to fines or even barred from doing business in the California state.
What Makes it Different from GDPR?
GDPR asks companies to record user consent before collecting their data. However, CCPA doesn’t mention consent or stop companies from collecting data. Furthermore, GDPR didn’t clearly define personal information in their regulation. Whereas, CCPA is very clear about the personal information of users and households.
GDPR asks companies to clearly notify users where and how their information is going to be used. However, with CCPA, companies are only required to reveal that information when asked by users. In case of data breach, the company has to inform its users, as per both the frameworks.
To sum up, GDPR asks businesses to define the terms of data usage before collecting it. Whereas, CCPA wants businesses to notify the terms of data usage whenever asked by users. And if a user wants to opt out of sharing personal data, businesses have to respect the decision.
What to do Next?
While we have GDPR to make comparisons, it can be tricky because GDPR is all about user consent and CCPA mostly talks about privacy. However, it will be a good start for publishers to check the after effects of GDPR, in trying to evaluate the upcoming impact of CCPA. Start by listing down things you wish to start with like getting a consent management system, tracking and updating user consent. Basically, create a CCPA compliance checklist and follow it.
Reports suggest that many companies are still not ready for the big change. But since CCPA will come in effect in January 2020, there is still time to prepare. As with GDPR, CCPA will have repercussions for both publishers and vendors, both in terms of infrastructure costs for ensuring compliance, and fines and penalties in case of non-compliance. But unlike GDPR, the California Consumer Privacy Act is more well-defined in terms of stating its requirements. And enhanced data security for users is better for everyone involved in the long run.