For companies tasked with addressing issues of data compliance, the California Consumer Privacy Act has been a moving target.
The law, which California hastily passed in June 2018, will govern the way companies collect, use and share consumer data once it goes into effect on Jan. 1. While there was hope that a federal data privacy law would preempt CCPA, none has gained any traction on Capitol Hill. That leaves marketers and industry groups looking west to understand what they need to do to avoid being whacked with lawsuits in 2020.
After months of internal negotiations between their stakeholders, the IAB and its affiliated standards body opened their proposed CCPA Transparency Consent Framework to public comment through Nov. 5. The framework proposes a “master contract” that would bind publishers’ ad-tech suppliers to a code of conduct that complies with the law, and it offers guidance on the correct conduct when consumers opt out of targeting. This comes weeks after California Attorney General Xavier Becerra issued guidance on how his office would enforce CCPA and interpret the law.
However, there is still confusion over how the law treats the activities of the online ad industry’s middlemen, and the latest guidance from Becerra has done little to put the industry at ease when it comes to understanding where the burden of liability lies.
As was the case with the EU’s General Data Protection Regulation, or GDPR, CCPA-compliance preparations are likely to run into the eleventh hour.
Here’s a look at the letter of the law and what it means for various stakeholders:
What does CCPA mean for consumers?
Under CCPA, consumers who reside in California will be able to opt out of having their data collected, shared or used. According to the current version of CCPA, the opt-out clause means websites will have to provide a clear “do not sell my personal information” button. The law gives consumers the right to ask a business twice a year for a report outlining all the data it has collected on them, and it gives consumers the right to tell businesses not to sell that data and to delete it. Consumers will be able to find out which categories of data have been collected on them and with which parties their data has been shared along with the commercial purpose for acquiring the data.
CCPA extends to consumers new rights when there’s been a data breach, including the right to sue for up to $2,500 per violation and $7,500 for intentional violations.
What does CCPA mean for agencies and brands?
Agencies and brands that have their own data management platforms will have to have the infrastructure to track the data they have on each consumer, and they will need to invest in storing it securely. Neil Sweeney, founder and CEO of Freckle IoT, a data company specializing in measurement and identity, said agencies and brands that don’t have a way to get gain for using consumers’ data will have “serious problems.”
“There is a very high probability that they will have to drain those data lakes that they just paid $5 billion for,” Sweeney said. “For everyone else, they will be scrambling to find new, compliant sources of data and will have massive sticker shock at what that data will cost. Most brands will now have to vend in and create their own data stacks versus relying on third parties.”
Changes to compliance may also mean agencies and brands will have a harder time reaching all the consumers they want to reach.
“It’s in an agency’s best interest to have as many places to spend on the internet as possible,” said Danny Sepulveda, vice president of global government relations at MediaMath. “The degree to which the law encourages and hides folks from visibility to either agencies or advertisers will have a serious effect on [marketers’] ability to obviously reach people, or [reach them] on a basis that is personalized and relevant to them.”
What does CCPA mean for platforms and publishers?