With under a month to go, enforcement of the California Consumer Privacy Act (CCPA) is the next milestone in the evolution of the data privacy landscape. The CCPA includes new individual rights to data access, erasure, and opt-out, and whilst there are broad similarities with Europe’s GDPR, there are also significant differences. This has raised questions around how businesses will handle compliance across individual states, and indeed national borders.
In the same way US publishers must comply with the General Data Protection Regulation (GDPR) if any of their traffic originates from the EU, European publishers need to comply with the CCPA if any of their visitors are Californian. What’s more, there’s a nagging feeling the Golden State is just the regulatory testbed and the CCPA will eventually be rolled out nationwide as federal law. This idea is given weight by Microsoft’s pledge to extend the CCPA’s core rights to users across the country.
While the CCPA shares the GDPR’s goal of giving consumers more control, the definition of personal data varies significantly, with the CCPA regulating information linked to households, not just individuals, and encompassing data that is inferred, not just collected. The regulations outline a variety of user rights around deleting, correcting, transferring, and selling data, as well as applying penalties in different ways, so publishers must prepare to comply with both sets of rules.
With confusion around data laws still prevalent, we asked experts from across both the publishing and digital advertising industries for their take on CCPA, as well as any advice for publishers looking to comply with the new regulation.
Keith Abbey, VP Publisher Growth, Sovrn
“The CCPA law is still far from its final shape, but a lack of clarity should not prevent publishers from putting their data affairs in order. Publishers must prepare for the arrival of the CCPA with the mindset of getting ready for the worst, and accept that taking a Band-Aid approach to compliance may not be good enough for an increasingly tough regulatory landscape. Instead, publishers should re-evaluate their data practices with an eye to the worst-case scenario to ensure they meet diverse regulations and gain a competitive advantage.
“More than this though, privacy is essential and not going away because it’s the right thing for consumers. Audiences should have a holistic view of what happens to their data – including why it’s collected, what it’s used for, and who it’s accessed by. By welcoming data privacy into their business models, publishers can build a stronger relationship with consumers; one based on trust and respect.”
Ben Barokas, Co-founder and CEO, Sourcepoint
“With an urgent focus on the January 1st deadline for CCPA, publishers are absorbed in how they can become compliant in time, but they should also be looking ahead to consider how utilizing the privacy preferences process can open a dialogue with users and support future monetization strategies.
“CCPA strategies shouldn’t just be a checkbox for compliance; this legislation actually gives publishers the chance to gain trust through a comprehensive, transparent, and user-friendly process that establishes consumer choice as the standard for digital experiences.
“When publishers demonstrate they take compliance and data privacy seriously, consumers trust them more. It’s through this type of two-way relationship that a fair value exchange is established; publishers can utilize consent signals to their advantage and build sustainable monetization opportunities.”
Nickolas Rekeda, CMO at MGID
“2020 will be the year publishers place data privacy and security at the very core of their business ethos. The GDPR set the regulatory ball rolling back in 2018, but in many cases this merely led to a series of front-end tick-box consent forms – frustrating for consumers and falling short of compliance.
“But the implementation of the latest data privacy regulation – the CCPA – on New Year’s Day puts further requirement on businesses to be transparent about data practices. Under the new law, consumers must be fully informed about what their information will be used for and empowered to opt-out at any point in time. Further data protection bills are expected to follow – from other states, as well as other regions such as the India Personal Data Protection Bill. Each will bring its own twist on levels of protection and it’s clear that mere tick-box or side-stepping tactics just won’t be an option.
“For publishers, this means getting a handle on their own data flows – setting up unified storage systems that enable them to instantly identify what they have, as well as quickly fulfill consumer requests for data disclosure. They must focus on their supply chain – ensuring the partners and third parties they share data with align with best practices. Industry specifications such as ads.txt or sellers.json will become standard tools for achieving supply chain visibility, and compliance solutions such as those launched by the IAB will assist with meeting new regulations as they arise, and ensure accountability in data practices.”
Richard Foster, CRO, InfoSum
“If the GDPR implementation in Europe is an indication of how things will change under the CCPA in the US, then it’s unlikely penalties will be handed out straight away. But when enforcement kicks in, any company wanting to operate in California – whether they are based there or not – could be left racing to ensure compliance.
“For publishers, this adds another layer of complexity when thinking about the handling of data, because the CCPA requires consumers to opt-out rather than opt-in – as is the case with GDPR – and because this and any other new regulatory powers in the US will vary from state to state. Even the definition of what is classed as personal information differs. Publishers working in Europe and the US will have to consider multiple layers of compliance, and as a result are likely to want to find new ways of understanding their audience and monetizing their inventory.
“Publishers should recognize the CCPA as an incentive to build up a bank of first-party data on their audiences, and investigate compliant ways of making this available for the purposes of digital advertising. This will allow them to provide a higher level of addressability, similar to that which advertisers already get from dominant walled garden platforms (Google, Amazon and Facebook). By deploying tools and techniques that enable audience insight without the actual transfer of data, publishers can meet their regulatory obligations, while simultaneously boosting their appeal to advertisers.”
Gabe Morazan, Director of Product, Digital Governance (CIPP/E), Crownpeak
“Digital experiences are built on consumer engagement and anything that aids understanding of what your users want, and facilitates interaction, can only be a benefit. For this reason, we see regulations such as CCPA as a chance to not only put reassuring data privacy protections in place, but also to learn more about how your customers intend to interact and how you can give them the experiences to match their choices.
“One of the basic things that we’re encouraging companies to do in preparation for CCPA – other than putting policies in place to become legally compliant – is to make sure that your privacy processes are aligned with your digital brand and experience throughout the interaction, even after consent is given. Don’t implement obscure procedures with jargon-heavy text to capture privacy options. Instead, make this process easy to understand and navigate, make them feel they are entering a partnership with your brand rather than a one-way conversation, explain what their rights are and what choices they have. Implementing proactive privacy management practices will ensure publishers are compliant, while improving customer experience from both an engagement and rights protection point of view.”