Brands have until July 1, 2020 to ensure full compliance with the latest data privacy law, the California Consumer Privacy Act (CCPA), which went into effect January 1, 2020. The following is a question and answer session with our Rakuten Advertising general counsel about how brands can ensure they are CCPA-compliant.
- What is CCPA?
The California Consumer Protection Act is a law designed to give California residents additional rights over the use and sale of their personal information. This means that consumers will have specific rights over any of their personal data that a brand has collected, such as:
- The right of access: This means consumers will be able to access their collected data as well as inquire on how their data will be used.
- The right of deletion: Consumers will be able to request deletion of any collected data. However, there are exceptions that may allow brands to do business. For example, a brand offering a coupon would be able to use this information in order to complete a transaction for the consumer, or a financial company needing to complete a transaction would be permitted to retain consumer data, as would a firm that requires this information for security or legal compliance purposes.
- The right to opt-out of “sales”: This right is what we expect will impact brands the most. Consumers will have the ability to opt-out of their data being “sold” from a business to a third party.
- When does CCPA go into effect?
January 1, 2020, but brands will have a six-month grace period on enforcement.
- Who is impacted by CCPA?
Any brand doing business in California that collects, sells or buys personal information from online consumers is going to be impacted in some way. What brands do with this data will designate the requirements they must follow to be compliant, and each brand will fall under one of three categories: “business,” “service provider” or “third-party.”
- How do brands know which category they belong to?
As I mentioned earlier, these categories are based on the use of consumer data. While each company should consult their legal department to determine where their business sits, I’ve outlined the definitions below.
- “Business”: A for-profit entity doing business in California that collects consumers’ personal information itself or on behalf of others (either alone or jointly) and:
  - Has gross revenue above $25 million; or
  - Annually buys, sells, receives or shares personal information from more than 50,000 consumers, households or devices for commercial purposes; or
  - Has more than 50% of annual revenue derived from selling personal information.
- “Service Provider”: A for-profit entity that processes information on behalf of a business. A “service provider” is a business that receives information for business purposes or pursuant to a compliant contract.
- “Third Party”: An entity that is neither a business that collects personal information from the consumer nor a service provider.
Something to note here: adtech companies can fall into different categories at different times depending on what they’re doing with the data at any given moment. Also, it’s suggested that if brands use collected personal information for advertising purposes, it’s best that they categorize themselves as a “business” or the value of their advertising will be limited (see Q6 for more detail).
- How will CCPA impact brands?
CCPA will have a large impact on digital advertising as it brings new regulations that restrict how brands collect and manage consumer data that is used to drive relevant advertising. Most immediately, brands will need to ensure that:
- They’re prepared to serve the required “opt-out” option to California residents by January 1, 2020 when CCPA takes effect.
- They’re able to pass on any required signals (i.e. a consumer has opted-out, requested deletion, etc.) to their partners/tech companies.
- Will this negatively impact brands’ advertising efforts?
The way we see it, no. But, being an attorney, I must beg your patience for a two-part answer.
- Part 1: If a consumer does choose to opt out of sales, then advertising to that consumer will obviously be affected because they have chosen to negate their data being collected or sold. Delivering relevant advertising requires the collection of data from consumers when they visit a brand’s website. This collected data is used to better understand brands’ ideal consumers’ shopping habits. Once identified, this data can be used to create advertising that will attract other consumers with similar shopping habits – meaning consumers that are more likely to engage and convert. Without this data, relevant advertising cannot be accomplished.
- Part 2: CCPA can ultimately improve the advertising ecosystem for both the consumer and business. For brands, it eliminates consumers who aren’t really interested or engaged with advertising promotions – meaning brands will now more easily know which consumers are open to personalized advertising or offers. In the end, we see CCPA as a way for brands’ ad dollars to reach more of the “right” consumer, therefore increasing their ROAS.
Ultimately, it is our hope that CCPA will bring more transparency and rights into the use and sale of consumers’ personal information, while allowing businesses to get more bang for their advertising buck.
- What can a brand do and not do with a user’s personal information if they opt out of sales?
If a user opts out of sales, that does not mean that a company is required to delete this information or refrain from its use (unless the consumer exercises their right to ask for their collected data to be deleted). What it does mean is that their personal information cannot be further used or repurposed for a commercial gain. For example, if a brand advertises 20% off a pair of shoes, it can still complete the consumer transaction, as well as pay the commission to the company that presented the ad; however, neither the brand nor the commissioned company may use any personal information of that consumer beyond fulfilling this transaction.
- What are the impacts of non-compliance?
As is the case with many laws, the action taken will depend on the severity of the infraction. Here’s a run-down of the enforcement mechanisms in the CCPA.
- Private enforcement: CCPA empowers consumers to file their own lawsuit in the event of a data breach, allowing consumers to recover up to $750 per incident or actual damages, whichever is greater.
- Governmental enforcement: The State’s Attorney General can also file a civil case. Businesses have 30 days to fix their non-compliance or be liable to pay fines up to $7,500 per violation.
- What is required for advertisers to fulfill the CCPA requirements?
Advertisers will need to determine what category they fit best under (see question four), but any advertiser collecting and providing information to a partner will likely be considered a “business.” These advertisers will also need to provide explicit notice and an opportunity to opt-out to consumers. This way, the CCPA requirements have already been fulfilled before consumer data is collected and sent off to another party for advertising purposes.
We have seen some advertisers choose to geo-block California-based traffic or suppress California-based traffic when passing the collected data to another party.
On a high level, the following are solutions brands can take to ensure compliance:
- CMP integration: For advertisers already using a CMP tool previously created for GDPR, there may be integration opportunities.
- Disclosures and opt-out link: Advertisers can include a “Your Privacy Rights” link on each page of their website which will lead users to a disclosure revealing what companies may collect their personal information when they interact with their digital property. In our disclosure, we’ve included what kind of personal information is being collected (IP addresses, digital identifiers, etc.) and what this information will be used for (personalization of ads, analytics on how they engage with websites and ads, etc.).
For Rakuten Advertising advertisers, an email has been sent with more information about how new CCPA requirements affect them.
- What is required for publishers to fulfill the CCPA requirements?
Publishers that categorize themselves as a “business” will need to disclose privacy rights through a link on their site and give users the option to opt-out of tracking or prevent the sale of their personal data.
Publishers will be relieved of this obligation if they block traffic via IP addresses for users in California. The options we’re suggesting for our publishers are:
- CMP integration: For publishers already using the CMP tool created for GDPR, there may be integration opportunities.
- Disclosures and opt-out link: Publishers can include a “Your Privacy Rights” link on each page of their website which will lead users to a disclosure revealing what companies may collect their personal information when they interact with their digital property. In our disclosure, we’ve included what kind of personal information is being collected (IP addresses, digital identifiers, etc.) and what this information will be used for (personalization of ads, analytics on how they engage with websites and ads, etc.).
In response to the requirements of CCPA, we have updated our publisher membership agreement (PMA), and this updated PMA went into effect on January 1, 2020. The biggest substantive change to our PMA is the language, which was updated to meet the notice and opt-out requirements needed to comply with CCPA.
For Rakuten Advertising publishers, an email from us communicating this information with a link to the new PMA has been sent. For any further questions, publishers can always reach out to their publisher development manager or our publisher support team at firstname.lastname@example.org.
- How will brands pass on proper signals to their partners?
There is still work to be done and some ambiguities around how companies can ensure compliance. Yet, similar to the industry work behind the CMP tool for GDPR, groups like the IAB and ANA are working to create a universal set of signals to allow partners and clients to pass along opt-out and delete requests. There is currently a compliance framework for CCPA the IAB/IAB Tech Lab has drafted that has a standardized contract for use between publishers and their partners and a series of technical specs so companies can follow through on the contract. Additionally, the Digital Advertising Alliance (DAA) is offering a compliance tool that will allow publishers, brands, agencies and adtech companies in the digital supply chain to provide consumers a clear and recognizable mechanism to opt out of sales. We will be looking towards these groups to assist in providing tools and other material to guide the industry on best practices for compliance.
- What does Rakuten Advertising require of its advertiser and publisher partners to be compliant?
- How does CCPA affect brands outside of the US?
Any brand that does significant business with consumers who reside in California is required to be compliant with CCPA, regardless of its location, and the requirements to ensure Rakuten Advertising campaigns are compliant are the same as outlined above. Significant is defined by businesses that “annually buy, receive, sell or share personal information of at least fifty thousand California residents.”
Most say that if there is a chance, it’s a long way away. However, there are already many other states adopting similar privacy regulations. Nevada already has one in place, while Hawaii, Maryland, New Mexico, Washington and others have similar laws under draft. Brands should, if they haven’t already, accept that privacy regulation is becoming not only a federal concern, but a global one as well. GDPR has already gone into effect and new international laws are being made in Brazil, New Zealand and Bahrain, among others.