Just as we’ve got the chance to exhale from GDPR races, another state law privacy framework is coming, and this time, it is CCPA regulation from the United States. You might be surprised, but GDPR has several less famous cousins: one draft equivalent in India, the other in Brazil, and the newborn one in Canada. Some of these national laws are still under construction.
When we talk about the California Consumer Privacy Act, we talk about the draft that became a working regulation in less than a week. Does it pose another threat for ad tech ecosystem or companies just need to know how to prepare?
What is CCPA regulation? State vs Federal law
CCPA regulation was created on June 28, 2018. It is a law that is supposed to protect privacy and personal information protection rights. Just like GDPR works for E.U residents, this one does for Californians, but with few differences.
According to the new rules, any citizen of California has the right to require from the company information about why their personal data was used, where it was sent, request a deletion, access to information, and the right to opt out. While this is only state law, it already inspires other states to introduce their own regulation, so the federal law that exists on the national level might be waiting just around the corner.
What does this mean for your company?
CCPA implementing regulations will apply to companies that collect, process, and use for any purpose the personal data of Californians. CCPA enforcement is scheduled for January 01/2020, in order to give companies time to suit their policies and internal processes accordingly. Types of businesses that will have to comply with:
Companies with annual gross revenues of $25 million and more.
Companies that buy or sell personal data in volumes of 50,000 or more California consumers or households.
If the company gets 50% of its revenues from selling the personal data of Californians.
What does it mean for Ad Tech industry?
As known, adjusting to the new privacy realities is crucial, especially for the ad tech sector. It will change the way ad platforms collect, process, and distribute information of Californian users; here’s how:
Third-party data share will shrink. When GDPR came into enforcement, some companies decided to quit processing EU consumers' personal data, which meant closing their EU business segment. The same may happen with CCPA. At the same time, this was valid only for the small companies that couldn't afford to rebuild their systems. As for the rest of the ad tech companies, it is expected that they will start to collect only those kinds of third-party data that they can justify under CCPA.
First-party data will gain momentum. Companies that comply with CCPA very much likely did the same in regard to GDPR. The world’s trend for transparency is obvious, and this is why, in the future, ad tech companies will rely less on third-party data and will need to apply direct first-party data instead.
Ad tech platforms will be more transparent. For one year, companies will be obliged to keep the data about sales. Nonetheless, every platform will have to place a “Do Not Sell My Personal Information” notice on the website. This notice will help Californian users opt out of the sale, so the information will not be further distributed. This will be the best leverage that will help ad tech companies appear transparent, safe, and loyal to customers.
Current state and challenges
Just like it happened with GDPR adoption in 2018, now almost 44.2% of the surveyed businesses, including ones in ad tech, have never heard of CCPA regulation. Around 11.8% know that they are eligible to comply, and 34% are not sure if it’s necessary for them.
In programmatic platforms, there’s no small task for preparing all tech layers and vendors for total compliance since the ecosystem is complicated and interconnected.
That's why recently, IAB released Transparency and Consent Framework 2.0. Using it, publishers will gain more power over data processing procedures on the third-party side, which will deliver more transparency on a per-vendor basis.
CCPA privacy regulation: how to prepare?
Preparing for CCPA regulation is like building a house - layer by layer; your company needs to create a program according to which you will plan the main organizational and technical compliance procedures. These are core things, to begin with:
Audit your internal processes and workflow to make sure they comply with data disclosure requirements.
Review CCPA requirements and update your privacy policies accordingly.
Structurize the types of information that you use and cut out unnecessary ones.
Make sure user requests for information deletion or management can be processed in time.
Audit vendors, contracts, and third-party service providers and verify if they’re also compliant.
Consult your employees about CCPA regulation concepts.
If your business is already compliant with GDPR, doing the same thing for CCPA shouldn’t be too difficult. Ad tech players who will take the new CCPA privacy regulation seriously can utilize it as a competitive advantage for their marketing and PR communications with customers. If your company is able to bring entire ad tech complex to compliance, then, undoubtedly, you will have a significant competitive edge over those ad market players who aren’t.