Just as we got the chance to exhale after the GDPR race, another privacy framework is coming, this time a state law: the CCPA regulation from the United States. You might be surprised, but GDPR has several less famous cousins: one draft equivalent in India, another in Brazil, and a newborn one in Canada. Some of these national laws are still under construction.

When we talk about the California Consumer Privacy Act, we are talking about a draft that became a working regulation in less than a week. Does it pose another threat to the ad tech ecosystem, or do companies just need to know how to prepare?

What is CCPA regulation? State vs Federal law

The CCPA regulation was created on June 28, 2018. It is a law intended to protect privacy and personal information rights. Just as GDPR does this for EU residents, the CCPA does it for Californians, with a few differences.

According to the new rules, any citizen of California has the right to require a company to disclose why their personal data was used and where it was sent, to request its deletion, to access the information, and to opt out. While this is only a state law, it is already inspiring other states to introduce their own regulations, so a federal law applying at the national level might be just around the corner.

What does this mean for your company? 

The CCPA implementing regulations will apply to companies that collect, process, and use the personal data of Californians for any purpose. CCPA enforcement is scheduled for January 1, 2020, in order to give companies time to adjust their policies and internal processes accordingly. The types of businesses that will have to comply:

  • Companies with annual gross revenues of $25 million or more.

  • Companies that buy or sell the personal data of 50,000 or more California consumers or households.

  • Companies that get 50% of their revenue from selling the personal data of Californians.

What does it mean for the ad tech industry?

Adjusting to the new privacy realities is crucial, especially for the ad tech sector. The CCPA will change the way ad platforms collect, process, and distribute the information of Californian users. Here’s how:

Third-party data sharing will shrink. When GDPR came into force, some companies decided to stop processing EU consumers' personal data, which meant closing their EU business segment. The same may happen with CCPA. However, this applied only to small companies that couldn't afford to rebuild their systems. The rest of the ad tech companies are expected to start collecting only those kinds of third-party data that they can justify under CCPA.

First-party data will gain momentum. Companies that comply with CCPA very likely did the same with regard to GDPR. The worldwide trend toward transparency is obvious, which is why in the future ad tech companies will rely less on third-party data and will need to use direct first-party data instead.

Ad tech platforms will be more transparent. Companies will be obliged to keep data about sales for one year. In addition, every platform will have to place a “Do Not Sell My Personal Information” notice on its website. This notice will help Californian users opt out of the sale, so that their information will not be distributed further. This will be the best leverage for ad tech companies to appear transparent, safe, and loyal to customers.

Current state and challenges

Just as happened with GDPR adoption in 2018, almost 44.2% of the surveyed businesses, including ones in ad tech, have never heard of the CCPA regulation. Around 11.8% know that they need to comply, and 34% are not sure whether it is necessary for them.

[Figure: CCPA preparation state]

For programmatic platforms, preparing all tech layers and vendors for total compliance is no small task, since the ecosystem is complicated and interconnected.

That's why the IAB recently released Transparency and Consent Framework 2.0. Using it, publishers will gain more power over data processing procedures on the third-party side, which will deliver more transparency on a per-vendor basis.

CCPA privacy regulation: how to prepare?

Preparing for the CCPA regulation is like building a house: layer by layer, your company needs to create a program by which you will plan the main organizational and technical compliance procedures. These are the core things to begin with:

  • Audit your internal processes and workflows and make sure they comply with data disclosure requirements.

  • Review CCPA requirements and update your privacy policies accordingly.

  • Structure the types of information that you use and cut out unnecessary ones.

  • Make sure user requests for information deletion or management can be processed in time.

  • Audit vendors, contracts, and third-party service providers and verify that they are also compliant.

  • Brief your employees on CCPA regulation concepts.

The outcome

If your business is already compliant with GDPR, doing the same for CCPA shouldn’t be too difficult. Ad tech players that take the new CCPA privacy regulation seriously can use it as a competitive advantage in their marketing and PR communications with customers. If your company is able to bring its entire ad tech stack into compliance, you will undoubtedly have a significant competitive edge over those ad market players who aren’t compliant.