On the heels of the General Data Protection Regulation (GDPR) in the E.U., the California Consumer Privacy Act (CCPA) is now law. It grants California consumers specific rights regarding the collection, use, storage, and sale of personal data by businesses.
CCPA became effective January 1, 2020 with a six-month grace period before enforcement would begin. The penalties and fines for companies that do not comply can be significant. Civil penalties range from $2,500 per incident for non-intentional violations up to $7,500 for intentional violations.
Enforcement proceedings can begin as of July 1, 2020 but the California Attorney General has stated that companies shouldn’t think of that as a free pass. Non-compliance between January and July can still be enforced after July 1st.
With stiff penalties, it’s important for online businesses to understand what’s covered in the law and what is needed to comply.
CCPA in a Nutshell
CCPA is the strictest set of privacy regulations on the books in the U.S. It grants consumers new privacy-related rights:
- The right to know what personal information is being collected
- The right to know if (and how) their personal information is being shared or sold
- The right to opt out of the sale of personal information
- The right to access their information
- The right to have their personal information deleted (with exceptions)
Under the Privacy Act, a sale isn’t limited to money changing hands. CCPA also protects consumer rights for data that’s exchanged for “valuable consideration.” That’s been interpreted by the California Attorney General’s office to include the exchange of data for targeting or ad delivery.
The definition of what qualifies as personal information goes beyond name, address and phone number. It includes IP addresses, cookies, browsing history, geolocation data, mobile ad IDs (MAIDs), device identifiers, or any interaction with websites, apps, or ads. It also includes profiles to identify or group consumers based on personal data.
CCPA prohibits selling any personal data of anyone under the age of 16 without explicit consent. For children under 13, parental consent is required.
What it does allow is the use of consumer data that is aggregated, anonymized, or de-identified. To qualify, such information must not be associated with any specific user or household.
What is the IAB CCPA Framework?
Primis is a signatory to the Interactive Advertising Bureau (IAB) CCPA Framework. We recommend that publishers also adopt these principles and policies for compliance.
- IAB CCPA Compliance Framework Document
- Limited Service Provider Agreement
- Implement the CCPA Framework Technical Specifications
Publishers selling information from consumers in California for digital advertising purposes must comply with the guidelines as applicable. Any traffic sent to Primis from California users should be CCPA-compliant.
Publishers have the only direct relationships with consumers. As such, it is the publisher’s responsibility to provide the appropriate links and disclosures to users, such as the required “Do Not Sell My Personal Information” link.
Publishers must send Primis the Privacy String signal if a user opts out of the “sale” of personal data as defined by CCPA. If Primis does not receive the Privacy String signal from a publisher, we will treat these bid requests as not opted out of a “sale” under CCPA.
More Data Protection Laws Are Likely
It has been nearly two years since the law was enacted, but the enforcement regulations are still not final. The state’s AG has issued guidelines which have already been revised twice. There may be more changes still to come.
While it impacts any companies that do business with California consumers, it’s unclear whether the law applies to California residents while traveling.
A study by Cisco revealed that 84% of those responding want more control over their data and how it’s used. In the future, look for more privacy restrictions and data protection statutes. There’s already a ballot initiative set for November in California to enact a tougher law and stiffer penalties. More than a dozen states have introduced legislation in the past year, including Illinois, Maine, Massachusetts, Nevada, New Jersey, and Pennsylvania. Several versions of national data protection regulations are also being proposed, along with the formation of a Data Protection Agency in the U.S.
This type of uncertainty around the final requirements to comply with CCPA and the potential of new laws make it especially difficult for businesses to comply.
Have any more questions? Please feel free to reach out to firstname.lastname@example.org or your publisher success manager.