“Winter is coming.” – Ned Stark, House of Stark
If you’re a GOT (Game of Thrones) fan like I’m becoming, you know that’s the motto for House of Stark and it’s issued as a warning or a heads up that the House needs to get itself prepared for hard times, as the season is about to change—both literally and figuratively. In essence, it’s a time of unknowing. Sounds a lot like how the Ad Ops industry must feel as folks deal with the E.U.’s General Data Protections Regulation (GDPR) and gear up for the California Consumer Privacy Act (CCPA).
Unfortunately, being GDPR compliant won’t necessarily mean being CCPA compliant. Also, it won’t be enough to just have systems in place to comply with CCPA and not continue to ensure that users’ data remains safe.
CCPA As We Know It Today
With the passage of the California Consumer Privacy Act of 2018, consumers will get a lot more visibility into the information collected about them when they visit online properties, as well as what is done with that data.
Set to go into effect January 1, 2020, with enforcement coming six months later, CCPA will apply to any company with CA-based assets or customers, including Californians who visit a website and whose data you touch. To sum it up, the law will apply if you have 50,000 unique CA visitors annually. For digital media companies, this will mean rewriting privacy policies, tinkering with data management systems, and providing more transparency to consumers.
Overall, the Personally Identifiable Information (PII) defined in CCPA is much broader than what’s been outlined in GDPR—“information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” This includes IP addresses, cookies, beacons, pixel tags, mobile ad identifiers, browsing history, search history, and geolocation data.
Companies will need to ask for consumer opt-in and divulge which categories and specific pieces of personal data are collected, the sources from which those categories were built, the purpose for which the data was collected, where the information comes from, how the information is used, and whether the information is being disclosed or sold. Chief here is the last point—publishers must have a homepage link to a page called “Do Not Sell My Personal Information.”
You must also provide access to the data collected as well as enable portability and the ability to delete personal information (and instruct service providers using the data to delete it as well). You must also honor opt-out requests and cannot attempt to re-authorize until 12 months have passed.
Noncompliance with the law—and failing to secure the data you collect—could be met with some serious costs: a $2,500 fine for each violation after a 30-day “cure period,” and $7,500 for each intentional violation of the act.
The law is clearly aimed at third-party data brokers and the people that buy their wares—and many publishers buy third-party data to help with targeting and meeting demographic guarantees. Companies with direct relationships with consumers—such as digital publishers—will likely see less of an enforcement impact, but publishers could still easily find themselves on the wrong side of this privacy regulation. In addition, the California Attorney General’s prerogatives are not entirely knowable.
The fines wouldn’t be the only loss for companies not in compliance. Under some circumstances, consumers will be allowed to sue companies when their non-encrypted or non-redacted personal data has been subject to unauthorized access, theft, exfiltration, or disclosure as a result of a security breach. The threat of class-action lawsuits may actually be more perilous to publishers.
The CCPA was already amended with technical fixes in the fall of 2018. Many in the digital advertising industry expect further revisions as questions linger around enforceability, which makes it difficult to prepare for compliance as the clock ticks down.
Federal Data Privacy Laws Coming Soon?
To say that CCPA is complex is an understatement. AdMonsters Editorial Director Gavin Dunaway’s recent musings, “CCPA Is Confusing AF,” clearly outlined just how unclear the regs are.
Since Dunaway’s writing, California’s Attorney General, supported by Senator Hannah-Beth Jackson, introduced legislation to both clarify and strengthen CCPA—greatly expanding consumers’ rights to bring private lawsuits for violations. There’s also been a flurry of other legislative activity aimed at expanding the regs. There has also been a stream of hearings, including a recent one held by the Judiciary Committee of the California Senate that revealed difficulties faced by companies in implementation, such as challenges with the timeline and determining whether a person is actually a California resident.
We can expect the furor around CCPA’s confusion to continue at this pace until it goes into effect in 2020 and probably even afterward. Since GDPR, other states have either beefed up older privacy laws or enacted new ones, most notably Vermont’s Security Breach Notice Act, which went into effect Jan. 1 and aims to protect consumers from data brokers.
It goes without saying that a federal data privacy law is likely imminent. Sixteen senators recently backed the Data Care Act, which would be implemented by the FTC and require that companies safeguard personal data collected from users and not use the data in ways that could be harmful. And there are other proposals too—such as the Consumer Data Protection Act, which would put CEOs in jail for lying about consumer privacy, and the Information Transparency and Personal Data Control Act, which aims to regulate online privacy by requiring companies to present privacy policies in ‘plain English’ and get opt-in permission for the collection and sharing of users’ info.
This is hardly the first time we’ve seen such a strong push toward federal data privacy legislation, but given GDPR it’s clear that politics are shifting, and major investments are as well. It’s certainly the kind of thing that tech giants like Google, Facebook, Apple and Microsoft want to happen. But many question whether their interests actually lie in protecting consumers, or whether they’re just looking for a simpler, easier federal regulation that will supersede all of the state ones. While many argue that CCPA is confusing, it’s also quite stringent. For now, CCPA is the fiercest in the land.
Looks like it’s time to start buttoning up. Brr.