“Privacy” is a trending term in headlines and a pressing concern for the online public. With prominent news items like Cambridge Analytica’s data mining activities and third-party developers reading Google emails, people are increasingly concerned about the use and misuse of their personal information.
To address mounting fears, California passed the Consumer Privacy Act (CCPA), following on the heels of the EU’s new GDPR guidelines. According to TrustArc, “the CCPA is set to be the toughest privacy law in the United States by broadly expanding the rights of consumers and requiring businesses within scope to be significantly more transparent about how they collect, use, and disclose personal information.”
How will the CCPA affect companies doing business with California residents?
The California Consumer Privacy Act of 2018 passed through the California legislature on June 28, 2018 without opposition. Set to take effect on January 1, 2020, the current version will definitely be revised before this date, with prominent tech companies like Facebook looking to weigh in and provide feedback.
How did we get here? Back in 1972, the California Constitution was amended to state that its constituents have a right to privacy. That amendment afforded every Californian a legal and enforceable right to privacy.
Almost a half a century later—in a world of over 200 billion emails, three billion online searches, and two hours per person spent on social media a day—people’s privacy needs have increased exponentially.
To address this reality, the CCPA grants consumers the right to request that a business disclose the categories and specific pieces of personal information it collects, how they collect it, and what third parties they share it with. As the bill itself states:
“Therefore, it is the intent of the Legislature to further Californians’ right to privacy by giving consumers an effective way to control their personal information, by ensuring the following rights:
(1) The right of Californians to know what personal information is being collected about them.
(2) The right of Californians to know whether their personal information is sold or disclosed and to whom.
(3) The right of Californians to say no to the sale of personal information.
(4) The right of Californians to access their personal information.
(5) The right of Californians to equal service and price, even if they exercise their privacy rights.”
That’s quite a legal mouthful, but what does it all mean specifically for digital advertisers?
Because of the GDPR, digital advertisers have already refined their processes to ensure compliance and consumer data safety. This includes mechanisms for fielding people’s requests for data access, deletion, and retrieval.
With the CCPA (notwithstanding AdExchanger calling it “GDPR-light”), there are a few additional things companies must do to make sure they’re protecting people’s data. Arguably the most significant part of the law for digital advertisers is a consumer’s ability to request deletion of their data and opt out of its sale—but the CCPA includes a definition of “personal information” that covers browsing and search history.
As far as scope goes, any company that does business with California residents—even if that company isn’t based in the state—must comply with the law. At the very least, this means many companies doing business in California will have to update their privacy policies and work practices to align with the new law when it comes into effect.
It’s important to note that companies have both a fix and an opportunity in front of them:
- They can apply the “Spotify exemption,” which lets them offer services based on the information consumers provide them.
- They can work with California lawmakers to influence the final legislation.
The law’s specifics are indeed likely to change by the time it’s rolled out on January 1, 2020. Despite an initial tech backlash, companies like Facebook are already weighing in on the changes. As Will Castleberry, Facebook’s VP of state and local public policy, stated, Facebook is “working with policymakers on an approach that protects consumers and promotes responsible innovation.”
As other states frequently look to California’s outsized influence and precedents, there’s a good chance the CCPA could become the national gold standard through state-level legislation. (With the current federal administration going in the opposite direction and loosening data privacy rules, we don’t see it adopting anything like the CCPA or GDPR in the foreseeable future.)
Should digital advertisers be worried? We don’t think so, for a few reasons:
- The GDPR is here and the industry is successfully adapting. There may be legal hiccups but we don’t expect them to have a lasting impact on a robust and thriving market.
- From making data policies more transparent to changing third-party data access, the industry has proven itself to be highly adaptive and innovative, quickly implementing changes that new laws dictate.
- Both the GDPR and CCPA can be seen as positive steps for protecting consumer privacy, while still allowing brands to connect with their customers and prospects with relevant messages.