The Complete AdExchanger Brain Dump On CCPA Now That The Law Is In Effect
The California Consumer Privacy Act (CCPA) officially took effect on Jan. 1, 2020, and now businesses must hustle to comply as a new clock begins to tick.
CCPA enforcement starts on July 1.
Here’s what you need to know to get up to speed:
CCPA is for now the most stringent privacy regulation in the United States. It grants consumers new privacy-related rights, including the right to see what personal information is being collected about them, to access it, to see who the data is being shared with (including third parties) and to opt out of the sale of that data.
What constitutes a sale? The better question might be, what doesn’t?
Under CCPA, a sale doesn’t just mean the transfer of data in exchange for money, but also for “other valuable consideration,” which could include the non-monetary value that companies derive from sharing data … aka, the foundation upon which most of ad tech is built.
The law also has a broad definition of what counts as personal information, which includes IP address, cookies, browsing history and geolocation data.
Although CCPA is largely an opt-out law, businesses are required to get an explicit opt-in to collect the personal information of children under 16.
Attorney general’s implementation regs
In October, the California attorney general’s office published the first draft of its highly anticipated CCPA implementation regulations, the purpose of which is to help operationalize the law and clarify any confusing bits. [Click here to read the full text.]
The regs, which aren’t finalized, clarify how to define a “household” and how to verify consumer data requests, but there’s plenty left unanswered.
The AG doesn’t share, for example, what a CCPA-compliant opt-out button should actually look like and doesn’t provide a more specific definition of the word “sale.”
The regs also include a few new legal requirements that don’t appear in the original statute, such as having to acknowledge the receipt of a consumer request within 10 days and treating user-enabled privacy controls, such as a browser plug-in, as a valid signal of a consumer’s choice to opt out of the sale of their personal info. Some interpret the latter as a de facto resurrection of “Do Not Track.”
The AG’s office is working on finalizing its draft regs based on comments received during a 45-day open comment period that ended on Dec. 6. If there are any changes, a second draft will be made available for public comment.
Industry compliance tools
Over the last few months, the advertising industry has been busily working on solutions to help companies comply with CCPA.
The Interactive Advertising Bureau and IAB Tech Lab developed a CCPA compliance framework comprised of technical specs for passing CCPA-related information within OpenRTB transactions along with standardized contracts for use between publishers and their partners.
Google agreed to adopt the IAB Tech Lab’s technical mechanisms for compliance, but not the contracts, since it’s already got product-specific contracts of its own in place with partners. Separately, Google is also allowing sites and apps to disable personalized ad serving across its ad products to help its partners with CCPA compliance.
The Digital Advertising Alliance created a green icon modeled off of its AdChoices icon for publishers to display within their site or app along with CCPA-compliant opt-out language, such as “Do Not Sell My Info.”
Despite a major push by the tech lobby, most proposed amendments to weaken the CCPA never made it to the governor’s desk for a signature.
The handful that did pass were fairly noncontroversial, including one amendment to clarify that “publicly available information” and “deidentified or aggregate” data are not considered personal information (AB 874) and another to exclude vehicle and ownership data for the purposes of repair related to warranty or recalls (AB 1146).
Two other amendments, one which provides an exemption for employee data (AB 25) and a second that creates an exemption for B2B data (AB 1355), only apply for one year. The California state legislature will revisit both in 2020.
A new ballot and beyond
California isn’t the only state with a data protection statute on the books. Nevada, Maine, Pennsylvania, Massachusetts, New Jersey, Illinois, Hawaii and others have either enacted or are in the process of enacting privacy-related laws of their own.
And even in California there’s more uncertainty on the horizon. Alastair Mactaggart, the man who helped push CCPA into law, introduced a new ballot initiative for 2020 that would, if passed, bolster the CCPA and add new consumer rights, including tighter restrictions related to the use and sale of sensitive info, such as health and financial information and precise geolocation, and require companies to provide more transparency into automated decision making and profiling.
Mactaggart sees the CCPA and his new ballot proposal as springboards for privacy legislation at the federal level.
Lawmakers on both sides of the aisle are pushing for a national privacy law, although the notion of preemption remains a sticking point. Republicans are in favor of a federal law that preempts state-based laws, while Democrats have said they will only support a national standard that is at least as strict as the CCPA.