CCPA and Ad Tech: The Definitive Guide of Fall 2019

Earlier this year we shared our Definitive Guide for the GDPR. Now it’s time to unpack the latest in privacy legislation - the CCPA. We’ll outline what the CCPA is, how it impacts ad tech, how to comply, and where you can learn more.

Written for publishers seeking clarity on ad monetization, this article aims to clarify the California Consumer Privacy Act of 2018 (CCPA).

Please note that this article is for informational purposes and does not offer legal advice. We recommend you seek legal counsel to determine how the CCPA affects you.

What is the CCPA?

The CCPA, or California Consumer Privacy Act, is a state law that grants California residents greater control of their personal data - similar to the GDPR for European residents.

The CCPA applies just to larger companies doing business in California:

  • Those with $25M in annual gross revenue, and/or
  • Those that generate more than 50% of annual revenue from data sales, and/or
  • Those that have bought, sold, and/or shared (for commercial purposes) personal data on 50K+ California residents, households, or devices

The CCPA was approved by former Governor Jerry Brown in June 2018 and will be effective January 1, 2020. While it won’t be enforced until California’s Attorney General publishes the new law’s regulations - which it has until July 1, 2020 to do - the CCPA includes a lookback window for any personal data collected on California consumers starting January 1, 2019.

Like the GDPR, the CCPA allows consumers to determine how their data will be used and requires companies (that meet its thresholds) to impose tighter restrictions on how they collect and process personal data.

CCPA vs. GDPR: How do they differ?

While both the GDPR and CCPA offer consumers strong personal data protection, impact businesses regardless of HQ location, consider cookies personal data, and curtail programmatic advertising, the CCPA is not simply an American or “light” version of the European law:

CCPA GDPR
Scope CA residents EU residents
Consent Opt-out; opt-in for minors Opt-in
Personal information Includes pseudonymous and sensitive data for individuals and households Includes pseudonymous and sensitive data; limited to identifiable individuals
Rights Includes access and deletion without penalty Includes access, correction, and deletion without penalty
Enforcement California Attorney General European Data Protection Board (EDPB)
Penalties Individuals can sue for $100 to $750 per breach or actual damages, whichever is higher

$2,500 for unintentional breaches; up to $7,500 for intentional breaches
Capped at 20M Euros or 4% of global annual revenue, whichever is higher

Whereas the GDPR is an opt-in law requiring privacy by design, the CCPA is an opt-out law.

While opt-out may sound better to publishers than opt-in consent, according to a recent poll by BritePool and Annenberg Research, 87% of consumers would choose to opt-out of ad targeting.

Consumer rights under both laws impact the ad tech industry, as programmatic advertising relies on consumers’ personal information, including geolocation data, browsing history, cookies, and more.

That being said, as long as a user hasn’t opted out, you may continue to do cookie matching, interest targeting, frequency capping, programmatic ads, and so on.

‘Personal information’ under the CCPA - and why it’s so confusing

Here’s where things get trickier, as the CCPA defines “personal information” broadly as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household”. This includes browsing and search history, mobile IDs, IP addresses, and geolocation data.

It also covers pseudonymised data if it can be linked back to an individual consumer.

Let’s clarify those terms:

Household
The Attorney General defines a “household” as a person or group occupying a single dwelling, whether that group consists of family members - or the roommate you found on Craigslist.

Businesses must also consider the personal information collected on residents’ devices; if a user opts out on one device, you must honor that request on all of their devices - as well as all of the devices of everyone they live with!

Reasonably
The term “reasonably be linked” is also a sticking point; it will be up to California’s Attorney General to determine what is a reasonable thread.

Identifies
The CCPA further defines PII to be a way of identifying consumers “to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes”. Essentially, any information that advertisers could use to build a personal preference profile.

‘Sale’ under the CCPA - and why it’s so confusing

“Sale” goes far beyond the monetary transaction we normally associate with this term. According to the CCPA, it is “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information to another business or a third party for monetary or other valuable consideration”.

We anticipate greater clarity soon, but this broad definition could impact how publishers share data with ad exchanges, ad networks, DMPs, DSPs, analytics platforms, and more. The Attorney General will publish more CCPA regulations during the public comment period through December 6.

What do - and don’t - you have to provide an opt-out for?

Under the CCPA, you must allow California residents to opt-out of the sale (per the above definition) of their personal information. Once they opt-out, you must honor that request moving forward.

Like the GDPR’s “legitimate interest” clause, though, the CCPA has a notion of “business purposes”. This refers to situations where, even if the user opts out to selling, you can continue to use their PII. (However, as detailed later, you do have to be forthcoming about this in your privacy policy.)

CCPA defines those “business purpose” use cases as:

  • Auditing consumer interactions, including counting and verifying ad impressions
  • Detecting security incidents
  • Debugging/repairing errors
  • Providing short-term, 1st-party uses, including contextual customization
  • Performing services, including verifying customer information, providing customer service
  • Conducting internal research for tech development

Under the CCPA, you are not required to offer an opt-out for cookies required for site performance, such as remembering items in a shopping cart, shipping information, or website analytics (we have a separate article on CCPA and Google Analytics). The opt-out is specifically for preventing any future data selling.

CCPA and ad tech

So, how will the CCPA impact your monetization efforts?

Put simply, if you don’t meet the revenue or volume requirements, the CCPA will not change your current protocol.

Even if you do meet these requirements, there are two important points:

  1. Consent under CCPA is opt-out, not opt-in
  2. CCPA is specifically against data selling (as per the above definition). There is no explicit rule against using PII if you aren’t selling it.
What if you aren’t selling PII?

There are a few scenarios that would fit under ad tech here:

Scenario Considerations
You use 1st-party data (aka, email address given in a registration form) or device IDs (like browser cookie or IDFA) to optimize what content is promoted This would likely fall under “business purpose” because it’s required for best user experience. In that case, users cannot opt-out of this data usage
You use the same data in your in-house ad server (such as behavioral targeting or for frequency capping), where advertisers are buying against those profiles, but no actual PII is shared with the advertisers As no PII is being “sold”, users cannot opt-out of this data usage (but further clarifications may deem that not so)
You show ads based on what a user searches for or based on the page’s context (aka category targeting) No PII is used here - totally fine, and the user can’t opt-out of these ads
You buy PII from 3rd-party data provider and use that to personalize content CCPA doesn’t explicitly penalize for PII purchases, so you could use that for on-site targeting
You have PII of your users and that data is shared with infrastructure partners like Adzerk or AWS These partners would be considered service providers and sharing data with them does not fall under CCPA’s definition for “selling”, especially since you’re probably using them for a “business purpose”. But if a user asks to be deleted, you should delete their PII if saved on these platforms
What if you are re-selling data?

If you are collecting PII and then re-selling, if the user hasn’t opted out, you can keep doing it. If they request data deletion, you need to delete it from your system and (likely) request deletion from partners.

What if you are doing programmatic advertising?

When you send an ad call, you are likely populating it with what’s considered PII, like an IP Address or Mobile ID. Additionally, when you send an ad request, you're sharing that data with many companies in the ad tech chain. If the user hasn’t opted out, this is allowed.

Now, what happens if the user opts out of data being sold? Well, it’s not 100% clear. As mentioned, the CCPA requires honoring opt-outs in situations where you are disclosing PII to a third-party for “monetary or other valuable consideration”.

Many will likely argue that with an ad call you aren’t selling the PII, and the money you make isn’t due to the ad network paying you for the information. Ergo, you aren’t sharing the info for money.

That said, this is a bit of a stretch. Programmatic advertising uses PII to increase the value of that impression. Adding in location and IDs can greatly heighten your eCPMs, so sending a users’ PII in exchange for a more valuable bid seems to certainly fall under the law.

If the user has opted out of selling, then, you’ll have to honor their request by removing their PII in future ad calls (as well as PII for any of their household members, as per the “household” rule).

CCPA compliance

Who needs to comply

If any of the following applies to you, you’ll need to comply:

  • $25M in annual gross revenue
  • More than 50% of annual revenue from data sales
  • Bought, sold, and/or shared (for commercial purposes) personal data on 50K+ California residents, households, or devices
How to comply

Let’s break this into four steps:

(1) Conduct a data audit

We recommend a detailed audit and risk assessment of the data you have, how it’s used, and whom you share with (you likely did this for GDPR too). You’ll want to identify what partners you have shared data with, regardless of whether it was for a sale or a business purpose, since January 1, 2019.

For instance, if you’re doing programmatic advertising or data sales, be prepared to provide a list of everyone involved (such as ad servers, exchanges, DMPs, DSPs) to fulfill consumer requests. Group these into categories, noting that any new partner will require you to update your records.

(2) Update your privacy policy

Your privacy policy will need to:

  • Outline the new California consumer rights under the CCPA: the right to notice; right to access; right to opt-out; right to request deletion; and right to equal services and prices.
  • Provide detailed accounts of personal information collected, sold, and/or disclosed since January 1, 2019 (12 months prior to the law’s effective date):

    -What kind of information is collected
    -How it’s collected (cookies, registration form, etc)
    -Why the information is collected
    -How consumers may access, delete, or deny collection of their information
    -How you verify consumers’ ages and obtain minors’ consent
    -How you verify consumers’ identities when accessing/disclosing information
    -A “Do Not Sell My Personal Information” link to a web page, toll-free number, and/or email address (more below)

(3) Update your website

Under the CCPA, you’ll need to display a “Do Not Sell My Personal Information” button for California residents:

If you’re an online-only business with direct consumer relationships, your “do not sell” button can link to an opt-out email address

If you’re not exclusively online and/or you don’t have direct relationships, your “do not sell” button must offer at least two opt-out options, including a web page and toll-free number. You’ll also need to provide a link to that page in your privacy policy and on your homepage footer. The CCPA defines “homepage as “any internet web page where personal information is collected”.

We anticipate “do not sell” button specs from California’s Attorney General in the coming weeks, but compliance software companies such as Truyo have started to create options for their customers.

(4) Make data rights actionable

You’ll want to develop an internal process to delete data upon consumer request or cease data sharing upon opt-out. Most likely this will be manual, such as creating a dedicated email address the user has to contact, which is then directed to the relevant party (a product manager, IT team, ad ops, etc). That person would then enact measures to honor the request, like deleting the data from internal or external databases. In addition, if you do sell PII, you’ll need to exclude that users’ data from future sells, either manually or through automated exclusion lists.

For publishers doing programmatic advertising or sending ad calls to a third-party, it gets a little trickier, as you’ll have to strip PII for that user in future ad requests, including IP, mobile IDs, cookie syncing IDs, etc. There are a couple potential paths here:

  1. If you have server-side integrations with your partners, you could write the code yourself to automatically strip excluded users’ data
  2. If you are relying on JavaScript tags where you don’t have that control, you’ll need to make sure your partners have a process for honoring the user’s request. If they don’t, and you continue to send this data to those ad partners when the user visits the site/app again, this would be a violation of the CCPA
  3. Consent Management Platforms will likely be appropriated for this. These tools popped up to manage GDPR consent, with the IAB specifically building a CMP framework on how to incorporate consent into programmatic advertising. Given the nuances between the two laws, though, it’s not as easy as flipping a switch; CMP vendors will need to update their tech, which will take time

Penalties for non-compliance

It will pay (or in this case, save) to be fully compliant by January 1, 2020 to avoid penalties.

Unintentional violations of the CCPA may result in fines of $2,500. Intentional breaches of the CCPA can result in fines of up to $7,500.

Individual consumers can also sue for $100 to $750 per breach or actual damages, whichever is higher. We’ll likely see a spike in class action lawsuits next year.

What’s next?

California Governor Gavin Newsom signed seven related bills into law on October 11, 2019. The next opportunity to amend the CCPA law will be the 2020 legislative session.

Proponents of the CCPA have also drafted a 2020 ballot initiative - The California Privacy Rights and Enforcement Act of 2020. If passed, that law will further expand CCPA consumer protections and redefine a “business” as having 100K or more consumers/households.

We’ll continue to follow that legislation and follow up with another Definitive Guide as needed!

This is helpful. What else should I read?

Great! We hope we’ve shed some light on the CCPA. It’s confusing, for sure, but there are plenty of resources to help you navigate this unique legislation.

Here are a few additional sources that may prove helpful in your quest for compliance:

Official CCPA Texts

California Consumer Privacy Act (AB-375) - California Legislative Information

Amendments to the California Consumer Privacy Act (SB-1121) - California Legislative Information

CCPA Guidelines from Data Processors

"Introducing the 'Preparing for the California Consumer Privacy Act' Whitepaper"- AWS (Amazon)

"Consumers Are Wary of How Companies Use Their Data: What Retailers Need to Know"- Salesforce

"The California Consumer Privacy Act and Its Impact on Email Senders" - SparkPost

"Preparing for the CCPA and the Future of Data Privacy Regulation" - Segment

"How Emma is addressing the California Consumer Protection Act" - Emma

"7 Key Differences Between GDPR and CCPA" - Otonomo

"What is CCPA and How Does It Affect Me?" - Ongage

Consent UX Examples

"A Marketer’s Guide to the CCPA"- eConsultancy

"What is Privacy UX?"- CMS Wire

"An Analysis of the California Privacy Act: Implications for App Publishers, Mobile Marketers" - Medium (TrueData)

"Consent and and preference management: A primer" - IAPP

"The CCPA Hidden Game Changer - 'Do Not Sell My Personal Information'" - Truyo

"Do Not Sell My Personal Information Link for California" - Clarip

Additional Sources

"Comparing Privacy Laws: GDPR vs. CCPA"- Future of Privacy Forum

"How to know if your vendor is a ‘service provider’ under CCPA" - IAPP

"CCPA offers minimal advantages for deidentification, pseudonymization, and aggregation" - IAPP