The California Consumer Privacy Act or CCPA is law that is meant to enhance the privacy rights of all California residents. The original bill was signed into law on June 28, 2018, and takes effect on January 1, 2020. The latest amendments were added on September 23, 2018 and let me tell you, it’s a doozy. If you have better things to do in your day then read lengthy legal texts, but still want to learn all about CCPA, then you have come to the right place. I read the latest version of the CCPA for you and will summarize everything you need to know right here. But first, a little background on how we got here.

Privacy is one of the hottest topics in ad tech, if not all of technology, this year. High profile data breaches and unauthorized data access like the Equifax or Cambridge Analytica scandals have thrust data privacy and governance into the limelight. News grabbing headlines that those scandals have created have put any company predicating their business on buying, selling or using user personal data under the microscope. So how does this impact ad tech?

Advertisers rely heavily on data to precisely target individuals who would be most receptive to their brand or product’s marketing tactics. IP addresses and app IFAs are two key identifiers used to individually target consumers with audience targeting. Both of these identifiers are considered personal information under CCPA and therefore make any company retaining these data points subject to the act. But if you prepared for GDPR, you may be all too familiar with some requirements of CCPA.

Europe’s General Data Protection Regulation (GDPR) turned the entire industry on its head when it went live in 2018, sending publishers and ad tech vendors scrambling to either become compliant or stop doing business in Europe entirely. Some chose the latter – but for those who remained, becoming compliant was a grueling process with heavy penalties for any missteps (€20 million or up to 4% of the annual profit - whichever is greater).

CCPA borrows many of the core concepts from GDPR but with its own unique spin and less severe penalties. So let’s take a look at what the California legislature cooked up.

Disclosure: The below is simply a summary of portions of the bill the author found most relevant to ad tech and is not meant to serve as replacement for fully reviewing the bill before making any legal decisions for your business.

Which businesses does the CCPA affect?

The act affects any business that satisfies one or more of the following:

  1. Has annual gross revenues in excess of twenty-five million dollars ($25,000,000)
  2. Alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.
  3. Derives 50 percent or more of its annual revenues from selling consumers’ personal information.

Since this will only be a California state law, a "consumer" in the context of the act is any California resident.

At a very high level, the act requires that businesses:

  • Disclose the personal information they collect and the purpose for collection and provide that info to the consumer if the consumer submits a verifiable consumer request
  • Delete consumer data if consumer submits a verifiable consumer request
  • Stop selling personal data for users who have “opted-out”
  • Do not discriminate against consumers exercising rights under CCPA
  • Make available two or more methods for submitting requests for information
  • Provide a “clear and conspicuous” opt out link on your homepage titled “Do Not Sell My Personal Information” if selling consumer personal data

Now let’s take a deeper dive into each of the items above.

Disclose the personal information the business collects and the purpose for collection and provide that info to consumer if they submit a verifiable consumer request

This must be done at or before collection and inform consumers of the categories of personal information collected, the sources from which it was collected, the business purpose for doing so, categories of third parties they are sharing with, and the specific pieces of personal information collected.

If the business receives a verifiable consumer request from the consumer they must disclose and deliver personal information they have collected via mail or electronically. Businesses must disclose all consumer rights and all categories of personal info collected in a privacy policy updated at least once every 12 months.

The same goes for any business selling consumer personal data, and furthermore they must disclose the categories of businesses to which they are selling the data. No third party is allowed to sell personal data of the consumer without the consumer having the chance to opt out.

Delete consumer data if consumer submits a verifiable consumer request

The business must disclose the consumer’s right to delete their personal information and honor any request to do so. If the business uses any service providers to process personal information of consumers they must direct the service provider to do the same.

Stop selling personal data for users who have “opted-out”

The consumer has the right to direct a business that sells personal info the right not to sell that data. This is referred to as the “right to opt out”. However, a business may not sell personal info if they know the consumer is younger than 16 years of age unless they are between 13 to 16 years of age OR a parent or guardian of someone less than 13 years years of age affirmatively authorized sale of personal info. This is the “right to opt in.

Do not discriminate against consumers exercising rights under CCPA

If a consumer requests their personal information, ask to be deleted or opts out of having their data sold, a business cannot discriminate against that consumer. The business cannot deny goods or services, charge different prices or rates or provide different level of quality of goods and services for consumers exercising their rights under CCPA.

Interestingly, the act does allow businesses to offer financial incentives to consumers for letting them use their personal data. This can be in the form of direct payments or offering different prices or quality of goods and services if it is “related directly to the value provided to the consumer by using consumer data”.

Make available two or more methods for submitting requests for information

Businesses must provide two separate methods for submitting requests for information and at a minimum, one of these methods must be a toll-free telephone number and if a website is maintained, a website address. The business must disclose and deliver the information within 45 days of the request.

This link must provide all rights around opting out. If the user chooses to opt out, the business must respect the opt out for twelve months before requesting the user opt in again. The “Do Not Sell My Personal Information” link is required to be on the homepage but the act does allow a business to show a different homepage for California residents only with this link displayed.

What does the CCPA consider personal information?

Information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Includes but not limited to:

  • Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers
  • Characteristics of protected classifications under California or federal law.
  • Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
  • Biometric information.
  • Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.
  • Geolocation data.
  • Audio, electronic, visual, thermal, olfactory, or similar information.
  • Professional or employment-related information.
  • Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act
  • Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

What is the punishment for non-compliance?

Business shall be in violation of this title if it fails to cure any alleged violation within 30 days after being notified of alleged noncompliance. Any business, service provider, or other person that violates this title shall be subject to an injunction and liable for a civil penalty of not more than two thousand five hundred dollars ($2,500) for each violation or seven thousand five hundred dollars ($7,500) for each intentional violation

Where does that money go?

Any civil penalty assessed for a violation of this title, and the proceeds of any settlement of an action brought pursuant to subdivision, shall be deposited in the Consumer Privacy Fund, created with the intent to fully offset any costs incurred by the state courts and the Attorney General in connection with this title.

So they will use the money for all prosecution or legal fees that occur due to enforcing this act.

What is a “verifiable consumer request”?

There are still some open questions around defining exactly what a “verifiable consumer request” actually is and how a consumer goes about making one. The act directs the California Attorney General to establish rules and procedures around how a business should verify that an individual is who they claim to be when making requests for information or deletion. The Attorney General is required to establish these rules and procedures before the act goes into effect.

While I hope the above helps you gain a quick understanding of CCPA, there are still many minute details not mentioned that must be understood and taken into consideration if the CCPA will impact your business. So please do not use this post as a replacement with reading the full law.

With more and more states considering similar privacy laws, and data privacy in general entering the public consciousness, it is important for anyone working in ad tech to gain an understanding of how state governments are dealing with these serious issues.  Business and engineering teams need to be in lockstep to ensure technology and procedures are in place to properly respond to California's new rules around data and privacy.