Ready or Not! a Quick Guide to CCPA and How Brands Can Prepare

Ready or Not! a Quick Guide to CCPA and How Brands Can Prepare

Consumer expectations of online advertising are rising; yet, many reports reveal brands don’t deliver on these expectations. Accenture states that over 60 percent of customers have stopped doing business with at least one company because of poor customer experience.

What’s more, there have been instances of highly publicized data misuses and privacy breaches, which combined have led to an environment of consumer distrust. This loss of trust has ushered in a new era of Digital Marketing, marked by consumers’ heightened awareness of how their data is used, and a demand for more transparency, leading to the rise of new privacy regulations.

Compliance with these new laws is a critical component to regain consumer trust, and the industry needs to take action. The EU has taken a stance in data privacy through its adoption of the General Data Protection Regulation (GDPR). Now, U.S. lawmakers are implementing the latest privacy law, the California Consumer Protection Act (CCPA). Here’s what marketers and brands need to know.

The Right to Opt-Out

The role CCPA takes in this revamp of online advertising will require brands and publishers to give consumers more transparency and rights over the use and sale of their personal information. Consumers will have the right to access and deletion to their data.

However, the more important aspect brands should be aware of is the consumer’s right to opt-out of sales – meaning consumers can choose to opt-out of their personal information being sold from a business to a third party. This right affects brands and publishers who employ advertising services that use consumer data for things like increased modeling and segmentation, retargeting, prospecting of potential audiences, and more. Generally, any brand that has Marketing tools that increase the relevancy of advertising will be affected by CCPA.

Read more: Let’s Test Your CCPA Preparedness!

Determining Your Brand’s Role

The first step in CCPA compliance is to determine which of the three categories they, and their partners, operate under when CCPA takes effect on January 1, 2020. In this decision-making process, it’s all about what brands are doing with their consumer data that will guide them to categorize themselves as either a “business,” “service provider” or “third-party.” This distinction is particularly important for AdTech companies, which can operate as different things at different points in time, depending on the circumstance of how they’re collecting and using data.

As the law states, any brand doing business in California with gross revenue of $25 million or above, or if 50 percent of their revenue comes from buying, selling or gathering personal information of at least 50,000 California residents need to consider themselves a “business.” In other words, brands, whether on their own or jointly with others, that collect consumers’ personal information, determine how this information is processed, and decide the purpose for which it is processed should operate as a “business.” If brands limit their ad serving partners to just “service providers,” it may significantly reduce the effectiveness of their advertising initiatives. Brands may find themselves in back in the early 2000s – faced with sponsoring contextual advertising or presenting irrelevant offers to the wrong audience.

Brands should consider how they’re to provide users with notice and an opportunity to opt-out directly with their ad service partner, which is the core of compliance with CCPA – presenting consumers with options to manage the sale of their personal data. Underlying the ability to be compliant is the challenge of how brands will communicate opt-out and do-not-sell data between “businesses,” “third parties” and “service providers.”

Similar to industry work behind the CMP tool for GDPR, conversations around a universal set of signals are progressing between groups like the Interactive Advertising Bureau (IAB) Tech Lab to allow partners and clients to pass opt-out and deletes requests. Although there’s still a lot of ambiguity around the practicalities of the law, the IAB recently released a draft of a compliance framework that will help brands better navigate their contracts and signal passing.

In this draft, the IAB’s framework will provide a standardized contract for publishers and their partners, as well as an outline of technical specs to help companies ensure these contracts are implemented. For AdTech companies that end up with publishers and advertisers that don’t push these signals, it’s important to decide alternative ways to manage data while remaining compliant.

Expanding the Principle

Although CCPA is the most imminent law, there are many other states that have similar laws currently under draft, including Hawaii, Maryland, Massachusetts, New Mexico, Texas, and Washington – not to mention new international laws in Brazil, New Zealand, and Bahrain, among others. Brands may plan to screen for California residents to focus compliance efforts solely for these customers, but it’s only a matter of time before these privacy policies are adopted by other states (perhaps one day advancing to the federal level), and countries. Brands should take on the fundamental goal of what CCPA entails now to simplify future compliance of any up and coming privacy laws (and you can bet that they’re coming).

With the rise of privacy regulation, we’re in a position today where we have the cleanest data we’ve ever had, centered around consumers who have opted in, and are tuned in to online advertising. This gives businesses the ability to focus advertising efforts to reach, engage and convert consumers who are more likely to purchase – while rebuilding the mistrust that’s grown between consumers and brands due to breaches in privacy.

Read more: Infringement of Privacy Rights in the Digital Age

Picture of Chris Lin

Chris Lin

Chris Lin is Chief Legal Counsel and Chief Privacy Officer at Rakuten Advertising. Building on her deep knowledge of data privacy and business operations, she helps to create solutions to capitalize on the ever-changing possibilities of technology, media and big data. Her previous roles include partner at OutsideGC, venture partner with NextGen Venture Partners and General Counsel and Chief Privacy Officer at comScore. Chris a member of the Association of Corporate Counsel and the International Association of Privacy Professionals. She holds a JD from Georgetown University Law Center, and a Bachelor’s degree from Yale University.

You Might Also Like