CCPA: An Explainer For Digital Publishers

With the arrival of 2020, the California Consumer Privacy Act (CCPA) officially came into effect. However, the Attorney General’s office can’t technically begin enforcement until July; it is therefore essential that publishers use this grace period to get their affairs in order if they haven’t done so already. By regulating the collection, processing and sharing of personal data, the act gives publishers the opportunity to become totally transparent about their data practices, allowing them to place data privacy, security and the responsible use of consumer information at the very core of their business. 

So, with that in mind, let’s take a closer look at what the CCPA means for digital publishers and what they can do to ensure compliance. 

Who does the CCPA apply to?

Upon first inspection, some publishers may feel that the CCPA doesn’t impact them; this being the case for two main reasons. First, it only applies to businesses that make $25 million or more in annual revenue, possess the data of over 50,000 consumers, or make more than half their annual revenue selling personal data. Second, it only applies to companies that process the personal information of California residents.  

Despite this reasoning, it is advised that all publishers aim for compliance with the CCPA. Its terms may or may not still be subject to change, but either way it is recommended that publishers follow the current guidelines, especially with other state and national data laws currently in the pipelines that are likely to apply universally. By the same token, it is rather ineffective for data practices to be changed according to state; per the sheer size of California, any state law will essentially become a proxy for Federal regulation. Therefore, rather than trying to find ways around data regulations like the CCPA, digital publishers must accept the need to align with them. 

What data rights does it provide? 

The CCPA gives consumers the right to understand a businesses’ data collection practices, to access any personal data collected about them in the previous 12 months, and to ultimately have that information deleted should they wish to. Furthermore, it also gives them the right to not have their personal data shared or sold, as it is now fundamental that all publishers include an opt-out link on their website. The law gives consumers the right to equal services and prices, so that businesses can’t discriminate against them if they choose to exercise their rights under the CCPA, for instance by opting out of the sale of data to third parties. 

What are implications for non-compliance? 

The fines for non-compliance with the CCPA currently stand at up to $7,500 per intentional violation, and $2,500 per violation without intent. In addition, publishers may need to pay compensation of up to $750 to any individuals affected, even if non-compliance appears to have done no harm. But whilst the potential fines resulting from a violation of CCPA will undoubtedly be damaging to publishers, the bad press associated with a breach could be even greater. By complying with the regulation, publishers can build consumer trust and maintain a positive reputation.  

Three steps to publisher compliance

Step 1: Understand data flows. The first step for publishers is for them to get a handle on their data flows, understand what they collect, where it is stored and what it is used for. By implementing unified data storage systems, they can gain an overview of the data they have and fulfil access or deletion requests from consumers quickly and efficiently, which is essential given the 45-day deadline. Publishers also need to understand which third parties they are sharing data with; the CCPA has a strong focus on the sale of data, but this doesn’t necessarily require a financial transaction, it also applies to the disclosure of information for business purposes which require no payment. By adopting industry specifications such as ads.txt and sellers.json, publishers can gain a better view of the data supply chain and a deeper understanding of who they are sharing their data with.

Step 2: Determine data necessity. Once they understand data flows, publishers can take the opportunity to decide what personal data they really need to collect, store and share. For instance, with the inferred data used in behavioral ad targeting still a bit of a question mark under CCPA, publishers may want to explore other options such as native advertising which uses contextual targeting and requires no personal information. The less personal data publishers collect, the smaller the risk of breaching CCPA.    

Step 3: Provide full transparency. When they understand their data practices, publishers must ensure that these are fully disclosed on their websites. They can use the IAB’s CCPA Compliance Framework for Publishers and Technology Companies both for guidance in how to explain data practices to users via clear disclosures, and as an operational mechanism for compliance. The framework enables publishers to include the necessary ‘do not sell my personal information’ link, and to automatically send a signal to downstream tech partners when the link is clicked to ensure that they respect the user’s choices.

Despite the fact that CCPA is now in full effect, publishers still have time to get their data practices up to scratch. By assessing their data flows, deciding what information is essential, and ensuring fully transparent disclosure, they can make the most of the opportunity CCPA and other data laws bring and put consumer privacy at the heart of their business.