The Future of Data Privacy: Where We Are Now
There are only four months left before the California Consumer Privacy Act (CCPA) takes effect and compliance deadlines kick in. According to eMarketer, only 8% of businesses said they are prepared. As more direction on CCPA emerges, StackAdapt is monitoring the conversation closely and preparing to guide our customers through the complexities of CCPA.
Consumers are becoming more acutely aware of how their Personally Identifiable Information (PII) is being used in the digital world and, increasingly, within the advertising ecosystem. With the introduction of the General Data Protection Regulation (GDPR), governments outside of Europe are starting to take note, and the next wave of regulation is occurring, as we can see in CCPA.
CCPA is due to come into effect in January 2020, and will alter the relationship between publishers and consumers, as well as create significant compliance efforts.
How Does CCPA Compare to GDPR?
CCPA will provide Californian consumers new rights regarding their personal information and impose several data protection duties on entities conducting business in California. Like GDPR, CCPA will work to encourage transparency in the tech ecosystem and require each player to report data breaches to consumers, to restore consumer confidence.
The biggest differentiator between GDPR and CCPA is the consent mechanism: GDPR requires opt-in consent, whereas CCPA will only require an opt-out mechanism. Because of this, the anticipated impact on customer databases will not be as significant as that experienced with GDPR.
| | CCPA | GDPR |
|---|---|---|
| Who is affected? | California residents | European Economic Area (EEA) residents |
| What does it collect? | Collects personal information with the slightest chance of being linked to a particular consumer (i.e., address, browsing history, behavioural data) | Collects personal information that can be used to identify a person (i.e., address, license plate number, blood type) |
| Who must comply? | California businesses of a substantial size (with regard to revenue or number of consumers affected) | Any data controllers and data processors |
| What is the basis for consent? | Allows sites to collect and sell your data if you sign up or make an online purchase and only offers consumers the right to opt-out | Requires consumers to opt-in to data collection by instructing sites to get consent before collecting data |
| What is the response time? | Responsible parties have 30 days to respond to a request | Responsible parties have 40 days to respond to a request |
| What are the financial penalties? | Companies in breach can be fined up to $2500 per violation or $7500 per intentional violation | Companies in breach can be fined up to 4% of their annual global revenue or 20 million euros |
*Data is subject to change and the framework may adjust over time. See IAB for updates.
Although these changes are unique to California, other states are following suit. New York will be the second state to implement a state-level comprehensive privacy law. The New York Privacy Act (NYPA) is expected to have characteristics similar to CCPA; however, the biggest differentiator will be the means of legal action. Under NYPA, any resident of New York will have the ability to file an individual lawsuit against breaching companies, instead of the usual prosecution and fining through the attorney general of each state, as seen with GDPR and CCPA.
As the two most populous states work to align with the privacy trend, 15 other states such as Washington, Nevada, and Texas are also looking to implement changes, either amending a pre-existing privacy law or drafting one from scratch. A common fear around CCPA is an avalanche of 49 other state-level processes. Until then, entities will have to comply with each state's law and its unique regulations.
The Implications of CCPA
CCPA provides California residents new rights to:
- Know what personal information is collected.
- Know whether personal information is shared or sold, and to whom.
- Access and request deletion of their personal information.
- Opt out of the sale of their personal information.
- Receive equal service and price, even if they exercise their privacy rights.
In addition to the above, CCPA will create 3 categories of coverage: businesses, service providers, and third parties. Each category of coverage has different CCPA compliance obligations; businesses, for example, have more compliance obligations than third parties and service providers. The complete compliance obligation details are laid out in the IAB Roadmap for CCPA.
With the categories specified rather broadly, the implications for the digital advertising industry are somewhat unknown—specifically coverage for demand-side platforms (DSPs) and supply-side platforms (SSPs). Some contend that DSPs and SSPs are each considered a “business” because they leverage client personal information. Others contend that they are in fact “service providers” to publishers and advertisers. And of course, there are others who believe DSPs and SSPs should be considered “third parties”.
In addition to these differences of opinion, and the absence of formal agreement on how a DSP or SSP should be defined, there is the “programmatic paradox”, which challenges OpenRTB as a non-compliant model to begin with. This has sparked many questions such as:
- How does an SSP send personal information to a DSP, using OpenRTB, when neither of them knows whether the consumer has received explicit notice and what the opportunity is?
- When a consumer opts out, does CCPA bar the delivery of a personalized ad, or bar the “sale” of personal information for the delivery of a personalized ad?
- Is there still a way to use Real-Time Bidding (RTB) and recover some value in ad serving after a consumer opts out?
- What conduct in ad serving through RTB would be problematic after consumers opt out?
As more concerns such as these continue to arise, the digital advertising industry is also becoming increasingly regulated, as has historically happened in other industries.
The Ongoing Discussion
Much still remains up in the air with CCPA, despite the deadline drawing near. As part of the ongoing privacy discussions occurring in Congress, we’ve identified some key points that you should be aware of:
- The creepiness factor has grabbed the attention of House and Senate members, but issue conflation and demagoguery are rampant.
- That bill will likely be seen as the main congressional product on privacy, and will provoke sustained industry advocacy through 2020.
- The draft that Privacy for America produces, which IAB is constructing as part of a cross-industry coalition, will be a main driver for congressional consideration.
- Republican Members of Congress have stated that federal preemption must be included for any bill to pass the House and Senate.
- Democrats insist that CCPA-like language must be the “floor” for any piece of draft legislation.
StackAdapt will continue to monitor CCPA progress and communicate with our clients accordingly—including the publication of future blog posts.