With rising concerns over data privacy, California recently set a new precedent with the passage of the California Consumer Privacy Act, or CCPA. In broad strokes, this groundbreaking legislation provides California residents the right to know what personal information is being collected on them, understand how that information is being used or sold, and request deletion of that information. For more information on the act, you can review its official webpage here.
For marketers, CCPA is a portentous event with the potential to affect the way brands engage with prospects and customers, encompassing the platforms we use, partners we engage with and the way we share and store consumer information. When the dust has settled, CCPA compliance will almost certainly mean increased scrutiny on third-party data sources, negatively impacting the availability of third-party data as vendors struggle against increased regulation coupled with dwindling data inventories.
Reduced access to third-party data will, in turn, create pressure on marketers to develop better first-party data acquisition channels — a brisk current pushing them towards keeping more information in-house while curtailing reliance on unreliable and risky outside sources. Faced with pressure to comply with CCPA, marketers will be forced to more closely monitor and control their partner ecosystem and any/all processes that transmit consumer data.
Given this scenario, brands with a stronger focus on first-party data will be in a better position to defend their information collection practices by pointing to the role of that data — as opposed to outside sources — in shaping consumer experiences. Brands that struggle to make this shift will quickly find themselves at a competitive disadvantage.
Despite being legislated in California, CCPA applies to all companies, no matter their location, that meet specific criteria. The way CCPA is written, many marketers will find their lives disrupted due to the bill’s impact on third-party data sources. And because CCPA comes into effect soon, along with look-back language, marketers need to start rethinking their targeting approaches right now. And there are real financial penalties for getting it wrong.
While not legal advice, this post is an attempt at a comprehensive review of CCPA’s potential implications for marketers, along with some strategies to help ensure compliance as the bill is modified and ultimately becomes law in a few short months.
The Skinny on CCPA
CCPA is a bill that enhances consumer privacy rights and provides protections for residents of California. The bill applies to any business, including any for-profit entity, that collects consumers’ personal data, does business in California (online or brick-and-mortar) and satisfies at least one of the following thresholds:
- Has annual gross revenues in excess of $25 million; or
- Possesses the personal information of 50,000 or more consumers, households, or devices; or
- Earns more than half of its annual revenue from selling consumers’ personal information
CCPA defines consumers as “a natural person who is a California resident,” including anyone residing in California as well as “every individual who is domiciled in the state” — even when they are outside of California. In other words, CCPA applies to CA residents both inside and outside of the state. Expanding on GDPR, the EU’s General Data Protection Regulation that came into effect in 2018, CCPA protects information on households, not just individual consumers.
Furthermore, CCPA applies a very broad definition of “personal data.” While specific carve-outs have been made for employee and job applicant data, as well as exemptions for loyalty and rewards programs, CCPA applies to a wide breadth of consumer information, including IP addresses, email addresses, records of purchasing, consuming histories and tendencies, Social Security numbers, driver’s license numbers, passport numbers, browsing history, search history and geolocation data.
As it stands, CCPA will take effect on January 1, 2020 and be enforced on July 1, 2020 or six months after the Implementation Regulation is published (whichever comes first), with a look-back provision of 12 months (i.e., January 1, 2019). In other words, including the look-back provision, CCPA is already in effect and brands must be prepared to comply with its provisions.
Like it or not, CCPA will impact almost every organization that does business in California or handles personal information of California citizens. And although CCPA was inspired by the earlier enacted GDPR and appears similar to its European counterpart, its core legal framework is different, and it places many new burdens on brands. Marketers take notice.
New Rights for Consumers
CCPA gives consumers several key protections relating to how their data is being collected and shared. If requested by a consumer, a business that collects and sells data on California residents must disclose:
- What it collects: the categories and specific pieces of personal data that it collects and sells
- Where it’s collected: the categories of sources where that data is collected
- Why it’s collected: the business purposes for collecting or selling the data
- Who it’s shared with: the categories of third parties with whom the information is shared
Upon request, businesses must provide a copy of the collected data to the individual in a portable, readily usable (and shareable) format. Regardless of how many of these requests ultimately come in, brands must be prepared to respond to them, and information must be provided to the consumer within 45 days of request.
CCPA provides the right to opt out of having data sold to third parties. If the consumer opts out, businesses must wait 12 months before re-requesting authorization. Of paramount importance, CCPA also holds organizations accountable for actions by third parties in their marketing ecosystem who may have been shared information that can be matched against a consumer or household, even if it’s hashed.
From the moment CCPA comes into effect next year, brands must be prepared to fulfill on these obligations — or else face steep penalties. How steep? Non-compliance penalties can be up to $750 per user, per violation, and civil penalties up to $7,500 per violation. Unlike GDPR, which was enforced primarily by European regulators levying fines and penalties, in the US enforcement will most likely also include civil penalties (i.e., lawsuits) as CCPA rolls out.
As anyone who lived through the CAN-SPAM Act of 2003 can attest, the specter of nuisance suits is a real thing. If history repeats itself with CCPA, many brands will be forced to marshal legal resources to fend off countless civil actions. As was the case with CAN-SPAM, easy-to-target “violators” with deep pockets can expect to be hit by a bevy of lawsuits — some real and some frivolous — once the bill goes into effect. With a $7,500 fee barrier, many brands may decide to settle as opposed to fighting civil actions, which will unfortunately encourage more of this behavior, not less.
Fly in the Digital Marketing Ointment
CCPA’s potential impact on digital advertising cannot be overstated. The way the law is written, CCPA protects any information that can be linked to a consumer or household that can be used for targeting — even if it is anonymous. What’s more, CCPA holds organizations accountable for actions by third parties in their marketing ecosystem. In other words, CCPA implies sequential liability across all third parties, including service providers, who are involved in the transmission or collection of consumer data.
This is a critical issue that creates a lot of potential liability for large brands. Why is that? Because it’s no exaggeration to say the entire modern digital advertising ecosystem is predicated on the transmission of consumer data to target advertising to specific audiences. Programmatic media buying, for example, relies heavily on third-party data sharing across many different tools and players. So, unless a company operates its website (or app) in complete isolation — without any programmatic ads or analytics software — it’s probably collecting people’s personal information and sharing it for “business purposes,” and as such is regulated by CCPA.
Let’s take a quick look at the programmatic media ecosystem, with all its moving parts, to understand CCPA’s potential impact. Each arrow in the diagram below represents the transmission of information across platforms/parties, facilitating the placement of a brand’s ad unit on a publisher’s website.
While CCPA is squarely aimed at the third-party ecosystem of data providers (the box highlighted in red) anyone who receives or transmits consumer information for business purposes may get caught in CCPA’s cross-hairs. Compliance thus means ensuring all third-party service providers who have access to consumer personal information are 100% compliant with CCPA. Some food for thought relating to three categories of partners:
- Digital Agencies — which consumer data do agencies have access to? In particular, media agencies may be collecting cookie data. To be CCPA compliant, these partners need the ability to delete upon request.
- Affiliates & Ad Networks — affiliates likely collect more information on consumers than traditional agencies. CCPA doesn’t differentiate between marketing communications from a brand or its affiliate partners.
- AdTech Partners — a variety of AdTech tools — ESPs, DMPs, SSPs, etc. — collect information covered by CCPA. Brands must ensure all partners are CCPA compliant and can delete individuals upon request.
Not Someone Else’s Problem
Many brands mistakenly believe that CCPA is an issue to be solved for in a vacuum by legal and IT. While achieving CCPA compliance may require some technology investments — for example Consent/Permission Management — there are many critical process, procedure and communication initiatives that will need to be implemented to avoid running afoul of the regulation.
For example, because CCPA is at its core a consumer protection act, the bill mandates specific practices relating to user experience. As such, from a marketing communications perspective, there are four main standards that must be met when CCPA goes into effect next year:
- Visible Opt-out Links – CCPA mandates wording similar to “Do not sell my personal information” be used on a business’ homepage, and the California-specific description of privacy rights must also be made available
- Consistent Messaging – marketers must work with legal and compliance to iron out category/labeling nomenclature for consumer data and accompanying messaging presented to consumers
- Ease-of-use – CCPA specifically requires organizations to provide individuals with easy-to-access links so they can request their personal information no longer be sold or opt out of further data collection
Beyond experience, the thornier issue relates to page tags and the flow of information across the marketing and advertising ecosystem. Not surprisingly, many large brands tend to have intricate ecosystems, with dozens of websites hosting robust content, a social media presence across many platforms, multiple ecommerce engines and links to many external partners. To compound the situation, some of these properties may be managed or run by third parties such as digital agencies or service providers. In all likelihood, this is where the lion’s share of compliance issues will occur.
Across the properties, the tags and pixels placed on various Web pages usually come from an unknown (and large) number of sources that include MarTech platforms (DMPs, Tag Management, Web Analytics, etc.), sundry exchanges and ad networks. Tags and pixels, keep in mind, are essentially set up to gather and transmit data. Across all properties, the number can be expansive and include tags/links from internal tracking systems (e.g., Adobe, Segment, GA, etc.), SSP/DSPs and other media partners and networks.
To ensure compliance, in other words, brands must identify and catalog the number of tags on their owned Web properties and determine how many links appear in an individual tag and exactly where those links point. Once identified, each partner must then be assessed for both compliance and potential risk. How complex is this issue? A quick scan of a leading beauty company’s home page, for example, identified 24 distinct tags redirecting to quite literally dozens of external links. And this was just one page — out of hundreds.
To move towards a path of compliance, we recommend the following process:
- Survey properties / pages — inventory and perform scan of properties, as well as each page, reviewing code as it corresponds to writing tags/pixels. We recommend using a tool to review and compile page tags, links, and pixels. It’s possible part of this task can be automated.
- Build list of external links — using the link data, build master table of all tags and pixels across all sites. Organize tags and categorize both internal links and tracking tags (e.g., GA, Adobe, Segment, etc.).
- Create master list of partners — click through to tag/link destinations and create list of referring/linking entities. Locate Sell/Insertion Orders and match against known partners (e.g., affiliates, publishers, networks, etc.).
- Assess partners for risk — break down partners into White, Black and Gray Hat groups based on familiarity and risk profile. Black Hat partners should be purged immediately, while White Hats should be added to a whitelist; all others should be assessed for risk potential and CCPA compliance.
- Create CCPA compliance framework — use findings to draft CCPA compliance rules for all publisher sites, including list of whitelisted partners. Consider moving to common web content management platform and tag management system to minimize risk moving forward.
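The survey, link-list and partner-assessment steps above can be partly automated. The sketch below is an added example, not part of the original post: it extracts the hosts that a page's script, image and iframe tags load from, and sorts them into first-party, allow, deny and review groups. The sample page, all hostnames and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample page; every host below is a placeholder.
SAMPLE_PAGE = """
<html><head>
<script src="https://tags.analytics-vendor.example/lib.js"></script>
<script src="/static/app.js"></script>
</head><body>
<img src="https://px.adnetwork.example/p.gif?uid=123" width="1" height="1">
<iframe src="//sync.unknown-partner.example/frame.html"></iframe>
<img src="https://cdn.brand.example/logo.png">
</body></html>
"""

class TagCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.found = []  # (element, url) for every resource-loading tag

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag in ("script", "img", "iframe") and src:
            self.found.append((tag, src))

def in_domains(host, domains):
    # True if host equals, or is a subdomain of, any listed domain.
    return any(host == d or host.endswith("." + d) for d in domains)

def inventory(html, first_party, allowlist, denylist):
    collector = TagCollector()
    collector.feed(html)
    report = {}
    for tag, url in collector.found:
        # Relative URLs have no hostname and belong to the site itself.
        host = (urlsplit(url).hostname or first_party).lower()
        if in_domains(host, [first_party]):
            status = "first-party"
        elif in_domains(host, denylist):
            status = "deny"      # the post's "Black Hat" group: purge
        elif in_domains(host, allowlist):
            status = "allow"     # the post's whitelist
        else:
            status = "review"    # the post's "Gray Hat" group: assess
        entry = report.setdefault(host, {"status": status, "tags": []})
        entry["tags"].append((tag, url))
    return report

if __name__ == "__main__":
    demo = inventory(SAMPLE_PAGE, "brand.example", {"analytics-vendor.example"}, {"adnetwork.example"})
    for host, entry in demo.items():
        print(entry["status"], host, len(entry["tags"]))
```

Static parsing only sees tags present in the delivered HTML; tags injected at runtime by a tag manager need a browser-based crawl to appear in the inventory.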
A Brave New World Wide Web?
In coming years, CCPA will most likely impact digital marketing in a meaningful way. Unless the law is changed dramatically between now and when it goes into effect — which is of course a possibility — the general usefulness and impact of targeted advertising, retargeting campaigns and other programmatic channels will be negatively impacted by reduced access to third-party data.
What we may end up with, in other words, is a worldwide web with less “dumb” personalization across top-of-funnel consumer activities, yet a richer, more relevant experience later in the customer journey for individuals known by brands. Not a terrible outcome, in many respects. That being said, the act of navigating from Point A to Point B, from preparation to compliance, may end up a time-consuming and costly endeavor for many parties.