An Analysis of the California Privacy Act: Implications for App Publishers, Mobile Marketers

Elliott Easterling
Oct 2, 2018 · 11 min read

Most companies in the data collection or distribution space have likely already heard about the California Consumer Privacy Act of 2018 (AB375), a bill that was signed into law at the end of June and will go into effect on January 1, 2020. Intended to be a replacement for a broader privacy bill that was on the state ballot for November, the bill has been likened to Europe’s General Data Protection Regulation (GDPR).

However, contrary to the GDPR, which was crafted over the course of four years, the California Consumer Privacy Act (CCPA) took only three months for legislators to draft and pass, without the usual input from industry groups or privacy advocates. In fact, the CCPA itself instructs the California attorney general to “solicit broad public participation” in order to initiate regulations that are meant to clarify some portions of the law. As a result, the exact meanings, interpretations, and requirements are likely to change before the law’s implementation in 2020.

In early September, the California legislature passed SB 1121 to amend the CCPA at the urging of the ACLU, coalition groups, adtech, and other big tech companies seeking to address “technical” errors in the law such as the murky language and overlap with other federal privacy statutes. Still, some consumer privacy groups opposed the amendment, citing it as potentially undermining the intent of the CCPA to protect consumer privacy, and they’ve called for strengthening the bill even further in the coming months.

With all the uncertainty swirling around the law and its amendments, as well as their contradictory wording, it may be challenging for app publishers and mobile marketers to navigate the new regulations, let alone identify the best practices to ensure compliance.

As passionate advocates of truth in data, we value the fidelity of privacy, and support establishing responsible standards for data sharing. Though we anticipate there will be changes ahead, here is our analysis of the law and its amendment as they currently stand, as well as some insight into the practical implications for businesses that collect and use data in the state of California.

CCPA in a nutshell

In short, the CCPA requires companies to be more transparent with California-based consumers about the data they’re collecting, disclose what data has already been shared, provide financial incentive for consumer data sharing, and clearly communicate to those consumers their right to opt out of sharing their data. Sounds simple, right? Not so fast.

Because of its fuzzy definitions, criteria, and exceptions (along with some logistical concerns it raises in regard to consumer disclosure), the law and its amendment present inherent challenges to interpretation, and what together they’ll mean for businesses that use data. Let’s first identify who will be specifically affected by the new legislation, then break down the key points to consider to help you outline an effective compliance strategy for your business.

Who the law applies to

The bill outlines two primary constituents who will be directly affected by this bill: companies that do business in California and meet certain criteria, and California residents. Put simply, if you are:

…or are a legal resident of the State of California, the CCPA is going to affect you.

Practical implications for California businesses
Even buying a Facebook ad can reasonably be seen as “buying personal information,” since you’re using someone else’s collected information to target your ad. And if more than 50,000 people see your ad, your business is subject to the law. The CCPA will also apply to subsidiaries, co-branded entities, or affiliates if the business that meets the above criteria owns more than 50 percent of the affiliate, even if the affiliate doesn’t do business in California.

However, if you are a nonprofit, the law is not intended to apply to you. If you have a small app or website, don’t monetize in any way beyond direct sales to users, and don’t place any advertisements that use data, it may not apply to you either.

As far as California legal residency is concerned, regulations like the GDPR apply on a country-by-country basis, and both mobile and web are already set up to recognize from which country a user’s device is registered (or at least from where the device is connecting). Yet, there is no existing system to recognize the state of an individual user’s legal residency, and given the number of tourists visiting California or with second residences in the state, determining who is or isn’t a resident is tricky at best. Therefore, to ensure compliance with the CCPA, any business that collects data in the U.S. should do one of two things:

  1. Ask each person who uses their service to disclose what state they live in
  2. Apply the California privacy requirements to everyone

Which approach ends up being right for your business depends very much on what works best with your current onboarding flow and UX.

Questions that arise
It is worth noting that the law’s current definition of a “doing business in California” is rather loosely defined. It doesn’t specify whether the business is required to have a physical presence within the state, if the sale (“doing business”) is to a single California resident, or a single California user, that may or may not have actually purchased anything. This question of what constitutes “doing business in California” has also come up in many debates over state sales taxes, hence the definition has admittedly undergone changes over the years, and will also likely be yet another moving target under this law.

Key provisions of the law: what they really mean for your business

Per the CCPA — and similar to the GDPR — if requested by a consumer, a business that collects and sells data on California residents must disclose the categories and specific pieces of personal data that it collects and sells, the categories of sources from which that data is collected, the business purposes for collecting or selling the data, and the categories of third-parties with which the information is shared. However, the business is only required to disclose the categories of these third-parties, not the entities themselves.

Businesses must also provide a copy of the collected data to the individual in a portable, readily usable (and shareable) format within 45 days of request, but is only obliged to supply it twice within a 12-month period. Similar to the GDPR, once personal information has been collected, that information can’t be used for a different purpose without also notifying the consumer.

In regard to what constitutes a “business purpose” for collecting or selling data, the CCPA defines it as use that’s “reasonably necessary and proportionate to achieve the operational purpose for which the personal information was collected or processed.” The law provides several examples of “business purpose(s),” including:

  1. detecting security incidents
  2. providing advertising or marketing services
  3. processing payments

Additionally, a business’s privacy policy must include a description of consumers’ rights, including the business purpose(s) noted above if they apply, and must outline one or more ways a consumer can submit requests for the above information.

How this might affect your company: You’ll need to be prepared to hand over the info on where your personal information is coming from, whom you’re sharing it with (or selling to), and the specific purpose for which it was collected. Making sure your business has a system in place to accurately access, easily export and automatically send this information to the consumer will be the best way to ensure you’re well-suited for compliance. In addition to crafting a clear and explicit privacy policy, operations, sales, and marketing teams should also work with engineers and devs to flesh out category/labeling nomenclature and accompanying messaging beforehand for consistency.

Catches and exceptions: The CCPA also requires that before a business collects a consumer’s data, in addition to making the consumer aware of the categories of information that are being collected (usually in the form of a log-in screen or similar interface), the consumer must also be informed of the purposes for data collection. If your company’s app or website isn’t using clear microcopy or messaging to disclose that info, you’ll want to consider doing so to avoid falling into noncompliance.

There are also exceptions for data that’s been collected for one-time use, as long as the data isn’t retained, transferred, re-identified, or otherwise linked. In other words, if a consumer enters their information on a company’s website once for a single sale or transaction, the company doesn’t have to disclose the above info to the consumer, even it’s requested.

If a business receives a verifiable request from a consumer to delete personal data, it has to comply and direct any service providers to also delete the consumer’s data from their records too. However, there are quite a few exceptions — if the consumers’ data is necessary to:

  1. complete a transaction
  2. protect against malicious, deceptive, fraudulent, or illegal activity
  3. identify or repair errors within the app/website
  4. comply with the law, including the first amendment right of free speech
  5. engage in public or peer-reviewed scientific, historical or statistical research that’s in the public’s interest (there still needs to be adherence to all other applicable ethics and privacy laws, and the consumer has to have provided informed consent)

Should one or more of these exceptions apply to your business, providing a statement to the consumer identifying which exception(s) relieve you from deleting their data is a good way to maintain transparency and avoid potential disputes. It’s recommended your company have an overall playbook for consumer requests (one that also encompasses deletion requests under the GDPR is a good idea), along with a set of pre-drafted responses in order to ensure that all requests are handled consistently.

How this might affect your company: Interestingly, your business may actually need to retain some form of a person’s data in order to comply with this particular provision of the law. For example, to ensure ongoing compliance with the deletion request, a data collection firm would need to retain sufficient identifiers to prevent the person from being re-entered into their database at a later time — and to provide proof of deletion should it be requested by the consumer, law enforcement, or others.

Catches and exceptions: The bill also identifies an additional and difficult-to-dispute exception that many businesses may subsequently choose to note when tackling the right-to-deletion provision: if a consumer’s data is deemed by the business as “necessary” for internal use, and that use is “reasonable aligned” with what the consumer would expect from the business, deletion of data isn’t required. In addition, the law doesn’t consider “personal information” anything that the local, state, or federal governments would publish legally, like court records. What remains unclear is if the deletion is attached to the person, to the device or to the household.

Consumers will have the right, at any time, to refuse to have their data sold to third parties. While the specific definition of “sale” is still pending clarification from the California attorney general, businesses will need to make consumers aware — whether through an explicit privacy policy or other clearly accessible notice — that the right to opt out of having their data sold indeed exists, and that by not opting out, a consumer is, by default, agreeing to the sale of their data to third parties. If the consumer does opt out, a business must wait 12 months before requesting authorization of the sale of data. The consumer would also have the opportunity at any time after to change their minds, and opt in.

Moreover, a business cannot sell the personal information of a consumer who’s under 16 years old unless the business has received an “opt-in” consent. This means that consumers between the ages of 13 and 16 can provide the necessary opt-in consent directly to the business. For consumers under the age of 13, a business must obtain the affirmative authorization from a parent or guardian before selling the personal information.

How this might affect your company: The CCPA requires that businesses describe the rights of consumers in a privacy policy or somewhere on the business website. The CCPA expressly states that wording similar to “Do not sell my personal information” be used for a link on a business’ homepage, and that the California-specific description of consumers’ privacy rights also be made available. Presenting this policy at the time of data collection is also advised so that consumers can let your business know right away whether or not to proceed in selling their data.

Catches and exceptions: If the data has already been sold to third parties prior to consumer opt-out, that data isn’t subject to this CCPA provision; only the data collected by the business after a consumer opts out is prohibited from sale.

The CCPA goes on to state that, if a consumer exercises his or her privacy rights under the law, a business can’t deny them goods or services. However, the business can charge that consumer a different rate for those goods or services, depending on what “value” the consumer’s data is given, which appears to be at the discretion of the business. The law simply outlines that the rate differences be “reasonably related to the value” of the consumer’s data.

How this might affect your company: Because what is “reasonably related to value” is admittedly subjective, this is a particularly grey area within the bill. Identifying quantifiable values to specific data points or segments as they relate to your company’s consumer price-points may be worthwhile to establish what sorts of tiers you’d be willing to offer to those who opt in, opt out, or otherwise execute privacy rights. Proposing incentives in the vein of discounts, loyalty points or the like may be a viable approach to acquire consumers consent for data sharing and selling. Just be mindful that these incentives must not be “unjust, unreasonable, coercive, or usurious in nature.” Again, this is subjective terminology, but it’s best to design an incentive program that is based on the same (or similar) value points placed on the consumer’s data as you outline your pricing tiers.

Catches and exceptions: While the CCPA allows for businesses to charge rates dependent on consumer data sharing consent, the bill specifically prohibits businesses from suggesting that the consumer will receive a different price or level of quality of goods or services if they do not share or agree to the sale of their data. Being mindful of this clause is critical, particularly as you’re wording your privacy policy.

If you decide to offer financial incentives to consumers who agree to share their data, the bill requires that you inform your consumers of these incentives within the same privacy policy that also outlines the right to opt out and other provisions within the CCPA. The consumer has to expressly opt in in order to enter into any agreement to receive financial incentives for sharing their data, and still has the right to opt out at any time.

What’s Ahead for App Publishers and Mobile Marketers

California may have been the first state to introduce a data privacy bill like the CCPA, but it assuredly won’t be the last. How this bill (and its subsequent amendment) will play out may set the stage for future privacy legislation nationwide; so it stands to reason that as its language undergoes further evaluation by the data collection and distribution community, more questions are likely to arise.

For app publishers and mobile marketers, the best way to position your business for compliance (and success) is to develop best practices for onboarding and workflow, institute a rigorous vetting protocol of your third-party partners, and establish proactive data collection strategies that take into account the provisions laid out in this article. While the CCPA may be the beginning of a new tide in consumer data privacy, by understanding the law and its implications, you can ensure your business doesn’t get lost out to sea.

(This article was prepared with the assistance of Kari Kelly of Kelly Corporate Counsel. Nothing in this article should be construed as legal advice or as a comprehensive understanding of everything you need to know about data privacy and protection. We recommend that you retain an attorney to lay out your CCPA strategy.)

The Mobile Source

A round-up of information about mobile data, mobile marketing, and programmatic advertising

Elliott Easterling

Written by

Founder and CEO of TrueData. www.TrueData.co

The Mobile Source

A round-up of information about mobile data, mobile marketing, and programmatic advertising

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade