An Analysis of the California Privacy Act: Implications for App Publishers, Mobile Marketers
Most companies in the data collection or distribution space have likely already heard about the California Consumer Privacy Act of 2018 (AB375), a bill that was signed into law at the end of June and will go into effect on January 1, 2020. Intended to be a replacement for a broader privacy bill that was on the state ballot for November, the bill has been likened to Europe’s General Data Protection Regulation (GDPR).
However, contrary to the GDPR, which was crafted over the course of four years, the California Consumer Privacy Act (CCPA) took only three months for legislators to draft and pass, without the usual input from industry groups or privacy advocates. In fact, the CCPA itself instructs the California attorney general to “solicit broad public participation” in order to initiate regulations that are meant to clarify some portions of the law. As a result, the exact meanings, interpretations, and requirements are likely to change before the law’s implementation in 2020.
In early September, the California legislature passed SB 1121 to amend the CCPA at the urging of the ACLU, coalition groups, adtech, and other big tech companies seeking to address “technical” errors in the law such as the murky language and overlap with other federal privacy statutes. Still, some consumer privacy groups opposed the amendment, citing it as potentially undermining the intent of the CCPA to protect consumer privacy, and they’ve called for strengthening the bill even further in the coming months.
With all the uncertainty swirling around the law and its amendments, as well as their contradictory wording, it may be challenging for app publishers and mobile marketers to navigate the new regulations, let alone identify the best practices to ensure compliance.
As passionate advocates of truth in data, we value the fidelity of privacy, and support establishing responsible standards for data sharing. Though we anticipate there will be changes ahead, here is our analysis of the law and its amendment as they currently stand, as well as some insight into the practical implications for businesses that collect and use data in the state of California.
CCPA in a nutshell
In short, the CCPA requires companies to be more transparent with California-based consumers about the data they’re collecting, disclose what data has already been shared, provide financial incentive for consumer data sharing, and clearly communicate to those consumers their right to opt out of sharing their data. Sounds simple, right? Not so fast.
Because of its fuzzy definitions, criteria, and exceptions (along with some logistical concerns it raises in regard to consumer disclosure), the law and its amendment present inherent challenges to interpretation, and what together they’ll mean for businesses that use data. Let’s first identify who will be specifically affected by the new legislation, then break down the key points to consider to help you outline an effective compliance strategy for your business.
Who the law applies to
The bill outlines two primary constituents who will be directly affected by this bill: companies that do business in California and meet certain criteria, and California residents. Put simply, if you are:
…or are a legal resident of the State of California, the CCPA is going to affect you.
Practical implications for California businesses
Even buying a Facebook ad can reasonably be seen as “buying personal information,” since you’re using someone else’s collected information to target your ad. And if more than 50,000 people see your ad, your business is subject to the law. The CCPA will also apply to subsidiaries, co-branded entities, or affiliates if the business that meets the above criteria owns more than 50 percent of the affiliate, even if the affiliate doesn’t do business in California.
However, if you are a nonprofit, the law is not intended to apply to you. If you have a small app or website, don’t monetize in any way beyond direct sales to users, and don’t place any advertisements that use data, it may not apply to you either.
As far as California legal residency is concerned, regulations like the GDPR apply on a country-by-country basis, and both mobile and web are already set up to recognize from which country a user’s device is registered (or at least from where the device is connecting). Yet, there is no existing system to recognize the state of an individual user’s legal residency, and given the number of tourists visiting California or with second residences in the state, determining who is or isn’t a resident is tricky at best. Therefore, to ensure compliance with the CCPA, any business that collects data in the U.S. should do one of two things:
- Ask each person who uses their service to disclose what state they live in
- Apply the California privacy requirements to everyone
Which approach ends up being right for your business depends very much on what works best with your current onboarding flow and UX.
Questions that arise
It is worth noting that the law’s current definition of a “doing business in California” is rather loosely defined. It doesn’t specify whether the business is required to have a physical presence within the state, if the sale (“doing business”) is to a single California resident, or a single California user, that may or may not have actually purchased anything. This question of what constitutes “doing business in California” has also come up in many debates over state sales taxes, hence the definition has admittedly undergone changes over the years, and will also likely be yet another moving target under this law.
Key provisions of the law: what they really mean for your business
1) The consumers’ right to ask and data transparency
Per the CCPA — and similar to the GDPR — if requested by a consumer, a business that collects and sells data on California residents must disclose the categories and specific pieces of personal data that it collects and sells, the categories of sources from which that data is collected, the business purposes for collecting or selling the data, and the categories of third-parties with which the information is shared. However, the business is only required to disclose the categories of these third-parties, not the entities themselves.
Businesses must also provide a copy of the collected data to the individual in a portable, readily usable (and shareable) format within 45 days of request, but is only obliged to supply it twice within a 12-month period. Similar to the GDPR, once personal information has been collected, that information can’t be used for a different purpose without also notifying the consumer.
In regard to what constitutes a “business purpose” for collecting or selling data, the CCPA defines it as use that’s “reasonably necessary and proportionate to achieve the operational purpose for which the personal information was collected or processed.” The law provides several examples of “business purpose(s),” including:
- detecting security incidents
- providing advertising or marketing services
- processing payments
Catches and exceptions: The CCPA also requires that before a business collects a consumer’s data, in addition to making the consumer aware of the categories of information that are being collected (usually in the form of a log-in screen or similar interface), the consumer must also be informed of the purposes for data collection. If your company’s app or website isn’t using clear microcopy or messaging to disclose that info, you’ll want to consider doing so to avoid falling into noncompliance.
There are also exceptions for data that’s been collected for one-time use, as long as the data isn’t retained, transferred, re-identified, or otherwise linked. In other words, if a consumer enters their information on a company’s website once for a single sale or transaction, the company doesn’t have to disclose the above info to the consumer, even it’s requested.
2) The consumers’ right to request deletion
If a business receives a verifiable request from a consumer to delete personal data, it has to comply and direct any service providers to also delete the consumer’s data from their records too. However, there are quite a few exceptions — if the consumers’ data is necessary to:
- complete a transaction
- protect against malicious, deceptive, fraudulent, or illegal activity
- identify or repair errors within the app/website
- comply with the law, including the first amendment right of free speech
- engage in public or peer-reviewed scientific, historical or statistical research that’s in the public’s interest (there still needs to be adherence to all other applicable ethics and privacy laws, and the consumer has to have provided informed consent)
Should one or more of these exceptions apply to your business, providing a statement to the consumer identifying which exception(s) relieve you from deleting their data is a good way to maintain transparency and avoid potential disputes. It’s recommended your company have an overall playbook for consumer requests (one that also encompasses deletion requests under the GDPR is a good idea), along with a set of pre-drafted responses in order to ensure that all requests are handled consistently.
How this might affect your company: Interestingly, your business may actually need to retain some form of a person’s data in order to comply with this particular provision of the law. For example, to ensure ongoing compliance with the deletion request, a data collection firm would need to retain sufficient identifiers to prevent the person from being re-entered into their database at a later time — and to provide proof of deletion should it be requested by the consumer, law enforcement, or others.
Catches and exceptions: The bill also identifies an additional and difficult-to-dispute exception that many businesses may subsequently choose to note when tackling the right-to-deletion provision: if a consumer’s data is deemed by the business as “necessary” for internal use, and that use is “reasonable aligned” with what the consumer would expect from the business, deletion of data isn’t required. In addition, the law doesn’t consider “personal information” anything that the local, state, or federal governments would publish legally, like court records. What remains unclear is if the deletion is attached to the person, to the device or to the household.
3) Providing clear notice for opting out
Moreover, a business cannot sell the personal information of a consumer who’s under 16 years old unless the business has received an “opt-in” consent. This means that consumers between the ages of 13 and 16 can provide the necessary opt-in consent directly to the business. For consumers under the age of 13, a business must obtain the affirmative authorization from a parent or guardian before selling the personal information.
Catches and exceptions: If the data has already been sold to third parties prior to consumer opt-out, that data isn’t subject to this CCPA provision; only the data collected by the business after a consumer opts out is prohibited from sale.
4) Freemium limits and financial sharing incentives for data sharing
The CCPA goes on to state that, if a consumer exercises his or her privacy rights under the law, a business can’t deny them goods or services. However, the business can charge that consumer a different rate for those goods or services, depending on what “value” the consumer’s data is given, which appears to be at the discretion of the business. The law simply outlines that the rate differences be “reasonably related to the value” of the consumer’s data.
How this might affect your company: Because what is “reasonably related to value” is admittedly subjective, this is a particularly grey area within the bill. Identifying quantifiable values to specific data points or segments as they relate to your company’s consumer price-points may be worthwhile to establish what sorts of tiers you’d be willing to offer to those who opt in, opt out, or otherwise execute privacy rights. Proposing incentives in the vein of discounts, loyalty points or the like may be a viable approach to acquire consumers consent for data sharing and selling. Just be mindful that these incentives must not be “unjust, unreasonable, coercive, or usurious in nature.” Again, this is subjective terminology, but it’s best to design an incentive program that is based on the same (or similar) value points placed on the consumer’s data as you outline your pricing tiers.
What’s Ahead for App Publishers and Mobile Marketers
California may have been the first state to introduce a data privacy bill like the CCPA, but it assuredly won’t be the last. How this bill (and its subsequent amendment) will play out may set the stage for future privacy legislation nationwide; so it stands to reason that as its language undergoes further evaluation by the data collection and distribution community, more questions are likely to arise.
For app publishers and mobile marketers, the best way to position your business for compliance (and success) is to develop best practices for onboarding and workflow, institute a rigorous vetting protocol of your third-party partners, and establish proactive data collection strategies that take into account the provisions laid out in this article. While the CCPA may be the beginning of a new tide in consumer data privacy, by understanding the law and its implications, you can ensure your business doesn’t get lost out to sea.
(This article was prepared with the assistance of Kari Kelly of Kelly Corporate Counsel. Nothing in this article should be construed as legal advice or as a comprehensive understanding of everything you need to know about data privacy and protection. We recommend that you retain an attorney to lay out your CCPA strategy.)