Data collection and management have fed digital advertising for a quarter-century, but the industry is facing major changes: this month, the California Attorney General announced a notice of proposed rulemaking and draft regulations for California’s new consumer privacy law, the California Consumer Privacy Act (CCPA). The act is slated to take effect on January 1, 2020, and is expected to significantly restrict how companies collect and manage consumer data.
In a nutshell, the proposed act means that California citizens and the state of California itself will be able to sue any company that violates their personal data sharing rights under the law. In a press release issued on October 10, Attorney General Xavier Becerra said: “Knowledge is power, and on the internet, age knowledge is derived from data. Our personal data is what powers today’s data-driven economy and the wealth it generates. It’s time we had control over the use of our personal data. That includes keeping it private. We take a historic step forward today to protect Californians’ inalienable right to privacy. Once again, California leads the way putting people first in the Age of the Internet.”
The CCPA includes the following key requirements:
- Businesses must disclose data collection and sharing practices to consumers
- Consumers have a right to request that their data be deleted
- Consumers have a right to opt-out of the sale or sharing of their personal information
- Businesses are prohibited from selling personal information of consumers under the age of 16 without explicit consent
Also, for-profit organizations that do business in California and collect consumers’ personal information will be responsible for complying with the CCPA if they have an annual gross revenue that totals $25 million or higher; purchase, receive, sell or share consumer data from 50,000 or more consumers, households or devices; and finally, make the majority of their annual revenue from selling personal data.
Adding to the anxiety is the fact that, at the moment, businesses don’t have a clear understanding of how to interpret some aspects of the law and don’t have a finalized bill to review.
Daniel L. Jaffe, group executive vice president, Government Relations for the Association of National Advertisers, explained: “The California Consumer Privacy Act is going to go into effect in less than three months, on January 1, 2020. Before it goes into effect, possibly, the rulemaking by the attorney general will be completed. He has come out of his rulemaking proposal on October 10 and [how these] proposals usually work is that you get a 45-day comment period. And then, if there are major changes that could be made to the rule, you get another 45 days. So, it’s either 60 or 90-days of time for comments. That at the very least will push the final rules to the limit of the legislation going into effect.” He added: “This, I can see from talking to [ANA] members, created a great deal of anxiety, confusion and general problems because companies don’t have a finalized bill to prepare for. When you are shooting at a moving target, that’s very difficult and there is at least a possibility that the rules may not be finalized until after the effective date of January 1, 2020.”
According to Interactive Advertising Bureau (IAB) estimates, the act will cost businesses tens of billions of dollars. Dave Grimaldi, executive vice president of Public Policy at IAB, said in a press release shared with AList: “[…] A recent CCPA economic impact assessment, prepared for the Office of the Attorney General, asserts that CCPA could cost companies in California up to $55 billion in initial compliance costs alone. Considering these high costs, it is imperative that implementing regulations provide strong protections while avoiding unnecessary costs to innovation, content development and general services that could be devastating to small and mid-size California businesses, including potential job losses.”
And of course, it is quite possible that the act will affect not only businesses but customers as well. “Eventually, consumers are going to pay for this through a hidden tax because it’s going to [cost companies billions of dollars]. Somehow, [the state] is going to have to handle that massive [losses which will result] in higher costs for services and products,” Jaffe said.
Unfortunately, it’s estimated that smaller businesses will face the biggest obstacles as they don’t have access to all the resources of their larger competitors. “A lot of small and mid-size companies may not be as well prepared to respond to [the proposed regulations] because they don’t have armies of lawyers, IT experts and other [specialists] to depend on,” Jaffe said.
So, what can brands do to get ahead now? Jaffe says that, most importantly, companies must be able to track the data they are collecting and from whom, and put it together ASAP in a presentable format so they can provide it if and when requested.
Also, according to Matthew Baier, COO and CMO at Contentstack, to get compliant with CCPA, brands need to:
- start a campaign for CCPA compliance with CMS
- understand automated consent management and validation
- organize easily-accessed and adjustable consumer profiles and consent records
- set up thorough permissions settings
- build adaptable and extensible site architecture
It is also important to develop a “right to be forgotten” workflow, since under the act a customer will be able to request his or her personal data from the system at any time. “Because of this, you’ll want your CMS to be constantly tracking where all the pertinent data associated with a single user lives so that you can find and remove it during the allotted time frame,” Baier writes.