Law and regulation aren’t the most pleasant topics to dive into, but we can’t ignore something like the California Consumer Privacy Act (CCPA) when it sends ripples through the whole AdTech market. New restrictions on how businesses collect and manage personal data inevitably stir up the advertising industry and change who qualifies as a regulated business under the CCPA and what is expected of them. No matter who your vendors are, the new law can leave you answering for their mistakes, non-compliance, and security failures.
Feeling uneasy? Don’t. We at Postindustria understand your worries. Read on for the lowdown on the requirements the Act brings to the table and how they may affect your relationships with vendors.
The CCPA: what is it?
The California Consumer Privacy Act (CCPA) came into force on January 1, 2020, with enforcement starting on July 1, 2020 (the final regulations were approved only in August 2020, partly because of COVID-19). It regulates how businesses collect and manage the personal data of California residents. Much like the European General Data Protection Regulation (GDPR), the Act aims to protect personal information by setting restrictions and penalties that can cost companies a pretty penny.
The CCPA changes the rules we have grown accustomed to. Data owners are now answerable for the security of the data they hold and for the AdTech vendors they share it with. Yes, that means a breach caused by your vendor can end up costing you.
We’ve mentioned the word “data” quite often. So let’s start our journey to understanding the CCPA rules by outlining what personal data you and your partners may collect.
What personal data do you collect?
Whether or not the CCPA thresholds apply to you directly, the chances are that you or your vendors collect several types of personal data that are subject to the CCPA. Let’s paint a clearer picture of that process first.
Advertisers commonly work with media and ad agencies that provide their services through agency trading desks (ATDs). The latter use one or more demand-side platforms (DSP) to purchase ad placements from publishers through ad exchanges or supply-side platforms (SSPs). An advertiser can also use a DSP directly, with no ATD as an intermediary between it and the publisher.
Both sides, advertiser and publisher alike, rely on AdTech to collect and analyze data from multiple sources, evaluate demand, and identify trends. Advertisers improve their ad results by analyzing the behavioral data of current and potential customers. Publishers, on the other hand, collect data to evaluate whether their audience responds to their current advertisers and whether it is worth expanding their ad inventory.
Data is at the core of the ad business. Collected information may include users’ behavior, characteristics and preferences, gender, age, location, and other demographics. There are three main types of data:
First-party data, collected directly by brands and publishers (CRMs, emails, sign-ups, social media, etc.)
Second-party data, which is another company’s first-party data shared with you directly (for example, a partner brand or publisher sharing its audience data with its vendors)
Third-party data, collected from outside sources (third-party cookies, data resellers, etc.)
The GDPR and the newly enforced CCPA both constrain the use of third-party data (under the CCPA, most transfers of it count as a “sale” that consumers can opt out of) and bring the data collected directly by brands and publishers into focus. In other words, first- and second-party data are now the king and queen of the field.
Some kinds of third-party data, such as third-party cookies, are disappearing as browsers phase them out; others can still be paired with a brand’s own data to generate more insights. Let’s turn to the CCPA requirements for more details.
The CCPA requirements on personal data and its use
In broad terms, personal information under the CCPA is any information (even pseudonymized) that identifies, describes, or could reasonably be linked with a particular consumer or household. By a “household”, the CCPA means a group of people living at the same address, be it your much-loved granny or a roommate you dream of getting rid of.
The CCPA takes a hard line on selling data, and “selling” covers far more than we usually mean by the word. The Act treats any disclosure or transfer of personal information to a third party for monetary or other “valuable consideration” as a sale.
Unlike the GDPR, an opt-in law requiring privacy by default, the CCPA lets users opt out of the sale of their personal information, which in AdTech covers most ad targeting, at any time they want. Where a household is concerned, an opt-out from one member has to be honored across all of their devices and those of the people they live with. It goes without saying that your vendors should do the same.
There are several sticking points for AdTech vendors in the CCPA requirements. Here they are.
Vagueness on the difference between third parties and service providers
Under the CCPA, any third party is treated as a potential bad actor. A business can pass personal information to a third party only as a “sale”, which consumers can opt out of, and the third party may not sell it onward without giving the consumer explicit notice and a fresh chance to opt out. An AdTech service provider, by contrast, can collect personal information on the business’s behalf and receive it from brands without that counting as a sale, but it may use the data only to perform the contracted services and may not sell it or disclose it further.
Unlike third parties, service providers are bound by contract: they may use the data only for the business purpose set out in that contract and must delete it when the business passes on a consumer’s deletion request. The “business purpose” itself is the next mysterious term.
The ambiguous definition of a business purpose
A business purpose covers situations in which personal data may still be used after the user has opted out. Such cases include security and fraud prevention, customer service, debugging and technical development, and auditing user interactions. For example, the CCPA doesn’t require you to drop cookies and tags needed for the site or app to work, such as those that remember shipping information or shopping cart items.
Why do these sticking points matter? Look at these two examples:
You hold some first-party data on your customers and move it around your own infrastructure, perhaps hosted on AWS. AWS will likely be considered a service provider that processes data for a business purpose.
Your AdTech service provider uses third-party cookies for ad tracking and then uses the collected personal data for its own marketing. Does that count as a “business purpose” as defined by the Act? There is no clear answer as yet.
As the law is relatively new, it will take time for the ambiguities to clear up, and stricter terms are likely on the way. The journey has just begun: similar regulations in other states and the California Privacy Rights Act (CPRA) are upcoming and will further expand the CCPA’s terms and conditions. That can look like a gloomy outlook for the industry, but Postindustria is ready to help you understand what you can start doing today to mitigate the risks and remain CCPA compliant.
Though the CCPA qualification criteria may seem ambiguous, the penalties for non-compliance are clear: civil penalties of $2,500 per unintentional violation and $7,500 per intentional violation, enforced by the California Attorney General, plus statutory damages of $100 to $750 per consumer per incident (or actual damages, if greater) if consumers sue you after a data breach. The good news is that not every company (yet) needs to comply. The CCPA applies to for-profit businesses that do business in California and meet at least one of these thresholds:
Your annual gross revenue exceeds $25 million
You derive 50% or more of your annual revenue from selling consumers’ personal information
You buy, receive, sell, or share the personal information of 50,000 or more California consumers, households, or devices per year
If any of these conditions describes your case, you need to be CCPA compliant. The first and most crucial step is to assess the data you collect, how you use it, and whom you share it with. This step involves:
Listing all the vendors you’re working with
Assessing the risk each vendor poses, based on what data you share with it and how much
Deciding what each vendor may do with that data and how much due diligence it warrants
Establishing an incident response plan
AdTech vendors may process mountains of confidential data, including physical and email addresses, phone numbers, payment details, biometric information, and more. If you share personal data with them, you remain on the hook for it: the CCPA expects you to require by contract that your vendors implement and maintain reasonable security practices, and it is your name on the breach if they don’t. Simply put, you are responsible for the security of the data your vendors process on your behalf.
How can you make sure your AdTech vendors keep your data secure? Here are some tips:
Document the vendor’s responsibilities in the contract
Include indemnity clauses for data breaches in the contract terms
Design an incident response plan together with the vendor (it should become part of your own internal plan)
Keep in mind that California’s breach notification law (separate from the CCPA) requires you to notify affected residents when their personal information is breached, and that the CCPA’s private right of action covers only nonencrypted and nonredacted personal information. So encrypt the data you store and share, keep the keys apart from the data, and make sure your vendors do the same. This can keep a breach out of the scope of statutory damages and reduce what you pay in court.
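As an added illustration (this is example code written for this article, not Postindustria’s or any vendor’s), here is how a first-party data export could be sealed before it is handed to a vendor, using only the Go standard library and AES-256-GCM. The vendor ID and export date are assumed labels bound into the ciphertext as associated data, so an export sealed for one vendor is rejected if it is replayed to another vendor or altered in transit; the record fields and the sample row are constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Record is a constructed stand-in for one row of a first-party data share
// (field names are assumptions for the demo, not from the article).
type Record struct {
	Email string `json:"email"`
	Zip   string `json:"zip"`
}

// Envelope is what travels to the vendor. VendorID and ExportDate go in the
// clear but are bound into the ciphertext as associated data, so an envelope
// sealed for one vendor cannot be replayed to another or relabelled.
type Envelope struct {
	VendorID   string `json:"vendor_id"`
	ExportDate string `json:"export_date"`
	Nonce      []byte `json:"nonce"`
	Ciphertext []byte `json:"ciphertext"`
}

// NewKey returns a fresh 256-bit key. In practice the key lives in a KMS and
// reaches the vendor out of band; it never travels beside the data.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func associatedData(vendorID, exportDate string) []byte {
	return []byte(vendorID + "|" + exportDate)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal serialises the records as JSON and encrypts them with AES-256-GCM under
// a random nonce, authenticating the vendor ID and export date alongside.
func Seal(key []byte, vendorID, exportDate string, records []Record) (*Envelope, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	plaintext, err := json.Marshal(records)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, associatedData(vendorID, exportDate))
	return &Envelope{VendorID: vendorID, ExportDate: exportDate, Nonce: nonce, Ciphertext: ct}, nil
}

// Open is the vendor side. GCM returns no plaintext at all if the key is
// wrong or any byte of the envelope (including the clear labels) was altered.
func Open(key []byte, env *Envelope) ([]Record, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	plaintext, err := gcm.Open(nil, env.Nonce, env.Ciphertext, associatedData(env.VendorID, env.ExportDate))
	if err != nil {
		return nil, errors.New("envelope rejected: wrong key or tampered data")
	}
	var records []Record
	if err := json.Unmarshal(plaintext, &records); err != nil {
		return nil, err
	}
	return records, nil
}

func main() {
	key, _ := NewKey()
	rows := []Record{{Email: "alice@example.com", Zip: "94103"}} // constructed sample row
	env, _ := Seal(key, "dsp-example", "2020-10-01", rows)
	fmt.Printf("sealed %d record(s) into %d ciphertext bytes\n", len(rows), len(env.Ciphertext))

	// Replaying the same export to a different vendor is rejected outright.
	env.VendorID = "other-vendor"
	if _, err := Open(key, env); err != nil {
		fmt.Println("replay to another vendor:", err)
	}
}
```

The key is generated in the demo for convenience; in a real setup it would be issued from a KMS and delivered to the vendor out of band (for example, wrapped with the vendor’s public key), never alongside the data. This protects the export at rest and in transit, but once the vendor decrypts it, the vendor’s own controls take over, which is exactly why the contract clauses above still matter.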
The CCPA isn’t a piece of cake, but it shouldn’t give you the heebie-jeebies either. It reflects where the industry is heading: the rise of first-party data and a greater focus on personal data security. As a data owner and controller, you are now answerable for the data you and your vendors process, so be demanding when choosing whom to partner with. With 14 years of hands-on experience in the AdTech field, Postindustria can be such a vendor for you. All you need to do is drop us a line.